iankelling.org / git / distro-setup / blobdiff
various fies, change network
[distro-setup] / transmission-firewall / netns.rules
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index f0a37f774e1cf5d8808f14d245aace419b5e0b45..96b404f9251425a6fe69d08f7bc1891342937541 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@
-1,3
+1,7
@@
+# note, transmission specific thing here is to
+# allow one extra port for transmission-remote, but thats no big deal,
+# might as well use this in general for openvpn-nn
+
# format from iptables-save. [0:0] are comments of packet-count/byte-count
# which I removed
*filter
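Review bot: the new header comment says this rule set "might as well" be used for openvpn-nn in general, but the file still hard-codes the transmission-remote port (the 9091 rules later in this diff), so reusing it unchanged for another namespace would open that port there as well; either state in the comment that the 9091 rules must be dropped when the file is reused, or move them into a separate transmission-only fragment. Minor: "thats" should be "that's".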
@@
-7,7
+11,7
@@
# from ip route, we can deduce that traffic goes to the
# local 10.8.0.x tun0, then to the normal interface.
# For the normal interface, we allow only some ports:
-# dns
, vpn,
transmission-remote.
+# dns
for root user, vpn, and
transmission-remote.
# dns is only used to resolve the vpn server ip on initial
# connection.
# rules are mirror on input and output, just for extra safety,
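Review bot: the reworded comment ("dns for root user") matches the `--uid-owner root` match on the OUTPUT rule, but the next sentence, "rules are mirror on input and output", no longer holds for DNS: the `owner` match is only valid in the OUTPUT chain, so the INPUT side cannot be restricted by user and the mirrored rule accepts any TCP packet with source port 53. Suggest saying so in the comment, e.g. "# owner match only applies on OUTPUT; the INPUT side cannot filter by user".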
@@
-29,6
+33,7
@@
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+# transmission-remote
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
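Review bot: the `-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT` rule under the new "# transmission-remote" comment accepts connections to the RPC port from any source address, and the `--sport 53` INPUT rule above it likewise accepts any inbound TCP segment whose source port is 53, regardless of connection state. Consider restricting the 9091 INPUT rule with `-s` to the host or LAN range the remote client connects from, and adding `-m conntrack --ctstate ESTABLISHED,RELATED` to the INPUT side of the DNS pair so only replies to the root-initiated lookup are accepted. The comment would also read better as "# transmission-remote (RPC port 9091)" so the port number is explained where it is used.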