--- /dev/null
+# format from iptables-save. [0:0] are comments of packet-count/byte-count
+# which I removed
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT DROP
+# from ip route, we can deduce that traffic goes to the
+# local 10.8.0.x tun0, then to the normal interface.
+# For the normal interface, we allow only some ports:
+# dns, vpn, transmission-remote.
+# dns is only used to resolve the vpn server ip on initial
+# connection.
+# rules are mirror on input and output, just for extra safety,
+# although just having output should do fine.
+
+# We could also firewall from outside the nat, for example like this,
+# but I'm thinking this is simpler.
+#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+#-A FORWARD -i brvpn -j REJECT
+
+# prevent dns leaks, openvpn runs as root, allow root to
+# make non-vpn dns calls, but not transmission which does not run as root.
+# openvpn needs this in order to lookup the ip of the vpn server
+# before it's connected to it. We could hardcode the vpn ips in the
+# config, but our vpn service provider gave us dns, so the ip might change.
+-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p udp -m udp --sport 53 -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
+
+# 1195 is used for the secondary vpn server
+-A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1194:1195 -j ACCEPT
+
+-A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -i tun0 -j ACCEPT
+COMMIT
iankelling.org / git / distro-setup / commitdiff