From 5ea3283142670f2746296021f885547f1ac7b163 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sat, 15 Apr 2017 17:57:50 -0700
Subject: [PATCH] add unpublished iptables rules
---
transmission-firewall/default.rules | 8 ++++++
transmission-firewall/empty.rules | 5 ++++
transmission-firewall/netns.rules | 41 +++++++++++++++++++++++++++++
3 files changed, 54 insertions(+)
create mode 100644 transmission-firewall/default.rules
create mode 100644 transmission-firewall/empty.rules
create mode 100644 transmission-firewall/netns.rules
diff --git a/transmission-firewall/default.rules b/transmission-firewall/default.rules
new file mode 100644
index 0000000..3f8bae7
--- /dev/null
+++ b/transmission-firewall/default.rules
@@ -0,0 +1,8 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+# prevent transmission daemon from doing anything outside it's
+# network namespace.
+-A OUTPUT -m owner --uid-owner debian-transmission -j REJECT
+COMMIT
diff --git a/transmission-firewall/empty.rules b/transmission-firewall/empty.rules
new file mode 100644
index 0000000..1a7a00c
--- /dev/null
+++ b/transmission-firewall/empty.rules
@@ -0,0 +1,5 @@
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+COMMIT
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
new file mode 100644
index 0000000..a8c8c2c
--- /dev/null
+++ b/transmission-firewall/netns.rules
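Review bot: The comment above the REJECT rule in default.rules does not say which network namespace this ruleset is loaded into, and since `-m owner` only matches packets generated locally in that namespace, the file name is the only hint that it belongs on the host side; a comment such as `# loaded in the host (default) namespace: anything transmission generates here, rather than inside its own netns, is rejected` would make the intent checkable. The same comment has a typo, `it's` should be `its`. The match keys solely on the uid `debian-transmission`, so the rule gives no protection if the daemon is ever started under another account; that is presumably acceptable here, but worth stating next to the rule so nobody later relies on it as a hard boundary.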
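Review bot: empty.rules carries no comment at all, unlike the other two files, so a reader cannot tell whether an all-ACCEPT table with no rules is a placeholder or a deliberate way to clear the filter table; a one-line header such as `# intentionally empty: accept-all policies and no rules, used to reset the filter table` (adjusted to how it is actually applied) would make that explicit.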
@@ -0,0 +1,41 @@
+# format from iptables-save. [0:0] are comments of packet-count/byte-count
+# which I removed
+*filter
+:INPUT DROP
+:FORWARD ACCEPT
+:OUTPUT DROP
+# from ip route, we can deduce that traffic goes to the
+# local 10.8.0.x tun0, then to the normal interface.
+# For the normal interface, we allow only some ports:
+# dns, vpn, transmission-remote.
+# dns is only used to resolve the vpn server ip on initial
+# connection.
+# rules are mirror on input and output, just for extra safety,
+# although just having output should do fine.
+
+# We could also firewall from outside the nat, for example like this,
+# but I'm thinking this is simpler.
+#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
+#-A FORWARD -i brvpn -j REJECT
+
+# prevent dns leaks, openvpn runs as root, allow root to
+# make non-vpn dns calls, but not transmission which does not run as root.
+# openvpn needs this in order to lookup the ip of the vpn server
+# before it's connected to it. We could hardcode the vpn ips in the
+# config, but our vpn service provider gave us dns, so the ip might change.
+-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p udp -m udp --sport 53 -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
+-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+
+-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
+
+# 1195 is used for the secondary vpn server
+-A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1194:1195 -j ACCEPT
+
+-A OUTPUT -o tun0 -j ACCEPT
+-A INPUT -i tun0 -j ACCEPT
+COMMIT
-- 2.30.2
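Review bot: The three INPUT accepts keyed only on a source port (`-A INPUT -p udp -m udp --sport 53`, the tcp `--sport 53` twin, and `--sport 1194:1195`) undo the INPUT DROP policy for any remote host that simply sends from one of those ports, so they reach every local port in the namespace rather than adding the "extra safety" the comment describes. Because the OUTPUT rules already decide what the namespace may initiate, the stateless mirror can be replaced by a single stateful reply rule, `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, with the three `--sport` INPUT lines removed. The `--dport 9091` INPUT rule (with its `--sport 9091` OUTPUT partner, still needed under OUTPUT DROP) is the only listener that should stay unconditional; if the interface that carries transmission-remote traffic is known, adding `-i <that interface>` to it would keep the RPC port unreachable over the VPN path. The blanket `-i tun0` / `-o tun0` accepts are presumably intentional for inbound peer connections and are fine as written.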