Gentoo Forums
(OpenVPN) Route one user's traffic into tun0 with iptables
Gentoo Forums Forum Index Networking & Security
MarkOwen
n00b


Joined: 11 Nov 2014
Posts: 1

PostPosted: Tue May 19, 2015 1:54 pm    Post subject: (OpenVPN) Route one user's traffic into tun0 with iptables

Hello,

All I'm trying to do is bind my torrenting application (deluge) to my VPN's interface: tun0. I've been unsuccessful so far: when checking my IP online I see both my personal IP AND my VPN's IP. Deluge is run by two users with ids 125 and 126. I added the "route-nopull" option to OpenVPN in order to prevent all of my traffic from being routed into tun0, because this machine is not only meant for torrenting.

Here is my full iptables script with the rules concerning deluge in bold:

Quote:
#!/bin/sh
#
# IPTables firewall script. There are many. This is mine.
#


#
# Ensure sane path
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Variables
LOCALsrc='-s 127.0.0.0/8,192.168.1.2'
LOCALdest='-d 127.0.0.0/8,192.168.1.2'
LANsrc='-s 192.168.1.0/24'
LANdest='-d 192.168.1.0/24'
ADMINsrc='-s 192.168.1.11'
ADMINdest='-d 192.168.1.11'
Internet1='eth0'
VPN1='tun0'

#
# When running from the command line, provide a -v option to print the
# installed rules at the end.
#
verbose=
if [ "$1" = "-v" ]; then
    shift
    verbose=on
fi

#
# Rather than duplicate entries for iptables and ip6tables, have some small
# wrapper functions do it for us.
#
# ip4tbl - apply ruleset for just iptables
# ip6tbl - apply ruleset for just ip6tables
# iptbl - apply ruleset for both iptables and ip6tables
#
ip4tbl()
{
    iptables "$@"
}
ip6tbl()
{
    ip6tables "$@"
}
iptbl()
{
    ip4tbl "$@"
    ip6tbl "$@"
}

#
# Flush all rulesets
#
iptbl -F
iptbl -X

#
# Block by default except outgoing traffic
#
iptbl -P INPUT DROP
iptbl -P FORWARD DROP
iptbl -P OUTPUT DROP

#
# Allow everything on loopback
#
ip4tbl -A INPUT -i lo -j ACCEPT
ip4tbl -A OUTPUT -o lo -j ACCEPT

#
# Permit established connections
#
ip4tbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -i $VPN1 -j ACCEPT

#
# Permit allowed services on all interfaces. DNS is restricted to my public
# DNS servers, this just runs a hidden master.
#

#################
## INPUT RULES ##
#################
# openSSH
ip4tbl -A INPUT -p tcp -m tcp --dport 22 $ADMINsrc $LOCALdest -i $Internet1 -j ACCEPT
# DNS
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 192.168.1.0/24 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 192.168.1.0/24 -i $Internet1 -j ACCEPT
# HTTP
ip4tbl -A INPUT -p tcp -m tcp --dport 80 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8080 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8081 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8083 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# HTTPS
ip4tbl -A INPUT -p tcp -m tcp --dport 443 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# NFS
ip4tbl -A INPUT -p tcp -m tcp --dport 111 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 111 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 2049 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 2049 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32764 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32764 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32765 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32765 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32766 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32766 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32767 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32767 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32768 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32768 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32769 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32769 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# Deluged (web interface)
ip4tbl -A INPUT -p tcp -m tcp --dport 8112 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# Samba
ip4tbl -A INPUT -p tcp -m tcp --dport 137 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 137 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 138 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 138 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 139 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 139 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 445 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 445 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# mySQL server
ip4tbl -A INPUT -p tcp -m tcp --dport 3306 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 3306 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# isc-dhcp-server
ip4tbl -A INPUT $LANsrc $LANdest -p tcp --sport 68 --dport 67 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LANdest -p udp --sport 68 --dport 67 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 69 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# murmur (mumble-server)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 64738 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p udp -m udp --dport 64738 -i $Internet1 -j ACCEPT
# saned (scanner)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6566 -i $Internet1 -j ACCEPT
# cups (print server)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 631 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p udp -m udp --dport 631 -i $Internet1 -j ACCEPT
# VNC server
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 5901 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6001 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 5902 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6002 -i $Internet1 -j ACCEPT
# icecast2 (music & radio streaming)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 9000 -i $Internet1 -j ACCEPT
# Permit ICMP
ip4tbl -A INPUT $LANsrc $LOCALdest -p icmp -i $Internet1 -j ACCEPT
##########################
## END OF INPUT RULES ##
##########################

##########################
## FORWARD RULES ##
##########################
##########################
## END OF FORWARD RULES ##
##########################

##########################
## OUTPUT RULES ##
##########################
# General traffic
ip4tbl -A OUTPUT $LOCALsrc -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc $LANdest -p tcp -m tcp -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc $LANdest -p udp -m udp -o $Internet1 -j ACCEPT
# HTTP
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 80 -o $Internet1 -j ACCEPT
# HTTPS
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 443 -o $Internet1 -j ACCEPT
# DNS
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 53 -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc -p udp -m udp --dport 53 -o $Internet1 -j ACCEPT
# Deluge
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6881 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6881 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6882 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6882 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6891 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6891 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6892 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6892 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6771 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6771 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 36539 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 36539 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 36653 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 36653 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 45346 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 45346 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 4433 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 4433 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 4434 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 4434 -o $Internet1 -j DROP

##########################
## END OF OUTPUT RULES ##
##########################

#
# Log denied connections
#
#LOGCOMMON='-m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7'
iptbl -A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7
iptbl -A INPUT -p udp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7
ip4tbl -A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7

#
# Finally, reject to keep open connections down
#
iptbl -A INPUT -j REJECT

#
# Display INPUT chain if verbose
#
if [ -n "${verbose}" ]; then
    iptables -L INPUT -vn --line-numbers
    ip6tables -L INPUT -vn --line-numbers
fi


Ports 6881, 6882, 6891 and 6892 were manually set in Deluge's config rather than letting the application choose them randomly. Ports 6771, 36539, 36653, 45346, 4433 and 4434 were found to be used by Deluge when I inspected the open ports of my machine.

eth0 is my default interface and tun0 is my VPN's interface. What am I missing here?

Thank you in advance.
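Two separate mechanisms are at work in the setup above, and a small model of the Linux output path makes the difference visible. This is an added example, not code from the thread nor from Deluge or OpenVPN; the fwmark value 1, routing table 100 and the hardened rule order are assumptions of the example, not something the post contains. It models (a) the filter OUTPUT chain, which iptables walks top to bottom with the first matching rule deciding, so the unconditional "general traffic" ACCEPT on eth0 placed before the --uid-owner rules means those DROPs never see eth0 traffic; and (b) the routing decision, which the owner match does not influence at all: with route-nopull the main table sends every non-LAN packet out eth0, so nothing ever delivers deluge traffic to tun0 unless a policy-routing rule (a fwmark set in the mangle table by owner, looked up in a table whose default route is tun0) does so.

```python
"""Added model (not code from the thread) of what happens to one locally
generated packet on Linux: the routing decision picks the outgoing interface,
then the filter OUTPUT chain is walked top to bottom and the FIRST matching
rule decides.  Interface names and uids are the ones from the post; rule sets
are abridged to the fields that matter for the verdict."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELUGE_UIDS = {125, 126}   # the two deluge users from the post
VPN_MARK = 1               # assumed fwmark value used for policy routing


@dataclass
class Packet:
    uid: int
    mark: int = 0
    oif: Optional[str] = None


@dataclass
class Rule:
    """One filter OUTPUT rule, reduced to owner match and output interface."""
    target: str                      # ACCEPT or DROP
    uid: Optional[int] = None        # -m owner --uid-owner N
    oif: Optional[str] = None        # -o IFACE
    not_oif: Optional[str] = None    # ! -o IFACE

    def matches(self, p: Packet) -> bool:
        if self.uid is not None and p.uid != self.uid:
            return False
        if self.oif is not None and p.oif != self.oif:
            return False
        if self.not_oif is not None and p.oif == self.not_oif:
            return False
        return True


def walk_chain(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """iptables semantics: first matching terminating rule wins, else chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def mark_by_owner(p: Packet) -> None:
    """Models: iptables -t mangle -A OUTPUT -m owner --uid-owner N -j MARK --set-mark 1"""
    if p.uid in DELUGE_UIDS:
        p.mark = VPN_MARK


def route(p: Packet, policy_routing: bool, tun_up: bool) -> None:
    """Models the routing decision.  With 'route-nopull' the main table sends
    everything out eth0.  Policy routing (ip rule add fwmark 1 table 100;
    ip route add default dev tun0 table 100) diverts marked packets to tun0,
    but only while tun0 exists; when it drops, lookup falls through to main."""
    if policy_routing and p.mark == VPN_MARK and tun_up:
        p.oif = "tun0"
    else:
        p.oif = "eth0"


# The OUTPUT chain as posted, abridged: the unconditional "general traffic"
# ACCEPT on eth0 comes BEFORE every owner-based rule.
POSTED_OUTPUT = [
    Rule("ACCEPT", oif="eth0"),            # ip4tbl -A OUTPUT $LOCALsrc -o $Internet1 -j ACCEPT
    Rule("DROP", uid=125, oif="eth0"),     # never reached for eth0 traffic
    Rule("ACCEPT", uid=125, oif="tun0"),
    Rule("ACCEPT", uid=126, oif="tun0"),
    Rule("DROP", uid=125, not_oif="tun0"),
    Rule("DROP", uid=126, oif="eth0"),
    Rule("DROP", uid=126, not_oif="tun0"),
]

# Assumed hardened ordering: the per-uid kill switch is evaluated first, so
# nothing from the deluge users can leave on any interface other than tun0.
HARDENED_OUTPUT = [
    Rule("DROP", uid=125, not_oif="tun0"),
    Rule("DROP", uid=126, not_oif="tun0"),
    Rule("ACCEPT", uid=125, oif="tun0"),
    Rule("ACCEPT", uid=126, oif="tun0"),
    Rule("ACCEPT", oif="eth0"),
]


def send(uid: int, chain: List[Rule], *, mark: bool, policy_routing: bool,
         tun_up: bool = True) -> Tuple[str, str]:
    """Return (outgoing interface, filter verdict) for one packet from uid."""
    p = Packet(uid=uid)
    if mark:
        mark_by_owner(p)
    route(p, policy_routing, tun_up)
    return p.oif, walk_chain(chain, p)


if __name__ == "__main__":
    # As posted: no mark, no policy rule; the packet leaves on eth0 and the
    # general ACCEPT matches first, which is the leak the poster observed.
    print("posted, uid 125:  ", send(125, POSTED_OUTPUT, mark=False, policy_routing=False))
    # Hardened with the VPN up: routed to tun0 and accepted there.
    print("hardened, uid 125:", send(125, HARDENED_OUTPUT, mark=True, policy_routing=True))
    # Hardened with tun0 gone: routing falls back to eth0, kill switch drops it.
    print("vpn down, uid 125:", send(125, HARDENED_OUTPUT, mark=True, policy_routing=True, tun_up=False))
    # Other users are unaffected.
    print("hardened, uid 1000:", send(1000, HARDENED_OUTPUT, mark=True, policy_routing=True))
```

The model deliberately ignores the source address, but on a real host the socket's source address is usually chosen before the mark is applied, so a marked flow can leave tun0 carrying the eth0 address; the common remedy is a MASQUERADE rule in the nat POSTROUTING chain for `-o tun0`, and the reverse-path filter on tun0 may need relaxing for the VPN's replies. The `ip rule`/`ip route` commands quoted in the comments are the standard policy-routing incantation and are assumed here, not taken from the post.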
Schnulli
Guru


Joined: 25 Jun 2010
Posts: 320
Location: Bremen DE

PostPosted: Wed May 20, 2015 11:52 pm

You need to define a "route": from-over-to.
That's all.... I am lazy, emerge Webmin and have a look at Networking for understanding it visually ;)
But type it on your own, learn it ;)

SN
All times are GMT