[Not Solved]
Jun 26, 2017, 11:16 AM
(This post was last modified: Jun 26, 2017, 11:23 AM by falghar.)
Hi,
I've followed the guide part 1 & 2 on how to enable split tunnelling and get transmission working here
My VPN is IVPN and they have a static port forwarding port which I would like to add to the vpn user ip rules
I also have ports for various services I need to forward for any other user
I've had a go at entering rules
My iptables.sh script now contains the following addition
Code:
# allow forwarded ports for non vpn host
# NOTE: the script below defines no tcp_inbound/udp_inbound chains, so "-A tcp_inbound"
# fails; the rules are attached to INPUT and limited to the LAN interface ($NETIF) instead
iptables -A INPUT -i $NETIF -p tcp --dport 32400 -j ACCEPT
iptables -A INPUT -i $NETIF -p udp --dport 32400 -j ACCEPT
Code:
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
export INTERFACE="tun0"          # VPN tunnel interface
export VPNUSER="vpn"             # user whose traffic is forced through the tunnel
export LOCALIP="192.168.2.11"    # this host's LAN address
export NETIF="enp3s0"            # LAN interface
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# mark packets from $VPNUSER (routing.sh uses the mark to select the VPN routing table)
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# allow forwarded ports for non vpn host
# NOTE: no tcp_inbound/udp_inbound chains exist in this script, so the original
# "-A tcp_inbound"/"-A udp_inbound" lines fail; attach to INPUT on $NETIF instead.
# (INPUT has no DROP policy in this script, so these only matter if one is set elsewhere.)
iptables -A INPUT -i $NETIF -p tcp --dport 32400 -j ACCEPT
iptables -A INPUT -i $NETIF -p udp --dport 32400 -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
# (an ACCEPT for a port forwarded by the VPN provider must be appended before this line)
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE need to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# Start routing script
/etc/openvpn/routing.sh
exit 0
Is there a safer way to create these rules or a better advised way?
Could you show me how to add a port forward for the VPN user, please, and give any critique on the rules I've added, which shouldn't apply to the VPN but to everything else?
Thanks
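For the VPN-user port forward asked about above, here is an added example (my own, not the poster's rules or the HTPC Guides script) showing the INPUT rule order that lets a provider-forwarded port through while keeping LAN-only ports off the tunnel. The port 12345 is a placeholder for whatever port IVPN assigns, and the functions ipt, inbound_rules and check_order are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original post or the HTPC Guides script: where a VPN-provider
# forwarded port must sit relative to the REJECT on $INTERFACE, and how LAN-only ports stay
# off the tunnel. DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 to apply them.
INTERFACE="${INTERFACE:-tun0}"      # VPN tunnel interface, as in the script above
NETIF="${NETIF:-enp3s0}"            # LAN interface
VPNFWDPORT="${VPNFWDPORT:-12345}"   # PLACEHOLDER: replace with the port IVPN assigned to you
LANPORTS="${LANPORTS:-32400}"       # services reachable only from the LAN, space separated
DRY_RUN="${DRY_RUN:-1}"

# Print or run an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# INPUT rules in the order they must be appended. iptables walks INPUT top to bottom,
# so the blanket REJECT on $INTERFACE ends evaluation for anything not accepted above it.
inbound_rules() {
    # replies to connections the VPN user opened through the tunnel
    ipt -A INPUT -i "$INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # the one port the provider forwards: NEW connections arrive on $INTERFACE,
    # so this ACCEPT has to come before the REJECT below
    ipt -A INPUT -i "$INTERFACE" -p tcp --dport "$VPNFWDPORT" -j ACCEPT
    ipt -A INPUT -i "$INTERFACE" -p udp --dport "$VPNFWDPORT" -j ACCEPT
    # everything else arriving over the tunnel is refused, as in the original script
    ipt -A INPUT -i "$INTERFACE" -j REJECT
    # LAN-only services: tied to $NETIF so they are never reachable through the tunnel
    for p in $LANPORTS; do
        ipt -A INPUT -i "$NETIF" -p tcp --dport "$p" -j ACCEPT
        ipt -A INPUT -i "$NETIF" -p udp --dport "$p" -j ACCEPT
    done
}

# Returns 0 when the VPN-port ACCEPT precedes the REJECT on $INTERFACE, 1 otherwise.
check_order() {
    rules=$(DRY_RUN=1; inbound_rules)
    accept=$(printf '%s\n' "$rules" | grep -n -- "--dport $VPNFWDPORT -j ACCEPT" | head -n 1 | cut -d: -f1)
    reject=$(printf '%s\n' "$rules" | grep -n -- "-i $INTERFACE -j REJECT" | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

check_order && inbound_rules
```

Run it once in dry-run mode to review the order, then splice the inbound_rules lines into iptables.sh in place of the "allow responses" through REJECT block.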