Old 05-19-2015, 11:55 AM   #1
Märk Owen
LQ Newbie
 
Registered: Nov 2014
Posts: 22

(OpenVPN) Route one user's traffic into tun0 with iptables


Hello,

All I'm trying to do is bind my torrenting application (deluge) to my VPN's interface: tun0. I've been unsuccessful so far, when checking my IP online I see both my personal IP AND my VPN's IP. Deluge is run by two users with id 125 and 126. I added the "route-nopull" option to OpenVPN in order to prevent all of my traffic from being routed into tun0 because this machine is not only meant for torrenting.

Here is my full iptables script with the rules concerning deluge in bold:

Quote:
#!/bin/sh
#
# IPTables firewall script. There are many. This is mine.
#


#
# Ensure sane path
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Variables
LOCALsrc='-s 127.0.0.0/8,192.168.1.2'
LOCALdest='-d 127.0.0.0/8,192.168.1.2'
LANsrc='-s 192.168.1.0/24'
LANdest='-d 192.168.1.0/24'
ADMINsrc='-s 192.168.1.11'
ADMINdest='-d 192.168.1.11'
Internet1='eth0'
VPN1='tun0'

#
# When running from the command line, provide a -v option to print the
# installed rules at the end.
#
verbose=
if [ "$1" = "-v" ]; then
    shift
    verbose=on
fi

#
# Rather than duplicate entries for iptables and ip6tables, have some small
# wrapper functions do it for us.
#
# ip4tbl - apply ruleset for just iptables
# ip6tbl - apply ruleset for just ip6tables
# iptbl - apply ruleset for both iptables and ip6tables
#
ip4tbl()
{
    iptables "$@"
}
ip6tbl()
{
    ip6tables "$@"
}
iptbl()
{
    ip4tbl "$@"
    ip6tbl "$@"
}

#
# Flush all rulesets
#
iptbl -F
iptbl -X

#
# Block by default except outgoing traffic
#
iptbl -P INPUT DROP
iptbl -P FORWARD DROP
iptbl -P OUTPUT DROP

#
# Allow everything on loopback
#
ip4tbl -A INPUT -i lo -j ACCEPT
ip4tbl -A OUTPUT -o lo -j ACCEPT

#
# Permit established connections
#
ip4tbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -i $VPN1 -j ACCEPT

#
# Permit allowed services on all interfaces. DNS is restricted to my public
# DNS servers, this just runs a hidden master.
#

#################
## INPUT RULES ##
#################
# openSSH
ip4tbl -A INPUT -p tcp -m tcp --dport 22 $ADMINsrc $LOCALdest -i $Internet1 -j ACCEPT
# DNS
ip4tbl -A INPUT -p tcp -m tcp --dport 53 -s 192.168.1.0/24 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 53 -s 192.168.1.0/24 -i $Internet1 -j ACCEPT
# HTTP
ip4tbl -A INPUT -p tcp -m tcp --dport 80 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8080 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8081 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 8083 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# HTTPS
ip4tbl -A INPUT -p tcp -m tcp --dport 443 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# NFS
ip4tbl -A INPUT -p tcp -m tcp --dport 111 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 111 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 2049 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 2049 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32764 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32764 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32765 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32765 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32766 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32766 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32767 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32767 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32768 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32768 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 32769 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 32769 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# Deluged (web interface)
ip4tbl -A INPUT -p tcp -m tcp --dport 8112 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# Samba
ip4tbl -A INPUT -p tcp -m tcp --dport 137 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 137 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 138 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 138 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 139 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 139 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p tcp -m tcp --dport 445 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 445 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# mySQL server
ip4tbl -A INPUT -p tcp -m tcp --dport 3306 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 3306 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# isc-dhcp-server
ip4tbl -A INPUT $LANsrc $LANdest -p tcp --sport 68 --dport 67 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LANdest -p udp --sport 68 --dport 67 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT -p udp -m udp --dport 69 $LANsrc $LOCALdest -i $Internet1 -j ACCEPT
# murmur (mumble-server)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 64738 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p udp -m udp --dport 64738 -i $Internet1 -j ACCEPT
# saned (scanner)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6566 -i $Internet1 -j ACCEPT
# cups (print server)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 631 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p udp -m udp --dport 631 -i $Internet1 -j ACCEPT
# VNC server
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 5901 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6001 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 5902 -i $Internet1 -j ACCEPT
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 6002 -i $Internet1 -j ACCEPT
# icecast2 (music & radio streaming)
ip4tbl -A INPUT $LANsrc $LOCALdest -p tcp -m tcp --dport 9000 -i $Internet1 -j ACCEPT
# Permit ICMP
ip4tbl -A INPUT $LANsrc $LOCALdest -p icmp -i $Internet1 -j ACCEPT
##########################
## END OF INPUT RULES ##
##########################

##########################
## FORWARD RULES ##
##########################
##########################
## END OF FORWARD RULES ##
##########################

##########################
## OUTPUT RULES ##
##########################
# General traffic
ip4tbl -A OUTPUT $LOCALsrc -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc $LANdest -p tcp -m tcp -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc $LANdest -p udp -m udp -o $Internet1 -j ACCEPT
# HTTP
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 80 -o $Internet1 -j ACCEPT
# HTTPS
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 443 -o $Internet1 -j ACCEPT
# DNS
ip4tbl -A OUTPUT $LOCALsrc -p tcp -m tcp --dport 53 -o $Internet1 -j ACCEPT
ip4tbl -A OUTPUT $LOCALsrc -p udp -m udp --dport 53 -o $Internet1 -j ACCEPT
# Deluge
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 125 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 \! -o $VPN1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p udp -m udp -m owner --uid-owner 126 -o $VPN1 -j ACCEPT
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp -m owner --uid-owner 125 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6881 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6881 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6882 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6882 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6891 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6891 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6892 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6892 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 6771 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 6771 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 36539 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 36539 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 36653 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 36653 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 45346 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 45346 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 4433 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 4433 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p tcp -m tcp --dport 4434 -o $Internet1 -j DROP
ip4tbl -A OUTPUT -p udp -m udp --dport 4434 -o $Internet1 -j DROP

##########################
## END OF OUTPUT RULES ##
##########################

#
# Log denied connections
#
#LOGCOMMON='-m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7'
iptbl -A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7
iptbl -A INPUT -p udp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7
ip4tbl -A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix 'iptables: ' --log-level 7

#
# Finally, reject to keep open connections down
#
iptbl -A INPUT -j REJECT

#
# Display INPUT chain if verbose
#
if [ -n "${verbose}" ]; then
    iptables -L INPUT -vn --line-numbers
    ip6tables -L INPUT -vn --line-numbers
fi

Ports 6881, 6882, 6891 and 6892 were manually set in Deluge's config rather than letting the application choose them randomly. Ports 6771, 36539, 36653, 45346, 4433, 4434 were found to be used by Deluge when I inspected the open ports of my machine.

eth0 is my default interface and tun0 is my VPN's interface. What am I missing here?

Thank you in advance.
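An added example, not the poster's script, covering the two things a practitioner checks when pinning one UID's egress to a VPN interface with iptables. First, an ordering audit: iptables evaluates a chain top to bottom and the first matching rule decides, so any broad ACCEPT listed above the `-m owner` rules makes those rules unreachable for packets the broad rule already matched. Second, the filter rules and the policy-routing commands in the order that works with OpenVPN's `route-nopull`: without a marked route into the tunnel, the UID's packets still follow the main table towards eth0, where the per-UID DROP catches them instead of sending them through tun0. The sample listing is constructed, and the interface names, UID, LAN prefix, fwmark and table numbers are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script). Audits rule order in an
# `iptables -S OUTPUT` listing and prints the per-UID rules plus the
# policy-routing commands in an order that works. Nothing here applies
# rules to the running kernel; review the printed commands first.

# Constructed listing in `iptables -S OUTPUT` shape (not captured from any
# real host): a broad ACCEPT on eth0 sits above the owner-matched rules.
SAMPLE_BAD='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.2/32 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp -m owner --uid-owner 125 -j DROP
-A OUTPUT -o tun0 -m owner --uid-owner 125 -j ACCEPT'

# blanket_accept_before_owner LISTING
# Exit 0 and print the offending rule when an ACCEPT that is not narrowed
# by port, destination or the loopback device appears before the first
# "-m owner" rule; exit 1 when the order is sound (or no owner rule exists).
blanket_accept_before_owner() {
    printf '%s\n' "$1" | awk '
        /-m owner/ { exit 1 }
        /-j ACCEPT/ && !/--dport/ && !/--sport/ && !/ -d / && !/-o lo/ {
            print "broad ACCEPT shadows the owner rules: " $0
            found = 1
            exit 0
        }
        END { if (!found) exit 1 }'
}

# vpn_bound_uid_rules UID WAN VPN
# Print (do not apply) OUTPUT rules for one UID in the order iptables must
# see them: the per-UID decision first, the general WAN ACCEPT last.
vpn_bound_uid_rules() {
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $3 -m owner --uid-owner $1 -j ACCEPT
-A OUTPUT ! -o $3 -m owner --uid-owner $1 -j DROP
-A OUTPUT -o $2 -j ACCEPT
EOF
}

# policy_routing_commands UID VPN MARK TABLE LAN
# With route-nopull the main table still sends this UID's packets towards
# the WAN, so they must be steered into the tunnel: mark them by owner in
# the mangle table (LAN destinations excluded so local services keep
# working) and route marked packets through a table whose only default
# route is the tunnel device (point-to-point tun; subnet topology needs
# "via <vpn gateway>"). MASQUERADE rewrites the source address to the
# tunnel's, because the kernel chose a source address during the first
# route lookup, before the mark existed. rp_filter=2 (loose) on the tunnel
# keeps replies arriving on it from failing the strict reverse-path check.
policy_routing_commands() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $1 ! -d $5 -j MARK --set-mark $3
iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
ip rule add fwmark $3 table $4
ip route add default dev $2 table $4
sysctl -w net.ipv4.conf.$2.rp_filter=2
EOF
}

# Demonstration: audit the constructed listing, then audit the generated one.
if blanket_accept_before_owner "$SAMPLE_BAD"; then
    echo "generated ruleset for comparison:"
    vpn_bound_uid_rules 125 eth0 tun0
    if ! blanket_accept_before_owner "$(vpn_bound_uid_rules 125 eth0 tun0)"; then
        echo "generated ruleset keeps the owner rules reachable"
    fi
    echo "routing commands to review:"
    policy_routing_commands 125 tun0 1 100 192.168.1.0/24
fi
```

To audit a live chain, feed it `iptables -S OUTPUT` output: `blanket_accept_before_owner "$(iptables -S OUTPUT)"`. A `-s <local address>` ACCEPT is deliberately counted as broad, since a daemon running on the host sends from that address and would be accepted before any later owner rule is consulted. After applying rules, confirm the result with a connection made as the pinned UID and with `ip route get <peer> mark 1` to see which device the marked lookup selects.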
 
  

