deluge-vpn
Questions regarding few iptables rules
Greetings,
Sorry to bother you, but I have some questions regarding a few iptables rules. I have tested the scripts and they seem to work fine. But since I didn't find any way to be sure that all the traffic was routed the right way, I'm trying to understand the iptables and routing rules.
- Why are you explicitly mangling/NATing/routing the DNS traffic? Should it not already be sent through the VPN with the other rules?
- What are you trying to accomplish with this rule? Why are the arguments -m owner --uid-owner $VPNUSER not used here?
  iptables -t mangle -A OUTPUT ! --src $LAN_NETWORK -j MARK --set-mark $MARK_ID
- And even with or without those arguments, what exactly is the purpose of marking all the traffic not originating from the LAN network (or at least, this is what I understand from the rule above)?
- What are you trying to reject with this rule?
  iptables -A OUTPUT ! --src $LAN_NETWORK -o $NETIF -j REJECT
Thank you for your help,
DjDCH
Hi
This is a work in progress, and I haven't actually used this myself yet, so it's a bit rough around the edges. iptables_user_filter.sh is basically copied from https://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/ with only a few minor changes.
I also planned to create a script to route torrent traffic based on ports, but I haven't gotten that far yet.
That is to change the DNS requests to use Google servers instead of the default configured DNS servers, usually from the ISP.
The other rule above matches only when the destination is not LAN_NETWORK ( ! --dest $LAN_NETWORK ); however, with the local router IP set up in /etc/resolv.conf, the rule will not match.
However, when testing this I can't get it to work. It seems the DNS lookup packets aren't matching the -m owner --uid-owner $VPNUSER rule, so the NAT rule to change the DNS destination IP is not applied.
The idea is to route any packet that is sent from an IP on the VPN net over the tun0 interface. E.g. by binding a socket to the tun0 IP, all the packets will be sent over the tun0 interface.
This allows any user to use the VPN interface by binding to the tun0 IP.
That one is inherited from the original script, but I haven't really thought that one through. I can't really make any sense of it to be honest, so it can probably be removed.
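The mechanism the reply describes (mark one user's packets, policy-route marked packets and tunnel-sourced packets to tun0, redirect that user's DNS, and reject anything of theirs that would leave on the physical interface), written out as an added example. This is not the deluge-vpn project's script and not the niftiestsoftware script it was copied from; the user name, interface names, networks, resolver address, mark value and routing table number are placeholder assumptions, and RUN=echo prints the commands for review instead of executing them.

```shell
#!/bin/sh
# Added example, not the deluge-vpn project's own iptables_user_filter.sh.
# Every value below is an assumed placeholder; adjust to the host.
# RUN=echo turns the script into a dry run that only prints the commands.
VPNUSER="${VPNUSER:-deluge}"                  # assumed: user whose traffic must use the VPN
NETIF="${NETIF:-eth0}"                        # assumed: physical interface
VPN_IF="${VPN_IF:-tun0}"                      # assumed: tunnel interface
LAN_NETWORK="${LAN_NETWORK:-192.168.1.0/24}"  # assumed LAN range
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"     # assumed tunnel address range
MARK_ID="${MARK_ID:-2}"                       # assumed fwmark value
ROUTE_TABLE="${ROUTE_TABLE:-200}"             # assumed policy routing table number
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"           # public resolver, as the reply suggests
RUN="${RUN:-}"                                # "echo" for a dry run, empty to execute (root)

apply_rules() {
  # DNS first: mark the user's port-53 traffic before the LAN exclusion below.
  # mangle/OUTPUT runs before nat/OUTPUT, so at this point the destination is
  # still the resolver from /etc/resolv.conf; if that is the LAN router, the
  # "! --dest LAN" rule would skip it and the query would never be marked.
  $RUN iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPNUSER" -p udp --dport 53 -j MARK --set-mark "$MARK_ID"
  $RUN iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPNUSER" -p tcp --dport 53 -j MARK --set-mark "$MARK_ID"
  # Everything else from the user that is not destined for the LAN gets the mark.
  $RUN iptables -t mangle -A OUTPUT ! --dest "$LAN_NETWORK" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark "$MARK_ID"
  # Rewrite the user's DNS queries so they go to $DNS_SERVER through the tunnel.
  $RUN iptables -t nat -A OUTPUT -m owner --uid-owner "$VPNUSER" -p udp --dport 53 -j DNAT --to-destination "$DNS_SERVER"
  $RUN iptables -t nat -A OUTPUT -m owner --uid-owner "$VPNUSER" -p tcp --dport 53 -j DNAT --to-destination "$DNS_SERVER"
  # Source-NAT whatever leaves the tunnel so replies come back the same way.
  $RUN iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  # Fail closed: the user's non-LAN traffic must never leave on the physical NIC,
  # e.g. while the tunnel is down and the policy route below has disappeared.
  $RUN iptables -A OUTPUT -m owner --uid-owner "$VPNUSER" ! --dest "$LAN_NETWORK" -o "$NETIF" -j REJECT
  # Policy routing: marked packets, and packets whose source is a tunnel address
  # (a socket bound to the tun0 IP), use a table whose only default route is the tunnel.
  $RUN ip rule add fwmark "$MARK_ID" table "$ROUTE_TABLE"
  $RUN ip rule add from "$VPN_NETWORK" table "$ROUTE_TABLE"
  $RUN ip route add default dev "$VPN_IF" table "$ROUTE_TABLE"
  # Loose reverse-path filtering on the tunnel so the asymmetric marked flows are kept.
  $RUN sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

check_routing() {
  # Ask the kernel which interface a packet carrying the mark would use for
  # $DNS_SERVER; with the rules applied this must report the tunnel interface.
  ip route get "$DNS_SERVER" mark "$MARK_ID" | grep -q "dev $VPN_IF"
}

case "${1:-}" in
  apply) apply_rules ;;
  check) check_routing && echo "marked traffic to $DNS_SERVER leaves via $VPN_IF" ;;
esac
```

Run it as root with the apply argument to install the rules, then with check to confirm, via ip route get ... mark, that a marked packet would be routed to the tunnel; RUN=echo ./script.sh apply prints the exact rule set first. To see whether the owner rule is matching at all, which is the symptom the reply describes for DNS, the packet counters from iptables -t mangle -L OUTPUT -v -n are the quickest check.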