  1. #1
    Just Joined! | Join Date: Aug 2013 | Posts: 1

    Help with setting up iptables + openvpn

    Here is the firewall script on my home router (dd-wrt) :
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 0 > "$i"
    done

    # Delete table 100 and flush any existing rules if they exist.
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    ip route show table main | grep -Ev ^default | grep -Ev tun0 | while read ROUTE ; do
        ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    # EXAMPLES:
    #
    # All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # Ports 80 and 443 will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    # All traffic to a specific Internet IP address will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    # All UDP and ICMP traffic will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    # Tell p2p to go through the VPN. The mark must be set in PREROUTING, before the
    # routing decision is made; a mark set in POSTROUTING comes too late to change the
    # route, and iptables does not accept -i in the POSTROUTING chain at all.
    iptables -t mangle -A PREROUTING -i br0 -m layer7 --l7proto bittorrent -j MARK --set-mark 0

    What it does is route http/https and torrent traffic through a VPN service, and it does it well, but I actually have a problem: sometimes my VPN drops, and then all my traffic goes through my ISP again; I don't want that. So my question is: how can I block my torrents + http/https (not all traffic, I already found out how to block all my traffic when the VPN is gone) when my VPN is gone?

  2. #2
    Lazydog (Linux Guru) | Join Date: Jun 2004 | Location: The Keystone State | Posts: 2,677

    Since you are marking your packets I would think matching marked packets and then rejecting them on the interfaces you do not want them to pass through would be the next step.

    Match MARKed Packets

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
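The rules Lazydog's reply points at, as an added example that is not part of either post: forwarded LAN traffic still carrying mark 0 (the "must use the VPN" mark in the poster's script) is logged and rejected if it is about to leave via the WAN, which is what happens when tun0 goes away and the main table falls back to the ISP default route. Assumed, since the thread does not give them: br0 as the LAN bridge, the WAN interface name passed in as a parameter (often vlan2 or ppp0 on dd-wrt), and the chain name VPN_FAILCLOSED.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumptions: br0 is the LAN
# bridge, tun0 the VPN, the WAN interface is passed in, and, as in the
# poster's script, mark 0 means "must use the VPN" and mark 1 "may bypass".
# The functions print iptables commands; apply_vpn_fail_closed runs them.

CHAIN=VPN_FAILCLOSED   # chain name chosen for this example
LAN_IF=br0

# Print the commands that add ($1 = add) or remove ($1 = del) the rules for
# WAN interface $2. Mark 0 is also the kernel's "unmarked" value, so anything
# that slipped past the marking rules is blocked as well, which is the safe
# direction to fail. Mark 1 traffic (the deliberate bypass) is untouched.
vpn_fail_closed_rules() {
    action=$1; wan_if=$2
    case $action in
    add)
        echo "iptables -N $CHAIN"
        # rate-limited LOG first so a dropped VPN shows up in syslog
        echo "iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix \"VPN-LEAK-BLOCKED: \""
        echo "iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited"
        # -I puts the jump ahead of the firmware's own ACCEPT rules in FORWARD
        echo "iptables -I FORWARD -i $LAN_IF -o $wan_if -m mark --mark 0 -j $CHAIN"
        ;;
    del)
        echo "iptables -D FORWARD -i $LAN_IF -o $wan_if -m mark --mark 0 -j $CHAIN"
        echo "iptables -F $CHAIN"
        echo "iptables -X $CHAIN"
        ;;
    *)
        echo "usage: vpn_fail_closed_rules add|del WAN_IF" >&2
        return 1
        ;;
    esac
}

# Apply on the router itself (needs root), e.g.: apply_vpn_fail_closed add vlan2
apply_vpn_fail_closed() {
    vpn_fail_closed_rules "$1" "$2" | sh -e
}
```

While tun0 is up, mark-0 packets never hit the rule because they leave via tun0; the moment the VPN drops they would exit via the WAN and get rejected instead, so only the http/https and torrent traffic is cut, not the mark-1 traffic.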
