
I used a script from here to set up rules that make sure user transmission-daemon can only send traffic via the VPN I use.

At least that's what the author says. I have trouble understanding the following output. For example, what does the line tcp spt:9091 owner GID match debian-transmission mean? Why is there no traffic on that rule?

Hint: My ethernet port is enp3s0 (like eth0).

$ sudo iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  436 35225 f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 1085  221K ACCEPT     all  --  tun0   any     anywhere             anywhere            
 2913  923K ACCEPT     all  --  enp3s0 any     anywhere             anywhere            
  112 12221 ACCEPT     all  --  lo     any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 4540 packets, 1267K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/25     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/25     udp spt:9091 owner GID match debian-transmission
 2263  202K ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
   12  2581 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
    0     0 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable

The rule:

iptables -A OUTPUT -d 192.168.100.0/25 -p tcp --sport 9091 -m owner --gid-owner debian-transmission -o enp3s0 -j ACCEPT

will ACCEPT the packet IF it is to any IP in the range 192.168.100.0 - 192.168.100.127 AND the protocol is tcp AND the source port is 9091 AND the packet owner is debian-transmission AND it is destined for the network interface enp3s0 ELSE go to the next iptables rule.
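As an added example (not from the question or the answer), the rule walk the answer describes, simulated in Python over the OUTPUT chain listing from the question: each row's conditions are ANDed, rows are tried top to bottom, and a debian-transmission packet leaving on enp3s0 to anything but 192.168.100.0/25 from source port 9091 falls through to the REJECT row, which is why the two 9091 rows stay at 0 packets. The Packet type and its fields are my assumption, and this toy ignores the other fields real iptables matching can look at.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: the OUTPUT chain rows copied from the `iptables -L -v` listing above.
OUTPUT_CHAIN = """\
    0     0 ACCEPT     tcp  --  any    enp3s0  anywhere             192.168.100.0/25     tcp spt:9091 owner GID match debian-transmission
    0     0 ACCEPT     udp  --  any    enp3s0  anywhere             192.168.100.0/25     udp spt:9091 owner GID match debian-transmission
 2263  202K ACCEPT     all  --  any    tun0    anywhere             anywhere             owner GID match debian-transmission
   12  2581 ACCEPT     all  --  any    lo      anywhere             anywhere             owner GID match debian-transmission
    0     0 REJECT     all  --  any    any     anywhere             anywhere             owner GID match debian-transmission reject-with icmp-port-unreachable
"""
OUTPUT_POLICY = "ACCEPT"  # from "Chain OUTPUT (policy ACCEPT ...)": used when no rule matches

# prot/out/dst come from the fixed columns; sport ("spt:NNNN") and gid ("owner GID match NAME")
# are pulled out of the free-form match text at the end of the row (None when absent).
Rule = namedtuple("Rule", "target prot out dst sport gid")
# Assumed shape of a hypothetical outgoing packet: protocol, egress interface, IPv4 destination,
# local source port, and the primary group of the process that created it.
Packet = namedtuple("Packet", "prot out dst sport gid")

def parse_output_chain(listing):
    """`iptables -L -v` rows have 9 fixed columns, then free-form match text."""
    rules = []
    for line in listing.splitlines():
        f = line.split(None, 9)
        extra = f[9] if len(f) > 9 else ""
        spt = re.search(r"spt:(\d+)", extra)
        gid = re.search(r"GID match (\S+)", extra)
        rules.append(Rule(f[2], f[3], f[6], f[8],
                          int(spt.group(1)) if spt else None,
                          gid.group(1) if gid else None))
    return rules

def matches(rule, pkt):
    """All conditions on a rule line must hold (logical AND); otherwise the rule is skipped."""
    return (rule.prot in ("all", pkt.prot)
            and rule.out in ("any", pkt.out)
            and (rule.dst == "anywhere"
                 or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.gid is None or rule.gid == pkt.gid))

def verdict(rules, pkt):
    """First matching rule decides; with no match the chain policy applies (index 0)."""
    for i, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return i, rule.target
    return 0, OUTPUT_POLICY
```

Running `verdict` with a few constructed packets shows that only traffic out tun0 or lo, or the narrow 9091 case to the LAN /25, gets past the REJECT row for the debian-transmission group, while packets from any other group never touch these rows and fall to the chain policy.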

  • So this means that the VPN could be sending from `127.0.0.1:9091` (which is tun0) to `enp3s0`. Why is there no traffic? Does `tun0` have to send to `enp3s0` to send something out? Also, I wanted to edit your answer (`.1.` to `.100.`), but I have to edit more than 6 characters to be able to save it. :) – bomben Dec 15 '20 at 08:42
  • Was able to edit now. – bomben Dec 15 '20 at 08:49
  • Ah, `tun0` is actually `10.8.8.9`, so there must be another reason for the rule for `9091`. Probably the web interface (which I don't use). – bomben Dec 15 '20 at 08:51
  • So, an important part is the last line `REJECT ... owner GID match debian-transmission reject-with icmp-port-unreachable`: Any packet that did not match the previous rules gets rejected in the output chain if it is sent by this specific user. Therefore it is impossible to send any packet to `enp3s0` with that user? – bomben Dec 15 '20 at 09:15
  • @Ben You can *send* packets to an interface but they will be rejected, yes. That restricts the `debian-transmission` user from transmitting to anywhere other than the VPN tunnel, or to the private network on port 9025. – Thomas Ward Dec 15 '20 at 14:57