  1. #! /bin/bash
  2. # http://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/
  3. # Mark all packets for the VPN
  4. export INTERFACE="tun0"
  5. export VPNUSER="rt"
  6. export LANIP="192.168.0.0/24"
  7. export NETIF="enp2s0"
  8.  
  9. iptables -F -t nat
  10. iptables -F -t mangle
  11. iptables -F -t filter
  12.  
  13. # mark packets from $VPNUSER
  14. iptables -t mangle -A PREROUTING ! -s $LANIP  -j MARK --set-mark 0x1
  15. iptables -t mangle -A OUTPUT ! --dest $LANIP  -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
  16. iptables -t mangle -A OUTPUT ! --src $LANIP -j MARK --set-mark 0x1
  17.  
  18. # allow responses
  19. iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
  20.  
  21. # allow bittorrent
  22. ## Edit: Changed the ports here to my rtorrent port range.
  23. iptables -A INPUT -i $INTERFACE -p tcp --dport 55500:55555 -j ACCEPT
  24. #iptables -A INPUT -i $INTERFACE -p tcp --dport 59560 -j ACCEPT
  25. #iptables -A INPUT -i $INTERFACE -p tcp --dport 6443 -j ACCEPT
  26.  
  27. iptables -A INPUT -i $INTERFACE -p udp --dport 55500:55555 -j ACCEPT
  28. #iptables -A INPUT -i $INTERFACE -p udp --dport 8881 -j ACCEPT
  29. #iptables -A INPUT -i $INTERFACE -p udp --dport 7881 -j ACCEPT
  30.  
  31. # block everything incoming on $INTERFACE
  32. iptables -A INPUT -i $INTERFACE -j REJECT
  33.  
  34. # send DNS to google (8.8.8.8 & 8.8.4.4) for $VPNUSER
  35. ## Edit: Changed to Cyberghost VPN dns-servers
  36. iptables -t nat -A OUTPUT --dest $LANIP -p udp --dport 53  -m owner --uid-owner $VPNUSER  -j DNAT --to-destination 79.141.167.14
  37. iptables -t nat -A OUTPUT --dest $LANIP -p tcp --dport 53  -m owner --uid-owner $VPNUSER  -j DNAT --to-destination 79.141.160.2
  38.  
  39. # allow web interface
  40. ## Edit: Not too sure about this. What port is this?
  41. iptables -A OUTPUT -p tcp --dport 6443 -m owner --uid-owner $VPNUSER -j ACCEPT
  42.  
  43. # let $VPNUSER access lo and $INTERFACE
  44. iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
  45. iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
  46.  
  47. # all packets on $INTERFACE needs to be masqueraded
  48. iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
  49.  
  50. iptables -t mangle -A OUTPUT -p tcp --sport 6443  -m owner --uid-owner $VPNUSER  -j MARK --set-mark 0x2
  51.  
  52. # reject connections from predator ip going over $NETIF
  53. iptables -A OUTPUT ! --src $LANIP -o $NETIF -j REJECT
  54.  
  55. ## Edit: Start routing script/script2
  56. /etc/openvpn/route_vpn.sh
  57.  
  58. exit 0