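#!/usr/bin/env bash
# up.sh — route one system user's traffic through a VPN tunnel, with a kill switch.
#
# Part I (iptables): mark packets from $VPNUSER (except LAN traffic) with fwmark 0x1,
# restrict what may enter via $INTERFACE, send that user's DNS to the VPN's resolvers,
# masquerade on $INTERFACE and reject VPN-sourced packets that try to leave via $NETIF.
# Part II (iproute2): a policy-routing rule sends fwmark 0x1 to the routing table named
# after $VPNUSER, whose default route is the VPN gateway with a loopback fallback.
#
# Must run as root. Requires iptables and iproute2 (`ip`); `ifconfig` is no longer used.
# NOTE(review): `lookup $VPNUSER` needs a matching entry in /etc/iproute2/rt_tables — confirm
# it exists on the host, otherwise the `ip rule`/`ip route ... table` commands fail.
# NOTE(review): the OUTPUT chain's default policy is never set here; the per-user ACCEPT
# rules below only have an effect if that policy is DROP elsewhere. The only egress kill
# switch in this script is the final REJECT on $NETIF.

# Stop on the first failed command and on unset variables: a half-applied ruleset is
# reported (non-zero exit, daemon not restarted) instead of silently continuing.
set -eu

export INTERFACE="tun0"                 # VPN tunnel interface
export VPNUSER="debian-transmission"    # uid whose traffic is tunneled; also the rt_tables name
export LANIP="192.168.1.0/24"           # local network that must not go through the VPN
export NETIF="eth0"                     # physical uplink that VPN-sourced packets must never use

readonly FWMARK="0x1"                   # mark selecting the $VPNUSER routing table
readonly VPN_DNS_UDP="46.246.46.46"     # VPN provider's resolver used for UDP/53
readonly VPN_DNS_TCP="194.132.32.23"    # VPN provider's resolver used for TCP/53

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'up.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Part I: flush and rebuild the nat/mangle/filter rules.
# Globals: INTERFACE, VPNUSER, LANIP, NETIF, FWMARK, VPN_DNS_UDP, VPN_DNS_TCP (read)
#######################################
setup_firewall() {
  iptables -F -t nat
  iptables -F -t mangle
  iptables -F -t filter

  # Mark $VPNUSER's non-LAN traffic, plus its DNS queries aimed at the LAN (those are
  # DNAT'ed to the VPN resolvers below), so setup_routing() sends them via the tunnel.
  iptables -t mangle -A OUTPUT ! --destination "$LANIP" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark "$FWMARK"
  iptables -t mangle -A OUTPUT --destination "$LANIP" -p udp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark "$FWMARK"
  iptables -t mangle -A OUTPUT --destination "$LANIP" -p tcp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark "$FWMARK"
  # Locally generated packets with a non-LAN source address (i.e. the tunnel's address)
  # are marked too, whatever uid produced them.
  iptables -t mangle -A OUTPUT ! --source "$LANIP" -j MARK --set-mark "$FWMARK"

  # Inbound on the tunnel: replies to established connections ...
  iptables -A INPUT -i "$INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # ... and the application's listening ports (TCP and UDP for each) ...
  local port proto
  for port in 56287 56969 80; do
    for proto in tcp udp; do
      iptables -A INPUT -i "$INTERFACE" -p "$proto" --dport "$port" -j ACCEPT
    done
  done
  # ... everything else arriving on the tunnel is rejected.
  iptables -A INPUT -i "$INTERFACE" -j REJECT

  # Redirect $VPNUSER's DNS queries to the VPN provider's resolvers instead of the LAN resolver.
  iptables -t nat -A OUTPUT --destination "$LANIP" -p udp --dport 53 -m owner --uid-owner "$VPNUSER" -j DNAT --to-destination "$VPN_DNS_UDP"
  iptables -t nat -A OUTPUT --destination "$LANIP" -p tcp --dport 53 -m owner --uid-owner "$VPNUSER" -j DNAT --to-destination "$VPN_DNS_TCP"

  # $VPNUSER may use loopback and the tunnel (only meaningful if OUTPUT policy is DROP).
  iptables -A OUTPUT -o lo -m owner --uid-owner "$VPNUSER" -j ACCEPT
  iptables -A OUTPUT -o "$INTERFACE" -m owner --uid-owner "$VPNUSER" -j ACCEPT

  # Everything leaving through the tunnel is NATed to the tunnel address.
  iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE

  # Kill switch: packets with a non-LAN (tunnel) source must never leave via the physical uplink.
  iptables -A OUTPUT ! --source "$LANIP" -o "$NETIF" -j REJECT
}

#######################################
# Print the gateway address to use for the tunnel, or nothing if none is found.
# Same heuristic as the original `ifconfig` parse, applied to `ip` output: take every
# IPv4 address shown for the interface, drop masks/broadcasts (containing "255") and
# loopback, keep the last one (the point-to-point peer when present, else the local address).
# Arguments: $1 - interface name
# Outputs:   gateway address on stdout
#######################################
vpn_gateway() {
  ip -4 addr show dev "$1" \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -Ev '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' \
    | tail -n1
}

#######################################
# Part II: policy routing for marked packets.
# Globals: INTERFACE, VPNUSER, FWMARK (read)
#######################################
setup_routing() {
  local gateway
  gateway=$(vpn_gateway "$INTERFACE")
  [[ -n "$gateway" ]] || die "could not determine the VPN gateway on $INTERFACE (is the tunnel up?)"

  # Match the whole rule rather than the bare substring "0x1", which would also match
  # unrelated marks such as 0x10 and skip adding the rule.
  if ! ip rule list | grep -qF -- "fwmark $FWMARK lookup $VPNUSER"; then
    ip rule add from all fwmark "$FWMARK" lookup "$VPNUSER"
  fi
  ip route replace default via "$gateway" table "$VPNUSER"
  # Fallback default via loopback: when the tunnel goes down its route disappears and
  # marked traffic is blackholed instead of leaking. Appended only once to stay idempotent.
  if ! ip route show table "$VPNUSER" | grep -qF -- "default via 127.0.0.1 dev lo"; then
    ip route append default via 127.0.0.1 dev lo table "$VPNUSER"
  fi
  ip route flush cache
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  command -v ip >/dev/null || die "ip (iproute2) not found"
  setup_firewall
  setup_routing
  service transmission-daemon restart
}

main "$@"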