
I am having a bit of trouble with a solution that I have come up with for VPN access.

Here is what I want:

  • all traffic that comes from deluge always goes through the VPN
  • when VPN disconnects, deluge's internet connection is cut
  • when VPN disconnects, I can still access the daemon locally through SSH and through the thin client
  • when VPN reconnects, I want deluge to re-establish connection.

Here are the current iptables I have:

sudo iptables -A OUTPUT -m owner --gid-owner pi -o lo -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner pi -d 10.0.0.0/16 \! -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --gid-owner pi  \! -o tun0 -j REJECT

This works, kind of. It does have some problems:

  • after the VPN disconnects it can't reconnect because of my second rule (I assume)

After some research, it seems there is no feature in iptables to apply rules based on process/application, only by gid or uid. Is that correct?

So is my thinking correct that the only solution would be to run deluged as a different user and then target that specific user in the iptables rules? This way VPN (which is currently run by the same user as deluged) can reconnect.

PS: an audit of my current iptables would be appreciated!

Thanks everyone, I appreciate the help!

nojohnny101

1 Answer


Your Netfilter rules are in the wrong order: The third one is never hit because it is a special case of the second rule.

Under normal conditions the packets sent by openvpn belong to root because superuser privilege is required to set up an interface and routing. Thus the user-specific rules should not match.

You can use tcpdump for checking whether the packets of the new OpenVPN connection leave your system. If they do not then you can use the Netfilter target TRACE to see what happens to them.

Hauke Laging
  • Thanks for the help. I have recorded the iptable rules as you suggested. So from my current iptable rules, the VPN should reconnect correct because it is running as root and the above rules only apply to user "pi". Correct? I will do some more testing as you suggested although my iptable knowledge is limited so I will probably have to ask again what to do once I trace down the problem. – nojohnny101 Dec 11 '17 at 05:50
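An added example, not code from the question, the answer or the Deluge project: a small POSIX shell script that turns the questioner's idea (run deluged as its own user and target that user with owner matching) into a first-match OUTPUT rule set, and wraps the two checks the answer suggests (rule counters and a tcpdump of the VPN handshake). The user name "deluge", the physical interface eth0 and the VPN port UDP 1194 are assumptions; the LAN 10.0.0.0/16 and the tunnel interface tun0 are taken from the question.

```shell
#!/bin/sh
# Added example (editor's code, not from the question or the answer):
# confine one dedicated user's traffic to the VPN with iptables owner matching,
# and check the result. Assumed names (not on the page): the daemon user is
# "deluge", the physical interface is eth0, the VPN server is reached on UDP 1194.
# Taken from the page: LAN 10.0.0.0/16, tunnel interface tun0.
set -eu

USER_NAME=${USER_NAME:-deluge}
LAN_CIDR=${LAN_CIDR:-10.0.0.0/16}
TUN_IF=${TUN_IF:-tun0}

# Print the OUTPUT-chain rules for one user, in first-match order, one per line.
# Usage: build_rules USER LAN_CIDR TUN_IF
build_rules() {
    u=$1 lan=$2 tun=$3
    # loopback: the local RPC client and SSH to localhost keep working with the VPN down
    echo "iptables -A OUTPUT -m owner --uid-owner $u -o lo -j ACCEPT"
    # LAN: thin client and SSH from the local network, never routed into the tunnel
    echo "iptables -A OUTPUT -m owner --uid-owner $u -d $lan ! -o $tun -j ACCEPT"
    # tunnel: everything else from this user is allowed only via the VPN interface
    echo "iptables -A OUTPUT -m owner --uid-owner $u -o $tun -j ACCEPT"
    # catch-all: with the tunnel down nothing matched above, so the packet is rejected;
    # packets from other users (openvpn runs as root) never match these rules at all
    echo "iptables -A OUTPUT -m owner --uid-owner $u -j REJECT"
}

# Create the dedicated system user; deluged then runs as it, e.g. "sudo -u deluge deluged".
create_user() {
    id "$1" >/dev/null 2>&1 || sudo useradd --system --shell /usr/sbin/nologin "$1"
}

# Apply the printed rules with sudo, one command per line.
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # word splitting of the rule line is intended
        sudo $cmd
    done
}

# Show per-rule packet counters: after a download attempt with the VPN down, the
# REJECT counter should rise while the non-tunnel ACCEPT rules stay quiet.
show_counters() {
    sudo iptables -L OUTPUT -v -n --line-numbers
}

# The check from the answer: watch whether the new VPN handshake actually leaves
# the physical interface (interface and port are assumptions, see above).
watch_vpn_egress() {
    sudo tcpdump -ni "$1" "udp port $2"
}

case "${1:-show}" in
    show)     build_rules "$USER_NAME" "$LAN_CIDR" "$TUN_IF" ;;
    apply)    create_user "$USER_NAME"; apply_rules "$USER_NAME" "$LAN_CIDR" "$TUN_IF" ;;
    counters) show_counters ;;
    watch)    watch_vpn_egress "${2:-eth0}" "${3:-1194}" ;;
    *)        echo "usage: $0 {show|apply|counters|watch [IFACE PORT]}" >&2; exit 2 ;;
esac
```

Running the script with no argument only prints the rules for review; `apply` creates the user and installs them. Two caveats a practitioner should keep in mind: the rules are IPv4 only, so an IPv6-capable daemon needs the same set in ip6tables or the traffic simply bypasses them, and iptables rules do not survive a reboot unless they are saved with the distribution's persistence mechanism. Because `-m owner` matches only locally generated packets, the set leaves forwarded traffic and every other user's packets untouched, which is exactly why the root-owned VPN client can reconnect.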