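#!/bin/sh
#
# IPv4 VPN "kill switch" for a host with one physical NIC.
#
# Only processes running under the VPN client's group may leave through the
# physical interface; everything else may only use lo, the LAN and the tun+
# device, so if the tunnel goes down ordinary traffic is dropped rather than
# leaked.  The VPN client's own packets are fwmark'ed and routed through a
# separate table that holds the real default gateway, while the main table
# gets a deliberately unreachable default so the fwmark rule is consulted.
#
# Must run as root.  All values below can be overridden from the environment:
#   IFACE          physical interface                  (default enp1s0)
#   LAN            LAN prefix                          (default 192.168.122.0/24)
#   GATEWAY        real default gateway                (default 192.168.122.1)
#   DUMMY_GW       unreachable gateway for main table  (default 192.168.122.254)
#   VPN_GROUP      group the VPN client runs as        (default openvpn)
#   MARK           fwmark applied to VPN-client packets (default 11)
#   NOVPN_TABLE    routing table for marked packets    (default novpn;
#                  a name must be known to iproute2's rt_tables)
#   SERVICE_PORTS  TCP ports accepted on INPUT, space separated
#                  (default "8388 2222 1080 8000")
#
# NOTE(review): only iptables (IPv4) is configured.  If the host has IPv6
# connectivity, IPv6 traffic is not covered by these rules; an equivalent
# ip6tables policy would be needed for the kill switch to be complete.

# set -e
# Kept disabled: `iptables -X` fails when no user chains exist, and aborting
# half-way would leave the tables flushed without the DROP policies below.

IFACE=${IFACE:-enp1s0}
LAN=${LAN:-192.168.122.0/24}
GATEWAY=${GATEWAY:-192.168.122.1}
DUMMY_GW=${DUMMY_GW:-192.168.122.254}
VPN_GROUP=${VPN_GROUP:-openvpn}
MARK=${MARK:-11}
NOVPN_TABLE=${NOVPN_TABLE:-novpn}
SERVICE_PORTS=${SERVICE_PORTS:-"8388 2222 1080 8000"}
readonly IFACE LAN GATEWAY DUMMY_GW VPN_GROUP MARK NOVPN_TABLE SERVICE_PORTS

# Flush the tables. This may cut the system's internet.
# -F/-X remove rules and user chains but leave the chain policies as they
# are (ACCEPT on a fresh boot).  The DROP policies are only applied at the
# very end, so a failure in between leaves the host without the kill switch;
# moving the two `iptables -P ... DROP` lines directly after this block would
# make the script fail-closed at the cost of dropping packets during setup.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Let the VPN client communicate with the outside world.
#iptables -A OUTPUT -j ACCEPT -o "$IFACE"
iptables -A OUTPUT -j ACCEPT -o "$IFACE" -m owner --gid-owner "$VPN_GROUP"
#iptables -A OUTPUT -j ACCEPT -o vpn0 -m owner --gid-owner "$VPN_GROUP"

# The loopback device is harmless, and TUN is required for the VPN.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun+

# Mark the VPN client's own packets so the policy-routing rule below sends
# them out of the physical interface instead of into the tunnel, and NAT
# them onto that interface.
iptables -t mangle -A OUTPUT -m owner --gid-owner "$VPN_GROUP" -j MARK --set-mark "$MARK"
iptables -t nat -A POSTROUTING -m owner --gid-owner "$VPN_GROUP" -o "$IFACE" -j MASQUERADE

echo ip route
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767

echo add fwmark
# Lower pref than main (32766): marked packets are routed by NOVPN_TABLE first.
ip rule add fwmark "$MARK" table "$NOVPN_TABLE" pref 100

echo add to novpn table
ip route flush table "$NOVPN_TABLE"
ip route add "$LAN" dev "$IFACE" # src 192.168.122.128
#ip route add "$LAN" dev "$IFACE" table "$NOVPN_TABLE"
ip route add default via "$GATEWAY" dev "$IFACE" table "$NOVPN_TABLE"

echo add to default table
# need to add a default route for the routing code to trigger the fwmark rule at all, else there's a direct "Network is unreachable" with no packet generated.
ip route add default via "$DUMMY_GW" dev "$IFACE" # gateway does not exist, on purpose

echo rp_filter
# Disable reverse-path filtering on every interface.  Presumably needed
# because the main table and the marked lookup disagree about the route
# back to the VPN server -- TODO confirm; this also relaxes anti-spoofing
# on the LAN side.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -w "$i" ] || continue  # unmatched glob or read-only entry
  echo 0 > "$i"
done

# We should permit replies to traffic we've sent out.
# NOTE(review): ESTABLISHED only; ICMP errors belonging to our own
# connections (e.g. fragmentation-needed) are RELATED and will be dropped.
# `--state ESTABLISHED,RELATED` would admit them.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED

# allow LAN
iptables -A OUTPUT -d "$LAN" -j ACCEPT

# Locally hosted services.  NOTE(review): no -i/-s restriction, so these
# ports are reachable through tun+ from the VPN side as well as from the
# LAN; add `-i "$IFACE"` or `-s "$LAN"` if they are meant for the LAN only.
# Word-splitting on SERVICE_PORTS is intentional.
# shellcheck disable=SC2086
for port in $SERVICE_PORTS; do
  iptables -I INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done

# The default policy, if no other rules match, is to refuse traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP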