Killswitch configuration

Hi,
I would like to use Diet-PI as a seedbox. I have installed various ARR apps and Deluge on DietPi for this purpose. For security reasons, however, I absolutely need a VPN. I have a subscription with PIA and have set it up via the VPN GUI. Everything worked fine up to this point.
However, I get problems as soon as I activate the killswitch. Now I can no longer access the ARR/Deluge GUIs from the local network. As far as I understand, this is caused by the killswitch. I have tried to add the following lines to the rules for the killswitch under /var/lib/dietpi/dietpi-vpn/killswitch.rules:

-A INPUT -p tcp --dport 8989 -j ACCEPT -s
-A INPUT -p tcp --dport 7878 -j ACCEPT -s
-A INPUT -p tcp --dport 9696 -j ACCEPT -s
-A INPUT -p tcp --dport 8112 -j ACCEPT -s
-A INPUT -p tcp --dport 6767 -j ACCEPT -s

However, this causes the VPN to completely break down and it can no longer establish a connection at all. Can anyone help me here?
Thanks for your help

Maybe @trendy can help on this

What are the firewall rules before you add anything there?
iptables-save -c
And these rules are wrong because you don’t specify the source IPs.

Thx for your answer, where do I have to look for the iptables rules? I tried looking at /etc/iptables/, but the folder doesn't exist.

Did you try this?

Yes, nothing happens…

Try with sudo iptables-save -c
If nothing happens again, give a nft list ruleset

I think I found a solution on my own:
I was able to manually open the ports with

sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --dport 8112 -j ACCEPT  # Deluge
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --dport 9696 -j ACCEPT  # Prowlarr
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --dport 6767 -j ACCEPT  # Bazarr
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --dport 8989 -j ACCEPT  # Sonarr
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --dport 7878 -j ACCEPT  # Radarr

This worked, but the ports got closed again after restart. So I edited the “up” script with the following:

# Short pause to make sure the VPN rules have been fully applied
sleep 5

# Allow the local network to reach the web UIs
iptables -I INPUT 1 -s 192.168.178.0/24 -p tcp --dport 8112 -j ACCEPT
iptables -I INPUT 1 -s 192.168.178.0/24 -p tcp --dport 9696 -j ACCEPT
iptables -I INPUT 1 -s 192.168.178.0/24 -p tcp --dport 6767 -j ACCEPT
iptables -I INPUT 1 -s 192.168.178.0/24 -p tcp --dport 8989 -j ACCEPT
iptables -I INPUT 1 -s 192.168.178.0/24 -p tcp --dport 7878 -j ACCEPT

Is this a safe/correct solution in your opinion?

It’s fine, you only need to remove them upon disconnect, otherwise you might end up with thousands of lines in the firewall and it will slow down your system.
Or use iptables-restore on boot to restore an iptables-save.
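A hook that does what the reply above describes, written as an added example and not DietPi's own up/down script: the same rule text is used for `-C`, `-I` and `-D`, so the up hook only inserts a rule that is not already there and the down hook removes exactly what was added. The LAN range and ports are the ones from the thread; the `IPT` variable and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical up/down hook for the dietpi-vpn killswitch (added example, not DietPi's script).
# Assumes iptables as the backend and the LAN/ports from the thread; call with "up" or "down".
set -u

LAN_NET="${LAN_NET:-192.168.178.0/24}"
# port:name pairs for the web UIs that must stay reachable from the LAN
WEBUI_PORTS="8112:Deluge 9696:Prowlarr 6767:Bazarr 8989:Sonarr 7878:Radarr"
IPT="${IPT:-iptables}"   # assumed override point (e.g. a wrapper or a dry-run stub)

# The match part of one rule, kept in one place so -C, -I and -D use identical text
lan_rule_spec() {
    printf '%s' "-s $LAN_NET -p tcp --dport $1 -j ACCEPT"
}

# Insert only when absent: iptables -C exits 0 if an identical rule already exists,
# so repeated reconnects do not pile up duplicate rules in INPUT
add_rule() {
    # word-splitting of the spec into separate arguments is intended
    if ! $IPT -C INPUT $(lan_rule_spec "$1") 2>/dev/null; then
        $IPT -I INPUT 1 $(lan_rule_spec "$1")
    fi
}

# Delete every copy (iptables -D removes one match per call) so nothing lingers after disconnect
del_rule() {
    while $IPT -D INPUT $(lan_rule_spec "$1") 2>/dev/null; do :; done
}

apply_lan_rules() {   # "up": open the web UIs to the LAN through the killswitch
    for entry in $WEBUI_PORTS; do add_rule "${entry%%:*}"; done
}

remove_lan_rules() {  # "down": take the same rules out again
    for entry in $WEBUI_PORTS; do del_rule "${entry%%:*}"; done
}

case "${1:-}" in
    up)   apply_lan_rules ;;
    down) remove_lan_rules ;;
esac
```

Check the result after a connect/disconnect cycle with `sudo iptables-save -c`, as suggested earlier in the thread: the five ACCEPT rules should appear once while connected and be gone afterwards.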