From d61ece981808dbc4e7fac51ae09ff0a6583393fc Mon Sep 17 00:00:00 2001
From: Daniel Winzen <daniel@danwin1210.me>
Date: Sun, 23 May 2021 15:59:49 +0200
Subject: [PATCH] Fix redirection happening too soon for non-hosting user
 traffic

---
 etc/rc.local | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/etc/rc.local b/etc/rc.local
index 968ec5f..df38999 100755
--- a/etc/rc.local
+++ b/etc/rc.local
@@ -41,12 +41,9 @@ ip6tables -A OUTPUT -d ::1 -p udp --dport 53 -m owner --gid-owner www-data -j AC
 #reject all other local communication
 iptables -A OUTPUT -d 127.0.0.0/8 -m owner --gid-owner www-data -j REJECT
 ip6tables -A OUTPUT -d ::1 -m owner --gid-owner www-data -j REJECT
-#redirect all outgoing DNS querries to our dns server
-iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
-ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
-#redirect all other TCP traffic through tor
-iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
-ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
+#redirect all hosting user TCP traffic through tor
+iptables -t nat -A OUTPUT -m owner --gid-owner www-data -p tcp --syn -j REDIRECT --to-ports 9040
+ip6tables -t nat -A OUTPUT -m owner --gid-owner www-data -p tcp --syn -j REDIRECT --to-ports 9040
 #reject all other hosting user traffic
 iptables -A OUTPUT -m owner --gid-owner www-data -j REJECT
 ip6tables -A OUTPUT -m owner --gid-owner www-data -j REJECT
@@ -73,6 +70,12 @@ for clearnet in 88.191.68.178 51.15.142.60 51.255.197.148 91.121.181.58; do(
 iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN;
 iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
 )done
+#redirect all outgoing DNS querries to our dns server
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+ip6tables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+#redirect all other TCP traffic through tor
+iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
+ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 #reject everything else
 iptables -A OUTPUT -j REJECT
 ip6tables -A OUTPUT -j REJECT