
I have built my own Debian 10 router for my house, principally so it's an always-on VPN router using OpenVPN, also acting as DHCP server, with encrypted DNS using dnscrypt-proxy. Everything has been working well for some time, until I got an Amazon Prime subscription, which identifies the VPN and blocks me. The only way to get Amazon Prime working is to pull down the VPN, which I don't want to do.

Is there a way that I can use the nftables firewall to route traffic to Amazon Prime (primevideo.com or 13.32.45.99) around the VPN? Currently I only allow outbound traffic from the LAN to exit via the VPN, but there must be a way to also allow traffic to/from just this site over the WAN interface.

The VPN interface is called tun0, using OpenVPN.

Internet from the LAN is through the WAN1 interface (unless the VPN is up, when it's routed through tun0).

Here is my script for nftables when the VPN is up:

#!/bin/sh
# nftables rules while the VPN (tun0) is up. Start from an empty ruleset.
nft flush ruleset

# NAT table: send all LAN DNS to the router's own resolver (dnscrypt-proxy)
# and masquerade only what leaves through the VPN.
nft add table nat

nft add chain nat prerouting { type nat hook prerouting priority 0\; policy accept\;}
nft add rule nat prerouting udp dport 53 ip saddr 192.168.1.0/24 dnat to 192.168.1.1:53

nft add chain nat postrouting { type nat hook postrouting priority 100\; policy accept\;}
# tun0 is the only masqueraded interface, so LAN traffic has no NAT path via WAN1
nft add rule nat postrouting oifname tun0 masquerade

# Filter table for the router's own traffic. The port list covers local
# services (SSH, SMB/NetBIOS, WS-Discovery, DNS, DHCP, OpenVPN, web UIs).
nft add table filter

nft add chain filter input { type filter hook input priority 0\; policy drop\;}
nft add rule filter input iif lo accept
nft add rule filter input tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter input icmp type echo-request accept
nft add rule filter input icmp type time-exceeded accept
nft add rule filter input ct state related,established accept

nft add chain filter output { type filter hook output priority 0\; policy drop\;}
nft add rule filter output oif lo accept
nft add rule filter output tcp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output udp dport {22,137-139,445,3702,5357,53,67,68,1194,3000,61208,8080,80,443} accept
nft add rule filter output icmp type echo-request accept
nft add rule filter output icmp type time-exceeded accept
# Accepts every new outbound connection from the router itself, so the
# port lists above are a subset of what this rule already allows.
nft add rule filter output ct state new,related,established accept

# Forwarded LAN traffic: policy accept, so the exit interface is decided
# purely by routing (tun0 while the VPN is up).
nft add chain filter forward { type filter hook forward priority 0\; policy accept\;}
nft add rule filter forward ct state related,established accept

And this is the resulting nft ruleset:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        udp dport domain ip saddr 192.168.1.0/24 dnat to 192.168.1.1:domain
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "tun0" masquerade
    }
}
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        icmp type echo-request accept
        icmp type time-exceeded accept
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        tcp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        udp dport { ssh, domain, 67-68, http, 137-139, https, microsoft-ds, openvpn, 3000, 3702, 5357, http-alt, 61208 } accept
        icmp type echo-request accept
        icmp type time-exceeded accept
        ct state established,related,new accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
    }
}

The router is Debian Buster. The nft version is nftables v0.9.0 (Fearless Fosdick).

Any help would be appreciated. Thanks.

adam_c

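As an added example (not part of the question, and not the asker's code), here is one way to do what is asked: mark LAN packets for a set of bypass destinations in an nftables prerouting chain, then use policy routing so that marked packets consult a second routing table whose only route is a default via WAN1. The interface name WAN1, the LAN prefix 192.168.1.0/24 and the address 13.32.45.99 are taken from the question; the WAN1 gateway (203.0.113.1, a placeholder), the routing table id 100, the mark 0x64 and the set name bypass_vpn are assumptions. It is written to run after the question's own script, which flushes the ruleset, and it only prints its plan unless invoked with `apply` as root.

```shell
#!/bin/sh
# Added example: bypass tun0 for selected destinations with an nftables
# packet mark plus a second routing table. WAN_GW, the table id and the
# mark value are placeholders/assumptions; WAN1 and the LAN prefix come
# from the question.
set -e

WAN_IF=${WAN_IF:-WAN1}
WAN_GW=${WAN_GW:-203.0.113.1}   # placeholder: replace with the real WAN1 gateway
LAN_NET=192.168.1.0/24
BYPASS_TABLE=100                # routing table id (assumed unused elsewhere)
BYPASS_MARK=0x64                # fwmark that selects $BYPASS_TABLE

# Destinations to keep off the VPN. Only the address from the question is
# listed; a large site answers from many addresses, so this list is meant
# to be extended (prefixes are allowed because the set has the interval flag).
BYPASS_IPS="13.32.45.99"

# nft commands as text, so they can be reviewed or tested without root.
# The mark is set in a prerouting chain at priority -150, i.e. before the
# question's nat prerouting chain (priority 0) and before the routing
# decision, which is what lets the mark steer the route. The masquerade
# on WAN1 matches the mark only, so unmarked LAN traffic still has no
# NAT path via WAN1 when tun0 goes down.
nft_rules() {
    elements=$(printf '%s' "$BYPASS_IPS" | tr ' ' ',')
    cat <<EOF
add table ip mangle
add set ip mangle bypass_vpn { type ipv4_addr; flags interval; }
add element ip mangle bypass_vpn { $elements }
add chain ip mangle prerouting { type filter hook prerouting priority -150; policy accept; }
add rule ip mangle prerouting ip saddr $LAN_NET ip daddr @bypass_vpn meta mark set $BYPASS_MARK
add table ip nat
add chain ip nat postrouting { type nat hook postrouting priority 100; policy accept; }
add rule ip nat postrouting oifname "$WAN_IF" meta mark $BYPASS_MARK masquerade
EOF
}

# Policy routing for marked packets, plus loose reverse-path filtering on
# WAN1: with the VPN holding the default route, the reverse path for
# 13.32.45.99 is tun0, so strict rp_filter on WAN1 would drop the replies.
ip_cmds() {
    cat <<EOF
ip route replace default via $WAN_GW dev $WAN_IF table $BYPASS_TABLE
ip rule del fwmark $BYPASS_MARK lookup $BYPASS_TABLE 2>/dev/null || true
ip rule add fwmark $BYPASS_MARK lookup $BYPASS_TABLE priority 1000
sysctl -q -w net.ipv4.conf.$WAN_IF.rp_filter=2
EOF
}

# Number of nft rules the plan installs (one mark rule, one masquerade rule).
rule_count() {
    nft_rules | grep -c '^add rule'
}

case "${1:-}" in
    apply)
        nft_rules | nft -f -      # one transaction: all rules or none
        ip_cmds | sh -e
        ;;
    *)
        echo "# plan (run with 'apply' as root to install):"
        nft_rules
        ip_cmds
        ;;
esac
```

After applying, `ip route get 13.32.45.99 mark 0x64` should show the WAN1 gateway and `ip route get 13.32.45.99` (no mark) should still show tun0; `nft list table ip mangle` shows the set contents. Since the router also runs the LAN's resolver, the set can be refilled at startup from the names the player uses, but a single address will not cover all of them.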