Help with iptables rule, how to allow port before REJECT rule?

Question

I'm using iptables to mark packets for vpn user and to do split tunneling. vpn user is tunneled over the tun0 interface, and other users have direct access to internet. Everything works as expected, but I have a problem with one REJECT rule, namely I don't understand what is that rule exactly doing and the syntax. Now I would like to open a port over vpn connection. I can do it when I remove the last OUTPUT REJECT rule, then it works great. What rule should I add before the REJECT rule to allow the port to work and still keep the REJECT rule?

export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.28"
export NETIF="eth0"

# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow open TCP port 47657

iptables -A INPUT i $INTERFACE -p tcp --dport 47657 -j ACCEPT

# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

The problem is with the last line:

iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

1) I don't understand what exactly this line does, and the syntax.

2) If I remove this last line, the the port 47657 is open and active. If the line above is included, the port is closed. What rule should I insert before the OUTPUT REJECT rule to make only the port 47657 open?

Many thanks!

Answer 1

Something like that:

iptables -I INPUT -p tcp --dport 47657 -j ACCEPT

If TCP is the protocol you will use on this port. Remember that: -A is to append a rule in IPTABLES, it will always put in the end. If you use -I is to give it priority so it will put the rule in the beginning of the rules. You might need to put it in a exactly position if you have more rules that might mess with this rule.