LiittleCookie/vpn-install
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

iptables rules comments

Browse Source
This commit is contained in:
bedefaced 2017-04-21 00:50:46 +03:00
parent 3075a20c6b
commit 20db75b316
3 changed files with 52 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
ipsec/iptables-setup.sh
View File

@ -3,6 +3,8 @@
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source $DIR/env.sh source $DIR/env.sh
COMMENT=" -m comment --comment \"IPSEC\""
if [[ ! -e $IPTABLES ]]; then if [[ ! -e $IPTABLES ]]; then
touch $IPTABLES touch $IPTABLES
fi fi
@ -38,11 +40,11 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
if [ "$STATIC" == "$ANSIP" ]; then if [ "$STATIC" == "$ANSIP" ]; then
# SNAT # SNAT
sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG
iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
else else
# MASQUERADE # MASQUERADE
sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG
iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
fi fi
DROP="yes" DROP="yes"
@ -51,37 +53,37 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
if [ "$DROP" == "$ANSDROP" ]; then if [ "$DROP" == "$ANSDROP" ]; then
# disable forwarding # disable forwarding
iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
else else
echo "Deleting DROP rule if exists..." echo "Deleting DROP rule if exists..."
iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
fi fi
# Enable forwarding # Enable forwarding
iptables -A FORWARD -j ACCEPT eval iptables -A FORWARD -j ACCEPT $COMMENT
# MSS Clamping # MSS Clamping
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
# PPP # PPP
iptables -A INPUT -i ppp+ -j ACCEPT eval iptables -A INPUT -i ppp+ -j ACCEPT $COMMENT
iptables -A OUTPUT -o ppp+ -j ACCEPT eval iptables -A OUTPUT -o ppp+ -j ACCEPT $COMMENT
# XL2TPD # XL2TPD
iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT eval iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT $COMMENT
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT eval iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT $COMMENT
iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT eval iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT $COMMENT
iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT eval iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT $COMMENT
# IPSEC # IPSEC
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT eval iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT $COMMENT
iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT eval iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT $COMMENT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT eval iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT $COMMENT
iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT eval iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT $COMMENT
iptables -A INPUT -p esp -j ACCEPT eval iptables -A INPUT -p esp -j ACCEPT $COMMENT
iptables -A OUTPUT -p esp -j ACCEPT eval iptables -A OUTPUT -p esp -j ACCEPT $COMMENT
iptables -A INPUT -p ah -j ACCEPT eval iptables -A INPUT -p ah -j ACCEPT $COMMENT
iptables -A OUTPUT -p ah -j ACCEPT eval iptables -A OUTPUT -p ah -j ACCEPT $COMMENT
iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES

30
openvpn/iptables-setup.sh
View File

@ -3,6 +3,8 @@
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source $DIR/env.sh source $DIR/env.sh
COMMENT=" -m comment --comment \"OPENVPN\""
if [[ ! -e $IPTABLES ]]; then if [[ ! -e $IPTABLES ]]; then
touch $IPTABLES touch $IPTABLES
fi fi
@ -38,11 +40,11 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
if [ "$STATIC" == "$ANSIP" ]; then if [ "$STATIC" == "$ANSIP" ]; then
# SNAT # SNAT
sed -i -e "s@PUBLICIP@$IP@g" $OPENVPNCONFIG sed -i -e "s@PUBLICIP@$IP@g" $OPENVPNCONFIG
iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
else else
# MASQUERADE # MASQUERADE
sed -i -e "/PUBLICIP/d" $OPENVPNCONFIG sed -i -e "/PUBLICIP/d" $OPENVPNCONFIG
iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
fi fi
DROP="yes" DROP="yes"
@ -52,29 +54,29 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
if [ "$DROP" == "$ANSDROP" ]; then if [ "$DROP" == "$ANSDROP" ]; then
# disable forwarding # disable forwarding
sed -i -e "/client-to-client/d" $OPENVPNCONFIG sed -i -e "/client-to-client/d" $OPENVPNCONFIG
iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
iptables -A FORWARD -i tun+ -o tun+ -j DROP eval iptables -A FORWARD -i tun+ -o tun+ -j DROP $COMMENT
iptables -A FORWARD -i tap+ -o tap+ -j DROP eval iptables -A FORWARD -i tap+ -o tap+ -j DROP $COMMENT
else else
echo "Deleting DROP rules if exists..." echo "Deleting DROP rules if exists..."
iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
iptables -D FORWARD -i tap+ -o tap+ -j DROP eval iptables -D FORWARD -i tap+ -o tap+ -j DROP $COMMENT
iptables -D FORWARD -i tun+ -o tun+ -j DROP eval iptables -D FORWARD -i tun+ -o tun+ -j DROP $COMMENT
fi fi
# Enable forwarding # Enable forwarding
iptables -A FORWARD -j ACCEPT eval iptables -A FORWARD -j ACCEPT $COMMENT
# MSS Clamping # MSS Clamping
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
# TUN/TAP # TUN/TAP
iptables -A INPUT -i tun+ -j ACCEPT eval iptables -A INPUT -i tun+ -j ACCEPT $COMMENT
iptables -A OUTPUT -o tun+ -j ACCEPT eval iptables -A OUTPUT -o tun+ -j ACCEPT $COMMENT
# OpenVPN # OpenVPN
iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT eval iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT $COMMENT
iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT eval iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT $COMMENT
iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
iptables -F iptables -F

26
pptp/iptables-setup.sh
View File

@ -3,6 +3,8 @@
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source $DIR/env.sh source $DIR/env.sh
COMMENT=" -m comment --comment \"PPTP\""
if [[ ! -e $IPTABLES ]]; then if [[ ! -e $IPTABLES ]]; then
touch $IPTABLES touch $IPTABLES
fi fi
@ -37,10 +39,10 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
if [ "$STATIC" == "$ANSIP" ]; then if [ "$STATIC" == "$ANSIP" ]; then
# SNAT # SNAT
iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
else else
# MASQUERADE # MASQUERADE
iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
fi fi
DROP="yes" DROP="yes"
@ -49,29 +51,29 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
if [ "$DROP" == "$ANSDROP" ]; then if [ "$DROP" == "$ANSDROP" ]; then
# disable forwarding # disable forwarding
iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
else else
echo "Deleting DROP rule if exists..." echo "Deleting DROP rule if exists..."
iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT
fi fi
# Enable forwarding # Enable forwarding
iptables -A FORWARD -j ACCEPT eval iptables -A FORWARD -j ACCEPT $COMMENT
# MSS Clamping # MSS Clamping
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT
# PPP # PPP
iptables -A INPUT -i ppp+ -j ACCEPT eval iptables -A INPUT -i ppp+ -j ACCEPT $COMMENT
iptables -A OUTPUT -o ppp+ -j ACCEPT eval iptables -A OUTPUT -o ppp+ -j ACCEPT $COMMENT
# PPTP # PPTP
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT eval iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT $COMMENT
iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT eval iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT $COMMENT
# GRE # GRE
iptables -A INPUT -p gre -j ACCEPT eval iptables -A INPUT -p gre -j ACCEPT $COMMENT
iptables -A OUTPUT -p gre -j ACCEPT eval iptables -A OUTPUT -p gre -j ACCEPT $COMMENT
iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
iptables -F iptables -F