From 3075a20c6b44bb9650cccb41b47992b657654369 Mon Sep 17 00:00:00 2001
From: bedefaced
Date: Thu, 20 Apr 2017 22:48:01 +0300
Subject: [PATCH] iptables rules if default policies are DROP, checkserver for ipsec bugfix

---
 ipsec/checkserver.sh | 2 +-
 ipsec/iptables-setup.sh | 19 ++++++++++++++++++-
 openvpn/iptables-setup.sh | 6 +++++-
 pptp/iptables-setup.sh | 10 +++++++---
 4 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ipsec/checkserver.sh b/ipsec/checkserver.sh
index 9f4010c..e95791f 100755
--- a/ipsec/checkserver.sh
+++ b/ipsec/checkserver.sh
@@ -6,7 +6,7 @@ if [ $? -eq 1 ]; then
 /etc/init.d/xl2tpd restart
 fi
 
 
-RET=$(pgrep strongswan)
+RET=$(pgrep starter)
 if [ $? -eq 1 ]; then
 /etc/init.d/strongswan restart
diff --git a/ipsec/iptables-setup.sh b/ipsec/iptables-setup.sh
index 2902860..6b6ac89 100755
--- a/ipsec/iptables-setup.sh
+++ b/ipsec/iptables-setup.sh
@@ -57,6 +57,9 @@ else
 iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
 fi
 
+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
@@ -65,7 +68,21 @@ iptables -A INPUT -i ppp+ -j ACCEPT
 iptables -A OUTPUT -o ppp+ -j ACCEPT
 
 # XL2TPD
-iptables -A INPUT -p tcp --dport 1701 -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
+
+# IPSEC
+iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
+iptables -A INPUT -p esp -j ACCEPT
+iptables -A OUTPUT -p esp -j ACCEPT
+iptables -A INPUT -p ah -j ACCEPT
+iptables -A OUTPUT -p ah -j ACCEPT
+
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F
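Review bot: `pgrep starter` is an unanchored regex match on process names, so any process whose name merely contains "starter" satisfies it and would mask a dead strongSwan; use an exact match, `RET=$(pgrep -x starter)`, or drop the unused RET and test the command directly with `if ! pgrep -x starter >/dev/null; then`. Checking `$?` right after the assignment does work, since the status of `RET=$(...)` is pgrep's status, but `-eq 1` only covers "no process matched" and will skip the restart on pgrep's other non-zero codes (2 for a syntax error, 3 for a fatal error). The `if` block this line feeds continues outside the hunk.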
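Review bot: `iptables -A FORWARD -j ACCEPT` turns the host into an unrestricted forwarder: it matches traffic between any pair of interfaces, not only VPN clients and the uplink, and is only narrowed by the single client-isolation DROP rule that the if/else just above may or may not have installed. Scope it to the tunnel interface and let connection tracking admit the return path, e.g. `iptables -A FORWARD -i ppp+ -j ACCEPT` and `iptables -A FORWARD -o ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT`. The same blanket rule is added by this commit in openvpn/iptables-setup.sh (where `tun+` is the interface to scope to) and in pptp/iptables-setup.sh.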
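Review bot: The new `iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT` accepts L2TP from any source in the clear, so xl2tpd becomes reachable without the IPsec layer this setup exists to provide; the usual guard is to accept 1701 only for packets that arrived inside an IPsec SA, `iptables -A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT`, with `--dir out` on the matching OUTPUT rule. The TCP 1701 rules are carried over from the old line, but L2TP runs over UDP, so they look like unused surface unless something in this deployment really listens on TCP 1701. Likewise the `-p ah` pair is only needed if the strongSwan configuration negotiates AH rather than ESP; if it does not (I can't tell from the hunk), those two rules can go.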
diff --git a/openvpn/iptables-setup.sh b/openvpn/iptables-setup.sh
index 13c35eb..51bde5d 100755
--- a/openvpn/iptables-setup.sh
+++ b/openvpn/iptables-setup.sh
@@ -62,6 +62,9 @@ else
 iptables -D FORWARD -i tun+ -o tun+ -j DROP
 fi
 
+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
@@ -70,7 +73,8 @@ iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
 
 # OpenVPN
-iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
 
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F
diff --git a/pptp/iptables-setup.sh b/pptp/iptables-setup.sh
index 8ad51a7..c4a7722 100755
--- a/pptp/iptables-setup.sh
+++ b/pptp/iptables-setup.sh
@@ -55,6 +55,9 @@ else
 iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
 fi
 
+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
@@ -63,11 +66,12 @@ iptables -A INPUT -i ppp+ -j ACCEPT
 iptables -A OUTPUT -o ppp+ -j ACCEPT
 
 # PPTP
-iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
 
 # GRE
-iptables -A INPUT -p 47 -j ACCEPT
-iptables -A OUTPUT -p 47 -j ACCEPT
+iptables -A INPUT -p gre -j ACCEPT
+iptables -A OUTPUT -p gre -j ACCEPT
 
 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F