From 7daa49f7de9627b205563e6eea251da699fcf264 Mon Sep 17 00:00:00 2001 From: bedefaced Date: Wed, 30 Aug 2017 01:07:17 +0300 Subject: [PATCH] uninstall added; bugfixes; adduser dir changed --- ipsec/adduser.sh | 22 +++-- ipsec/backup.sh | 167 ++++++++++++++++++++++++++++++++++++++ ipsec/env.sh | 11 +++ ipsec/install.sh | 11 +-- ipsec/iptables-setup.sh | 21 +++-- ipsec/sysctl.sh | 8 +- openvpn/adduser.sh | 16 ++-- openvpn/backup.sh | 135 ++++++++++++++++++++++++++++++ openvpn/env.sh | 11 +++ openvpn/install.sh | 11 +-- openvpn/iptables-setup.sh | 21 +++-- openvpn/sysctl.sh | 8 +- pptp/adduser.sh | 10 +-- pptp/backup.sh | 134 ++++++++++++++++++++++++++++++ pptp/env.sh | 11 +++ pptp/install.sh | 11 +-- pptp/iptables-setup.sh | 21 +++-- pptp/sysctl.sh | 7 +- 18 files changed, 558 insertions(+), 78 deletions(-) create mode 100755 ipsec/backup.sh create mode 100755 openvpn/backup.sh create mode 100755 pptp/backup.sh diff --git a/ipsec/adduser.sh b/ipsec/adduser.sh index 7f74ab3..c140117 100755 --- a/ipsec/adduser.sh +++ b/ipsec/adduser.sh 
@@ -64,39 +64,37 @@ do PSK=$(sed -n "s/^[^#]\+[[:space:]]\+PSK[[:space:]]\+\"\(.\+\)\"/\1/p" $SECRETSFILE) - STARTDIR=$(pwd) - - mkdir -p "$STARTDIR/$LOGIN" - DISTFILE=$STARTDIR/$LOGIN/setup.sh + mkdir -p "$DIR/$LOGIN" + DISTFILE=$DIR/$LOGIN/setup.sh cp -rf $DIR/setup.sh.dist "$DISTFILE" sed -i -e "s@_PSK_@$PSK@g" "$DISTFILE" sed -i -e "s@_SERVERLOCALIP_@$LOCALPREFIX.0.1@g" "$DISTFILE" - DISTFILE=$STARTDIR/$LOGIN/ipsec.conf + DISTFILE=$DIR/$LOGIN/ipsec.conf cp -rf $DIR/ipsec.conf.dist "$DISTFILE" sed -i -e "s@LEFTIP@%any@g" "$DISTFILE" sed -i -e "s@LEFTPORT@%any@g" "$DISTFILE" sed -i -e "s@RIGHTIP@$IP@g" "$DISTFILE" sed -i -e "s@RIGHTPORT@1701@g" "$DISTFILE" - DISTFILE=$STARTDIR/$LOGIN/xl2tpd.conf + DISTFILE=$DIR/$LOGIN/xl2tpd.conf cp -rf $DIR/client-xl2tpd.conf.dist "$DISTFILE" sed -i -e "s@REMOTEIP@$IP@g" "$DISTFILE" - DISTFILE=$STARTDIR/$LOGIN/options.xl2tpd + DISTFILE=$DIR/$LOGIN/options.xl2tpd cp -rf $DIR/client-options.xl2tpd.dist "$DISTFILE" sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE" sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE" - cp -rf $DIR/connect.sh.dist "$STARTDIR/$LOGIN/connect.sh" - cp -rf $DIR/disconnect.sh.dist "$STARTDIR/$LOGIN/disconnect.sh" + cp -rf $DIR/connect.sh.dist "$DIR/$LOGIN/connect.sh" + cp -rf $DIR/disconnect.sh.dist "$DIR/$LOGIN/disconnect.sh" - chmod +x "$STARTDIR/$LOGIN/setup.sh" "$STARTDIR/$LOGIN/connect.sh" "$STARTDIR/$LOGIN/disconnect.sh" + chmod +x "$DIR/$LOGIN/setup.sh" "$DIR/$LOGIN/connect.sh" "$DIR/$LOGIN/disconnect.sh" USERNAME=${SUDO_USER:-$USER} - chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/ + chown -R $USERNAME:$USERNAME $DIR/$LOGIN/ echo - echo "Directory $STARTDIR/$LOGIN with client-side installation script has been created." + echo "Directory $DIR/$LOGIN with client-side installation script has been created." if [[ $# -eq 0 ]]; then diff --git a/ipsec/backup.sh b/ipsec/backup.sh new file mode 100755 index 0000000..d03c1ba --- /dev/null +++ b/ipsec/backup.sh 
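Review bot: The per-user directory created by `mkdir -p "$DIR/$LOGIN"` now sits next to the scripts and receives files with the PSK and the user's password substituted in (the `_PSK_` and `_PASSWORD_` sed lines), yet it is created with the default umask, so with a typical 022 umask those credentials are readable by every local account. Closing the directory at creation avoids that: `mkdir -p "$DIR/$LOGIN" && chmod 700 "$DIR/$LOGIN"`. `$LOGIN` also reaches `chown -R $USERNAME:$USERNAME $DIR/$LOGIN/` unquoted while every other changed line quotes it; quoting it there too keeps unusual logins from word-splitting. The enclosing `do` loop starts and ends outside the hunk, and openvpn/adduser.sh and pptp/adduser.sh make the same directory change.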
@@ -0,0 +1,167 @@ +#!/usr/bin/env bash + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +source $DIR/env.sh + +if [[ "$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +UNINSTALLDIR="$DIR/uninstall" + +if [[ -e "$UNINSTALLDIR" ]]; then + echo "$UNINSTALLDIR exists. Skipping..." + exit 0 +fi + +mkdir -p "$UNINSTALLDIR" + +UNINSTALL_SCRIPT="$UNINSTALLDIR/uninstall.sh" + +# backuping configs +yes | cp -rf $SYSCTLCONFIG "$UNINSTALLDIR/sysctl.conf" 2>/dev/null +yes | cp -rf $PPPCONFIG "$UNINSTALLDIR/options.xl2tpd" 2>/dev/null +yes | cp -rf $XL2TPDCONFIG "$UNINSTALLDIR/xl2tpd.conf" 2>/dev/null +yes | cp -rf $IPSECCONFIG "$UNINSTALLDIR/ipsec.conf" 2>/dev/null +yes | cp -rf $CHAPSECRETS "$UNINSTALLDIR/chap-secrets" 2>/dev/null +yes | cp -rf $SECRETSFILE "$UNINSTALLDIR/ipsec.secrets" 2>/dev/null + +# restore system configuration +cat <>$UNINSTALL_SCRIPT +#!/usr/bin/env bash + +if [[ "\$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +DIR=\$( cd "\$( dirname "\${BASH_SOURCE[0]}" )" && pwd ) + +echo "Removing cron task..." +TMPFILE=\$(mktemp crontab.XXXXX) +crontab -l > \$TMPFILE + +sed -i -e "\@$IPTABLES@d" \$TMPFILE +sed -i -e "\@$CHECKSERVER@d" \$TMPFILE + +crontab \$TMPFILE > /dev/null +rm \$TMPFILE + +rm $CHECKSERVER + +echo "Restoring sysctl parameters..." +cp -i \$DIR/sysctl.conf $SYSCTLCONFIG +sysctl -p +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - +END + +# restore firewalls +cat <>$UNINSTALL_SCRIPT + +echo "Restoring firewall..." 
+iptables-save | awk '(\$0 !~ /^-A/)||!(\$0 in a) {a[\$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES +rm $IPTABLES + +END + +if [ "$(systemctl status ufw; echo $?)" == "0" ]; then + echo "systemctl enable ufw" >>$UNINSTALL_SCRIPT + echo "systemctl start ufw" >>$UNINSTALL_SCRIPT +fi +if [ "$(systemctl status firewalld; echo $?)" == "0" ]; then + echo "systemctl enable firewalld" >>$UNINSTALL_SCRIPT + echo "systemctl start firewalld" >>$UNINSTALL_SCRIPT +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + # iptables + if [ "$(systemctl status iptables; echo $?)" != "0" ]; then + echo "systemctl stop iptables" >>$UNINSTALL_SCRIPT + echo "systemctl disable iptables" >>$UNINSTALL_SCRIPT + fi +fi + +# remove packages +UNINST_PACKAGES= +if [[ ! -n "$(which pgrep)" ]]; then + UNINST_PACKAGES+="procps " +fi +if [[ ! -n "$(which ifconfig)" ]]; then + UNINST_PACKAGES+="net-tools " +fi +if [[ ! -n "$(which pppd)" ]]; then + UNINST_PACKAGES+="ppp " +fi +if [[ ! -n "$(which xl2tpd)" ]]; then + UNINST_PACKAGES+="xl2tpd " +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + if [[ ! -n "$(which strongswan)" ]]; then + UNINST_PACKAGES+="strongswan " + fi +fi +if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then + if [[ ! -n "$(which ipsec)" ]]; then + UNINST_PACKAGES+="strongswan " + fi +fi + +if [[ ! -n "$(which crontab)" ]]; then + UNINST_PACKAGES+="$CRON_PACKAGE " +fi +if [[ ! -n "$(which iptables)" ]]; then + UNINST_PACKAGES+="$IPTABLES_PACKAGE " +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + if [ "$(ls /etc/yum.repos.d/epel.repo 2>/dev/null; echo $?)" != "0" ]; then + UNINST_PACKAGES+="epel-release " + fi +fi +if [[ ! 
-z "$UNINST_PACKAGES" ]]; then + echo -e "echo \"Removing installed packages...\"" >>$UNINSTALL_SCRIPT + echo "$UNINSTALLER $UNINST_PACKAGES" >>$UNINSTALL_SCRIPT +fi + +# restore files +echo -e "echo \"Restoring configs...\"" >>$UNINSTALL_SCRIPT +if [[ -n "$(which pppd)" ]]; then + echo -e "cp -i \"\$DIR/options.xl2tpd\" $PPPCONFIG" >>$UNINSTALL_SCRIPT + echo -e "cp -i \"\$DIR/chap-secrets\" $CHAPSECRETS" >>$UNINSTALL_SCRIPT +fi +if [[ -n "$(which xl2tpd)" ]]; then + echo -e "cp -i \"\$DIR/xl2tpd.conf\" $XL2TPDCONFIG" >>$UNINSTALL_SCRIPT +fi + +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + if [[ -n "$(which strongswan)" ]]; then + echo -e "cp -i \"\$DIR/ipsec.secrets\" $SECRETSFILE" >>$UNINSTALL_SCRIPT + echo -e "cp -i \"\$DIR/ipsec.conf\" $IPSECCONFIG" >>$UNINSTALL_SCRIPT + fi +fi + +if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then + if [[ -n "$(which ipsec)" ]]; then + echo -e "cp -i \"\$DIR/ipsec.secrets\" $SECRETSFILE" >>$UNINSTALL_SCRIPT + echo -e "cp -i \"\$DIR/ipsec.conf\" $IPSECCONFIG" >>$UNINSTALL_SCRIPT + fi +fi + +# restore xl2tpd if necessary +if [ "$(systemctl status xl2tpd; echo $?)" == "0" ]; then + echo -e "echo \"Restarting xl2tpd...\"" >>$UNINSTALL_SCRIPT + echo "systemctl restart xl2tpd" >>$UNINSTALL_SCRIPT +fi + +# restore strongswan if necessary +if [ "$(systemctl status strongswan; echo $?)" == "0" ]; then + echo -e "echo \"Restarting strongswan...\"" >>$UNINSTALL_SCRIPT + echo "systemctl restart strongswan" >>$UNINSTALL_SCRIPT +fi + +echo "echo" >>$UNINSTALL_SCRIPT +echo -e "echo \"Uninstall script has been completed!\"" >>$UNINSTALL_SCRIPT + +chmod +x "$UNINSTALL_SCRIPT" diff --git a/ipsec/env.sh b/ipsec/env.sh index 1a32d02..1214238 100755 --- a/ipsec/env.sh +++ b/ipsec/env.sh 
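Review bot: The service checks in the new backup script compare a captured output with a bare exit code, e.g. `if [ "$(systemctl status ufw; echo $?)" == "0" ]`, but `$(...)` collects everything `systemctl status` prints to stdout plus the trailing digit, so for a unit that exists the string is never exactly `0`: the ufw/firewalld re-enable lines are never written, and the `!= "0"` CentOS iptables check appends `systemctl stop/disable iptables` even when the service was running before the install. The `$(ls /etc/yum.repos.d/epel.repo 2>/dev/null; echo $?)` test has the same shape and marks epel-release for removal precisely when the file exists. Test the status directly instead: `if systemctl status ufw >/dev/null 2>&1; then` for the units, and `if [ ! -e /etc/yum.repos.d/epel.repo ]; then` for the repo file. openvpn/backup.sh and pptp/backup.sh repeat every one of these checks.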
@@ -5,10 +5,20 @@ CENTOSPLATFORM="CENTOS" if [ -n "$(. /etc/os-release; echo $NAME | grep -i Ubuntu)" -o -n "$(. /etc/os-release; echo $NAME | grep -i Debian)" ]; then PLATFORM=$DEBIANPLATFORM + + IPTABLES_PACKAGE="iptables" + CRON_PACKAGE="cron" + INSTALLER="apt-get -y install" + UNINSTALLER="apt-get purge --auto-remove" fi if [ -n "$(. /etc/os-release; echo $NAME | grep -i CentOS)" ]; then PLATFORM=$CENTOSPLATFORM + + IPTABLES_PACKAGE="iptables-services" + CRON_PACKAGE="cronie" + INSTALLER="yum -y install" + UNINSTALLER="yum remove" fi SYSCTLCONFIG=/etc/sysctl.conf @@ -19,6 +29,7 @@ CHAPSECRETS=/etc/ppp/chap-secrets IPTABLES=/etc/iptables.rules SECRETSFILE=/etc/ipsec.secrets CHECKSERVER=/etc/xl2tpd/checkserver.sh +IPTABLES_COMMENT="IPSEC" if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then SECRETSFILE=/etc/strongswan/ipsec.secrets diff --git a/ipsec/install.sh b/ipsec/install.sh index cf9d731..de7d244 100755 --- a/ipsec/install.sh +++ b/ipsec/install.sh @@ -8,15 +8,16 @@ if [[ "$EUID" -ne 0 ]]; then exit 1 fi +echo +echo "Creating backup..." +$DIR/backup.sh + echo echo "Installing strongSwan and xl2tp server..." -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - apt-get -y install strongswan xl2tpd cron iptables procps net-tools -fi if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then yum -y install epel-release - yum -y install strongswan xl2tpd cronie iptables-services procps net-tools fi +eval $INSTALLER strongswan xl2tpd ppp $CRON_PACKAGE $IPTABLES_PACKAGE procps net-tools echo echo "Configuring routing..." @@ -60,5 +61,5 @@ service xl2tpd restart service strongswan restart echo -echo "Installation script completed!" +echo "Installation script has been completed!" diff --git a/ipsec/iptables-setup.sh b/ipsec/iptables-setup.sh index 24b2e96..8b2866b 100755 --- a/ipsec/iptables-setup.sh +++ b/ipsec/iptables-setup.sh 
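Review bot: In ipsec/install.sh the new `$DIR/backup.sh` call ignores its exit status, so a failed backup (any of its `exit 1` paths) still lets the installer go on to rewrite sysctl, iptables and the service configs with nothing to restore from; `$DIR/backup.sh || exit 1` keeps the uninstall path trustworthy. The new `eval $INSTALLER strongswan ...` also has no fallback when neither platform branch in env.sh set `INSTALLER`: the line then runs `strongswan` as a command. A guard such as `: "${INSTALLER:?unsupported platform}"` before it fails fast, and plain `$INSTALLER strongswan xl2tpd ppp $CRON_PACKAGE $IPTABLES_PACKAGE procps net-tools` does the same job without `eval`. openvpn/install.sh and pptp/install.sh carry the same two lines.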
@@ -10,7 +10,12 @@ if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then systemctl start iptables fi -COMMENT=" -m comment --comment \"IPSEC\"" +if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then + systemctl stop ufw + systemctl disable ufw +fi + +COMMENT=" -m comment --comment \"$IPTABLES_COMMENT\"" if [[ ! -e $IPTABLES ]]; then touch $IPTABLES @@ -21,8 +26,11 @@ if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then exit 1 fi -# backup and remove rules with $LOCALIP -iptables-save > $IPTABLES.backup +# clear existing rules +iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES IFS=$'\n' @@ -98,9 +106,10 @@ eval iptables -A OUTPUT -p esp -j ACCEPT $COMMENT eval iptables -A INPUT -p ah -j ACCEPT $COMMENT eval iptables -A OUTPUT -p ah -j ACCEPT $COMMENT -# remove standart REJECT rules -iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited -iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited +# remove standard REJECT rules +echo "Note: standard REJECT rules for INPUT and FORWARD will be removed." +iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited 2>/dev/null +iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited 2>/dev/null iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables -F diff --git a/ipsec/sysctl.sh b/ipsec/sysctl.sh index aa3bdf8..bbf2975 100755 --- a/ipsec/sysctl.sh +++ b/ipsec/sysctl.sh @@ -30,9 +30,5 @@ sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG sysctl -p -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - service procps restart -fi -if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then - service network restart -fi + +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - diff --git a/openvpn/adduser.sh b/openvpn/adduser.sh index 940dcd8..83b0c35 100755 
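Review bot: The rewritten "clear existing rules" step in iptables-setup.sh overwrites `$IPTABLES` with the live ruleset and then runs `iptables -F` before `iptables-restore < $IPTABLES`, so a restore failure leaves the host with flushed chains under whatever the default policies are, and the `$IPTABLES.backup` copy kept by the removed lines is gone. Validating the file before flushing avoids that state: `iptables-restore --test < $IPTABLES || { echo "invalid ruleset in $IPTABLES" >&2; exit 1; }` placed ahead of the `iptables -F` line. The same sequence is introduced in openvpn/iptables-setup.sh and pptp/iptables-setup.sh.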
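Review bot: In sysctl.sh the added `cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -` follows the existing `sysctl -p` context line, so /etc/sysctl.conf is applied twice, and when /etc/sysctl.d holds no `.conf` file the unexpanded glob makes `cat` print an error. If the oldest supported procps on the target releases provides it (worth confirming), `sysctl --system` replaces both lines and also reads the other standard directories. openvpn/sysctl.sh and pptp/sysctl.sh make the identical change.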
--- a/openvpn/adduser.sh +++ b/openvpn/adduser.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash -STARTDIR=$(pwd) - DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) source $DIR/env.sh @@ -32,16 +30,16 @@ do if [ $? -eq 0 ]; then # copy files and OVPN config - mkdir -p "$STARTDIR/$LOGIN" - cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/" + mkdir -p "$DIR/$LOGIN" + cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$DIR/$LOGIN/" - DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn" + DIST="$DIR/$LOGIN/openvpn-server.ovpn" cp $DIR/openvpn-server.ovpn.dist $DIST sed -i -e "s@LOGIN@$LOGIN@g" $DIST sed -i -e "s@IP@$IP@g" $DIST - SRC="$STARTDIR/$LOGIN" - DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn" + SRC="$DIR/$LOGIN" + DIST="$DIR/$LOGIN/openvpn-server-embedded.ovpn" cp $DIR/openvpn-server-embedded.ovpn.dist $DIST sed -i -e "s@IP@$IP@g" $DIST @@ -62,9 +60,9 @@ do echo "" >> $DIST echo - echo "Directory $STARTDIR/$LOGIN with necessary files has been created." + echo "Directory $DIR/$LOGIN with necessary files has been created." USERNAME=${SUDO_USER:-$USER} - chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/ + chown -R $USERNAME:$USERNAME $DIR/$LOGIN/ fi diff --git a/openvpn/backup.sh b/openvpn/backup.sh new file mode 100755 index 0000000..6368563 --- /dev/null +++ b/openvpn/backup.sh 
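Review bot: On the changed `cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$DIR/$LOGIN/"` line, `ta.key` is still resolved against the caller's working directory while every other operand now uses `$DIR` or `$CADIR`; with `STARTDIR` removed the script only works when run from the directory holding ta.key, so this should become an absolute path (presumably under `$CADIR/keys` or `$OPENVPNDIR` — confirm where install.sh writes it). The directory also receives the client's private key and the embedded `.ovpn` and is created by `mkdir -p "$DIR/$LOGIN"` with the default umask; `chmod 700 "$DIR/$LOGIN"` right after the mkdir keeps them from other local users. The enclosing `do` loop and the `if [ $? -eq 0 ]` begin outside the hunk.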
@@ -0,0 +1,135 @@ +#!/usr/bin/env bash + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +source $DIR/env.sh + +if [[ "$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +UNINSTALLDIR="$DIR/uninstall" + +if [[ -e "$UNINSTALLDIR" ]]; then + echo "$UNINSTALLDIR exists. Skipping..." + exit 0 +fi + +mkdir -p "$UNINSTALLDIR" + +UNINSTALL_SCRIPT="$UNINSTALLDIR/uninstall.sh" + +# backuping configs +yes | cp -rf $SYSCTLCONFIG "$UNINSTALLDIR/sysctl.conf" 2>/dev/null +yes | cp -rf $OPENVPNDIR "$UNINSTALLDIR" 2>/dev/null + +# restore system configuration +cat <>$UNINSTALL_SCRIPT +#!/usr/bin/env bash + +if [[ "\$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +DIR=\$( cd "\$( dirname "\${BASH_SOURCE[0]}" )" && pwd ) + +echo "Removing cron task..." +TMPFILE=\$(mktemp crontab.XXXXX) +crontab -l > \$TMPFILE + +sed -i -e "\@$IPTABLES@d" \$TMPFILE +sed -i -e "\@$CHECKSERVER@d" \$TMPFILE + +crontab \$TMPFILE > /dev/null +rm \$TMPFILE + +rm $CHECKSERVER + +echo "Restoring sysctl parameters..." +cp -i \$DIR/sysctl.conf $SYSCTLCONFIG +sysctl -p +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - +END + +# restore firewalls +cat <>$UNINSTALL_SCRIPT + +echo "Restoring firewall..." 
+iptables-save | awk '(\$0 !~ /^-A/)||!(\$0 in a) {a[\$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES +rm $IPTABLES + +END + +if [ "$(systemctl status ufw; echo $?)" == "0" ]; then + echo "systemctl enable ufw" >>$UNINSTALL_SCRIPT + echo "systemctl start ufw" >>$UNINSTALL_SCRIPT +fi +if [ "$(systemctl status firewalld; echo $?)" == "0" ]; then + echo "systemctl enable firewalld" >>$UNINSTALL_SCRIPT + echo "systemctl start firewalld" >>$UNINSTALL_SCRIPT +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + # iptables + if [ "$(systemctl status iptables; echo $?)" != "0" ]; then + echo "systemctl stop iptables" >>$UNINSTALL_SCRIPT + echo "systemctl disable iptables" >>$UNINSTALL_SCRIPT + fi +fi + +# remove packages +UNINST_PACKAGES= +if [[ ! -n "$(which pgrep)" ]]; then + UNINST_PACKAGES+="procps " +fi +if [[ ! -n "$(which ifconfig)" ]]; then + UNINST_PACKAGES+="net-tools " +fi +if [[ ! -n "$(which openvpn)" ]]; then + UNINST_PACKAGES+="openvpn " +fi +if [[ ! -n "$(which make-cadir)" ]]; then + UNINST_PACKAGES+="easy-rsa " +fi +if [[ ! -n "$(which crontab)" ]]; then + UNINST_PACKAGES+="$CRON_PACKAGE " +fi +if [[ ! -n "$(which iptables)" ]]; then + UNINST_PACKAGES+="$IPTABLES_PACKAGE " +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + if [ "$(ls /etc/yum.repos.d/epel.repo 2>/dev/null; echo $?)" != "0" ]; then + UNINST_PACKAGES+="epel-release " + fi +fi +if [[ ! -z "$UNINST_PACKAGES" ]]; then + echo -e "echo \"Removing installed packages...\"" >>$UNINSTALL_SCRIPT + echo "$UNINSTALLER $UNINST_PACKAGES" >>$UNINSTALL_SCRIPT +fi + +# restore files +echo -e "echo \"Restoring configs...\"" >>$UNINSTALL_SCRIPT +if [[ -n "$(which openvpn)" ]]; then + echo -e "rm -rf $OPENVPNDIR" >>$UNINSTALL_SCRIPT + echo -e "mkdir -p $OPENVPNDIR" >>$UNINSTALL_SCRIPT + echo -e "cp -rf \"\$DIR/openvpn\" \"$OPENVPNDIR/..\" 2>/dev/null" >>$UNINSTALL_SCRIPT +fi + +if [[ ! 
-e "$DIR/openvpn" ]]; then + # remove openvpn dir because it was empty + echo -e "rm -rf $OPENVPNDIR" >>$UNINSTALL_SCRIPT +fi + +# restore openvpn if necessary +if [ "$(systemctl status openvpn@openvpn-server; echo $?)" == "0" ]; then + echo -e "echo \"Restarting OpenVPN...\"" >>$UNINSTALL_SCRIPT + echo "systemctl restart openvpn@openvpn-server" >>$UNINSTALL_SCRIPT +fi + +echo "echo" >>$UNINSTALL_SCRIPT +echo -e "echo \"Uninstall script has been completed!\"" >>$UNINSTALL_SCRIPT + +chmod +x "$UNINSTALL_SCRIPT" diff --git a/openvpn/env.sh b/openvpn/env.sh index 6c2c51b..23b1ac6 100755 --- a/openvpn/env.sh +++ b/openvpn/env.sh @@ -5,10 +5,20 @@ CENTOSPLATFORM="CENTOS" if [ -n "$(. /etc/os-release; echo $NAME | grep -i Ubuntu)" -o -n "$(. /etc/os-release; echo $NAME | grep -i Debian)" ]; then PLATFORM=$DEBIANPLATFORM + + IPTABLES_PACKAGE="iptables" + CRON_PACKAGE="cron" + INSTALLER="apt-get -y install" + UNINSTALLER="apt-get purge --auto-remove" fi if [ -n "$(. /etc/os-release; echo $NAME | grep -i CentOS)" ]; then PLATFORM=$CENTOSPLATFORM + + IPTABLES_PACKAGE="iptables-services" + CRON_PACKAGE="cronie" + INSTALLER="yum -y install" + UNINSTALLER="yum remove" fi SYSCTLCONFIG=/etc/sysctl.conf @@ -18,6 +28,7 @@ CADIR=$OPENVPNDIR/easy-rsa IPTABLES=/etc/iptables.rules NOBODYGROUP=nogroup CHECKSERVER=$OPENVPNDIR/checkserver.sh +IPTABLES_COMMENT="OPENVPN" if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then NOBODYGROUP=nobody diff --git a/openvpn/install.sh b/openvpn/install.sh index 66f34dd..72328ca 100755 --- a/openvpn/install.sh +++ b/openvpn/install.sh 
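Review bot: `if [[ ! -e "$DIR/openvpn" ]]` tests the wrong location: the backup copy is made by `yes | cp -rf $OPENVPNDIR "$UNINSTALLDIR"` and therefore lives at `$UNINSTALLDIR/openvpn`, whereas the unescaped `$DIR/openvpn` here is a directory beside backup.sh that normally does not exist. The consequence is that `rm -rf $OPENVPNDIR` is appended to the uninstall script unconditionally, directly after the lines that restore the directory, so the uninstall deletes what it has just put back. Use `if [[ ! -e "$UNINSTALLDIR/openvpn" ]]; then`. The escaped `\$DIR/openvpn` inside the generated `cp -rf` line is correct, since there `DIR` resolves to the uninstall directory at run time.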
@@ -10,15 +10,16 @@ if [[ "$EUID" -ne 0 ]]; then exit 1 fi +echo +echo "Creating backup..." +$DIR/backup.sh + echo echo "Installing OpenVPN..." -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - apt-get -y install openvpn easy-rsa cron iptables procps net-tools -fi if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then yum -y install epel-release - yum -y install openvpn easy-rsa cronie iptables-services procps net-tools fi +eval $INSTALLER openvpn easy-rsa $CRON_PACKAGE $IPTABLES_PACKAGE procps net-tools echo echo "Configuring routing..." @@ -79,5 +80,5 @@ systemctl -f enable openvpn@openvpn-server systemctl restart openvpn@openvpn-server echo -echo "Installation script completed!" +echo "Installation script has been completed!" diff --git a/openvpn/iptables-setup.sh b/openvpn/iptables-setup.sh index 4a81dcf..34a5d12 100755 --- a/openvpn/iptables-setup.sh +++ b/openvpn/iptables-setup.sh @@ -10,7 +10,12 @@ if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then systemctl start iptables fi -COMMENT=" -m comment --comment \"OPENVPN\"" +if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then + systemctl stop ufw + systemctl disable ufw +fi + +COMMENT=" -m comment --comment \"$IPTABLES_COMMENT\"" if [[ ! -e $IPTABLES ]]; then touch $IPTABLES @@ -21,8 +26,11 @@ if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then exit 1 fi -# backup and remove rules with $LOCALIP -iptables-save > $IPTABLES.backup +# clear existing rules +iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES IFS=$'\n' 
@@ -85,9 +93,10 @@ eval iptables -A OUTPUT -o tun+ -j ACCEPT $COMMENT eval iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT $COMMENT eval iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT $COMMENT -# remove standart REJECT rules -iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited -iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited +# remove standard REJECT rules +echo "Note: standard REJECT rules for INPUT and FORWARD will be removed." +iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited 2>/dev/null +iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited 2>/dev/null iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables -F diff --git a/openvpn/sysctl.sh b/openvpn/sysctl.sh index aa3bdf8..bbf2975 100755 --- a/openvpn/sysctl.sh +++ b/openvpn/sysctl.sh @@ -30,9 +30,5 @@ sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG sysctl -p -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - service procps restart -fi -if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then - service network restart -fi + +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - diff --git a/pptp/adduser.sh b/pptp/adduser.sh index 030b675..56b557d 100755 --- a/pptp/adduser.sh +++ b/pptp/adduser.sh @@ -62,10 +62,8 @@ do echo "$CHAPSECRETS has been updated!" fi - STARTDIR=$(pwd) - - mkdir -p "$STARTDIR/$LOGIN" - DISTFILE=$STARTDIR/$LOGIN/setup.sh + mkdir -p "$DIR/$LOGIN" + DISTFILE=$DIR/$LOGIN/setup.sh cp -rf $DIR/setup.sh.dist "$DISTFILE" sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE" sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE" 
@@ -73,9 +71,9 @@ do sed -i -e "s@_LOCALPREFIX_@$LOCALPREFIX@g" "$DISTFILE" chmod +x "$DISTFILE" USERNAME=${SUDO_USER:-$USER} - chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/ + chown -R $USERNAME:$USERNAME $DIR/$LOGIN/ echo - echo "Directory $STARTDIR/$LOGIN with client-side installation script has been created." + echo "Directory $DIR/$LOGIN with client-side installation script has been created." if [[ $# -eq 0 ]]; then echo diff --git a/pptp/backup.sh b/pptp/backup.sh new file mode 100755 index 0000000..d65f646 --- /dev/null +++ b/pptp/backup.sh 
@@ -0,0 +1,134 @@ +#!/usr/bin/env bash + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +source $DIR/env.sh + +if [[ "$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +UNINSTALLDIR="$DIR/uninstall" + +if [[ -e "$UNINSTALLDIR" ]]; then + echo "$UNINSTALLDIR exists. Skipping..." + exit 0 +fi + +mkdir -p "$UNINSTALLDIR" + +UNINSTALL_SCRIPT="$UNINSTALLDIR/uninstall.sh" + +# backuping configs +yes | cp -rf $SYSCTLCONFIG "$UNINSTALLDIR/sysctl.conf" 2>/dev/null +yes | cp -rf $PPTPDCONFIG "$UNINSTALLDIR/pptpd.conf" 2>/dev/null +yes | cp -rf $PPTPOPTIONS "$UNINSTALLDIR/options.pptp" 2>/dev/null +yes | cp -rf $CHAPSECRETS "$UNINSTALLDIR/chap-secrets" 2>/dev/null + +# restore system configuration +cat <>$UNINSTALL_SCRIPT +#!/usr/bin/env bash + +if [[ "\$EUID" -ne 0 ]]; then + echo "Sorry, you need to run this as root" + exit 1 +fi + +DIR=\$( cd "\$( dirname "\${BASH_SOURCE[0]}" )" && pwd ) + +echo "Removing cron task..." +TMPFILE=\$(mktemp crontab.XXXXX) +crontab -l > \$TMPFILE + +sed -i -e "\@$IPTABLES@d" \$TMPFILE +sed -i -e "\@$CHECKSERVER@d" \$TMPFILE + +crontab \$TMPFILE > /dev/null +rm \$TMPFILE + +rm $CHECKSERVER + +echo "Restoring sysctl parameters..." +cp -i \$DIR/sysctl.conf $SYSCTLCONFIG +sysctl -p +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - +END + +# restore firewalls +cat <>$UNINSTALL_SCRIPT + +echo "Restoring firewall..." 
+iptables-save | awk '(\$0 !~ /^-A/)||!(\$0 in a) {a[\$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES +rm $IPTABLES + +END + +if [ "$(systemctl status ufw; echo $?)" == "0" ]; then + echo "systemctl enable ufw" >>$UNINSTALL_SCRIPT + echo "systemctl start ufw" >>$UNINSTALL_SCRIPT +fi +if [ "$(systemctl status firewalld; echo $?)" == "0" ]; then + echo "systemctl enable firewalld" >>$UNINSTALL_SCRIPT + echo "systemctl start firewalld" >>$UNINSTALL_SCRIPT +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + # iptables + if [ "$(systemctl status iptables; echo $?)" != "0" ]; then + echo "systemctl stop iptables" >>$UNINSTALL_SCRIPT + echo "systemctl disable iptables" >>$UNINSTALL_SCRIPT + fi +fi + +# remove packages +UNINST_PACKAGES= +if [[ ! -n "$(which pgrep)" ]]; then + UNINST_PACKAGES+="procps " +fi +if [[ ! -n "$(which ifconfig)" ]]; then + UNINST_PACKAGES+="net-tools " +fi +if [[ ! -n "$(which pppd)" ]]; then + UNINST_PACKAGES+="ppp " +fi +if [[ ! -n "$(which pptpd)" ]]; then + UNINST_PACKAGES+="pptpd " +fi +if [[ ! -n "$(which crontab)" ]]; then + UNINST_PACKAGES+="$CRON_PACKAGE " +fi +if [[ ! -n "$(which iptables)" ]]; then + UNINST_PACKAGES+="$IPTABLES_PACKAGE " +fi +if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then + if [ "$(ls /etc/yum.repos.d/epel.repo 2>/dev/null; echo $?)" != "0" ]; then + UNINST_PACKAGES+="epel-release " + fi +fi +if [[ ! 
-z "$UNINST_PACKAGES" ]]; then + echo -e "echo \"Removing installed packages...\"" >>$UNINSTALL_SCRIPT + echo "$UNINSTALLER $UNINST_PACKAGES" >>$UNINSTALL_SCRIPT +fi + +# restore files +echo -e "echo \"Restoring configs...\"" >>$UNINSTALL_SCRIPT +if [[ -n "$(which pptpd)" ]]; then + echo -e "cp -i \"\$DIR/pptpd.conf\" $PPTPDCONFIG" >>$UNINSTALL_SCRIPT +fi +if [[ -n "$(which pppd)" ]]; then + echo -e "cp -i \"\$DIR/options.pptp\" $PPTPOPTIONS" >>$UNINSTALL_SCRIPT + echo -e "cp -i \"\$DIR/chap-secrets\" $CHAPSECRETS" >>$UNINSTALL_SCRIPT +fi + +# restore pptpd if necessary +if [ "$(systemctl status pptpd; echo $?)" == "0" ]; then + echo -e "echo \"Restarting pptpd...\"" >>$UNINSTALL_SCRIPT + echo "systemctl restart pptpd" >>$UNINSTALL_SCRIPT +fi + +echo "echo" >>$UNINSTALL_SCRIPT +echo -e "echo \"Uninstall script has been completed!\"" >>$UNINSTALL_SCRIPT + +chmod +x "$UNINSTALL_SCRIPT" diff --git a/pptp/env.sh b/pptp/env.sh index f84f147..08c553d 100755 --- a/pptp/env.sh +++ b/pptp/env.sh @@ -5,10 +5,20 @@ CENTOSPLATFORM="CENTOS" if [ -n "$(. /etc/os-release; echo $NAME | grep -i Ubuntu)" -o -n "$(. /etc/os-release; echo $NAME | grep -i Debian)" ]; then PLATFORM=$DEBIANPLATFORM + + IPTABLES_PACKAGE="iptables" + CRON_PACKAGE="cron" + INSTALLER="apt-get -y install" + UNINSTALLER="apt-get purge --auto-remove" fi if [ -n "$(. /etc/os-release; echo $NAME | grep -i CentOS)" ]; then PLATFORM=$CENTOSPLATFORM + + IPTABLES_PACKAGE="iptables-services" + CRON_PACKAGE="cronie" + INSTALLER="yum -y install" + UNINSTALLER="yum remove" fi SYSCTLCONFIG=/etc/sysctl.conf @@ -17,6 +27,7 @@ PPTPOPTIONS=/etc/ppp/options.pptp CHAPSECRETS=/etc/ppp/chap-secrets IPTABLES=/etc/iptables.rules CHECKSERVER=/etc/ppp/checkserver.sh +IPTABLES_COMMENT="PPTP" LOCALPREFIX="172.16" LOCALIP="$LOCALPREFIX.0.0" diff --git a/pptp/install.sh b/pptp/install.sh index 3cdd002..5cccb3b 100755 --- a/pptp/install.sh +++ b/pptp/install.sh 
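Review bot: `yes | cp -rf $CHAPSECRETS "$UNINSTALLDIR/chap-secrets"` places a copy of the PPP credentials under `$DIR/uninstall`, a directory created by `mkdir -p "$UNINSTALLDIR"` with the default umask inside the script checkout, so the copy is only as protected as the mode bits `cp` happens to carry over from /etc/ppp/chap-secrets. Creating the directory closed, `mkdir -p "$UNINSTALLDIR" && chmod 700 "$UNINSTALLDIR"`, covers every file backed up there regardless of its source mode. ipsec/backup.sh copies chap-secrets and ipsec.secrets into the same kind of directory and needs the same line.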
@@ -8,15 +8,16 @@ if [[ "$EUID" -ne 0 ]]; then exit 1 fi +echo +echo "Creating backup..." +$DIR/backup.sh + echo echo "Installing PPTP server..." -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - apt-get -y install pptpd cron iptables procps net-tools -fi if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then yum -y install epel-release - yum -y install ppp pptpd cronie iptables-services procps net-tools fi +eval $INSTALLER ppp pptpd $CRON_PACKAGE $IPTABLES_PACKAGE procps net-tools ADDUSER="no" ANSUSER="yes" @@ -55,5 +56,5 @@ echo "Starting pptpd..." service pptpd restart echo -echo "Installation script completed!" +echo "Installation script has been completed!" diff --git a/pptp/iptables-setup.sh b/pptp/iptables-setup.sh index cbe6c8d..cc552d2 100755 --- a/pptp/iptables-setup.sh +++ b/pptp/iptables-setup.sh @@ -10,7 +10,12 @@ if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then systemctl start iptables fi -COMMENT=" -m comment --comment \"PPTP\"" +if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then + systemctl stop ufw + systemctl disable ufw +fi + +COMMENT=" -m comment --comment \"$IPTABLES_COMMENT\"" if [[ ! -e $IPTABLES ]]; then touch $IPTABLES @@ -21,8 +26,11 @@ if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then exit 1 fi -# backup and remove rules with $LOCALIP -iptables-save > $IPTABLES.backup +# clear existing rules +iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES +sed -i -e "/--comment $IPTABLES_COMMENT/d" $IPTABLES +iptables -F +iptables-restore < $IPTABLES IFS=$'\n' 
@@ -82,9 +90,10 @@ eval iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT $COMMENT eval iptables -A INPUT -p gre -j ACCEPT $COMMENT eval iptables -A OUTPUT -p gre -j ACCEPT $COMMENT -# remove standart REJECT rules -iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited -iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited +# remove standard REJECT rules +echo "Note: standard REJECT rules for INPUT and FORWARD will be removed." +iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited 2>/dev/null +iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited 2>/dev/null iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES iptables -F diff --git a/pptp/sysctl.sh b/pptp/sysctl.sh index 90aa824..bbf2975 100755 --- a/pptp/sysctl.sh +++ b/pptp/sysctl.sh @@ -30,10 +30,5 @@ sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG sysctl -p -if [ "$PLATFORM" == "$DEBIANPLATFORM" ]; then - service procps restart -fi -if [ "$PLATFORM" == "$CENTOSPLATFORM" ]; then - service network restart -fi +cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -