From a68de1c30c4c0cac3ddf51a7f5c311f55127f18d Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 30 Sep 2017 14:06:26 +0100
Subject: [PATCH] mesh firewall for vpn
---
 src/freedombone-mesh-batman | 48 ++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 28 deletions(-)
diff --git a/src/freedombone-mesh-batman b/src/freedombone-mesh-batman
index e71291ba..32be36c6 100755
--- a/src/freedombone-mesh-batman
+++ b/src/freedombone-mesh-batman
@@ -158,20 +158,16 @@ function stop {
 # SSB/Patchwork
 iptables -D INPUT -p udp --dport 8008 -j ACCEPT
 iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
- # Tunnel over the internet
- iptables -D INPUT -p tcp --dport 53 -j ACCEPT
- iptables -D INPUT -p udp --dport 53 -j ACCEPT
- iptables -D INPUT -p tcp --dport 8942 -j ACCEPT
- iptables -D INPUT -p udp --dport 8942 -j ACCEPT
-
- iptables -t nat -D POSTROUTING -o $EIFACE -j MASQUERADE
- iptables -D FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
- iptables -D FORWARD -i $IFACE -o $EIFACE -j ACCEPT
-
- if [ $IFACE_SECONDARY ]; then
- iptables -D FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
- iptables -D FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
- fi
+ # vpn over the internet
+ iptables -D INPUT -p tcp --dport 553 -j ACCEPT
+ iptables -D INPUT -p udp --dport 553 -j ACCEPT
+ iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+ iptables -D INPUT -i tun+ -j ACCEPT
+ iptables -D FORWARD -i tun+ -j ACCEPT
+ iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+ iptables -D OUTPUT -o tun+ -j ACCEPT
 echo 0 > /proc/sys/net/ipv4/ip_forward
 sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf 
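Review bot: The `iptables -D FORWARD -i tun+ -j ACCEPT` line here deletes a rule that, as added in the start hunk at @@ -332, accepts every forwarded packet arriving from any tun interface with no output-interface or connection-state match, so VPN clients can originate new connections onto any other interface of the node, the mesh side included, and it shadows the following `-i tun+ -o ${EIFACE} --state RELATED,ESTABLISHED` rule, which can then never match. If the intent is only internet egress for VPN clients, the start rule should be scoped, e.g. `iptables -A FORWARD -i tun+ -o ${EIFACE} -j ACCEPT`, with the matching `-D` here and the now-redundant tun+ RELATED,ESTABLISHED rule dropped; the reverse `-i ${EIFACE} -o tun+` rule already covers return traffic. Separately, `-D` only removes rules whose arguments match exactly, so a node whose firewall was populated by the previous version of start (the 53/8942 INPUT rules and the $EIFACE/$IFACE forwarding rules) will keep those rules after this stop runs, which matters if in-place upgrades without a reboot are expected. The stop function begins before and continues after this hunk.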
@@ -332,20 +328,16 @@ function start {
 # SSB/Patchwork
 iptables -A INPUT -p udp --dport 8008 -j ACCEPT
 iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
- # Tunnel over the internet
- iptables -A INPUT -p tcp --dport 53 -j ACCEPT
- iptables -A INPUT -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -p tcp --dport 8942 -j ACCEPT
- iptables -A INPUT -p udp --dport 8942 -j ACCEPT
-
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE
- iptables -A FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
- iptables -A FORWARD -i $IFACE -o $EIFACE -j ACCEPT
-
- if [ $hotspot_enabled ]; then
- iptables -A FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
- iptables -A FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
- fi
+ # vpn over the internet
+ iptables -A INPUT -p tcp --dport 553 -j ACCEPT
+ iptables -A INPUT -p udp --dport 553 -j ACCEPT
+ iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+ iptables -A INPUT -i tun+ -j ACCEPT
+ iptables -A FORWARD -i tun+ -j ACCEPT
+ iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+ iptables -A OUTPUT -o tun+ -j ACCEPT
 echo 1 > /proc/sys/net/ipv4/ip_forward
 sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
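Review bot: The two `--dport 553` INPUT rules open TCP and UDP 553 on every interface, the mesh side included, with nothing in the hunk saying which service listens there, whereas the VPN port 1194 is limited to `-i ${EIFACE}` and TCP only; a comment such as `# 553: <SERVICE-NAME-PLACEHOLDER>; 1194: OpenVPN control port (TCP)` above them would make the intent reviewable, and if the VPN server is configured for UDP (OpenVPN's default transport) the 1194 rule needs a `-p udp` counterpart, which cannot be confirmed from this hunk. The MASQUERADE rule hard-codes `10.8.0.0/24`; if the VPN subnet is set in a config file elsewhere, deriving both from one variable avoids the NAT silently stopping when the subnet changes. `${EIFACE}` is used unquoted in `-i`/`-o`; should it ever be empty, iptables sees the next token as the interface name and the rule either fails or binds to the wrong interface, so a guard like `[ -n "$EIFACE" ] || return 1` near the top of start (which begins before this hunk) would be safer. The same port rules are mirrored by the stop hunk above.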