mesh firewall for vpn
parent
5ee100c67d
commit
a68de1c30c
@ -158,20 +158,16 @@ function stop {
|
|||
# SSB/Patchwork
|
||||
iptables -D INPUT -p udp --dport 8008 -j ACCEPT
|
||||
iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
|
||||
# Tunnel over the internet
|
||||
iptables -D INPUT -p tcp --dport 53 -j ACCEPT
|
||||
iptables -D INPUT -p udp --dport 53 -j ACCEPT
|
||||
iptables -D INPUT -p tcp --dport 8942 -j ACCEPT
|
||||
iptables -D INPUT -p udp --dport 8942 -j ACCEPT
|
||||
|
||||
iptables -t nat -D POSTROUTING -o $EIFACE -j MASQUERADE
|
||||
iptables -D FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
|
||||
iptables -D FORWARD -i $IFACE -o $EIFACE -j ACCEPT
|
||||
|
||||
if [ $IFACE_SECONDARY ]; then
|
||||
iptables -D FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
|
||||
iptables -D FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
|
||||
fi
|
||||
# vpn over the internet
|
||||
iptables -D INPUT -p tcp --dport 553 -j ACCEPT
|
||||
iptables -D INPUT -p udp --dport 553 -j ACCEPT
|
||||
iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
|
||||
iptables -D INPUT -i tun+ -j ACCEPT
|
||||
iptables -D FORWARD -i tun+ -j ACCEPT
|
||||
iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
|
||||
iptables -D OUTPUT -o tun+ -j ACCEPT
|
||||
|
||||
echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
|
||||
|
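Review bot: The nat teardown `iptables -t nat -D POSTROUTING -o $EIFACE -j MASQUERADE` in `stop` has no `-s` selector, so it cannot match the rule `start` installs with `-s 10.8.0.0/24 -o $EIFACE -j MASQUERADE`; `-D` needs an exact rule match, and the VPN subnet keeps being masqueraded out of the external interface after `stop` has run. Change it to `iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE` (or drop it, since the later `-s 10.8.0.0/24 -o ${EIFACE}` delete already covers one copy), and add `-s 10.8.0.0/24` to the rule being removed only if that is what `start` actually appends — the old/new side of each line is not recoverable from this rendering. The secondary-interface block is guarded by `if [ $IFACE_SECONDARY ]` here but by `if [ $hotspot_enabled ]` in `start`, so a hotspot enabled without that variable, or vice versa, leaves the two FORWARD rules installed or attempts to delete rules that were never added; both should test the same variable, quoted (`[ -n "$IFACE_SECONDARY" ]`). `stop` begins before and continues past this hunk.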
@ -332,20 +328,16 @@ function start {
|
|||
# SSB/Patchwork
|
||||
iptables -A INPUT -p udp --dport 8008 -j ACCEPT
|
||||
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
|
||||
# Tunnel over the internet
|
||||
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
|
||||
iptables -A INPUT -p udp --dport 53 -j ACCEPT
|
||||
iptables -A INPUT -p tcp --dport 8942 -j ACCEPT
|
||||
iptables -A INPUT -p udp --dport 8942 -j ACCEPT
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE
|
||||
iptables -A FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
|
||||
iptables -A FORWARD -i $IFACE -o $EIFACE -j ACCEPT
|
||||
|
||||
if [ $hotspot_enabled ]; then
|
||||
iptables -A FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
|
||||
iptables -A FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
|
||||
fi
|
||||
# vpn over the internet
|
||||
iptables -A INPUT -p tcp --dport 553 -j ACCEPT
|
||||
iptables -A INPUT -p udp --dport 553 -j ACCEPT
|
||||
iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
|
||||
iptables -A INPUT -i tun+ -j ACCEPT
|
||||
iptables -A FORWARD -i tun+ -j ACCEPT
|
||||
iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
|
||||
iptables -A OUTPUT -o tun+ -j ACCEPT
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
|
||||
|
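Review bot: `start` appends the same masquerade rule twice, `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE` and again `... -o ${EIFACE} -j MASQUERADE` under the "vpn over the internet" comment; iptables does not deduplicate, and `stop` deletes at most one of them, so one copy survives each stop/start cycle. `iptables -A FORWARD -i tun+ -j ACCEPT` forwards everything arriving from VPN clients to every interface, including `$IFACE` and `$IFACE_SECONDARY`, which makes the following state-matched `-i tun+ -o ${EIFACE}` rule unreachable; if VPN clients should only reach the internet, keep the `-o ${EIFACE}` rule and drop the unqualified one. Only the 1194 listener is bound with `-i ${EIFACE}`; the 53, 553, 8008 and 8942 listeners accept on every interface, which is worth stating in a comment if intended. The sysctl edit `s|# net.ipv4.ip_forward|net.ipv4.ip_forward|g` only uncomments, so after `stop` has rewritten the line to `net.ipv4.ip_forward=0` a later `start` leaves the persisted value at 0 while the runtime value is 1; `sed -i 's|^#\? *net.ipv4.ip_forward=.*|net.ipv4.ip_forward=1|' /etc/sysctl.conf` handles both forms. `start` begins before and continues past this hunk, and the old/new side of these lines is not recoverable from the rendering.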