WEBLIB.RE/vpnclient_ynh
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity
vpnclient_ynh/conf/hook_post-iptable-rules

77 lines
2.6 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
host6=$(dig AAAA +short <TPL:SERVER_NAME> | grep -v '\.$')
host4=$(dig A +short <TPL:SERVER_NAME> | grep -v '\.$')
# IPv6
sudo ip6tables -w -N vpnclient_in
sudo ip6tables -w -N vpnclient_out
sudo ip6tables -w -N vpnclient_fwd
sudo ip6tables -w -A vpnclient_in -p icmpv6 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -s fd00::/8,fe80::/10 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -w -A vpnclient_in -j DROP
if [ ! -z "${host6}" ]; then
for i in ${host6}; do
sudo ip6tables -w -A vpnclient_out -d "${i}" -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
done
fi
for i in <TPL:DNS0> <TPL:DNS1>; do
if [[ "${i}" =~ : ]]; then
sudo ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
fi
done
sudo ip6tables -w -A vpnclient_out -d fd00::/8,fe80::/10 -j ACCEPT
sudo ip6tables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -w -A vpnclient_out -j DROP
sudo ip6tables -w -A vpnclient_fwd -j DROP
sudo ip6tables -w -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
sudo ip6tables -w -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
sudo ip6tables -w -I FORWARD 1 -o <TPL:WIRED_DEVICE> -j vpnclient_fwd
# IPv4
sudo iptables -w -N vpnclient_in
sudo iptables -w -N vpnclient_out
sudo iptables -w -N vpnclient_fwd
sudo iptables -w -A vpnclient_in -p icmp -j ACCEPT
sudo iptables -w -A vpnclient_in -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
sudo iptables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
sudo iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
sudo iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -w -A vpnclient_in -j DROP
if [ ! -z "${host4}" ]; then
for i in ${host4}; do
sudo iptables -w -A vpnclient_out -d "${i}" -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
done
fi
for i in <TPL:DNS0> <TPL:DNS1>; do
if [[ "${i}" =~ \. ]]; then
sudo iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
fi
done
sudo iptables -w -A vpnclient_out -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
sudo iptables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -w -A vpnclient_out -j DROP
sudo iptables -w -A vpnclient_fwd -j DROP
sudo iptables -w -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
sudo iptables -w -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
sudo iptables -w -I FORWARD 1 -o <TPL:WIRED_DEVICE> -j vpnclient_fwd
exit 0
Reference in New Issue View Git Blame Copy Permalink