Merge c9f0fba117 into 30735c91d8
This commit is contained in:
BornToBeRoot
GitHub
commit
bfa9ad7601
1 changed files with 71 additions and 28 deletions
|
|
@ -870,44 +870,63 @@ verb 3" >> /etc/openvpn/server.conf
|
||||||
installUnbound
|
installUnbound
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Add iptables rules in two scripts
|
# Add firewall rules --> firewalld / iptable (systemd scripts)
|
||||||
mkdir /etc/iptables
|
if pgrep firewalld; then
|
||||||
|
# Allow incoming traffic
|
||||||
|
if [[ "$PORT" == '1194' ]] && [[ "$PROTOCOL" == "udp" ]]; then
|
||||||
|
firewall-cmd --zone=public --add-service=openvpn
|
||||||
|
firewall-cmd --permanent --zone=public --add-service=openvpn
|
||||||
|
else
|
||||||
|
firewall-cmd --zone=public --add-port="$PORT/$PROTOCOL"
|
||||||
|
firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTOCOL"
|
||||||
|
fi
|
||||||
|
|
||||||
# Script to add rules
|
# Add trusted zone
|
||||||
echo "#!/bin/sh
|
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
||||||
|
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
||||||
|
|
||||||
|
# Set NAT for the VPN subnet
|
||||||
|
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
|
||||||
|
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
|
||||||
|
else
|
||||||
|
# Add iptables rules in two scripts
|
||||||
|
mkdir /etc/iptables
|
||||||
|
|
||||||
|
# Script to add rules
|
||||||
|
echo "#!/bin/sh
|
||||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
|
||||||
iptables -A INPUT -i tun0 -j ACCEPT
|
iptables -A INPUT -i tun0 -j ACCEPT
|
||||||
iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
|
iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
|
||||||
iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT
|
iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT
|
||||||
iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
|
iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
|
||||||
|
|
||||||
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
|
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
|
||||||
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
|
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
|
||||||
ip6tables -A INPUT -i tun0 -j ACCEPT
|
ip6tables -A INPUT -i tun0 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
|
ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
|
||||||
ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
|
ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Script to remove rules
|
# Script to remove rules
|
||||||
echo "#!/bin/sh
|
echo "#!/bin/sh
|
||||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
|
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
|
||||||
iptables -D INPUT -i tun0 -j ACCEPT
|
iptables -D INPUT -i tun0 -j ACCEPT
|
||||||
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
|
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
|
||||||
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
|
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
|
||||||
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
|
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
|
||||||
|
|
||||||
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
|
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
|
||||||
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
|
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
|
||||||
ip6tables -D INPUT -i tun0 -j ACCEPT
|
ip6tables -D INPUT -i tun0 -j ACCEPT
|
||||||
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
|
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
|
||||||
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
|
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chmod +x /etc/iptables/add-openvpn-rules.sh
|
chmod +x /etc/iptables/add-openvpn-rules.sh
|
||||||
chmod +x /etc/iptables/rm-openvpn-rules.sh
|
chmod +x /etc/iptables/rm-openvpn-rules.sh
|
||||||
|
|
||||||
# Handle the rules via a systemd script
|
# Handle the rules via a systemd script
|
||||||
echo "[Unit]
|
echo "[Unit]
|
||||||
Description=iptables rules for OpenVPN
|
Description=iptables rules for OpenVPN
|
||||||
Before=network-online.target
|
Before=network-online.target
|
||||||
Wants=network-online.target
|
Wants=network-online.target
|
||||||
|
|
@ -921,10 +940,11 @@ RemainAfterExit=yes
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
|
WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
|
||||||
|
|
||||||
# Enable service and apply rules
|
# Enable service and apply rules
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl enable iptables-openvpn
|
systemctl enable iptables-openvpn
|
||||||
systemctl start iptables-openvpn
|
systemctl start iptables-openvpn
|
||||||
|
fi
|
||||||
|
|
||||||
# If the server is behind a NAT, use the correct IP address for the clients to connect to
|
# If the server is behind a NAT, use the correct IP address for the clients to connect to
|
||||||
if [[ "$ENDPOINT" != "" ]]; then
|
if [[ "$ENDPOINT" != "" ]]; then
|
||||||
|
|
@ -1142,14 +1162,37 @@ function removeOpenVPN () {
|
||||||
rm /etc/systemd/system/openvpn\@.service
|
rm /etc/systemd/system/openvpn\@.service
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Remove the iptables rules related to the script
|
# Remove firewall rules --> firewalld / iptable (systemd scripts)
|
||||||
systemctl stop iptables-openvpn
|
if pgrep firewalld; then
|
||||||
# Cleanup
|
# Get IP from firewall-cmd
|
||||||
systemctl disable iptables-openvpn
|
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
|
||||||
rm /etc/systemd/system/iptables-openvpn.service
|
# Get OpenVPN protocol from the configuration
|
||||||
systemctl daemon-reload
|
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||||
rm /etc/iptables/add-openvpn-rules.sh
|
|
||||||
rm /etc/iptables/rm-openvpn-rules.sh
|
if [[ "$PORT" == '1194' ]] && [[ "$PROTOCOL" == "udp" ]]; then
|
||||||
|
firewall-cmd --zone=public --remove-service=openvpn
|
||||||
|
firewall-cmd --permanent --zone=public --remove-service=openvpn
|
||||||
|
else
|
||||||
|
firewall-cmd --zone=public --remove-port="$PORT/$PROTOCOL"
|
||||||
|
firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTOCOL"
|
||||||
|
fi
|
||||||
|
|
||||||
|
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
||||||
|
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
||||||
|
|
||||||
|
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
|
||||||
|
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
|
||||||
|
else
|
||||||
|
# Remove the iptables rules related to the script
|
||||||
|
systemctl stop iptables-openvpn
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
systemctl disable iptables-openvpn
|
||||||
|
rm /etc/systemd/system/iptables-openvpn.service
|
||||||
|
systemctl daemon-reload
|
||||||
|
rm /etc/iptables/add-openvpn-rules.sh
|
||||||
|
rm /etc/iptables/rm-openvpn-rules.sh
|
||||||
|
fi
|
||||||
|
|
||||||
# SELinux
|
# SELinux
|
||||||
if hash sestatus 2>/dev/null; then
|
if hash sestatus 2>/dev/null; then
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue