
use openvpn variable for remote ips in firewall rules when available

HgO 1 year ago
parent
commit
5b9802a3f8
1 changed files with 31 additions and 28 deletions
  1. 31 28
      conf/hook_post-iptable-rules

+ 31 - 28
conf/hook_post-iptable-rules

@@ -1,27 +1,32 @@
 #!/bin/bash
 
-server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
-
-# In case an ip has been provided in ovpn conf
-host4=""
-host6=""
-for i in ${server_names}; do
-  if [[ "${i}" =~ : ]]; then
+if [[ -z "${trusted_ip}" && -z "${trusted_ip6}" ]]; then
+  server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
+
+  # In case an ip has been provided in ovpn conf
+  host4=""
+  host6=""
+  for i in ${server_names}; do
+    if [[ "${i}" =~ : ]]; then
       host6+=" ${i}"
-  elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+    elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
       host4+=" ${i}"
+    else
+      host6+=" $(dig AAAA +short "${i}" @127.0.0.1 | grep -v '\.$' | grep -v "timed out")"
+      host4+=" $(dig A +short "${i}" @127.0.0.1 | grep -v '\.$' | grep -v "timed out")"
+    fi
+  done
+else
+  if [[ -n "${trusted_ip6}" ]]; then
+    host6=${trusted_ip6}
   fi
-done
 
-if [[ -z "${host6}" ]]; then
-  host6=$(dig AAAA +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
-fi
-
-if [[ -z "${host4}" ]]; then
-  host4=$(dig A +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
+  if [[ -n "${trusted_ip}" ]]; then
+    host4=${trusted_ip}
+  fi
 fi
 
-interface=$(ip route | awk '/default via/ { print $5; }')
+wired_device=$(ip route | awk '/default via/ { print $5; }')
 dns=$(grep -o -P '^\s*nameserver\s+\K[a-fA-F\d.:]+$' /etc/resolv.dnsmasq.conf | sort | uniq)
 
 # IPv6
@@ -37,14 +42,13 @@ ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
 ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 ip6tables -w -A vpnclient_in -j DROP
 
-if [ ! -z "${host6}" ]; then
+if [[ ! -z "${host6}" ]]; then
   for i in ${host6}; do
     ip6tables -w -A vpnclient_out -d "${i}" -j ACCEPT
   done
 fi
 
-for i in ${dns};
-do
+for i in ${dns}; do
   if [[ "${i}" =~ : ]]; then
     ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
   fi
@@ -58,9 +62,9 @@ ip6tables -w -A vpnclient_out -j DROP
 
 ip6tables -w -A vpnclient_fwd -j DROP
 
-ip6tables -w -I INPUT 1 -i $interface -j vpnclient_in
-ip6tables -w -I OUTPUT 1 -o $interface -j vpnclient_out
-ip6tables -w -I FORWARD 1 -o $interface -j vpnclient_fwd
+ip6tables -w -I INPUT 1 -i $wired_device -j vpnclient_in
+ip6tables -w -I OUTPUT 1 -o $wired_device -j vpnclient_out
+ip6tables -w -I FORWARD 1 -o $wired_device -j vpnclient_fwd
 
 # IPv4
 
@@ -75,14 +79,13 @@ iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
 iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -w -A vpnclient_in -j DROP
 
-if [ ! -z "${host4}" ]; then
+if [[ ! -z "${host4}" ]]; then
   for i in ${host4}; do
     iptables -w -A vpnclient_out -d "${i}" -j ACCEPT
   done
 fi
 
-for i in ${dns};
-do
+for i in ${dns}; do
   if [[ "${i}" =~ \. ]]; then
     iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
   fi
@@ -95,8 +98,8 @@ iptables -w -A vpnclient_out -j DROP
 
 iptables -w -A vpnclient_fwd -j DROP
 
-iptables -w -I INPUT 1 -i $interface -j vpnclient_in
-iptables -w -I OUTPUT 1 -o $interface -j vpnclient_out
-iptables -w -I FORWARD 1 -o  $interface -j vpnclient_fwd
+iptables -w -I INPUT 1 -i $wired_device -j vpnclient_in
+iptables -w -I OUTPUT 1 -o $wired_device -j vpnclient_out
+iptables -w -I FORWARD 1 -o  $wired_device -j vpnclient_fwd
 
 exit 0
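Review bot: In the first hunk the `else` branch assigns `host4`/`host6` only when the matching `trusted_ip`/`trusted_ip6` is non-empty, so the initialisation `host4=""`/`host6=""` that used to run unconditionally now happens only in the fallback branch; the later `[[ ! -z "${host6}" ]]` checks still work because the script does not enable `set -u`, but hoisting `host4=""` and `host6=""` above the `if` keeps the variables defined on every path and would survive a future `set -u`. Since the new code silently depends on its caller's environment, a comment above the condition would help the next maintainer, e.g. `# trusted_ip / trusted_ip6 are exported by OpenVPN when this hook runs from a script hook; otherwise resolve the remote entries of client.conf ourselves` (how the hook is invoked is not visible here, so confirm the variable names against the OpenVPN scripting environment). Note that when only `trusted_ip` is set, `host6` stays empty and no IPv6 ACCEPT for the server is added (and vice versa), which differs from the old behaviour of resolving both families; if that is intended it deserves a comment too. As a point of style, the `[` → `[[` conversions at the top of the third and fifth hunks keep `! -z`; `[[ -n "${host6}" ]]` and `[[ -n "${host4}" ]]` read more directly.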