| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 |
- #!/bin/bash
- server_names=$(grep -o -P '^\s*remote\s+\K([^\s]+)' /etc/openvpn/client.conf | sort | uniq)
- host6=$(dig AAAA +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
- host4=$(dig A +short $server_names @127.0.0.1 | grep -v '\.$' | grep -v "timed out")
- # In case an ip has been provided in ovpn conf
- for i in ${server_names}; do
- if [[ "${i}" =~ : ]]; then
- host6+=" ${i}"
- elif [[ "${i}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
- host4+=" ${i}"
- fi
- done
- interface=$(ip route | awk '/default via/ { print $5; }')
- dns=$(grep -o -P '\s*nameserver\s+\K[ABCDEFabcdef\d.:]+' /etc/resolv.dnsmasq.conf)
- # IPv6
- ip6tables -w -N vpnclient_in
- ip6tables -w -N vpnclient_out
- ip6tables -w -N vpnclient_fwd
- ip6tables -w -A vpnclient_in -p icmpv6 -j ACCEPT
- ip6tables -w -A vpnclient_in -s fd00::/8,fe80::/10 -j ACCEPT
- ip6tables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
- ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
- ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- ip6tables -w -A vpnclient_in -j DROP
- if [ ! -z "${host6}" ]; then
- for i in ${host6}; do
- ip6tables -w -A vpnclient_out -d "${i}" -j ACCEPT
- done
- fi
- for i in ${dns};
- do
- if [[ "${i}" =~ : ]]; then
- ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
- fi
- done
- ip6tables -w -A vpnclient_out -d fd00::/8,fe80::/10 -j ACCEPT
- ip6tables -w -A vpnclient_out -p icmpv6 -j ACCEPT
- ip6tables -w -A vpnclient_out -p udp --dport 5353 -d ff02::fb -j ACCEPT
- ip6tables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- ip6tables -w -A vpnclient_out -j DROP
- ip6tables -w -A vpnclient_fwd -j DROP
- ip6tables -w -I INPUT 1 -i $interface -j vpnclient_in
- ip6tables -w -I OUTPUT 1 -o $interface -j vpnclient_out
- ip6tables -w -I FORWARD 1 -o $interface -j vpnclient_fwd
- # IPv4
- iptables -w -N vpnclient_in
- iptables -w -N vpnclient_out
- iptables -w -N vpnclient_fwd
- iptables -w -A vpnclient_in -p icmp -j ACCEPT
- iptables -w -A vpnclient_in -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
- iptables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
- iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
- iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -w -A vpnclient_in -j DROP
- if [ ! -z "${host4}" ]; then
- for i in ${host4}; do
- iptables -w -A vpnclient_out -d "${i}" -j ACCEPT
- done
- fi
- for i in ${dns};
- do
- if [[ "${i}" =~ \. ]]; then
- iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
- fi
- done
- iptables -w -A vpnclient_out -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
- iptables -w -A vpnclient_out -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
- iptables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -w -A vpnclient_out -j DROP
- iptables -w -A vpnclient_fwd -j DROP
- iptables -w -I INPUT 1 -i $interface -j vpnclient_in
- iptables -w -I OUTPUT 1 -o $interface -j vpnclient_out
- iptables -w -I FORWARD 1 -o $interface -j vpnclient_fwd
- exit 0
|
