Home Explore Help
Sign In
labriqueinternet
/
vpnclient_ynh
mirror of https://github.com/labriqueinternet/vpnclient_ynh
3
0
Fork 0
Files
Tree: abcddf3634
Branches Tags
vpnclient_ynh
/
conf
/
hook_post-iptable-rules

hook_post-iptable-rules 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. #!/bin/bash
    2. 

  2. 

  3. host6=$(dig AAAA +short <TPL:SERVER_NAME> | tail -n1)
    4. 

  4. host4=$(dig A +short <TPL:SERVER_NAME> | tail -n1)
    5. 

  5. 

  6. # IPv6
    7. 

  7. 

  8. sudo ip6tables -N vpnclient_in
    9. 

  9. sudo ip6tables -N vpnclient_out
    10. 

  10. sudo ip6tables -N vpnclient_fwd
    11. 

  11. 

  12. sudo ip6tables -A vpnclient_in -p icmpv6 -j ACCEPT
    13. 

  13. sudo ip6tables -A vpnclient_in -s fd00::/8,fe80::/10 -j ACCEPT
    14. 

  14. sudo ip6tables -A vpnclient_in -p tcp --dport 22 -j ACCEPT
    15. 

  15. sudo ip6tables -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    16. 

  16. sudo ip6tables -A vpnclient_in -j DROP
    17. 

  17. 

  18. if [ ! -z "${host6}" ]; then
    19. 

  19.   sudo ip6tables -A vpnclient_out -d ${host6} -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
    20. 

  20. fi
    21. 

  21. 

  22. for i in <TPL:DNS0> <TPL:DNS1>; do
    23. 

  23.   if [[ "${i}" =~ : ]]; then
    24. 

  24.     sudo ip6tables -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
    25. 

  25.   fi
    26. 

  26. done
    27. 

  27. 

  28. sudo ip6tables -A vpnclient_out -d fd00::/8,fe80::/10 -j ACCEPT
    29. 

  29. sudo ip6tables -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    30. 

  30. sudo ip6tables -A vpnclient_out -j DROP
    31. 

  31. 

  32. sudo ip6tables -A vpnclient_fwd -j DROP
    33. 

  33. 

  34. sudo ip6tables -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
    35. 

  35. sudo ip6tables -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
    36. 

  36. sudo ip6tables -I FORWARD 1 -o <TPL:WIRED_DEVICE> -j vpnclient_fwd
    37. 

  37. 

  38. # IPv4
    39. 

  39. 

  40. sudo iptables -N vpnclient_in
    41. 

  41. sudo iptables -N vpnclient_out
    42. 

  42. sudo iptables -N vpnclient_fwd
    43. 

  43. 

  44. sudo iptables -A vpnclient_in -p icmp -j ACCEPT
    45. 

  45. sudo iptables -A vpnclient_in -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
    46. 

  46. sudo iptables -A vpnclient_in -p tcp --dport 22 -j ACCEPT
    47. 

  47. sudo iptables -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    48. 

  48. sudo iptables -A vpnclient_in -j DROP
    49. 

  49. 

  50. if [ ! -z "${host4}" ]; then
    51. 

  51.   sudo iptables -A vpnclient_out -d ${host4} -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
    52. 

  52. fi
    53. 

  53. 

  54. for i in <TPL:DNS0> <TPL:DNS1>; do
    55. 

  55.   if [[ "${i}" =~ \. ]]; then
    56. 

  56.     sudo iptables -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
    57. 

  57.   fi
    58. 

  58. done
    59. 

  59. 

  60. sudo iptables -A vpnclient_out -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
    61. 

  61. sudo iptables -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    62. 

  62. sudo iptables -A vpnclient_out -j DROP
    63. 

  63. 

  64. sudo iptables -A vpnclient_fwd -j DROP
    65. 

  65. 

  66. sudo iptables -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
    67. 

  67. sudo iptables -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
    68. 

  68. sudo iptables -I FORWARD 1 -o  <TPL:WIRED_DEVICE> -j vpnclient_fwd
    69. 

  69. 

  70. exit 0
    71.