labriqueinternet
/
vpnclient_ynh
mirror of https://github.com/labriqueinternet/vpnclient_ynh


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778
							#!/bin/bash

host6=$(dig AAAA +short <TPL:SERVER_NAME> | grep -v '\.$')
host4=$(dig A +short <TPL:SERVER_NAME> | grep -v '\.$')

# IPv6

sudo ip6tables -w -N vpnclient_in
sudo ip6tables -w -N vpnclient_out
sudo ip6tables -w -N vpnclient_fwd

sudo ip6tables -w -A vpnclient_in -p icmpv6 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -s fd00::/8,fe80::/10 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
sudo ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -w -A vpnclient_in -j DROP

if [ ! -z "${host6}" ]; then
  for i in ${host6}; do
    sudo ip6tables -w -A vpnclient_out -d "${i}" -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
  done
fi

for i in <TPL:DNS0> <TPL:DNS1>; do
  if [[ "${i}" =~ : ]]; then
    sudo ip6tables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
  fi
done

sudo ip6tables -w -A vpnclient_out -d fd00::/8,fe80::/10 -j ACCEPT
sudo ip6tables -w -A vpnclient_out -p udp --dport 5353 -d ff02::fb -j ACCEPT
sudo ip6tables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -w -A vpnclient_out -j DROP

sudo ip6tables -w -A vpnclient_fwd -j DROP

sudo ip6tables -w -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
sudo ip6tables -w -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
sudo ip6tables -w -I FORWARD 1 -o <TPL:WIRED_DEVICE> -j vpnclient_fwd

# IPv4

sudo iptables -w -N vpnclient_in
sudo iptables -w -N vpnclient_out
sudo iptables -w -N vpnclient_fwd

sudo iptables -w -A vpnclient_in -p icmp -j ACCEPT
sudo iptables -w -A vpnclient_in -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
sudo iptables -w -A vpnclient_in -p tcp --dport 22 -j ACCEPT
sudo iptables -w -A vpnclient_in -p tcp --dport 443 -j ACCEPT
sudo iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -w -A vpnclient_in -j DROP

if [ ! -z "${host4}" ]; then
  for i in ${host4}; do
    sudo iptables -w -A vpnclient_out -d "${i}" -p <TPL:PROTO> --dport <TPL:SERVER_PORT> -j ACCEPT
  done
fi

for i in <TPL:DNS0> <TPL:DNS1>; do
  if [[ "${i}" =~ \. ]]; then
    sudo iptables -w -A vpnclient_out -p udp -d "${i}" --dport 53 -j ACCEPT
  fi
done

sudo iptables -w -A vpnclient_out -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j ACCEPT
sudo iptables -w -A vpnclient_out -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
sudo iptables -w -A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -w -A vpnclient_out -j DROP

sudo iptables -w -A vpnclient_fwd -j DROP

sudo iptables -w -I INPUT 1 -i <TPL:WIRED_DEVICE> -j vpnclient_in
sudo iptables -w -I OUTPUT 1 -o <TPL:WIRED_DEVICE> -j vpnclient_out
sudo iptables -w -I FORWARD 1 -o  <TPL:WIRED_DEVICE> -j vpnclient_fwd

exit 0