From a6048d509fff11c28cbabc36633f76c1ac5ce988 Mon Sep 17 00:00:00 2001
From: Nyr
Date: Fri, 7 Jun 2019 16:17:14 +0200
Subject: [PATCH] Switch to systemd for iptables configuration

See #464.
---
 openvpn-install.sh | 52 +++++++++++++++++-----------------------------
 1 file changed, 19 insertions(+), 33 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 9a500d8..c39d959 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -25,11 +25,9 @@ fi
 if [[ -e /etc/debian_version ]]; then
 OS=debian
 GROUPNAME=nogroup
- RCLOCAL='/etc/rc.local'
 elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
 OS=centos
 GROUPNAME=nobody
- RCLOCAL='/etc/rc.d/rc.local'
 else
 echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
 exit
@@ -133,17 +131,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
 firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
 else
- IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14)
- iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
- if iptables -L -n | grep -qE '^ACCEPT'; then
- iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
- iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
- fi
+ systemctl disable --now openvpn-iptables.service
+ rm -f /etc/systemd/system/openvpn-iptables.service
 fi
 if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
 semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
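Review bot: The uninstall branch now only handles rules persisted by openvpn-iptables.service, so a server set up by an earlier version of this script (which, per the removed lines, wrote the SNAT and ACCEPT rules into rc.local) keeps those rules active and persistent after uninstall, and removing the unit file with `rm -f` without a reload leaves systemd holding a stale unit definition. Consider adding `systemctl daemon-reload` after the `rm -f`, and keeping a guarded fallback that strips the old rc.local entries when that file still contains the `iptables -t nat -A POSTROUTING` line. The enclosing `if [[ -e /etc/openvpn/server.conf ]]` block begins before this hunk.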
@@ -328,26 +317,23 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
 firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
 firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
 else
- # Needed to use rc.local with some systemd distros
- if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
- echo '#!/bin/sh -e
-exit 0' > $RCLOCAL
- fi
- chmod +x $RCLOCAL
- # Set NAT for the VPN subnet
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
- if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
- # If iptables has at least one REJECT rule, we asume this is needed.
- # Not the best approach but I can't think of other and this shouldn't
- # cause problems.
- iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
- iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
- fi
+ # Create a service to set up persistent iptables rules
+ echo "[Unit]
+Before=network.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
+ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
+ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
+ systemctl enable --now openvpn-iptables.service
 fi
 # If SELinux is enabled and a custom port was selected, we need this
 if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
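Review bot: The `ExecStop=` lines in the new unit are not failure-tolerant, so if the first `iptables -D` fails (for example because the NAT rule was already removed by hand) systemd stops at the failing command and the INPUT/FORWARD ACCEPT rules stay loaded after `systemctl disable --now`; prefix each with `-`, e.g. `ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP`. Note also that the removed code only inserted the ACCEPT rules when a REJECT/DROP rule existed, whereas the unit now installs them unconditionally with `-I` at the head of INPUT and FORWARD, which is worth stating in the comment, e.g. `# Create a service to set up persistent iptables rules (NAT plus ACCEPT for the VPN port and subnet, always inserted at the top of the chains)`. The `else` branch this unit is written in begins before the hunk.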