mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Multiple firewall bug fixes
- When FirewallD is detected, NAT is now applied via FirewallD instead of iptables (fixes #267). - iptables REJECT/DROP/ACCEPT rules where not being properly detected. - iptables rules were applied even when FirewallD was detected and the same rules were being applied via firewall-cmd.
This commit is contained in:
parent
0c5af3a4f2
commit
c94bc5e3b4
@ -130,15 +130,20 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
if [[ "$REMOVE" = 'y' ]]; then
|
||||
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||
IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 11)
|
||||
if pgrep firewalld; then
|
||||
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 7)
|
||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||
firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
||||
firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
||||
fi
|
||||
if iptables -L -n | grep -qE 'REJECT|DROP|ACCEPT'; then
|
||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
else
|
||||
IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 11)
|
||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
||||
if iptables -L -n | grep -qE '^ACCEPT'; then
|
||||
iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
||||
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -146,8 +151,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
||||
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
||||
fi
|
||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
||||
fi
|
||||
if hash sestatus 2>/dev/null; then
|
||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
|
||||
@ -309,6 +313,19 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
fi
|
||||
# Avoid an unneeded reboot
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
if pgrep firewalld; then
|
||||
# Using both permanent and not permanent rules to avoid a firewalld
|
||||
# reload.
|
||||
# We don't use --add-service=openvpn because that would only work with
|
||||
# the default port and protocol.
|
||||
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
||||
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
||||
# Set NAT for the VPN subnet
|
||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
else
|
||||
# Needed to use rc.local with some systemd distros
|
||||
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
|
||||
echo '#!/bin/sh -e
|
||||
@ -318,16 +335,7 @@ exit 0' > $RCLOCAL
|
||||
# Set NAT for the VPN subnet
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||
if pgrep firewalld; then
|
||||
# We don't use --add-service=openvpn because that would only work with
|
||||
# the default port and protocol. Using both permanent and not permanent
|
||||
# rules to avoid a firewalld reload.
|
||||
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
||||
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
||||
fi
|
||||
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
||||
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
|
||||
# If iptables has at least one REJECT rule, we asume this is needed.
|
||||
# Not the best approach but I can't think of other and this shouldn't
|
||||
# cause problems.
|
||||
@ -338,6 +346,7 @@ exit 0' > $RCLOCAL
|
||||
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
|
||||
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
|
||||
fi
|
||||
fi
|
||||
# If SELinux is enabled and a custom port or TCP was selected, we need this
|
||||
if hash sestatus 2>/dev/null; then
|
||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||
|
Loading…
Reference in New Issue
Block a user