From cc81838501aef2c896c656059b45b0d8f89465a6 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 14 Jun 2018 22:40:45 +0200 Subject: [PATCH] Revert "Improve iptables configuration" This reverts commit fdc2bfbdace91a8e456f9623c0d9215978f7d888. --- openvpn-install.sh | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2b26c7e..403e0fd 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,9 +25,11 @@ fi if [[ -e /etc/debian_version ]]; then OS=debian GROUPNAME=nogroup + RCLOCAL='/etc/rc.local' elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos GROUPNAME=nobody + RCLOCAL='/etc/rc.d/rc.local' else echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" exit @@ -131,12 +133,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else - IP=$(grep 'iptables -t nat -C POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' /etc/openvpn/iptables-init | cut -d " " -f 14) + IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14) iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP + sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL if iptables -L -n | grep -qE '^ACCEPT'; then iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL + sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL + sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL fi fi if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then @@ -315,22 +321,26 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else + # Needed to use rc.local with some systemd distros + if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then + echo '#!/bin/sh -e +exit 0' > $RCLOCAL + fi + chmod +x $RCLOCAL # Set NAT for the VPN subnet - # iptables-init checks if the rules already exist, so duplicates aren't - # added when iptables-init is called after an OpenVPN service restart. - echo '#!/bin/bash' > /etc/openvpn/iptables-init -echo "iptables -t nat -C POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" >> /etc/openvpn/iptables-init + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP + sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL if iptables -L -n | grep -qE '^(REJECT|DROP)'; then # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't # cause problems. - echo "iptables -C INPUT -p $PROTOCOL --dport $PORT -j ACCEPT || iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT -iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT || iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT -iptables -C FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/openvpn/iptables-init + iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT + iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT + iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL + sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL + sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL fi - chmod +x /etc/openvpn/iptables-init - echo "script-security 2 -up /etc/openvpn/iptables-init" >> /etc/openvpn/server.conf fi # If SELinux is enabled and a custom port was selected, we need this if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then