mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Revert "Improve iptables configuration"
This reverts commit fdc2bfbdac
.
This commit is contained in:
parent
fdc2bfbdac
commit
cc81838501
@ -25,9 +25,11 @@ fi
|
|||||||
if [[ -e /etc/debian_version ]]; then
|
if [[ -e /etc/debian_version ]]; then
|
||||||
OS=debian
|
OS=debian
|
||||||
GROUPNAME=nogroup
|
GROUPNAME=nogroup
|
||||||
|
RCLOCAL='/etc/rc.local'
|
||||||
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
|
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
|
||||||
OS=centos
|
OS=centos
|
||||||
GROUPNAME=nobody
|
GROUPNAME=nobody
|
||||||
|
RCLOCAL='/etc/rc.d/rc.local'
|
||||||
else
|
else
|
||||||
echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
|
echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
|
||||||
exit
|
exit
|
||||||
@ -131,12 +133,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
else
|
else
|
||||||
IP=$(grep 'iptables -t nat -C POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' /etc/openvpn/iptables-init | cut -d " " -f 14)
|
IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14)
|
||||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
|
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
||||||
if iptables -L -n | grep -qE '^ACCEPT'; then
|
if iptables -L -n | grep -qE '^ACCEPT'; then
|
||||||
iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
||||||
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
|
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||||
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
|
||||||
|
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
||||||
|
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
||||||
@ -315,22 +321,26 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
|||||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
else
|
else
|
||||||
|
# Needed to use rc.local with some systemd distros
|
||||||
|
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
|
||||||
|
echo '#!/bin/sh -e
|
||||||
|
exit 0' > $RCLOCAL
|
||||||
|
fi
|
||||||
|
chmod +x $RCLOCAL
|
||||||
# Set NAT for the VPN subnet
|
# Set NAT for the VPN subnet
|
||||||
# iptables-init checks if the rules already exist, so duplicates aren't
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
|
||||||
# added when iptables-init is called after an OpenVPN service restart.
|
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||||
echo '#!/bin/bash' > /etc/openvpn/iptables-init
|
|
||||||
echo "iptables -t nat -C POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" >> /etc/openvpn/iptables-init
|
|
||||||
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
|
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
|
||||||
# If iptables has at least one REJECT rule, we asume this is needed.
|
# If iptables has at least one REJECT rule, we asume this is needed.
|
||||||
# Not the best approach but I can't think of other and this shouldn't
|
# Not the best approach but I can't think of other and this shouldn't
|
||||||
# cause problems.
|
# cause problems.
|
||||||
echo "iptables -C INPUT -p $PROTOCOL --dport $PORT -j ACCEPT || iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
||||||
iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT || iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||||
iptables -C FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/openvpn/iptables-init
|
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
|
||||||
|
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
|
||||||
|
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
|
||||||
fi
|
fi
|
||||||
chmod +x /etc/openvpn/iptables-init
|
|
||||||
echo "script-security 2
|
|
||||||
up /etc/openvpn/iptables-init" >> /etc/openvpn/server.conf
|
|
||||||
fi
|
fi
|
||||||
# If SELinux is enabled and a custom port was selected, we need this
|
# If SELinux is enabled and a custom port was selected, we need this
|
||||||
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
||||||
|
Loading…
Reference in New Issue
Block a user