diff --git a/openvpn-install.sh b/openvpn-install.sh
index 2b21209..86f6e1d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -328,25 +328,27 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
 fi
 else
 # Create a service to set up persistent iptables rules
+ iptables_path=$(command -v iptables)
+ ip6tables_path=$(command -v ip6tables)
 echo "[Unit]
 Before=network.target
 [Service]
 Type=oneshot
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
-ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT
-ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
-ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT
-ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
+ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
+ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
+ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
 if [[ -n "$ip6" ]]; then
 echo "ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! 
-d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
-ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
-ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
+ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
 fi
 echo "RemainAfterExit=yes
 [Install]
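Review bot: The IPv6 SNAT rule that opens the `if [[ -n "$ip6" ]]` block is left as an unchanged context line and still hardcodes `/sbin/ip6tables`, while every other ip6tables rule written to the unit now uses `$ip6tables_path`. On a host where ip6tables is not at /sbin — the situation this change exists to handle — that first ExecStart= fails, and because the unit is Type=oneshot with several ExecStart= lines, systemd would (as far as I recall its semantics) stop at the failure and never add the IPv6 FORWARD rules; the line should become `echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6`. Separately, `command -v` prints nothing if the binary is not on PATH when this branch runs (the package-install step is not visible in this hunk), which would write `ExecStart=-t nat …` into the unit and make it unparseable; a guard such as `[[ -n "$iptables_path" ]] || iptables_path=/sbin/iptables` (and the same for ip6tables) keeps the previous path as a fallback. The if/else enclosing this block opens and closes outside the hunk.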