From ef30d9863c0f858acee2e8ca6a17d60eaec608a0 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 30 Apr 2020 00:28:27 +0200 Subject: [PATCH] Improved firewall management - Always use firewalld for CentOS and Fedora - Cleaner check to find out if firewalld is active --- openvpn-install.sh | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 86f6e1d..943abeb 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -181,7 +181,15 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") [[ -z "$client" ]] && client="client" echo - echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." + echo "We are ready to set up your OpenVPN server now." + # DigitalOcean ships their CentOS and Fedora images without firewalld + # We don't want to silently enable a firewall, so we give a subtle warning + # If the user continues, firewalld will be installed and enabled during setup + if [[ "$os" == "centos" || "$os" == "fedora" ]] && ! systemctl is-active --quiet firewalld.service; then + echo + echo "firewalld, which is required to manage routing tables, will also be installed." + fi + echo read -n1 -r -p "Press any key to continue..." # If running inside a container, disable LimitNPROC to prevent conflicts if systemd-detect-virt -cq; then @@ -194,10 +202,12 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab apt-get install -y openvpn iptables openssl ca-certificates elif [[ "$os" = "centos" ]]; then yum install -y epel-release - yum install -y openvpn iptables openssl ca-certificates tar + yum install -y openvpn firewalld openssl ca-certificates tar + systemctl enable --now firewalld.service else # Else, OS must be Fedora - dnf install -y openvpn iptables openssl ca-certificates tar + dnf install -y openvpn firewalld openssl ca-certificates tar + systemctl enable --now firewalld.service fi # Get easy-rsa easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' @@ -308,7 +318,7 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Enable without waiting for a reboot or service restart echo 1 > /proc/sys/net/ipv6/conf/all/forwarding fi - if pgrep firewalld; then + if systemctl is-active --quiet firewalld.service; then # Using both permanent and not permanent rules to avoid a firewalld # reload. # We don't use --add-service=openvpn because that would only work with @@ -360,9 +370,11 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service # Install semanage if not already present if ! hash semanage 2>/dev/null; then if [[ "$os_version" -eq 7 ]]; then + # Centos 7 yum install -y policycoreutils-python else - yum install -y policycoreutils-python-utils + # CentOS 8 or Fedora + dnf install -y policycoreutils-python-utils fi fi semanage port -a -t openvpn_port_t -p "$protocol" "$port" @@ -476,7 +488,7 @@ else if [[ "$remove" =~ ^[yY]$ ]]; then port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - if pgrep firewalld; then + if systemctl is-active --quiet firewalld.service; then ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --remove-port="$port"/"$protocol"