From 4ab84f14aa71b993b7496010c9c99becd808d3bb Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Sun, 17 Jan 2016 14:29:30 -0600
Subject: [PATCH] Update sysctl.conf settings and IPTables rules

---
 vpnsetup.sh        | 9 +++++++++
 vpnsetup_centos.sh | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/vpnsetup.sh b/vpnsetup.sh
index 84dbcd6..5d90867 100644
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -264,8 +264,12 @@ net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.lo.send_redirects = 0
+net.ipv4.conf.eth0.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
@@ -293,6 +297,7 @@ cat > /etc/iptables.rules <<EOF
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -d 127.0.0.0/8 -j REJECT
 -A INPUT -p icmp --icmp-type 255 -j ICMPALL
 -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
@@ -344,6 +349,8 @@ echo "# Modified by hwdsl2 VPN script" >> /etc/iptables.rules
 fi
 fi
 
+if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
+
 /bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ip6tables.rules <<EOF
 # Added by hwdsl2 VPN script
@@ -360,6 +367,8 @@ cat > /etc/ip6tables.rules <<EOF
 COMMIT
 EOF
 
+fi
+
 cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.rules
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 7f22f08..60797c0 100644
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -303,8 +303,12 @@ net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.lo.send_redirects = 0
+net.ipv4.conf.eth0.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
@@ -332,6 +336,7 @@ cat > /etc/sysconfig/iptables <<EOF
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -d 127.0.0.0/8 -j REJECT
 -A INPUT -p icmp --icmp-type 255 -j ICMPALL
 -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
@@ -382,6 +387,8 @@ echo "# Modified by hwdsl2 VPN script" >> /etc/sysconfig/iptables
 fi
 fi
 
+if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
+
 /bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/sysconfig/ip6tables <<EOF
 # Added by hwdsl2 VPN script
@@ -398,6 +405,8 @@ cat > /etc/sysconfig/ip6tables <<EOF
 COMMIT
 EOF
 
+fi
+
 if [ ! -f /etc/fail2ban/jail.local ] ; then
 
 cat > /etc/fail2ban/jail.local <<EOF