
Improve IPTables rules

- Improve IPTables rules for IPsec VPN setup on systems such as CentOS 8.
  Do not add a DROP rule to the IPTables FORWARD chain if firewalld is
  active, so that existing firewalld FORWARD rules can continue to work.
This commit is contained in:
hwdsl2 2022-06-05 00:02:22 -05:00
parent 4ea627697c
commit 6e6d01dcf7
2 changed files with 4 additions and 2 deletions


@ -273,7 +273,7 @@ update_iptables_rules() {
nft_bk=$(find /etc/sysconfig -maxdepth 1 -name 'nftables.conf.old-*-*-*-*_*_*' -print0 \
| xargs -r -0 ls -1 -t | head -1)
if [ -f "$nft_bk" ] \
&& [ "$(diff -y --suppress-common-lines "$IPT_FILE" "$nft_bk" | wc -l)" = "25" ]; then
&& [ "$(diff -y --suppress-common-lines "$IPT_FILE" "$nft_bk" | wc -l)" = "24" ]; then
bigecho "Restoring nftables rules..."
conf_bk "$IPT_FILE"
/bin/cp -f "$nft_bk" "$IPT_FILE" && /bin/rm -f "$nft_bk"
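Review bot: The new threshold `"24"` in the `wc -l` comparison is a bare magic number that decides whether a backup is copied over `$IPT_FILE`, and this commit already had to move it from 25 to 24, so the next change to the generated rule set will silently disable the restore; a comment tying it to the template would help, e.g. `# 24 = number of lines that differ between the script-generated rules and a pristine nftables.conf backup; update whenever the rule set changes` placed above the `if`. A pure line-count match also cannot tell a genuine backup from any other file that happens to differ by the same number of lines, so if a distinctive marker exists in the backup it would be a sturdier check than the count — I cannot see one from this hunk. update_iptables_rules() starts before and continues after the hunk.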


@ -581,7 +581,9 @@ update_iptables() {
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
iptables -A FORWARD -j DROP
if [ "$use_nft" != "1" ]; then
iptables -A FORWARD -j DROP
fi
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
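Review bot: The new guard `if [ "$use_nft" != "1" ]; then` around `iptables -A FORWARD -j DROP` records nothing about why the catch-all DROP is skipped, and the commit message ties the behaviour to firewalld while the code tests `use_nft` (presumably that variable marks the firewalld/nftables case — worth confirming); a comment above the `if` would keep the intent visible, e.g. `# With nftables/firewalld active, leave FORWARD filtering to firewalld's existing rules; a trailing DROP here would override them`. On that path, forwarded traffic not matched by the ACCEPT rules above now falls through to firewalld's rules and the chain's default policy instead of being dropped here, so it is worth verifying that firewalld's FORWARD handling actually ends in a reject/drop, which this hunk does not show. update_iptables() starts before and continues after the hunk.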