Improve IPTables rules

- Improve IPTables rules for IPsec VPN setup on systems such as CentOS 8. Do not add a DROP rule to the IPTables FORWARD chain if firewalld is active, so that existing firewalld FORWARD rules can continue to work.
2024-11-22 04:56:03 +03:00 · 2022-06-05 00:02:22 -05:00 · 2022-06-05 00:02:22 -05:00 · 6e6d01dcf7
commit 6e6d01dcf7
parent 4ea627697c
2 changed files with 4 additions and 2 deletions
--- a/extras/vpnuninstall.sh
+++ b/extras/vpnuninstall.sh
@ -273,7 +273,7 @@ update_iptables_rules() {
      nft_bk=$(find /etc/sysconfig -maxdepth 1 -name 'nftables.conf.old-*-*-*-*_*_*' -print0 \
        | xargs -r -0 ls -1 -t | head -1)
      if [ -f "$nft_bk" ] \
-        && [ "$(diff -y --suppress-common-lines "$IPT_FILE" "$nft_bk" | wc -l)" = "25" ]; then
+        && [ "$(diff -y --suppress-common-lines "$IPT_FILE" "$nft_bk" | wc -l)" = "24" ]; then
        bigecho "Restoring nftables rules..."
        conf_bk "$IPT_FILE"
        /bin/cp -f "$nft_bk" "$IPT_FILE" && /bin/rm -f "$nft_bk"
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -581,7 +581,9 @@ update_iptables() {
    $ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
    $ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
    $ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
+    if [ "$use_nft" != "1" ]; then
      iptables -A FORWARD -j DROP
+    fi
    $ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
    $ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
    echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"