From 7cdd372a6e2d80066ebd79cb52e77d584f5f873e Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 21 Sep 2016 21:06:22 -0500
Subject: [PATCH] Improve IPTables rules
- Fixed an uncommon use case where the setup script is run again after a server IP change. Make sure to update IPTables rules in this case.
- Thanks @larryisthere! Ref: #17
---
vpnsetup.sh | 16 +++++++++++++---
vpnsetup_centos.sh | 16 +++++++++++++---
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 4599c81..36777bd 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -323,10 +323,20 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
 EOF
 fi
-# Create basic IPTables rules. First check for existing rules.
-# - If IPTables is "empty", simply write out the new rules.
-# - If *not* empty, insert new rules and save them with existing ones.
+# Check if IPTables rules need updating
+ipt_flag=0
 if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
+ ipt_flag=1
+elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ ipt_flag=1
+elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ ipt_flag=1
+fi
+
+# Create basic IPTables rules
+# - If IPTables is "empty", write out the entire new rule set.
+# - If *not* empty, insert only the required rules for the VPN.
+if [ "$ipt_flag" = "1" ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "/etc/iptables.rules.old-$sys_dt"
 sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')"
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 0f8afaa..4792f8d 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
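Review bot: The two `iptables -C` probes correctly notice a SNAT rule that still carries a previous server address, but nothing in this hunk deletes that stale rule before the script goes on to (re)insert; the code after the `sshd_port=` line is outside the hunk, so if that path only adds rules, the old `--to-source` SNAT stays live in the nat table and is captured again by the next `iptables-save`. I would remove any existing SNAT rules for the two VPN subnets right after the backup and before the insertion, by turning `iptables -t nat -S POSTROUTING` output into the matching `-D` commands, as sketched below. The probes also deserve a comment, because `-C` exits non-zero both when the rule is absent and when iptables itself fails (no nat table, command missing) and `2>/dev/null` hides which it was — falling through to a rewrite is the safe default but should be stated: `# -C fails for a missing rule AND for iptables errors; either way, rewrite the rules.` The enclosing `if [ "$ipt_flag" = "1" ]` block continues past the end of the hunk.
```shell
if [ "$ipt_flag" = "1" ]; then
  service fail2ban stop >/dev/null 2>&1
  iptables-save > "/etc/iptables.rules.old-$sys_dt"
  # Drop SNAT rules for the VPN subnets left over from a previous server IP,
  # so only the current address ends up in the nat table and the saved rules.
  iptables -t nat -S POSTROUTING 2>/dev/null \
    | grep -E -- '^-A POSTROUTING -s 192\.168\.4[23]\.0/24 .* -j SNAT ' \
    | sed 's/^-A /-D /' \
    | while IFS= read -r rule; do
        # shellcheck disable=SC2086 -- word-splitting is intended; text is iptables' own -S output
        iptables -t nat $rule 2>/dev/null
      done
  # … unchanged: sshd_port detection and rule insertion …
```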
@@ -317,10 +317,20 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
 EOF
 fi
-# Create basic IPTables rules. First check for existing rules.
-# - If IPTables is "empty", simply write out the new rules.
-# - If *not* empty, insert new rules and save them with existing ones.
+# Check if IPTables rules need updating
+ipt_flag=0
 if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
+ ipt_flag=1
+elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ ipt_flag=1
+elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then
+ ipt_flag=1
+fi
+
+# Create basic IPTables rules
+# - If IPTables is "empty", write out the entire new rule set.
+# - If *not* empty, insert only the required rules for the VPN.
+if [ "$ipt_flag" = "1" ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "/etc/sysconfig/iptables.old-$sys_dt"
 sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')"
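Review bot: The three `ipt_flag=1` branches of the new `if`/`elif`/`elif` all set the same flag, which is then tested exactly once on the following `if`, so the detection reads more directly as a single condition — `if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables ||` followed by the two `! iptables -t nat -C POSTROUTING …` probes on `||` continuation lines — and the intermediate variable disappears. Whichever shape is kept, the two `-C` rule specs must stay token-for-token identical to the SNAT rules the insertion code writes (that code is outside this hunk); any drift, e.g. in the `-o eth+` interface match, means `-C` never succeeds and the rules are re-inserted on every run, so I would pin that with `# Keep these two specs identical to the SNAT rules inserted below; -C needs an exact match.` It is also worth noting in the comment that the first test inspects the persisted file while the other two query the live nat table, so either one being stale triggers a rewrite — a conservative choice, but one a later maintainer should not "fix" by making them agree. The enclosing `if [ "$ipt_flag" = "1" ]` block continues past the end of the hunk.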