1
0
mirror of synced 2024-11-25 06:16:07 +03:00

Minor fix and cleanup

- Minor fix for CentOS 8 for the uncommon scenario where the server has
  "nftables" service enabled
- Cleanup
This commit is contained in:
hwdsl2 2021-04-01 23:06:36 -05:00
parent d76ded2c52
commit 804856064b
3 changed files with 35 additions and 53 deletions

View File

@ -149,13 +149,6 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
bigecho "Adding the EPEL repository..."
(
set -x
amazon-linux-extras install epel -y >/dev/null
) || exiterr2
bigecho "Installing required packages..."
(

View File

@ -161,14 +161,6 @@ esac
mkdir -p /opt/src
cd /opt/src || exit 1
bigecho "Adding the EPEL repository..."
epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm"
(
set -x
yum -y -q install epel-release >/dev/null || yum -y -q install "$epel_url" >/dev/null
) || exiterr2
bigecho "Installing required packages..."
(
@ -178,24 +170,21 @@ bigecho "Installing required packages..."
flex bison gcc make wget sed tar >/dev/null
) || exiterr2
REPO1='--enablerepo=*server-*optional*'
REPO2='--enablerepo=*releases-optional*'
REPO3='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO3='--enablerepo=codeready-builder-for-rhel-8-*'
erp="--enablerepo"
rp1="$erp=*server-*optional*"
rp2="$erp=*releases-optional*"
rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then
(
set -x
yum -y -q install systemd-devel >/dev/null
) || exiterr2
(
set -x
yum "$REPO1" "$REPO2" -y -q install libevent-devel fipscheck-devel >/dev/null
yum "$rp1" "$rp2" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
else
(
set -x
yum "$REPO3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2
fi

View File

@ -152,11 +152,12 @@ epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{
bigecho "Installing packages required for the VPN..."
REPO1='--enablerepo=epel'
REPO2='--enablerepo=*server-*optional*'
REPO3='--enablerepo=*releases-optional*'
REPO4='--enablerepo=[Pp]ower[Tt]ools'
[ "$os_type" = "rhel" ] && REPO4='--enablerepo=codeready-builder-for-rhel-8-*'
erp="--enablerepo"
rp1="$erp=epel"
rp2="$erp=*server-*optional*"
rp3="$erp=*releases-optional*"
rp4="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp4="$erp=codeready-builder-for-rhel-8-*"
(
set -x
@ -166,44 +167,41 @@ REPO4='--enablerepo=[Pp]ower[Tt]ools'
) || exiterr2
(
set -x
yum "$REPO1" -y -q install xl2tpd >/dev/null 2>&1
yum "$rp1" -y -q install xl2tpd >/dev/null 2>&1
) || exiterr2
use_nft=0
p1=systemd-devel
p2=libevent-devel
p3=fipscheck-devel
p4=iptables-services
if [ "$os_ver" = "7" ]; then
(
set -x
yum -y -q install systemd-devel iptables-services >/dev/null
) || exiterr2
(
set -x
yum "$REPO2" "$REPO3" -y -q install libevent-devel fipscheck-devel >/dev/null
yum "$rp2" "$rp3" -y -q install $p1 $p2 $p3 $p4 >/dev/null
) || exiterr2
else
(
set -x
yum "$REPO4" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
yum "$rp4" -y -q install $p1 $p2 $p3 >/dev/null
) || exiterr2
if systemctl is-active --quiet firewalld.service \
if systemctl is-active --quiet firewalld \
|| systemctl is-active --quiet nftables \
|| grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then
use_nft=1
(
set -x
yum -y -q install nftables >/dev/null
) || exiterr2
else
(
set -x
yum -y -q install iptables-services >/dev/null
) || exiterr2
p4=nftables
fi
(
set -x
yum -y -q install $p4 >/dev/null
) || exiterr2
fi
bigecho "Installing Fail2Ban to protect SSH..."
(
set -x
yum "$REPO1" -y -q install fail2ban >/dev/null
yum "$rp1" -y -q install fail2ban >/dev/null
) || exiterr2
bigecho "Downloading IKEv2 script..."
@ -461,12 +459,14 @@ if [ "$ipt_flag" = "1" ]; then
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
if [ "$use_nft" = "1" ]; then
for vport in 500 4500 1701; do
nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept
nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept 2>/dev/null
nft insert rule inet nftables_svc allow udp dport "$vport" accept 2>/dev/null
done
for vnet in "$L2TP_NET" "$XAUTH_NET"; do
for vdir in saddr daddr; do
nft insert rule inet firewalld filter_FORWARD ip "$vdir" "$vnet" accept 2>/dev/null
nft insert rule inet nftables_svc FORWARD ip "$vdir" "$vnet" accept 2>/dev/null
done
for vnet in "$L2TP_NET" "$XAUTH_NET"; do
for vdir in saddr daddr; do
nft insert rule inet firewalld filter_FORWARD ip "$vdir" "$vnet" accept
done
done
echo "flush ruleset" >> "$IPT_FILE"
nft list ruleset >> "$IPT_FILE"