From 9317f4824d838e1d9b0e11be5c96bab0bad65e46 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Sun, 5 Jun 2016 17:34:24 -0500
Subject: [PATCH] Improve IPTables rules for VPN

- Allow traffic between VPN clients themselves by default
- Add notes on how to change this behavior (uncomment rules)
---
 vpnsetup.sh | 12 ++++++++++--
 vpnsetup_centos.sh | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/vpnsetup.sh b/vpnsetup.sh
index 384182c..5806711 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -343,8 +343,12 @@ cat > /etc/iptables.rules <<EOF
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
+# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
+-A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 -A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
 -A FORWARD -j DROP
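Review bot: The two commented DROP rules added at the top of this hunk do not give the isolation their comment promises, because the existing context line `-A FORWARD -i ppp+ -o eth+ -j ACCEPT` still lets a 192.168.42.0/24 (ppp) client initiate connections to a 192.168.43.0/24 client, and `-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` passes the replies back. By my reading of the visible rules the reverse direction (new connections from 192.168.43.0/24 to 192.168.42.0/24) already falls through to the final `-A FORWARD -j DROP`, so the gap is one-way but real. If the goal is full client isolation, add a third commented rule beside the other two, `# -A FORWARD -s 192.168.42.0/24 -d 192.168.43.0/24 -j DROP`, and keep all three ahead of the RELATED,ESTABLISHED ACCEPT as they are now. More generally, accepting client-to-client traffic by default widens the blast radius of one compromised client; the least-privilege default would ship the new `-A FORWARD -i ppp+ -o ppp+ ... -j ACCEPT` line commented out and let users opt in. The heredoc being edited starts before this hunk.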
@@ -367,8 +371,12 @@ iptables -I INPUT 3 -p udp --dport 1701 -j DROP
 iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
 iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
-iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
 iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 21e5e30..cb9e213 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
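Review bot: The commented DROP lines at the end of this hunk only touch the live chain, and — presumably, since the script also writes `/etc/iptables.rules` in the earlier hunk — isolation enabled here alone would vanish at the next rule restore or reboot; the comment should tell the user to uncomment the matching lines in the rules file as well. The numeric positions in `# iptables -I FORWARD 2 ...` and `# iptables -I FORWARD 3 ...` are only correct because they run after the six inserts above and land ahead of the RELATED,ESTABLISHED ACCEPT, so a short note such as `# (positions 2-3 keep these ahead of the conntrack ACCEPT; run after the inserts above)` would protect against a later reordering. As in the rules-file hunk, these two DROP lines still leave `iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT` letting a 192.168.42.0/24 client open connections to a 192.168.43.0/24 client; a third commented line, `# iptables -I FORWARD 2 -s 192.168.42.0/24 -d 192.168.43.0/24 -j DROP`, would close that path. The statement run this hunk edits continues outside the hunk.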
@@ -353,8 +353,12 @@ cat > /etc/sysconfig/iptables <<EOF
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
+# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
+-A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 -A FORWARD -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -s 192.168.43.0/24 -o eth+ -j ACCEPT
 -A FORWARD -j DROP
@@ -376,8 +380,12 @@ iptables -I INPUT 3 -p udp --dport 1701 -j DROP
 iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
 iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
-iptables -I FORWARD 4 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -I FORWARD 5 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP"
 iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
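Review bot: The CentOS rules-file hunk carries the same gap as its Debian counterpart: with both commented DROP lines uncommented, the context rule `-A FORWARD -i ppp+ -o eth+ -j ACCEPT` still lets a 192.168.42.0/24 client reach a 192.168.43.0/24 client, with replies admitted by the `-i eth+ -o ppp+` RELATED,ESTABLISHED rule, so "traffic between VPN clients" is not fully blocked. Adding `# -A FORWARD -s 192.168.42.0/24 -d 192.168.43.0/24 -j DROP` alongside the other two commented rules, ahead of the conntrack ACCEPT, would make the opt-out complete. Consider also shipping the new `-A FORWARD -i ppp+ -o ppp+ ... -j ACCEPT` line commented out so client isolation is the default and connectivity is the opt-in. The heredoc that writes `/etc/sysconfig/iptables` starts before this hunk.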
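Review bot: The commented runtime lines `# iptables -I FORWARD 2 ... -j DROP` and `# iptables -I FORWARD 3 ... -j DROP` change only the live chain; presumably `/etc/sysconfig/iptables`, written by the heredoc in the previous hunk, is what is restored at boot, in which case isolation enabled only here would silently disappear after a reboot, and the comment should point the user at both places. Their numeric positions are correct only because they execute after the six `-I FORWARD 1..6` inserts above, which puts them ahead of the RELATED,ESTABLISHED ACCEPT; a one-line note to that effect next to the comment would keep a future edit from reordering them. A matching `# iptables -I FORWARD 2 -s 192.168.42.0/24 -d 192.168.43.0/24 -j DROP` is still needed to stop 192.168.42.0/24 clients reaching 192.168.43.0/24 clients via `iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT`. The statement run continues outside the hunk.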