Remove IP6Tables rules
- Not needed for the VPN to work
This commit is contained in:
parent
fa704629f0
commit
f0804e5184
@ -39,13 +39,11 @@ rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service
|
||||
编辑 `/etc/iptables.rules` 并删除不需要的规则。
|
||||
你以前的防火墙规则(如果有)会备份在 `/etc/iptables.rules.old-日期-时间`。
|
||||
另外如果文件 `/etc/iptables/rules.v4` 存在,请编辑它。
|
||||
如果使用 IPv6 ,还需编辑 `/etc/ip6tables.rules` 和/或 `/etc/iptables/rules.v6`。
|
||||
|
||||
### CentOS/RHEL
|
||||
|
||||
编辑 `/etc/sysconfig/iptables` 并删除不需要的规则。
|
||||
你以前的防火墙规则(如果有)会备份在 `/etc/sysconfig/iptables.old-日期-时间`。
|
||||
如果使用 IPv6 ,还需编辑 `/etc/sysconfig/ip6tables`。
|
||||
|
||||
## 第四步
|
||||
|
||||
|
@ -39,13 +39,11 @@ rm -f /etc/init.d/ipsec /lib/systemd/system/ipsec.service
|
||||
Edit `/etc/iptables.rules` and remove unneeded rules.
|
||||
Your original rules (if any) are backed up as `/etc/iptables.rules.old-date-time`.
|
||||
In addition, edit `/etc/iptables/rules.v4` if the file exists.
|
||||
If using IPv6, also edit `/etc/ip6tables.rules` and/or `/etc/iptables/rules.v6`.
|
||||
|
||||
### CentOS/RHEL
|
||||
|
||||
Edit `/etc/sysconfig/iptables` and remove unneeded rules.
|
||||
Your original rules (if any) are backed up as `/etc/sysconfig/iptables.old-date-time`.
|
||||
If using IPv6, also edit `/etc/sysconfig/ip6tables`.
|
||||
|
||||
## Fourth step
|
||||
|
||||
|
31
vpnsetup.sh
31
vpnsetup.sh
@ -392,29 +392,6 @@ if [ -f /etc/iptables/rules.v4 ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create basic IPv6 rules
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
|
||||
/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$sys_dt" 2>/dev/null
|
||||
cat > /etc/ip6tables.rules <<EOF
|
||||
# Added by hwdsl2 VPN script
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
-A INPUT -m rt --rt-type 0 -j DROP
|
||||
-A INPUT -s fe80::/10 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
-A INPUT -j DROP
|
||||
COMMIT
|
||||
EOF
|
||||
if [ -f /etc/iptables/rules.v6 ]; then
|
||||
/bin/cp -f /etc/iptables/rules.v6 "/etc/iptables/rules.v6.old-$sys_dt"
|
||||
/bin/cp -f /etc/ip6tables.rules /etc/iptables/rules.v6
|
||||
fi
|
||||
fi
|
||||
|
||||
# Load IPTables rules at system boot
|
||||
mkdir -p /etc/network/if-pre-up.d
|
||||
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
||||
@ -423,12 +400,6 @@ iptables-restore < /etc/iptables.rules
|
||||
exit 0
|
||||
EOF
|
||||
|
||||
cat > /etc/network/if-pre-up.d/ip6tablesload <<EOF
|
||||
#!/bin/sh
|
||||
ip6tables-restore < /etc/ip6tables.rules
|
||||
exit 0
|
||||
EOF
|
||||
|
||||
# Start services at boot
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
|
||||
/bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null
|
||||
@ -450,12 +421,10 @@ sysctl -e -q -p
|
||||
# Update file attributes
|
||||
chmod +x /etc/rc.local
|
||||
chmod +x /etc/network/if-pre-up.d/iptablesload
|
||||
chmod +x /etc/network/if-pre-up.d/ip6tablesload
|
||||
chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||
|
||||
# Apply new IPTables rules
|
||||
iptables-restore < /etc/iptables.rules
|
||||
ip6tables-restore < /etc/ip6tables.rules >/dev/null 2>&1
|
||||
|
||||
# Restart services
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
|
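Review bot: Dropping the ip6tables block leaves a dual-stack host with an asymmetric firewall: the kept `iptables-restore < /etc/iptables.rules` in the `@ -450,12 +421,10 @@` hunk still applies the IPv4 policy at boot, while nothing in the script now touches the IPv6 INPUT chain, so a service listening on a global IPv6 address is reachable even where the same port is dropped over IPv4 (assuming the IPv4 rule set written earlier in the script, outside these hunks, ends in a default DROP as the removed IPv6 one did). That may be an acceptable trade-off, but the script should state it rather than leave it implicit in the commit message; I would add above `# Apply new IPTables rules`: `# NOTE: this script no longer manages ip6tables. On dual-stack hosts apply your own IPv6 INPUT policy so ports closed over IPv4 are not open over IPv6.` A re-run on an existing install also behaves differently from a fresh one, because the earlier `/etc/network/if-pre-up.d/ip6tablesload` hook and `/etc/ip6tables.rules` are left in place and keep restoring the old IPv6 rules at boot; either remove the stale hook explicitly or mention it in the README so the two paths are documented. The same applies to the `@ -391,25 +386,6 @@` and `@ -457,7 +432,6 @@` hunks of the CentOS script, which drop `/etc/sysconfig/ip6tables` in the same way.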
@ -146,11 +146,6 @@ yum -y install ppp xl2tpd
|
||||
# Install Fail2Ban to protect SSH
|
||||
yum -y install fail2ban
|
||||
|
||||
# Install IP6Tables
|
||||
if grep -qs "release 6" /etc/redhat-release; then
|
||||
yum -y install iptables-ipv6
|
||||
fi
|
||||
|
||||
# Installed Libevent2
|
||||
if grep -qs "release 6" /etc/redhat-release; then
|
||||
yum -y remove libevent-devel
|
||||
@ -391,25 +386,6 @@ iptables-save >> /etc/sysconfig/iptables
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create basic IPv6 rules
|
||||
if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
|
||||
/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$sys_dt" 2>/dev/null
|
||||
cat > /etc/sysconfig/ip6tables <<EOF
|
||||
# Added by hwdsl2 VPN script
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
-A INPUT -m rt --rt-type 0 -j DROP
|
||||
-A INPUT -s fe80::/10 -j ACCEPT
|
||||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
-A INPUT -j DROP
|
||||
COMMIT
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Create basic Fail2Ban rules
|
||||
if [ ! -f /etc/fail2ban/jail.local ] ; then
|
||||
cat > /etc/fail2ban/jail.local <<EOF
|
||||
@ -435,7 +411,6 @@ cat >> /etc/rc.local <<EOF
|
||||
|
||||
# Added by hwdsl2 VPN script
|
||||
iptables-restore < /etc/sysconfig/iptables
|
||||
ip6tables-restore < /etc/sysconfig/ip6tables
|
||||
service fail2ban restart
|
||||
service ipsec start
|
||||
service xl2tpd start
|
||||
@ -457,7 +432,6 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*
|
||||
|
||||
# Apply new IPTables rules
|
||||
iptables-restore < /etc/sysconfig/iptables
|
||||
ip6tables-restore < /etc/sysconfig/ip6tables >/dev/null 2>&1
|
||||
|
||||
# Restart services
|
||||
service fail2ban stop >/dev/null 2>&1
|
||||
|