Created
April 13, 2017 20:30
-
-
Save Dhole/afb2e77df762dac91e16610a2e7cef43 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/sh | |
| #set -e | |
| set -x | |
| reset_all () { | |
| iptables -F | |
| iptables -Z | |
| ufw disable | |
| iptables -X | |
| iptables -P INPUT ACCEPT | |
| iptables -P OUTPUT ACCEPT | |
| ip route del default table 10 | |
| ip rule del table 10 | |
| } | |
| novpn () { | |
| DEVS="enp0s31f6 wlp4s0" | |
| usr=novpn | |
| gate=192.168.0.1 | |
| #gate=10.123.64.1 | |
| for dev in $DEVS | |
| do | |
| iptables -A ufw-user-output -o $dev -m owner --uid-owner $usr -j ACCEPT | |
| iptables -A ufw-user-input -i $dev -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| ip=`ip addr show dev $dev | awk '$1=="inet" {match($2,/[0-9.]+/,i); print i[0]}'` | |
| iptables -t nat -A POSTROUTING -o $dev -m mark --mark 0xa -j SNAT --to-source $ip | |
| sysctl -w net.ipv4.conf.$dev.rp_filter=2 | |
| done | |
| ip route add default via $gate table 10 | |
| ip route flush cache | |
| iptables -t mangle -A OUTPUT -m owner --uid-owner $usr -j MARK --set-mark 0xa | |
| ip rule add fwmark 0xa table 10 | |
| } | |
| ufw_rules () { | |
| UFW=/usr/sbin/ufw | |
| VPN_PORT=2018 | |
| #VPN_PORT=443 | |
| #DEVS="wlan0 eth0" | |
| DEVS="enp0s31f6 wlp4s0" | |
| if [ "$1" = "" ] | |
| then | |
| THIRD=0 | |
| else | |
| THIRD=$1 | |
| fi | |
| $UFW reset | |
| #ip route add default via 192.168.0.1 table 10 | |
| #ip route flush cache | |
| #ip rule add fwmark 0xa table 10 | |
| #iptables -t mangle -A OUTPUT -m owner --uid-owner novpn \ | |
| # -j MARK --set-mark 0xa | |
| #for dev in $DEVS | |
| #do | |
| # iptables -A OUTPUT -o $dev -m owner --uid-owner novpn -j ACCEPT | |
| # iptables -t nat -A POSTROUTING -o $dev -m mark --mark 0xa \ | |
| # -j SNAT --to-source 192.168.0.1 | |
| #done | |
| # Default policies | |
| $UFW default deny incoming | |
| $UFW default deny outgoing | |
| # Openvpn interface (adjust interface accordingly to your configuration) | |
| $UFW allow in on tun0 | |
| $UFW allow out on tun0 | |
| for dev in $DEVS | |
| do | |
| # Local Network (adjust ip accordingly to your configuration) | |
| $UFW allow in on $dev from 192.168.$THIRD.0/24 | |
| $UFW allow out on $dev to 192.168.$THIRD.0/24 | |
| # Openvpn | |
| $UFW allow out on $dev to any port $VPN_PORT | |
| $UFW allow in on $dev from any port $VPN_PORT | |
| done | |
| # Allow VirtualBox network | |
| #$UFW allow in on vboxnet0 from 192.168.56.0/24 | |
| #$UFW allow out on vboxnet0 to 192.168.56.0/24 | |
| # Allow KVM network | |
| $UFW allow in on virbr0 from 192.168.122.0/24 | |
| $UFW allow out on virbr0 to 192.168.122.0/24 | |
| # DNS (in order to resolve openvpn server name) | |
| $UFW allow in from any to any port 53 | |
| $UFW allow out from any to any port 53 | |
| $UFW reload | |
| $UFW enable | |
| # Allow kvm virtual network to send packets to tun0 | |
| iptables -A FORWARD -i virbr0 -o tun0 -j ACCEPT | |
| sysctl -w net.ipv6.conf.all.disable_ipv6=1 | |
| sysctl -w net.ipv6.conf.default.disable_ipv6=1 | |
| # drop all IPv6 traffic | |
| ip6tables -F | |
| ip6tables -P INPUT DROP | |
| ip6tables -P FORWARD DROP | |
| ip6tables -P OUTPUT DROP | |
| ip6tables -t filter -I INPUT 1 -j DROP | |
| ip6tables -t filter -I INPUT 1 -i lo -j ACCEPT | |
| ip6tables -t filter -I FORWARD 1 -j DROP | |
| ip6tables -t filter -I OUTPUT 1 -j DROP | |
| ip6tables -t filter -I OUTPUT 1 -o lo -j ACCEPT | |
| } | |
| if [ $(whoami) != "root" ]; then | |
| echo "Switching to root" | |
| sudo $0 $* | |
| else | |
| reset_all | |
| ufw_rules $* | |
| novpn | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment