/etc/nftables.conf , /etc/systemd/system/br-lan-init.service , /etc/br-lan-init.sh , /etc/openvpn/client/unloved-public-inet-hook.sh , /etc/wireguard/mullvad-se14.conf , /etc/wireguard/wg-vpn-hook.sh , /etc/systemd/networkd.conf
# systemd unit for the br-lan policy-routing / nftables setup script.
# Type=oneshot with RemainAfterExit=yes keeps the unit "active" after
# `/etc/br-lan-init.sh start` returns, so `systemctl stop` runs the
# ExecStop line (`/etc/br-lan-init.sh stop`) and flushes the rules again.
# NOTE(review): the script flushes chains declared in nftables.conf, so the
# base ruleset must already be loaded when this unit starts; no ordering
# against the unit that loads nftables.conf is declared here — confirm.
[Unit]
Description=br-lan init script
# Ordering only (no Wants/Requires): run after network.target, before
# network-online.target is considered reached.
After=network.target
Before=network-online.target
[Service]
Type=oneshot
ExecStart=/etc/br-lan-init.sh start
ExecStop=/etc/br-lan-init.sh stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
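#!/bin/bash
# br-lan-init.sh — policy routing and nftables rules for the br-lan bridge.
#
# Usage: br-lan-init.sh start|stop      (run by br-lan-init.service)
#
# Both commands first flush everything this script owns: the three
# br_lan__* chains declared in nftables.conf and the ip rules at the
# priorities used below.  `start` then re-adds them.  Rule layout:
#   prio 91/92  -> VPN-internal prefixes go straight to table 1001/1002
#   prio 101    -> "direct" traffic (listed uids/addresses, private,
#                  link-local, multicast, the LAN ULA /64) uses main
#   prio 1001   -> everything else tries table 1001 (OpenVPN tunnel,
#                  filled by unloved-public-inet-hook.sh)
#   prio 1002   -> then table 1002 (WireGuard, filled by wg-quick);
#                  packets carrying fwmark 1002 (FwMark in the wg profile,
#                  i.e. the tunnel's own transport) are excluded so they
#                  fall through to main
# If neither VPN table has a route the lookup falls through to main;
# forwarded br-lan traffic is still stopped by the nftables forward
# chain, which only accepts the tunnel interfaces (see nftables.conf).
#
# -x is kept on purpose: the trace ends up in the journal via systemd.
# -u needs bash >= 4.4 so the empty direct_ip6s array expands cleanly.
set -xeuo pipefail

readonly -a direct_uids=(
  # direct-net-user
  1013152
)
readonly -a direct_ip4s=(
  # unloved (vpn)
  '95.179.132.246'
  # vpn.stdpr.ru
  '93.174.79.86'
)
readonly -a direct_ip6s=(
)
readonly -a protect_udp_ports=(
  # dlna discovery
  1900
)
readonly -a protect_tcp_ports=(
  # dlna http
  8200
)

#######################################
# Remove every rule and chain entry this script owns.
# Safe when nothing is installed yet: the start path at boot relies on
# `ip rule flush prio N` and `nft flush chain` succeeding on no-ops.
# Globals:   none
# Arguments: none
# Returns:   non-zero (via set -e) if nft/ip fails
#######################################
flush_policy() {
  local prio family
  nft flush chain inet filter br_lan__input
  nft flush chain inet filter br_lan__forward
  nft flush chain inet nat br_lan__masquerade
  # Highest priority first, IPv6 before IPv4, as the original flush order.
  for prio in 1002 1001 101 92 91; do
    for family in -6 -4; do
      ip "$family" rule flush prio "$prio"
    done
  done
}

#######################################
# Install the policy-routing rules and the br_lan__* nftables rules.
# Globals:   direct_uids, direct_ip4s, direct_ip6s,
#            protect_udp_ports, protect_tcp_ports (read)
# Arguments: none
# Returns:   non-zero (via set -e) if nft/ip fails
#######################################
install_policy() {
  local uid addr port

  # VPN-internal destination prefixes always use the matching tunnel table.
  ip -4 rule add prio 91 to 10.42.0.0/16 lookup 1001
  ip -6 rule add prio 92 to fc00:bbbb:bbbb:bb01::/64 lookup 1002

  # Bypass the tunnels: selected local users ...
  for uid in "${direct_uids[@]}"; do
    ip -4 rule add prio 101 uidrange "$uid-$uid" lookup main
    ip -6 rule add prio 101 uidrange "$uid-$uid" lookup main
  done
  # ... private, link-local and multicast ranges plus the LAN ULA /64 ...
  ip -4 rule add prio 101 to 10.0.0.0/8 lookup main
  ip -4 rule add prio 101 to 172.16.0.0/12 lookup main
  ip -4 rule add prio 101 to 192.168.0.0/16 lookup main
  ip -4 rule add prio 101 to 169.254.0.0/16 lookup main
  ip -4 rule add prio 101 to 224.0.0.0/4 lookup main
  ip -6 rule add prio 101 to fd00:3852:deab:bbaf::/64 lookup main
  # ... and the listed direct addresses (the VPN servers, per the comments
  # on the arrays above), so the tunnels themselves can be established.
  for addr in "${direct_ip4s[@]}"; do
    ip -4 rule add prio 101 to "$addr" lookup main
  done
  for addr in "${direct_ip6s[@]}"; do
    ip -6 rule add prio 101 to "$addr" lookup main
  done

  # Everything else: OpenVPN table first, then the WireGuard table —
  # except the WireGuard transport itself, which carries fwmark 1002.
  ip -4 rule add prio 1001 lookup 1001
  ip -6 rule add prio 1001 lookup 1001
  ip -4 rule add prio 1002 not fwmark 1002 lookup 1002
  ip -6 rule add prio 1002 not fwmark 1002 lookup 1002

  # NAT LAN traffic that leaves through any other interface.
  nft add rule inet nat br_lan__masquerade iif br-lan oif != br-lan masquerade

  # Forwarding from the LAN is only opened to the direct addresses here;
  # the tunnel hooks accept their own oif (see the forward chain in
  # nftables.conf, which drops everything else).
  for addr in "${direct_ip4s[@]}"; do
    nft add rule inet filter br_lan__forward iif br-lan ip daddr "$addr" accept
  done
  for addr in "${direct_ip6s[@]}"; do
    nft add rule inet filter br_lan__forward iif br-lan ip6 daddr "$addr" accept
  done

  # Keep the DLNA ports LAN-only.  Every other inbound packet, on every
  # interface, is then accepted by the final rule.
  # NOTE(review): that final accept also exposes all listening services on
  # the tunnel interfaces; restrict it to `iif br-lan` if that is not intended.
  for port in "${protect_udp_ports[@]}"; do
    nft add rule inet filter br_lan__input iif != br-lan udp dport "$port" reject
  done
  for port in "${protect_tcp_ports[@]}"; do
    nft add rule inet filter br_lan__input iif != br-lan tcp dport "$port" reject
  done
  nft add rule inet filter br_lan__input accept
}

#######################################
# Entry point.
# Arguments: $1 - "start" or "stop"
# Outputs:   error message on stderr for any other command
# Returns:   0 on success, 1 on an invalid command
#######################################
main() {
  local cmd=${1-}
  case "$cmd" in
    start)
      flush_policy
      install_policy
      ;;
    stop)
      flush_policy
      ;;
    *)
      printf '%s\n' "invalid command: $cmd" >&2
      exit 1
      ;;
  esac
}

main "$@"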
# WireGuard (wg-quick) client profile; the author redacted the fields marked
# "SOME IS CUT HERE".
[Interface]
# ... ... ... (SOME IS CUT HERE) ... ... ...
# Mark placed on the tunnel's own encapsulated packets.  br-lan-init.sh
# excludes this mark (`not fwmark 1002`) from its prio-1002 rule so the
# transport is routed via main instead of back into table 1002.
FwMark = 1002
# Routes for AllowedIPs go into table 1002, which br-lan-init.sh selects
# at prio 92 and 1002.  NOTE(review): with an explicit Table, wg-quick is
# expected to add only the routes and no policy rules of its own — the
# rules are br-lan-init.sh's job; confirm against the installed wg-quick.
Table = 1002
# wg-vpn-hook.sh opens/closes the wg_vpn__forward chain for this
# interface (%i is the interface name).
PostUp = /etc/wireguard/wg-vpn-hook.sh start %i
PreDown = /etc/wireguard/wg-vpn-hook.sh stop %i
# ... ... ... (SOME IS CUT HERE) ... ... ...
[Peer]
# ... ... ... (SOME IS CUT HERE) ... ... ...
# All of IPv4, global-unicast IPv6 and the fc00:bbbb:bbbb:bb01::/64 prefix
# that br-lan-init.sh sends to table 1002 at prio 92.
AllowedIPs = 0.0.0.0/0,2000::/3,fc00:bbbb:bbbb:bb01::/64
# ... ... ... (SOME IS CUT HERE) ... ... ...
# ... ... ... (SOME IS CUT HERE) ... ... ...
[Network]
# ... ... ... (SOME IS CUT HERE) ... ... ...
# systemd-networkd would otherwise remove routing-policy rules it did not
# create itself, i.e. the prio 91..1002 rules installed by br-lan-init.sh.
ManageForeignRoutingPolicyRules=no
# ... ... ... (SOME IS CUT HERE) ... ... ...
# Base ruleset.  The br_lan__*, tun_unloved__* and wg_vpn__* chains are
# declared empty here and filled at runtime by br-lan-init.sh,
# unloved-public-inet-hook.sh and wg-vpn-hook.sh respectively.
table inet filter {
  chain input {
    type filter hook input priority filter;
    # Whatever br_lan__input does not accept is dropped.
    # NOTE(review): there is no `iif lo accept` or
    # `ct state established,related accept` at this level, so while
    # br_lan__input is empty (before br-lan-init starts, after it stops)
    # every inbound packet — loopback and replies to the host's own
    # connections included — is dropped.  Consider adding those two rules
    # here so the base policy stands on its own.
    jump br_lan__input
    drop
  }
  chain forward {
    type filter hook forward priority filter;
    ct state { established , related } accept
    # Each hook chain accepts only its own path (direct addresses, OpenVPN
    # tun, WireGuard); anything else — e.g. LAN traffic that would leak out
    # through the uplink while both tunnels are down — is dropped.
    # No output hook is defined, so this kill-switch covers forwarded
    # traffic only, not connections originated by the router itself.
    jump br_lan__forward
    jump tun_unloved__forward
    jump wg_vpn__forward
    drop
  }
  # Filled by br-lan-init.sh start; ends with an unconditional accept.
  chain br_lan__input {
  }
  # Filled by br-lan-init.sh start: direct destination addresses.
  chain br_lan__forward {
  }
  # Filled by unloved-public-inet-hook.sh on route-up: br-lan -> tun.
  chain tun_unloved__forward {
  }
  # Filled by wg-vpn-hook.sh start: anything leaving via the wg interface.
  chain wg_vpn__forward {
  }
}
table inet nat {
  chain postrouting {
    type nat hook postrouting priority srcnat;
    jump br_lan__masquerade
  }
  # Filled by br-lan-init.sh start: masquerade br-lan traffic leaving on
  # any other interface.
  chain br_lan__masquerade {
  }
}
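#!/bin/bash
# OpenVPN hook for the "unloved" tunnel (routing table 1001).
#
# Invoked by OpenVPN itself as its route-up / route-pre-down script; the
# state arrives through the environment: script_context, script_type, dev.
# The hook owns the tun_unloved__forward chain (nftables.conf) and the
# contents of table 1001, which br-lan-init.sh selects at prio 91/1001.
# Any script_type other than the two handled below is a no-op (exit 0).
# -x is deliberate: OpenVPN forwards the trace to its log.
set -xeuo pipefail

# Only the `init` context is handled; anything else is rejected.
if [[ "${script_context-}" != "init" ]]; then
  printf '%s\n' "invalid script_context" >&2
  exit 1
fi

case "${script_type-}" in
  route-pre-down|route-up)
    # Empty the chain both when the route goes away and before re-adding,
    # so a repeated route-up does not accumulate duplicate accept rules.
    nft flush chain inet filter tun_unloved__forward
    ;;
esac

if [[ "${script_type-}" == "route-up" ]]; then
  # dev is the tun device OpenVPN just brought up; refuse an empty name
  # rather than hand `ip`/`nft` a malformed command.
  : "${dev:?missing OpenVPN dev}"
  # Default IPv4 and global-unicast IPv6 through the tunnel, in table
  # 1001 only — main is untouched, so the direct paths are unaffected.
  ip -4 route add default dev "$dev" table 1001
  ip -6 route add 2000::/3 dev "$dev" table 1001
  nft add rule inet filter tun_unloved__forward iif br-lan oif "$dev" accept
fi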
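#!/bin/bash
# wg-quick hook for the WireGuard tunnel (routing table 1002).
#
# Usage: wg-vpn-hook.sh start|stop <interface>
# Called from PostUp / PreDown in the wg-quick profile with %i as the
# interface name.  Owns the wg_vpn__forward chain declared in
# nftables.conf: `start` allows forwarding out of the tunnel, `stop`
# empties the chain again so the forward hook's final drop applies.
# -x is deliberate: the trace goes to wg-quick's output.
set -xeuo pipefail

#######################################
# Entry point.
# Arguments: $1 - "start" or "stop"
#            $2 - WireGuard interface name (required for start)
# Outputs:   error message on stderr for bad arguments
# Returns:   0 on success, 1 on invalid command / missing interface
#######################################
main() {
  local cmd=${1-} dev=${2-}
  case "$cmd" in
    start)
      # An empty oif would make nft fail to parse the rule; fail before
      # touching the chain, with a clear message, instead.
      if [[ -z "$dev" ]]; then
        printf '%s\n' "missing interface name" >&2
        exit 1
      fi
      nft flush chain inet filter wg_vpn__forward
      nft add rule inet filter wg_vpn__forward oif "$dev" accept
      ;;
    stop)
      nft flush chain inet filter wg_vpn__forward
      ;;
    *)
      # Consistent with br-lan-init.sh; previously an unknown command was
      # silently a successful no-op.
      printf '%s\n' "invalid command: $cmd" >&2
      exit 1
      ;;
  esac
}

main "$@"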