Merge branch 'master' of ssh://git.hmthsn.com:222/mantao/mop
85a1f4f17e
2
.gitignore
vendored
2
.gitignore
vendored
@ -6,4 +6,6 @@ __pycache__/
|
||||
*.py[cod]
|
||||
*$py.class
|
||||
|
||||
profiles.json
|
||||
cache/
|
||||
sessions/
|
||||
|
||||
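--- /dev/null
+++ b/iptable.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+# set -e
+# Flush the tables. This may cut the system's internet.
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+# Let the VPN client communicate with the outside world.
+#iptables -A OUTPUT -j ACCEPT -o enp1s0
+iptables -A OUTPUT -j ACCEPT -o enp1s0 -m owner --gid-owner openvpn
+#iptables -A OUTPUT -j ACCEPT -o vpn0 -m owner --gid-owner openvpn
+
+# The loopback device is harmless, and TUN is required for the VPN.
+iptables -A OUTPUT -j ACCEPT -o lo
+
+iptables -A OUTPUT -j ACCEPT -o tun+
+
+#iptables -A OUTPUT -j ACCEPT -o tun+
+iptables -t mangle -A OUTPUT -m owner --gid-owner openvpn -j MARK --set-mark 11
+iptables -t nat -A POSTROUTING -m owner --gid-owner openvpn -o enp1s0 -j MASQUERADE
+echo ip route
+ip route flush all
+ip rule flush
+ip rule add from all lookup main pref 32766
+ip rule add from all lookup default pref 32767
+echo add fwmark
+ip rule add fwmark 11 table novpn
+echo add to novpn table
+ip route flush table novpn
+ip route add 192.168.122.0/24 dev enp1s0 # src 192.168.122.128
+#ip route add 192.168.122.0/24 dev enp1s0 table novpn
+ip route add default via 192.168.122.1 dev enp1s0 table novpn
+echo add to default table
+# need to add a default route for the routing code to trigger the fwmark rule at all, else there's a direct "Network is unreachable" with no packet generated.
+ip route add default via 192.168.122.254 dev enp1s0 # not exist
+echo rp_filter
+for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
+
+# We should permit replies to traffic we've sent out.
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
+
+# allow LAN
+iptables -A OUTPUT -d 192.168.122.0/24 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 8388 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
+iptables -I INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
+# The default policy, if no other rules match, is to refuse traffic.
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP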
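Review bot: The four `iptables -I INPUT -p tcp -m tcp --dport ... -j ACCEPT` rules near the end accept new connections on every interface from any source, so 1080, 8388, 8000 and 2222 are reachable through `tun+` (and whatever the VPN exit exposes), not only from the LAN the `# allow LAN` comment names; add `-s 192.168.122.0/24` (or `-i enp1s0`) to each. INPUT also never accepts `-i lo`: OUTPUT to lo is allowed, but the first packet of a loopback connection still arrives at INPUT in state NEW and hits the DROP policy, so add `iptables -A INPUT -i lo -j ACCEPT` and widen the reply rule to `--state ESTABLISHED,RELATED` so ICMP errors and related flows are not dropped. Only iptables is configured, so if the host has IPv6 enabled the kill switch does not cover it; mirroring at least `ip6tables -P INPUT DROP` and `ip6tables -P OUTPUT DROP` closes that gap. Writing 0 to every rp_filter disables reverse-path anti-spoofing entirely, whereas loose mode (`echo 2`) is normally sufficient for fwmark-based policy routing like this. With `set -e` commented out, a failed `iptables`/`ip` call leaves the rest of the script applying a partial ruleset before the DROP policies land — consider re-enabling it.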
@ -121,7 +121,7 @@ class Openvpn:
|
||||
os.remove(self.pid_fp)
|
||||
except:
|
||||
pass
|
||||
shell = f"sg {group} -c \"echo \\$\\$ > {self.pid_fp}; {cmd}\""
|
||||
shell = f"sg {group} -c \"echo \\$\\$ > {self.pid_fp}; exec {cmd}\""
|
||||
print(shell)
|
||||
proc = await asyncio.create_subprocess_shell(
|
||||
shell,
|
||||
|
||||
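Review bot: The new `shell` string interpolates `group` and `self.pid_fp` unquoted into a double-quoted `sg -c` command that is handed to `create_subprocess_shell`, so a pid path or group name containing spaces, quotes or `$` breaks the command or is executed by the shell; if either value can come from a profile or config file this is a shell-injection path. Quoting the non-command parts fixes it while keeping `$$` evaluated by the inner sh, e.g. `shell = f"sg {shlex.quote(group)} -c {shlex.quote(f'echo $$ > {shlex.quote(self.pid_fp)}; exec {cmd}')}"` (with `import shlex`), leaving `cmd` as the intended command string. The `exec` that appears to be this commit's change is what makes the recorded pid the real child process, so that part looks right. The bare `except: pass` around `os.remove(self.pid_fp)` just above still swallows every error including permission failures; `except FileNotFoundError: pass` is the case it intends. The enclosing method starts before the hunk and the `create_subprocess_shell` call continues after it.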
File diff suppressed because one or more lines are too long