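#!/bin/sh
#
# iptable_docker.sh — VPN "kill switch" firewall for a Docker host.
#
# Usage: iptable_docker.sh <interface>
#
# Only processes in the `openvpn` group may talk to the outside world over
# <interface>; everything else is confined to lo, tun+ and the interface's
# own LAN prefix, plus a handful of explicitly opened inbound TCP ports.
# A dedicated routing table "novpn" (id 11), selected by fwmark 11, lets
# the openvpn group's packets bypass the tunnel's default route.
#
# Must run as root. Overwrites /etc/resolv.conf, flushes ALL iptables /
# ip6tables chains and the main routing table, so existing connectivity on
# the host is interrupted while it runs.

# -e: any failing command below aborts the script. Because the DROP
# policies are installed before anything is flushed, an abort leaves the
# host closed rather than wide open.
# -u: an unset variable (e.g. a missing argument) is an error.
set -eu

if="${1:?usage: ${0##*/} <interface>}"

# Default gateway and connected prefix of the interface. The prefix query
# assumes the interface has exactly one non-default route; with several,
# $network would be multi-line and the `ip route add` / `iptables -d`
# calls below would receive a malformed value.
gw="$(ip -4 route show dev "$if" | awk '/default/ {print $3}')"
network="$(ip -o route show dev "$if" | awk '$1 != "default" {print $1}')"
#network="$(ip -o route show dev "$if" | awk '$6 == "src" {print $1}')"
#network="$(ip -o addr show dev "$if" | awk '$3 == "inet" {print $4}')"
#ip="$(ip -4 addr show dev "$if" | awk -F '[ \t/]+' '/inet .*global/ {print $3}')"

# Validate before touching anything: a bad interface name must not leave
# the firewall half-configured.
[ -n "$gw" ] || { printf 'no default gateway found on %s\n' "$if" >&2; exit 1; }
[ -n "$network" ] || { printf 'no connected route found on %s\n' "$if" >&2; exit 1; }

# Pin the resolver. This unconditionally replaces the host's resolv.conf.
printf 'nameserver 1.1.1.1\n' > /etc/resolv.conf

printf 'if=%s\n' "$if"
printf 'network=%s\n' "$network"
printf 'gw=%s\n' "$gw"

# The default policy, if no other rule matches, is to refuse traffic.
# Installed first so that the flushes below (and any later failure) never
# expose the host with empty chains and ACCEPT policies. FORWARD is left
# alone on purpose (Docker manages it).
iptables -P OUTPUT DROP
iptables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP

# Drop all IPv6 traffic: with the policies above and no rules, nothing passes.
ip6tables -F
ip6tables -X

# Flush the IPv4 tables. This cuts the system's internet until the rules
# below are in place.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Let the VPN client (gid openvpn) communicate with the outside world.
iptables -A OUTPUT -o "$if" -m owner --gid-owner openvpn -j ACCEPT

# The loopback device is harmless, and TUN is required for the VPN.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Mark the openvpn group's packets so the fwmark rule below sends them
# through the novpn table, and NAT them out of the physical interface.
iptables -t mangle -A OUTPUT -m owner --gid-owner openvpn -j MARK --set-mark 11
iptables -t nat -A POSTROUTING -m owner --gid-owner openvpn -o "$if" -j MASQUERADE

printf 'flushing ip route table\n'
ip route flush all

printf 'setting up ip rules\n'
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767

printf 'create route table if it does not exist\n'
grep -q novpn /etc/iproute2/rt_tables || printf '11 novpn\n' >> /etc/iproute2/rt_tables

printf 'add to novpn table\n'
ip route flush table novpn
# Re-add the connected route first; the gateway is unreachable without it.
ip route add "$network" dev "$if"
ip route add default via "$gw" dev "$if" table novpn

printf 'add to default table\n'
# A default route in main is needed for the routing code to consult the
# fwmark rule at all; without it the kernel answers "Network is
# unreachable" immediately and no packet is generated. Unmarked traffic
# still cannot leave, because OUTPUT's policy is DROP.
ip route add default via "$gw" dev "$if"

#printf 'disable rp_filter\n'
#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done

printf 'add ip rule fwmark\n'
ip rule add fwmark 11 table novpn pref 99

# Permit replies to traffic we've sent out.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# Allow the LAN.
iptables -A OUTPUT -d "$network" -j ACCEPT
iptables -A INPUT -s "$network" -j ACCEPT

# Inbound TCP services exposed on the host. Each is inserted at the top of
# INPUT, so they take precedence over the ESTABLISHED/LAN rules above.
for port in 8388 2222 1080 8000; do
  iptables -I INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done

# The INPUT/OUTPUT DROP policies were installed at the top of the script.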