mantao/ovpn-lb-socks5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ovpn-lb-socks5/iptable.sh

63 lines
2.1 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
# Flush the tables. This may cut the system's internet.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Let the VPN client communicate with the outside world.
#iptables -A OUTPUT -j ACCEPT -o enp1s0
iptables -A OUTPUT -j ACCEPT -o enp1s0 -m owner --gid-owner openvpn
# The loopback device is harmless, and TUN is required for the VPN.
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -o tun+
#iptables -A OUTPUT -j ACCEPT -o tun+
iptables -t mangle -A OUTPUT -m owner --gid-owner openvpn -j MARK --set-mark 11
iptables -t nat -A POSTROUTING -m owner --gid-owner openvpn -o enp1s0 -j MASQUERADE
echo ip route
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
echo "create route table if it does not exist"
if [ $(cat /etc/iproute2/rt_tables | grep novpn | wc -l) -eq 0 ]; then
echo "11 novpn" >> /etc/iproute2/rt_tables
fi
echo "add to novpn table"
ip route flush table novpn
ip route add 192.168.122.0/24 dev enp1s0
ip route add default via 192.168.122.1 dev enp1s0 table novpn
echo "add to default table"
# need to add a default route for the routing code to trigger the fwmark rule at all, else there's a direct "Network is unreachable" with no packet generated.
ip route add default via 192.168.122.254 dev enp1s0
echo "disable rp_filter"
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
echo "add ip rule fwmark"
ip rule add fwmark 11 table novpn pref 99
# We should permit replies to traffic we've sent out.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED
# allow LAN
iptables -A OUTPUT -d 192.168.122.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.122.0/24 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 8388 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
# The default policy, if no other rules match, is to refuse traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
Reference in New Issue View Git Blame Copy Permalink