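#!/bin/sh
# iptable_docker.sh - VPN "kill switch" firewall plus policy routing for the VPN client.
#
# Usage:   iptable_docker.sh <uplink-interface>        (must run as root)
# Example: iptable_docker.sh eth0
#
# Environment:
#   VPN_GROUP   group the VPN client runs as (default: openvpn); matched with
#               the iptables owner module, so the group must exist.
#
# What this sets up:
#   * IPv4 OUTPUT: only processes in $VPN_GROUP may send on the uplink; every
#     other process may only use lo, tun+ and the LAN prefixes of the uplink.
#     With the tunnel down there is no permitted way out for them (kill switch).
#   * Policy routing: packets from $VPN_GROUP get fwmark 11 and are looked up
#     in table "novpn", whose default route is the physical gateway, so the VPN
#     client keeps reaching its server after the tunnel takes over the default route.
#   * IPv6: INPUT, OUTPUT and FORWARD policies DROP; nothing here is IPv6 aware.
#
# Caveats a reader should know before running it:
#   * It flushes every iptables/ip6tables chain (filter, nat, mangle) and the
#     main routing table. User chains such as Docker's are deleted as well;
#     restart the Docker daemon afterwards if it runs on this host.
#   * The IPv4 FORWARD chain is not touched. Forwarded traffic (Docker bridges,
#     other routed hosts) is not subject to the OUTPUT owner match and can still
#     leave via the uplink while the tunnel is down; add FORWARD rules
#     (e.g. permit only -o tun+) if that traffic must be covered too.
#   * The TCP ports opened in INPUT below are reachable from every interface,
#     including tun+, i.e. from the VPN side if the provider forwards ports.

die() { printf 'iptable_docker.sh: %s\n' "$*" >&2; exit 1; }

# ---- Preflight: validate everything BEFORE any state is destroyed --------------
wan_if=${1:-}
[ -n "$wan_if" ] || die "usage: $0 <uplink-interface>"
[ -d "/sys/class/net/$wan_if" ] || die "no such interface: $wan_if"
[ "$(id -u)" -eq 0 ] || die "must run as root"

vpn_group=${VPN_GROUP:-openvpn}
# The owner match resolves the group name when the rule is added; a missing
# group would only fail after the tables were already flushed.
if command -v getent >/dev/null 2>&1 && ! getent group "$vpn_group" >/dev/null; then
    die "group '$vpn_group' does not exist"
fi

vpn_mark=11        # fwmark set on VPN-client packets; doubles as the table id
vpn_table=novpn

# Learn the uplink's gateway and IPv4 prefixes now: 'ip route flush' below
# removes them and there would be nothing left to restore.
gw=$(ip -4 route show dev "$wan_if" | awk '/^default/ {print $3; exit}')
[ -n "$gw" ] || die "no default route via $wan_if; refusing to flush the routing table"
# One "addr/prefix" per line; the uplink may carry several addresses.
networks=$(ip -4 -o addr show dev "$wan_if" | awk '$3 == "inet" {print $4}')
[ -n "$networks" ] || die "no IPv4 address configured on $wan_if"

# ---- Fail closed first ----------------------------------------------------------
# Policies are set before flushing so there is no window with empty chains and
# the previous (possibly ACCEPT) policy in force. Existing sessions stall only
# until the accept rules below are in place.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -F
ip6tables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Flush the tables. This cuts the system's connectivity until the rules are rebuilt.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# ---- IPv4 filter rules ----------------------------------------------------------
# Only the VPN client (by group) may talk to the uplink directly.
iptables -A OUTPUT -o "$wan_if" -m owner --gid-owner "$vpn_group" -j ACCEPT

# Loopback in both directions (an INPUT accept is needed too: the first packet
# of a local connection is still NEW when it arrives on lo), and the tunnel.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Replies to what we sent, plus related ICMP errors (e.g. fragmentation needed).
# '-m conntrack' is the current spelling of the deprecated '-m state'.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# LAN is reachable both ways, for every prefix on the uplink.
# shellcheck disable=SC2086  # word-split on purpose: one CIDR per word, no glob chars
for net in $networks; do
    iptables -A OUTPUT -d "$net" -j ACCEPT
    iptables -A INPUT -s "$net" -j ACCEPT
done

# Services exposed on all interfaces (see the caveat in the header).
for port in 8388 2222 1080 8000; do
    iptables -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done

# Mark the VPN client's packets so the rule added at the end routes them via
# the physical gateway even after the tunnel has replaced the default route.
iptables -t mangle -A OUTPUT -m owner --gid-owner "$vpn_group" -j MARK --set-mark "$vpn_mark"
iptables -t nat -A POSTROUTING -o "$wan_if" -m owner --gid-owner "$vpn_group" -j MASQUERADE

# ---- Policy routing -------------------------------------------------------------
echo "flushing ip route table"
ip route flush all

echo "setting up ip rules"
# The pref-0 'local' rule survives the flush; only main and default are re-added.
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767

echo "create route table if it does not exist"
# Whole-word match so a table whose name merely contains "novpn" is not mistaken for it.
if ! grep -qw "$vpn_table" /etc/iproute2/rt_tables 2>/dev/null; then
    echo "$vpn_mark $vpn_table" >> /etc/iproute2/rt_tables
fi

echo "add to novpn table"
ip route flush table "$vpn_table"
# shellcheck disable=SC2086  # word-split on purpose, see above
for net in $networks; do
    ip route add "$net" dev "$wan_if"
done
ip route add default via "$gw" dev "$wan_if" table "$vpn_table"

echo "add to default table"
# A default route must exist in the main table for the fwmark rule to be
# consulted at all; without one the kernel answers "Network is unreachable"
# before any packet is generated. Non-VPN processes still cannot use it:
# the OUTPUT policy DROP stops them on the uplink.
ip route add default via "$gw" dev "$wan_if"

# Left alone on purpose. Should marked traffic get dropped by reverse-path
# filtering, the remedy previously used here was:
#   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done

echo "add ip rule fwmark"
ip rule add fwmark "$vpn_mark" table "$vpn_table" pref 99

# Default policies (INPUT/OUTPUT DROP) were set at the top, before the flush,
# so nothing remains to do here: anything not matched above is refused.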
|