- #!/bin/sh
- ### Custom user script
### Called by the firmware after its internal VPN client has connected to, or disconnected from, the remote VPN server
- ### $1 - action (up/down)
- ### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
- ### $IPLOCAL - tunnel local IP address
- ### $IPREMOTE - tunnel remote IP address
- ### $DNS1 - peer DNS1
- ### $DNS2 - peer DNS2
# Private LAN subnet behind the remote VPN server (example values).
# Nothing below reads these two variables; they only document the
# "static route to the peer LAN" example mentioned in the comments.
peer_lan=192.168.9.0
peer_msk=255.255.255.0
### NOTE: the static-route example referred to above is not implemented by the functions below.
### func_ipup instead sets up fwmark-based policy routing (table 100 = WAN bypass) and
### func_ipdown installs DROP rules for the VPN-only hosts while the tunnel is down.
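## CUSTOMIZE YOUR SCRIPT VARIABLES
#
# These live at file scope on purpose. The firmware starts this script as a
# fresh process for "up" and again for "down", so anything assigned inside
# func_ipup is NOT visible when func_ipdown runs. (Before this change
# ip_addrs_lst was set inside func_ipup, which left func_ipdown with an empty
# list: the DROP "kill switch" rules were never installed and VPN-only hosts
# fell back to the WAN whenever the tunnel went down.)
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual. Whitespace separated;
# each entry is passed verbatim to "-m iprange --src-range".
#
ip_addrs_lst="192.168.1.50-192.168.1.99"
## Server ports to bypass VPN (comma separated, iptables multiport syntax).
## Leave this commented out to install no port rules at all.
#server_ports="3389,27,23045"
#
# Specific destination websites ip range - Spotify , Netflix...
# One range per line; each entry is passed verbatim to "-m iprange --dst-range".
#
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"
########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#######################################
# Tunnel came up: build the WAN-bypass routing table and the fwmark rules.
#
# Marking convention (mangle PREROUTING, packets arriving on br0):
#   mark 1 -> looked up in table 100 -> leaves via the WAN gateway (bypass VPN)
#   mark 0 -> main table             -> leaves via the tunnel (default route)
# Globals read:  IFNAME (tunnel interface exported by the VPN client, see the
#                header), ip_addrs_lst, server_ports, web_range_lst
# Side effects:  rewrites rp_filter on every interface, rebuilds routing
#                table 100 and its fwmark rule, FLUSHES the whole mangle
#                PREROUTING chain (including any rules other scripts put there
#                and the DROP rules func_ipdown installs), then appends the
#                marking rules.
# Returns:       0 always; individual iptables/ip failures are not fatal.
#######################################
func_ipup()
{
  sleep 1
  #
  # Policy routing answers on an interface other than the one the kernel's
  # strict reverse-path check expects, so rp_filter has to be relaxed on all
  # current and future interfaces. 0 switches the anti-spoofing check off
  # completely (WAN included). NOTE(review): on kernels >= 2.6.31 the value 2
  # (loose mode) is enough for fwmark routing and keeps some protection, but
  # older router kernels only understand 0/1, so 0 is kept here.
  #
  for rpf in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$rpf"
  done
  #
  # Start from a clean table 100 / fwmark rule / mangle chain. The delete
  # commands legitimately fail on the first run (nothing to delete), hence
  # the silenced stderr; the rule delete loops so that leftovers from earlier
  # runs do not accumulate as duplicate "fwmark 1" rules.
  #
  ip route flush table 100
  ip route del default table 100 2>/dev/null
  while ip rule del fwmark 1 table 100 2>/dev/null; do :; done
  ip route flush cache
  iptables -t mangle -F PREROUTING
  #
  # Identify the tunnel interface. The VPN client exports it as IFNAME (per
  # the header); fall back to scanning the routing table for the interface
  # names this firmware family uses. If nothing matches, tun_if stays empty
  # and no routes are excluded below -- the old loop left tun_if pointing at
  # whatever interface happened to be last in the list (typically br0/eth0),
  # which then wrongly dropped that interface's routes from table 100.
  #
  tun_if="${IFNAME:-}"
  if [ -z "$tun_if" ]; then
    for candidate in $(route | awk '{print $8}'); do
      case "$candidate" in
        tun11|tun12|ppp0)
          tun_if="$candidate"
          break
          ;;
      esac
    done
  fi
  if [ -z "$tun_if" ]; then
    logger -t vpnc-script "func_ipup: tunnel interface not found, copying all non-default routes into table 100"
    route_filter='^$'
  else
    route_filter="dev ${tun_if}( |\$)"
  fi
  #
  # Copy all non-default, non-tunnel routes from the main table into table 100
  # so marked traffic can still reach the LAN and other directly attached
  # networks, then give table 100 its own default via the WAN gateway.
  #
  ip route show table main | grep -Ev '^default' | grep -Ev "$route_filter" \
  | while read -r ROUTE ; do
    # shellcheck disable=SC2086 -- ROUTE is a whole route spec and must split
    ip route add table 100 $ROUTE
  done
  wan_gw=$(nvram get wan0_gateway)
  if [ -n "$wan_gw" ]; then
    ip route add default table 100 via "$wan_gw"
  else
    # Without a default in table 100, mark-1 lookups fall through to the main
    # table and "bypass" traffic would silently go through the tunnel instead.
    logger -t vpnc-script "func_ipup: wan0_gateway is empty, table 100 has no default route"
  fi
  ip rule add fwmark 1 table 100
  ip route flush cache
  # EXAMPLES:
  #
  # All LAN traffic will bypass the VPN (Useful to put this rule first,
  # so all traffic bypasses the VPN and you can configure exceptions afterwards)
  # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
  #
  # Ports 80 and 443 will bypass the VPN
  # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
  #
  # All traffic from a particular computer on the LAN will use the VPN
  # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
  #
  # All traffic to a specific Internet IP address will use the VPN
  # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
  #
  # All UDP and ICMP traffic will bypass the VPN
  # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
  # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
  #
  # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN.
  # Rule order matters: later rules overwrite the mark set by earlier ones.
  iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
  # IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S): these hosts use the VPN
  for ip_addrs in $ip_addrs_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
  done
  ###### Ports that bypass VPN ######
  ###### Normal portforwarding will ######
  ###### need to be applied ######
  # Only when configured: with an empty list the old unconditional rules made
  # iptables reject "--dport" with no argument and nothing was installed.
  if [ -n "$server_ports" ]; then
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport "$server_ports" -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport "$server_ports" -j MARK --set-mark 1
  fi
  # WEBSITES_IP_RANGES - destinations that always go through the VPN
  for web_dst_range in $web_range_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$web_dst_range" -j MARK --set-mark 0
  done
  # Testing Environment
  # ACCEPT in the mangle table only ends traversal of this chain for the
  # matching packet; being the last rule, it changes nothing today and is
  # kept so that rules appended after it by hand do not apply to these hosts.
  for ip_addrs in $ip_addrs_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j ACCEPT
  done
  # End Test Environment
  return 0
}

#######################################
# Tunnel went down: "kill switch" for the VPN-only hosts.
#
# While the tunnel is absent the main table's default route is the WAN again,
# so mark-0 traffic from ip_addrs_lst would leak out unencrypted. Dropping it
# in mangle PREROUTING (traversed before filter) closes that path. This also
# cuts those hosts off from the router itself (DNS, web UI) until the next
# "up", which flushes the chain and removes these rules.
# Existing DROP rules for the same range are deleted first so repeated down
# events do not pile up duplicates.
# NOTE(review): this is fail-open -- nothing is dropped unless this hook
# actually runs, and a firewall restart or reboot clears the rules.
# Globals read:  ip_addrs_lst
# Returns:       0 always.
#######################################
func_ipdown()
{
  # Testing Environment
  for ip_addrs in $ip_addrs_lst ; do
    while iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j DROP 2>/dev/null; do :; done
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j DROP
  done
  # End Test Environment
  return 0
}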
# Entry point: log the event, then dispatch on the action the VPN client
# passed as $1 ("up" or "down"). Any other value is logged and ignored.
action="$1"
logger -t vpnc-script "$IFNAME $action"
case "$action" in
  up)   func_ipup ;;
  down) func_ipdown ;;
  *)    ;;
esac