  1. gateway:~# cat /etc/iproute2/rt_tables
  2. 1 ISP
  3. 2 VPN
  4.  
  5. gateway:~# cat /etc/ppp/ip-up
  6. #!/bin/sh
  7. #
  8. # This script is run by pppd when there's a successful ppp connection.
  9. #
  10.  
  11. # Flush out any old routes when ppp0 goes down
  12. /sbin/ip route flush table ISP
  13.  
  14. # Copy routes from main
  15. /sbin/ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table ISP $ROUTE; done
  16.  
  17. # Set default route to ppp0
  18. /sbin/ip route add table ISP default via ${IPLOCAL}
  19.  
  20. gateway:~# cat /etc/openvpn/route-up.sh
  21. #!/bin/sh
  22. #
  23. # This script is run by OpenVPN when there's a successful VPN connection.
  24. #
  25.  
  26. # Flush out any old routes when ppp0 goes down
  27. /sbin/ip route flush table VPN
  28.  
  29. # Copy routes from main
  30. /sbin/ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table VPN $ROUTE; done
  31.  
  32. # Set default route to ppp0
  33. /sbin/ip route add default via ${route_vpn_gateway} dev ${dev} table VPN
  34.  
  35. gateway:~# ip route show table main
  36. default dev ppp0 scope link metric 300
  37. 172.16.32.0/20 dev tun0 proto kernel scope link src 172.16.39.64
  38. 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
  39. 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
  40. 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
  41. IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
  42.  
  43. gateway:~# ip route show table ISP
  44. default via IPLOCAL dev ppp0
  45. 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
  46. 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
  47. 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
  48. IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
  49.  
  50. gateway:~# ip route show table VPN
  51. default via 172.16.32.1 dev tun0
  52. 172.16.32.0/20 dev tun0 proto kernel scope link src 172.16.39.64
  53. 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
  54. 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
  55. 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
  56. IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
  57.  
  58. post-up /etc/network/fwmark_rules
  59.  
  60. gateway:~# cat /etc/network/fwmark_rules
  61. #!/bin/sh
  62.  
  63. /sbin/ip rule add fwmark 0x1/0x3 lookup ISP
  64. /sbin/ip rule add fwmark 0x2/0x3 lookup VPN
  65.  
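#!/bin/sh
#
# Firewall and policy-routing marks for the gateway.
#
# Interfaces: eth0 = LAN (192.168.1.0/24 and 192.168.2.0/24)
#             eth1 = link to the modem (192.168.0.0/30)
#             ppp0 = ISP uplink, tun0 = OpenVPN tunnel
# Marks:      0x1/0x3 -> ISP table, 0x2/0x3 -> VPN table (see fwmark_rules)
#
# Runs as root and rebuilds every rule from scratch.

# Host to steer straight to the ISP (eg a VOIP server); leave empty to skip
# that rule.  A variable replaces the literal "<IP OF VOIP SERVER>"
# placeholder, which the shell parsed as redirections and so made the whole
# script fail to load.  Example (constructed): VOIP_SERVER=192.168.1.50
VOIP_SERVER=${VOIP_SERVER:-}

# Start from a clean slate in every table.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Default-deny before adding rules rather than after: on a first load the
# built-in policy is ACCEPT, and setting DROP last leaves the host and the
# LAN open for as long as the rest of this script takes to run.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow everything from localhost (first rule in INPUT).
iptables -t filter -A INPUT -i lo -j ACCEPT

# Create rule chain per input interface for forwarding packets
iptables -t filter -N FWD_ETH0
iptables -t filter -N FWD_ETH1
iptables -t filter -N FWD_PPP0
iptables -t filter -N FWD_TUN0

# Create rule chain per input interface for input packets (for host itself)
iptables -t filter -N IN_ETH0
iptables -t filter -N IN_ETH1
iptables -t filter -N IN_PPP0
iptables -t filter -N IN_TUN0

# Pass input packet to corresponding rule chain
iptables -t filter -A INPUT -i eth0 -j IN_ETH0
iptables -t filter -A INPUT -i eth1 -j IN_ETH1
iptables -t filter -A INPUT -i ppp0 -j IN_PPP0
iptables -t filter -A INPUT -i tun0 -j IN_TUN0

# Pass forwarded packet to corresponding rule chain
iptables -t filter -A FORWARD -i eth0 -j FWD_ETH0
iptables -t filter -A FORWARD -i eth1 -j FWD_ETH1
iptables -t filter -A FORWARD -i ppp0 -j FWD_PPP0
iptables -t filter -A FORWARD -i tun0 -j FWD_TUN0

# SSH from the LAN to the gateway.
# (The "Accept traffic to router" rules further down already accept every
# NEW/ESTABLISHED packet from both LAN subnets, so these per-service rules
# are redundant while those are in place.)
iptables -A IN_ETH0 -p tcp -s 192.168.1.0/24 --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A IN_ETH0 -p tcp -s 192.168.2.0/24 --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS from the LAN to the gateway.
iptables -A IN_ETH0 -p udp -s 192.168.1.0/24 --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A IN_ETH0 -p udp -s 192.168.2.0/24 --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# SSH To Modem from Router: replies from the modem's sshd (source port 22).
# The session is opened from this side (OUTPUT is ACCEPT), so only
# ESTABLISHED/RELATED is needed; the original also accepted NEW, which let
# anything on the modem link open a connection to the gateway just by using
# source port 22.  (192.168.0.2/30 and 192.168.0.1/30 both mean the whole
# 192.168.0.0/30 to iptables.)
iptables -A IN_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.0.1/30 --sport ssh -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH To Modem forward from Network: replies towards the LAN.  The outbound
# half is accepted by the FWD_ETH0 rules below, so NEW is not needed here
# either.
iptables -A FWD_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.1.0/24 --sport ssh -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.2.0/24 --sport ssh -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Bittorrent forwarded to Linux Workstation through VPN.
# NOTE(review): the original listed this exact tcp rule twice; the second
# copy could never match.  If UDP was meant, add a matching "-p udp" rule.
iptables -t nat -A PREROUTING -p tcp --dport 20001 -i tun0 -j DNAT --to 192.168.2.30

# Forward traffic to LAN
iptables -A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FWD_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router
iptables -A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept ICMP from VPN, (breaks traceroute through VPN)
iptables -A IN_TUN0 -p icmp -d 192.168.2.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_TUN0 -p icmp -d 192.168.2.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# -------- Start Section I'm Unsure about -------

# Some exception, eg VOIP server: mark its traffic for the ISP table.
if [ -n "$VOIP_SERVER" ]; then
  iptables -t mangle -A PREROUTING -s "$VOIP_SERVER" -j MARK --set-mark 0x1/0x3
fi

# NOTE(review): nothing marks forwarded LAN traffic, so it follows the main
# table (default dev ppp0).  192.168.2.0/24 is only masqueraded on tun0
# below, so its packets would leave ppp0 with private source addresses
# unless a PREROUTING mark (0x2/0x3) steers that subnet to the VPN table -
# confirm the intended marks before relying on the VPN for that subnet.

# Postroute VPN
iptables -t filter -A IN_TUN0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the DNAT'd bittorrent port may open new connections from the tunnel
# into the LAN (the DNAT above has already rewritten the destination); every
# other packet arriving on tun0 must belong to a connection opened from the
# LAN.  The original accepted NEW to all of 192.168.2.0/24, exposing every
# host in that subnet to the VPN side.  Add further exposed services here
# explicitly.
iptables -A FWD_TUN0 -p tcp -d 192.168.2.30 --dport 20001 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FWD_TUN0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Marks for traffic generated on the gateway itself.  A MARK set in mangle
# OUTPUT makes the kernel re-route the packet, so this sends locally
# generated traffic that was about to leave via ppp0 into the VPN table,
# and (below) traffic bound for tun0 into the ISP table.
# NOTE(review): the OpenVPN process's own packets to the VPN server are also
# locally generated and routed out ppp0 - confirm they are excluded (eg by a
# host route for the server), or the tunnel may be routed into itself.
iptables -t mangle -A OUTPUT -o ppp0 -j MARK --set-mark 0x2/0x3
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE

# Postroute PPP connection to ISP
iptables -t filter -A IN_PPP0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_PPP0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -o tun0 -j MARK --set-mark 0x1/0x3
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# -------- End Section I'm Unsure about -------

# Log what falls through to the DROP policies, rate-limited so a packet
# flood cannot fill the logs.
iptables -t filter -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables/filter/FORWARD end"
iptables -t filter -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables/filter/INPUT end"

echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): 1 is *strict* reverse-path filtering.  With fwmark-based
# policy routing the reverse path can differ from the forward path, in which
# case loose mode (2) is needed - confirm on this gateway.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

/etc/init.d/iptables save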