Nephariouz

iptables.sh

Nov 28th, 2016
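#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
#
# Firewall half of a per-user VPN setup.  Packets generated by $VPNUSER
# (and any outbound packet whose source is not $LOCALIP) are given fwmark
# 0x1, presumably consumed by /etc/openvpn/routing.sh to steer them over
# $INTERFACE.  $VPNUSER may only send via lo and $INTERFACE, incoming
# traffic on $INTERFACE is rejected, and outbound traffic on $NETIF that is
# not sourced from $LOCALIP is rejected so it cannot leave unmarked.
#
# Must run as root.  The nat, mangle and filter tables are flushed first, so
# any other rules this host relies on have to live in this script.  Default
# chain policies are not changed here.

# Abort on the first failed command or unset variable rather than continue
# with a partially applied ruleset unnoticed.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# VPN tunnel interface and the account whose traffic is forced through it.
export INTERFACE="tun0"
export VPNUSER="vpn"
# On a VPS there is no separate private LAN address, so LOCALIP is the
# machine's external (public) IP.  Replace the placeholder before use.
export LOCALIP="EXTERNALIP"
# Uplink interface the VPN itself is established over.
export NETIF="ens192"

# Second tunnel/user; only referenced by the commented-out rules below.
export HOMEVPNIF="tun_home"
export HOMEUSER="USERNAME"

(( EUID == 0 )) || die "this script must run as root"
[[ "$LOCALIP" != "EXTERNALIP" ]] || die "LOCALIP is still the placeholder; set it to the VPS external IP"
command -v iptables >/dev/null || die "iptables not found"

# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest "$LOCALIP" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
# DNS from $VPNUSER addressed to $LOCALIP is marked as well, so it takes the
# same path as the rest of that user's traffic
iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p udp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p tcp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1

### Set !LocalIP marking to only apply to the VPNUSER
###iptables -t mangle -A OUTPUT ! --src $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1

# Any outbound packet not sourced from $LOCALIP gets the VPN mark regardless of owner.
iptables -t mangle -A OUTPUT ! --src "$LOCALIP" -j MARK --set-mark 0x1

### Set HomeLAN ip addresses to a different Mark than the VPNUSER
###iptables -t mangle -A OUTPUT ! --src 192.168.1.0/24 -j MARK --set-mark 0x0

### Set !LocalIP traffic from the HOMEUSER to a different Mark than the VPNUSER
###iptables -t mangle -A OUTPUT ! --src $LOCALIP -m owner --uid-owner $HOMEUSER -j MARK --set-mark 0x0

# persist the mark on the connection so replies and later packets inherit it
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses
iptables -A INPUT -i "$INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i "$INTERFACE" -j REJECT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner "$VPNUSER" -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE" -m owner --uid-owner "$VPNUSER" -j ACCEPT

# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE

# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src "$LOCALIP" -o "$NETIF" -j REJECT

# Start routing script (under set -e a failure here ends the script non-zero)
/etc/openvpn/routing.sh

exit 0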