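#!/bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
#
# Confines the network traffic of one system user ($VPNUSER) to a VPN tunnel:
#   * mangle table: the user's outgoing packets (and their connections) are
#     marked 0x1 so a separate routing script can steer them over $INTERFACE;
#   * filter table: only replies are accepted on $INTERFACE, $VPNUSER may talk
#     on lo and $INTERFACE, and anything that would leave through the LAN
#     device $NETIF with a source address other than $LOCALIP is rejected;
#   * nat table: everything leaving $INTERFACE is masqueraded.
#
# WARNING: every rule in the nat, mangle and filter tables is flushed first.
# If you have other rules to keep, add them to this script.
#
# Settings may be overridden from the environment; the defaults are the
# values this script originally hard-coded.  They remain exported because the
# routing script started at the end may read them (not verified here).
#   INTERFACE  tunnel device        (default: tun0)
#   VPNUSER    VPN-confined user    (default: vpn)
#   LOCALIP    this host's LAN IP   (default: 192.168.178.203)
#   NETIF      LAN device           (default: ens160)
#
# Must run as root.  Exit status is non-zero if any iptables call or the
# routing script fails (the original always exited 0).
set -euo pipefail

: "${INTERFACE:=tun0}"
: "${VPNUSER:=vpn}"
: "${LOCALIP:=192.168.178.203}"
: "${NETIF:=ens160}"
export INTERFACE VPNUSER LOCALIP NETIF

readonly ROUTING_SCRIPT=/etc/openvpn/routing.sh

# Print a diagnostic to stderr and abort.
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Verify everything the script needs BEFORE the flush, so an unusable
# environment never leaves the host with an emptied firewall.
check_prereqs() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found in PATH"
  # --uid-owner rejects unknown users anyway; checking here keeps the failure
  # ahead of the destructive flush.
  id -u "$VPNUSER" >/dev/null 2>&1 || die "user '$VPNUSER' does not exist"
  [[ -x "$ROUTING_SCRIPT" ]] || die "$ROUTING_SCRIPT is missing or not executable"
}

# Flush every rule in the three tables this script manages.
flush_tables() {
  local table
  for table in nat mangle filter; do
    iptables -t "$table" -F
  done
}

# mangle/OUTPUT: mark packets from $VPNUSER with 0x1 and persist the mark on
# the connection so policy routing can act on it.
mark_vpnuser_traffic() {
  # Re-apply an existing connection mark to each packet first.
  iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # Anything $VPNUSER sends that is not addressed to this host ...
  iptables -t mangle -A OUTPUT ! --dest "$LOCALIP" -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
  # ... plus its DNS queries to this host (UDP and TCP port 53) ...
  iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p udp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
  iptables -t mangle -A OUTPUT --dest "$LOCALIP" -p tcp --dport 53 -m owner --uid-owner "$VPNUSER" -j MARK --set-mark 0x1
  # ... and any locally generated packet whose source address is not $LOCALIP
  # (presumably packets already bound to the tunnel address — confirm).
  iptables -t mangle -A OUTPUT ! --src "$LOCALIP" -j MARK --set-mark 0x1
  # Store the packet mark on the connection so later packets inherit it.
  iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
}

# filter table: lock down $INTERFACE and fence $VPNUSER onto it.  Rule order
# within a chain matters: the OUTPUT ACCEPTs precede the OUTPUT REJECT.
apply_filter_rules() {
  # Accept replies on the tunnel ...
  iptables -A INPUT -i "$INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # ... and reject every other inbound packet on it, so a listening port is
  # never accidentally exposed to the VPN side.
  iptables -A INPUT -i "$INTERFACE" -j REJECT
  # $VPNUSER may talk on loopback and through the tunnel.
  iptables -A OUTPUT -o lo -m owner --uid-owner "$VPNUSER" -j ACCEPT
  iptables -A OUTPUT -o "$INTERFACE" -m owner --uid-owner "$VPNUSER" -j ACCEPT
  # Nothing with a source address other than $LOCALIP may leave via the LAN
  # device (likely the leak guard for tunnel-bound traffic — confirm).
  iptables -A OUTPUT ! --src "$LOCALIP" -o "$NETIF" -j REJECT
}

# nat table: masquerade everything leaving through the tunnel.
apply_nat_rules() {
  iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE
}

main() {
  check_prereqs
  flush_tables
  mark_vpnuser_traffic
  apply_filter_rules
  apply_nat_rules
  # Hand over to the routing script; under 'set -e' its failure is fatal and
  # becomes this script's exit status.
  "$ROUTING_SCRIPT"
}

main "$@"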