- gateway:~# cat /etc/iproute2/rt_tables
- 1 ISP
- 2 VPN
- gateway:~# cat /etc/ppp/ip-up
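#!/bin/sh
#
# This script is run by pppd when there's a successful ppp connection.
#
# pppd exports the link details in the environment; IPLOCAL is the local
# address of ppp0 and is used as the next hop of the ISP default route.
# The ISP table itself is named in /etc/iproute2/rt_tables.
#
set -u

# Refuse to run with IPLOCAL missing (e.g. invoked by hand instead of pppd)
# rather than installing a broken default route.
: "${IPLOCAL:?IPLOCAL not set - this script must be run by pppd}"

# Flush out any routes left in the ISP table by the previous ppp link.
# Without a clean table there is nothing useful to build on, so stop here.
/sbin/ip route flush table ISP || exit 1

# Copy every non-default route from main into the ISP table so the table
# still reaches the directly connected networks.
/sbin/ip route show table main | grep -Ev '^default' | while read -r route; do
  # $route is deliberately unquoted: the route text has to split back
  # into the separate arguments `ip route add` expects.
  # shellcheck disable=SC2086
  /sbin/ip route add table ISP $route
done

# Set the ISP table's default route to leave over ppp0.
/sbin/ip route add table ISP default via "${IPLOCAL}"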
- gateway:~# cat /etc/openvpn/route-up.sh
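#!/bin/sh
#
# This script is run by OpenVPN when there's a successful VPN connection.
#
# OpenVPN exports the tunnel details in the environment: `dev` is the
# tunnel interface (tun0 on this gateway) and `route_vpn_gateway` is the
# remote end of the tunnel. The VPN table is named in /etc/iproute2/rt_tables.
#
set -u

# Both values must come from OpenVPN; refuse to run if either is missing
# rather than installing a broken default route.
: "${dev:?dev not set - this script must be run by OpenVPN}"
: "${route_vpn_gateway:?route_vpn_gateway not set - this script must be run by OpenVPN}"

# Flush out any routes left in the VPN table by the previous tunnel.
# Without a clean table there is nothing useful to build on, so stop here.
/sbin/ip route flush table VPN || exit 1

# Copy every non-default route from main into the VPN table so the table
# still reaches the directly connected networks.
/sbin/ip route show table main | grep -Ev '^default' | while read -r route; do
  # $route is deliberately unquoted: the route text has to split back
  # into the separate arguments `ip route add` expects.
  # shellcheck disable=SC2086
  /sbin/ip route add table VPN $route
done

# Set the VPN table's default route to go through the tunnel interface.
/sbin/ip route add default via "${route_vpn_gateway}" dev "${dev}" table VPN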
- gateway:~# ip route show table main
- default dev ppp0 scope link metric 300
- 172.16.32.0/20 dev tun0 proto kernel scope link src 172.16.39.64
- 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
- 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
- 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
- IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
- gateway:~# ip route show table ISP
- default via IPLOCAL dev ppp0
- 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
- 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
- 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
- IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
- gateway:~# ip route show table VPN
- default via 172.16.32.1 dev tun0
- 172.16.32.0/20 dev tun0 proto kernel scope link src 172.16.39.64
- 192.168.0.0/30 dev eth1 proto kernel scope link src 192.168.0.2
- 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
- 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
- IPREMOTE dev ppp0 proto kernel scope link src IPLOCAL
- post-up /etc/network/fwmark_rules
- gateway:~# cat /etc/network/fwmark_rules
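#!/bin/sh
#
# Policy-routing rules for the two uplinks. The low two bits of the packet
# mark select the routing table (names from /etc/iproute2/rt_tables):
#   0x1 -> ISP (ppp0)
#   0x2 -> VPN (tun0)
# Run from /etc/network/interfaces as a post-up hook.
#
# `ip rule add` is not idempotent: every re-run of the hook would stack one
# more copy of each rule. Any existing copies are removed first so the rule
# set is identical however often the interface is brought up.

# add_mark_rule MARK TABLE
#   Replace every rule matching "fwmark MARK lookup TABLE" with a single one.
add_mark_rule() {
  mark=$1
  table=$2
  # `ip rule del` removes one matching rule per call and fails once none
  # are left; the failure is the loop's exit condition, so its message is
  # silenced on purpose.
  while /sbin/ip rule del fwmark "$mark" lookup "$table" 2>/dev/null; do
    :
  done
  /sbin/ip rule add fwmark "$mark" lookup "$table"
}

add_mark_rule 0x1/0x3 ISP
add_mark_rule 0x2/0x3 VPN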
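#!/bin/sh
#
# Firewall for the gateway.
#   eth0 - LAN side (192.168.1.0/24 and 192.168.2.0/24)
#   eth1 - link to the modem (192.168.0.0/30)
#   ppp0 - ISP uplink
#   tun0 - OpenVPN tunnel
# Host-bound and forwarded packets are dispatched to a per-ingress-interface
# chain (IN_<IF> / FWD_<IF>). Marks set in the mangle table are consumed by
# /etc/network/fwmark_rules: 0x1 -> ISP table, 0x2 -> VPN table.
#
# Required environment:
#   VOIP_SERVER - IP address of the VoIP server that must always use the
#                 ISP uplink (the former "<IP OF VOIP SERVER>" placeholder).
#

# Validate the required input before touching the live rule set, so a
# missing value aborts here and not after the old rules were flushed.
: "${VOIP_SERVER:?set VOIP_SERVER to the IP address of the VoIP server}"

# NOTE(review): the DROP policies are only applied at the end of this
# script; from the flush below until then the chains are empty with whatever
# policy was in force before (ACCEPT on a fresh boot). Setting
# `iptables -P INPUT DROP` / `iptables -P FORWARD DROP` before the flush
# closes that window, at the cost of losing the session if the script then
# fails part-way - confirm which trade-off is wanted.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Create rule chain per input interface for forwarding packets
iptables -t filter -N FWD_ETH0
iptables -t filter -N FWD_ETH1
iptables -t filter -N FWD_PPP0
iptables -t filter -N FWD_TUN0

# Create rule chain per input interface for input packets (for host itself)
iptables -t filter -N IN_ETH0
iptables -t filter -N IN_ETH1
iptables -t filter -N IN_PPP0
iptables -t filter -N IN_TUN0

# Pass input packet to corresponding rule chain
iptables -t filter -A INPUT -i eth0 -j IN_ETH0
iptables -t filter -A INPUT -i eth1 -j IN_ETH1
iptables -t filter -A INPUT -i ppp0 -j IN_PPP0
iptables -t filter -A INPUT -i tun0 -j IN_TUN0

# Pass forwarded packet to corresponding rule chain
iptables -t filter -A FORWARD -i eth0 -j FWD_ETH0
iptables -t filter -A FORWARD -i eth1 -j FWD_ETH1
iptables -t filter -A FORWARD -i ppp0 -j FWD_PPP0
iptables -t filter -A FORWARD -i tun0 -j FWD_TUN0

# Allow everything from localhost (inserted at the top of INPUT so it is
# evaluated before the per-interface dispatch).
iptables -t filter -I INPUT -i lo -j ACCEPT

# SSH
# NOTE(review): the blanket "Accept traffic to router" rules further down
# accept NEW,ESTABLISHED from both LAN subnets in IN_ETH0, so these SSH and
# DNS rules are currently shadowed into no-ops.
iptables -A IN_ETH0 -p tcp -s 192.168.1.0/24 --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A IN_ETH0 -p tcp -s 192.168.2.0/24 --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# DNS
iptables -A IN_ETH0 -p udp -s 192.168.1.0/24 --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A IN_ETH0 -p udp -s 192.168.2.0/24 --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# SSH To Modem from Router
# NOTE(review): these three rules match --sport ssh together with ctstate
# NEW. Packets arriving on eth1 from the modem with source port ssh are the
# modem's replies, which conntrack classifies as ESTABLISHED, so the NEW
# part is unlikely to match anything - confirm whether --dport was meant.
iptables -A IN_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.0.1/30 --sport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# SSH To Modem forward from Network
iptables -A FWD_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.1.0/24 --sport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FWD_ETH1 -p tcp -s 192.168.0.2/30 -d 192.168.2.0/24 --sport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Bittorrent forwarded to Linux Workstation through VPN
# (the original had this rule twice; the identical second copy was dropped.
# If the second one was meant for UDP, add it again with -p udp.)
iptables -t nat -A PREROUTING -p tcp --dport 20001 -i tun0 -j DNAT --to 192.168.2.30

# Forward traffic to LAN
iptables -A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FWD_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept traffic to router
iptables -A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Accept ICMP from VPN, (breaks traceroute through VPN)
iptables -A IN_TUN0 -p icmp -d 192.168.2.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_TUN0 -p icmp -d 192.168.2.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# -------- Start Section I'm Unsure about -------
# Some exception, eg VOIP server: always route it via the ISP table.
iptables -t mangle -A PREROUTING -s "$VOIP_SERVER" -j MARK --set-mark 0x1/0x3

# Postroute VPN
# NOTE(review): nothing in the mangle PREROUTING chain marks the
# 192.168.2.0/24 traffic with 0x2, so whether it actually leaves via tun0
# depends on the main table, not on the VPN table - verify with
# `ip route get` from a 192.168.2.x source.
iptables -t filter -A IN_TUN0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_TUN0 -d 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# NOTE(review): this marks locally generated packets already routed to ppp0
# with the VPN mark, and (below) packets routed to tun0 with the ISP mark,
# i.e. each uplink's traffic is re-routed to the other. Confirm that this
# cross-over is intended.
iptables -t mangle -A OUTPUT -o ppp0 -j MARK --set-mark 0x2/0x3
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE

# Postroute PPP connection to ISP
iptables -t filter -A IN_PPP0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FWD_PPP0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -o tun0 -j MARK --set-mark 0x1/0x3
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
# -------- End Section I'm Unsure about -------

# Default policies: drop anything not explicitly accepted above.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Log whatever falls through to the DROP policy.
# NOTE(review): these LOG rules are unthrottled, so a scan or flood fills
# the kernel log; `-m limit --limit 5/min --limit-burst 10` in front of
# `-j LOG` keeps the logging but bounds its rate.
iptables -t filter -A FORWARD -j LOG --log-prefix "iptables/filter/FORWARD end"
iptables -t filter -A INPUT -j LOG --log-prefix "iptables/filter/INPUT end"

# Enable routing between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Strict reverse-path filtering on every interface.
# NOTE(review): with two uplinks (ppp0 and tun0) and mark-based policy
# routing, strict mode (1) can discard replies that arrive on the uplink the
# main table would not have chosen for the source address; loose mode (2)
# is the usual setting for multi-homed hosts - confirm which this setup needs.
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 1 > "$f"
done

/etc/init.d/iptables save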