  1. #! /bin/bash
  2. # Niftiest Software – www.niftiestsoftware.com
  3. # Modified version by HTPC Guides – www.htpcguides.com
  4.  
  5. export INTERFACE="tun0"
  6. export VPNUSER="vpnuser"
  7. export LOCALIP="192.168.0.8"
  8. export NETIF="enp3s0"
  9.  
  10. # flushes all the iptables rules, if you have other rules to use then add them into the script
  11. iptables -F -t nat
  12. iptables -F -t mangle
  13. iptables -F -t filter
  14.  
  15. # mark packets from $VPNUSER
  16. iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  17. iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
  18. iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
  19. iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
  20. iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
  21. iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
  22.  
  23. # allow responses
  24. iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
  25.  
  26. # block everything incoming on $INTERFACE to prevent accidental exposing of ports
  27. iptables -A INPUT -i lo -j ACCEPT
  28. iptables -A OUTPUT -o lo -j ACCEPT
  29. iptables -A INPUT -i $INTERFACE -p icmp --icmp-type 8 -j ACCEPT
  30. iptables -A INPUT -i $INTERFACE -p tcp --dport 58846 -j ACCEPT
  31. iptables -A INPUT -i $INTERFACE -p udp --dport 58846 -j ACCEPT
  32. iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 58846 -j DNAT --to 127.0.0.1:58846
  33. iptables -t nat -A PREROUTING -i $INTERFACE -p udp --dport 58846 -j DNAT --to 127.0.0.1:58846
  34. #iptables -t nat -A PREROUTING -i $NETIF -p udp --dport 58846 -j DNAT --to 127.0.0.1:58846
  35. iptables -t nat -A PREROUTING -i $NETIF -p tcp -m tcp --dport 58846 -j DNAT --to 127.0.0.1:58846
  36. iptables -t nat -A PREROUTING -i $NETIF -p udp -m udp --dport 58846 -j DNAT --to 127.0.0.1:58846
  37.  
  38. iptables -A FORWARD -i $NETIF -o lo -p tcp -m tcp -d 127.0.0.1 --dport 58846 -j ACCEPT
  39. iptables -A FORWARD -i $NETIF -o lo -p udp -m udp -d 127.0.0.1 --dport 58846 -j ACCEPT
  40. #iptables -A INPUT -i $INTERFACE -j REJECT
  41.  
  42. # let $VPNUSER access lo and $INTERFACE
  43. iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
  44. iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
  45. # all packets on $INTERFACE needs to be masqueraded
  46. iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
  47.  
  48. # reject connections from predator IP going over $NETIF
  49. iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
  50.  
  51.  
  52. # Start routing script
  53. /etc/openvpn/routing.sh
  54. service docker restart
  55. exit 0