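#!/usr/bin/env bash
#
# VPN "kill switch" firewall for a single host.
#
# Flushes every iptables rule, sets DROP policies, then re-allows only:
#   - loopback,
#   - the local LAN on $local_interface,
#   - everything on the VPN tunnel interface $virtual_interface,
#   - the VPN control channel itself (protocol/port from the .ovpn file,
#     restricted to the server addresses in $your_hostname_or_ip when set).
# Everything else is rate-limited into the kernel log and dropped.
#
# Requires: bash 4+, sudo, iptables. Run as a normal user; sudo is invoked
# for each iptables call.
#
# NOTE(review): only the IPv4 tables are programmed here. IPv6 traffic is not
# filtered by this script at all, so an IPv6-capable uplink can still bypass
# the kill switch unless ip6tables is configured separately.

set -euo pipefail

# --- Site configuration -------------------------------------------------
readonly local_ip_range="192.168.0.0/24"
# Your physical interface (usually eth0, wlan0, ... - see "ip link" / "ifconfig").
readonly local_interface="wlp2s0"
# Address range used inside the tunnel (not referenced by the rules below; kept
# for operators who extend the script).
readonly virtual_ip_range="10.0.0.0/8"
# Interface the VPN tunnel is established on (see "ip link" / "ifconfig").
readonly virtual_interface="tun0"
# Protocol and port from your .ovpn file ("proto udp"/"proto tcp",
# "remote <host> <port>", typically 1194 or 443).
readonly vpn_connect_protocol="udp"
readonly vpn_connect_port="1194"
# VPN server hostnames or IPs. Leave as ("") to allow the VPN port towards any
# host. Prefer IP literals: hostnames are resolved by iptables at rule-load
# time, after the DROP policies are already in place, so resolution only works
# if the resolver is reachable through the LAN rule.
your_hostname_or_ip=("")

# iptables binary resolved once; kept as an array so "${firewall[@]}" expands
# into separate words without relying on unquoted word-splitting.
iptables_bin=$(command -v iptables) || { printf 'iptables not found in PATH\n' >&2; exit 1; }
readonly iptables_bin
firewall=(sudo "$iptables_bin")

#######################################
# Flush all chains in the filter, nat and mangle tables and fail closed
# (DROP policies) before any allow rule exists.
# Globals:   firewall (read)
# Outputs:   progress message on stdout
# Returns:   non-zero (and aborts via set -e) if any iptables call fails
#######################################
reset_firewall() {
  local table
  echo "Deleting all old iptables rules..."
  for table in filter nat mangle; do
    "${firewall[@]}" -t "$table" -F
    "${firewall[@]}" -t "$table" -X
  done
  # DROP policies go in first so nothing leaks while the rules are rebuilt;
  # they stay in force for the rest of the script.
  "${firewall[@]}" -P INPUT DROP
  "${firewall[@]}" -P FORWARD DROP
  "${firewall[@]}" -P OUTPUT DROP
}

#######################################
# Allow loopback, the LAN on the physical interface, and everything that
# travels inside the VPN tunnel.
# Globals:   firewall, local_interface, local_ip_range, virtual_interface (read)
#######################################
allow_trusted_interfaces() {
  "${firewall[@]}" -A INPUT  -i lo -j ACCEPT
  "${firewall[@]}" -A OUTPUT -o lo -j ACCEPT

  # Multicast / UPnP discovery (IGMP, SSDP) stays disabled; uncomment the
  # lines below only if media servers on the LAN must be reachable.
  #"${firewall[@]}" -A INPUT  -p igmp -s "$local_ip_range" -d 224.0.0.0/4 -i "$local_interface" -j ACCEPT
  #"${firewall[@]}" -A OUTPUT -p igmp -s "$local_ip_range" -d 224.0.0.0/4 -o "$local_interface" -j ACCEPT
  #"${firewall[@]}" -A INPUT  -p igmp -s "$local_ip_range" -d 239.0.0.0/8 -i "$local_interface" -j ACCEPT
  #"${firewall[@]}" -A OUTPUT -p udp  -s "$local_ip_range" -d 239.255.255.250 --dport 1900 -o "$local_interface" -j ACCEPT

  # Bidirectional LAN traffic on the physical interface.
  "${firewall[@]}" -A INPUT  -i "$local_interface" -s "$local_ip_range" -j ACCEPT
  "${firewall[@]}" -A OUTPUT -o "$local_interface" -d "$local_ip_range" -j ACCEPT

  # Everything inside the tunnel is trusted.
  "${firewall[@]}" -A INPUT  -i "$virtual_interface" -j ACCEPT
  "${firewall[@]}" -A OUTPUT -o "$virtual_interface" -j ACCEPT
}

#######################################
# Allow the VPN control channel on the physical interface.
# When server addresses are configured, only those hosts are allowed.
# Inbound packets must additionally belong to a connection this host
# initiated (conntrack ESTABLISHED/RELATED), so a matching source port alone
# is not enough to get through the kill switch.
# Globals:   firewall, local_interface, vpn_connect_protocol,
#            vpn_connect_port, your_hostname_or_ip (read)
#######################################
allow_vpn_server() {
  local server
  if [[ -n "${your_hostname_or_ip[0]:-}" ]]; then
    for server in "${your_hostname_or_ip[@]}"; do
      [[ -n "$server" ]] || continue
      "${firewall[@]}" -A INPUT -i "$local_interface" \
        -p "$vpn_connect_protocol" -m "$vpn_connect_protocol" \
        -s "$server" --sport "$vpn_connect_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      "${firewall[@]}" -A OUTPUT -o "$local_interface" \
        -p "$vpn_connect_protocol" -m "$vpn_connect_protocol" \
        -d "$server" --dport "$vpn_connect_port" -j ACCEPT
    done
  else
    # No server list: any host may be the VPN endpoint, replies still have
    # to match a connection we opened ourselves.
    "${firewall[@]}" -A INPUT -i "$local_interface" \
      -p "$vpn_connect_protocol" -m "$vpn_connect_protocol" \
      --sport "$vpn_connect_port" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "${firewall[@]}" -A OUTPUT -o "$local_interface" \
      -p "$vpn_connect_protocol" -m "$vpn_connect_protocol" \
      --dport "$vpn_connect_port" -j ACCEPT
  fi
}

#######################################
# Rate-limited logging of everything that was not accepted above, then DROP.
# Entries appear in the kernel log (journalctl -k, /var/log/syslog or
# /var/log/messages) with the prefix "IPTables general: ". Debug aid only.
# Globals:   firewall (read)
#######################################
log_and_drop_rest() {
  "${firewall[@]}" -N logging
  "${firewall[@]}" -A INPUT  -j logging
  "${firewall[@]}" -A OUTPUT -j logging
  "${firewall[@]}" -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
  "${firewall[@]}" -A logging -j DROP
}

main() {
  reset_firewall
  echo "Setting up the new rules..."
  allow_trusted_interfaces
  allow_vpn_server
  log_and_drop_rest
}

main "$@"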