mr_canoehead

VPN Client Gateway port forwarding example

May 4th, 2018
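#!/usr/bin/env bash
#
# VPN client gateway firewall: iptables rule set for a Linux box sitting
# between a LAN (eth0) and an OpenVPN tunnel (tun+).
#
#   - Anything arriving from the LAN is accepted by the gateway, and LAN
#     traffic is forwarded out through the tunnel only.
#   - The gateway's own outbound traffic is confined to the tunnel, apart
#     from a short list of services it needs on eth0 (OpenVPN, NTP, DNS,
#     DHCP, ICMP, sshd replies).
#   - A killswitch chain keeps the OUTPUT policy at DROP for eth0, so if the
#     tunnel goes down nothing falls back to the LAN interface.
#   - One TCP port on the VPN side is DNAT'ed to a LAN host (see the port
#     forwarding section).
#
# Must be run as root. Rules are applied immediately and then written to
# /etc/iptables/rules.v4 (the path read by e.g. iptables-persistent on boot).
#
# NOTE(review): this script programs IPv4 only. ip6tables is never touched,
# so on a host with IPv6 connectivity, IPv6 traffic is not covered by the
# killswitch at all; disable IPv6 on the gateway or add matching ip6tables
# rules.

# Fail closed: abort on the first failed command instead of continuing with
# a partially built rule set. The default policies are set to DROP early,
# so an aborted run blocks traffic rather than leaking it.
set -euo pipefail

working_path="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
script_name=$(basename "$0")
if (( EUID != 0 )); then
  # quoted so a path containing spaces prints as one argument
  printf "This script must be run as root, e.g.:\n'sudo %s/%s'\n" "$working_path" "$script_name" >&2
  exit 1
fi

printf "Configuring firewall rules...\n"

# UDP ports used by major OpenVPN providers; the gateway may reach these on
# the LAN interface so the tunnel can be brought up.
readonly OPENVPN_UDP_PORTS="53,1194,1195,1196,1197,1198,1301,1302"

# Interfaces: the LAN side, and the tunnel (wildcard matches tun0, tun1, ...).
readonly LAN_IF="eth0"
readonly VPN_IF="tun+"

# start from a clean slate: zero counters, flush every chain, delete user
# chains in the filter table, flush the nat table
iptables -Z
iptables --flush
iptables --delete-chain
iptables -t nat -F

# default deny in every direction; everything below is an explicit allow
iptables --policy INPUT   DROP
iptables --policy OUTPUT  DROP
iptables --policy FORWARD DROP

# establish logging chains (their rules are added at the end)
iptables -N LOGGING
iptables -N BADPKT_LOGGING

# allow loopback
iptables -A INPUT  -i lo -m comment --comment "loopback" -j ACCEPT
iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT

# local network access rules:
# Everything from the LAN is trusted, and the gateway's own traffic goes out
# through the tunnel. Both rules are *inserted* at the head of their chains,
# so they run before every rule appended later -- in particular, the
# bad-packet checks further down never see traffic from the LAN interface.
iptables -I OUTPUT -o "$VPN_IF" -m comment --comment "Out to VPN" -j ACCEPT
iptables -I INPUT  -i "$LAN_IF" -m comment --comment "In from $LAN_IF" -j ACCEPT

# allow outbound services the gateway itself may use on the LAN interface,
# i.e. outside the tunnel.
# NOTE(review): DNS (53/udp, 53/tcp) is allowed on the LAN interface,
# presumably so the VPN endpoint can be resolved before the tunnel is up;
# the side effect is that the gateway's own DNS queries are not forced
# through the VPN.
iptables -A OUTPUT -o "$LAN_IF" -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IF" -p udp -m multiport --dports "$OPENVPN_UDP_PORTS" -m comment --comment "openvpn" -j ACCEPT
# replies from the gateway's sshd (the RELATED,ESTABLISHED rule below covers
# these as well)
iptables -A OUTPUT -o "$LAN_IF" -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IF" -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IF" -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IF" -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT

# rule chain for forwarding via VPN: LAN -> tunnel is open, tunnel -> LAN
# only for replies (new connections from the tunnel are handled by the port
# forwarding chain hooked in below)
iptables -N forward_rules_vpn
iptables -t filter -A forward_rules_vpn -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A forward_rules_vpn -i "$LAN_IF" -o "$VPN_IF" -m comment --comment "$LAN_IF out to VPN" -j ACCEPT


############### port forwarding rules

# Expose one LAN service on the VPN side: TCP VPN_FWD_PORT arriving on the
# tunnel is rewritten to LAN_FWD_HOST:LAN_FWD_PORT.
readonly VPN_FWD_PORT="43691"
readonly LAN_FWD_HOST="10.1.2.10"
readonly LAN_FWD_PORT="8080"

# prerouting rule (nat table): rewrite the destination before routing
iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$VPN_FWD_PORT" -j DNAT --to "${LAN_FWD_HOST}:${LAN_FWD_PORT}"

# create port forwarding rule chain. Only connections that went through the
# DNAT above are accepted (--ctstate DNAT); without that match, any VPN-side
# peer that can route to the LAN address could reach LAN_FWD_HOST:LAN_FWD_PORT
# directly, bypassing the published port.
iptables -N port_forwarding_vpn
iptables -t filter -A port_forwarding_vpn -i "$VPN_IF" -p tcp -d "$LAN_FWD_HOST" --dport "$LAN_FWD_PORT" -m conntrack --ctstate DNAT -j ACCEPT

# add port forwarding rule chain to the vpn forwarding rule chain
iptables -A forward_rules_vpn -j port_forwarding_vpn

###############

# rule chain for forwarding via LAN
# NOTE: this chain is created but never attached to FORWARD, so LAN-to-LAN
# forwarding through this box stays blocked by the DROP policy unless it is
# hooked in (e.g. `iptables -A FORWARD -j forward_rules_lan`).
iptables -N forward_rules_lan
iptables -t filter -A forward_rules_lan -i "$LAN_IF" -o "$LAN_IF" -m comment --comment "$LAN_IF forwarding" -j ACCEPT


# turn on forwarding via VPN
iptables -A FORWARD -j forward_rules_vpn

# nat the gateway: LAN clients leave the tunnel with the tunnel address.
# The MASQUERADE on the LAN interface also applies to the DNAT'ed
# port-forward traffic, so LAN_FWD_HOST sees those connections as coming
# from this gateway rather than from the real VPN-side client.
iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE

# replies to tunnel traffic the gateway itself originated
iptables -A INPUT -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP sessions must start with SYN, drop bad packets:
# (only reached by packets not already accepted above, i.e. not from the
# LAN interface or loopback, and not part of an established tunnel flow)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j BADPKT_LOGGING
iptables -A INPUT -m state --state INVALID -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT_LOGGING
iptables -A INPUT -f -m comment --comment "Drop FRAGS" -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT_LOGGING

# accept inbound vpn initiated traffic
# (no rules here: the gateway itself accepts no new connections from the
# tunnel; the port forward above is handled in FORWARD, not INPUT)

# accept outbound lan initiated traffic
iptables -A OUTPUT -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

# killswitch rule chains. killswitch_on only RETURNs, so outbound traffic on
# the LAN interface that matched nothing above falls through to LOGGING and
# is dropped. killswitch_off accepts everything leaving the LAN interface.
# To disable the killswitch at runtime, change the jump in the killswitch
# chain from killswitch_on to killswitch_off.
iptables -N killswitch_on
iptables -t filter -A killswitch_on -j RETURN
iptables -N killswitch_off
iptables -t filter -A killswitch_off -o "$LAN_IF" -j ACCEPT

# create killswitch rule chain, turn the killswitch on
iptables -N killswitch
iptables -t filter -A killswitch -j killswitch_on

# add killswitch chain to OUTPUT chain:
iptables -t filter -A OUTPUT -j killswitch

# logging for dropped traffic (terminal: anything reaching these is dropped)
iptables -A INPUT  -m comment --comment "LOG and DROP" -j LOGGING
iptables -A OUTPUT -m comment --comment "LOG and DROP" -j LOGGING

# logging chain, rate-limited so a flood cannot fill the log
iptables -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

# logging badpackets chain
iptables -A BADPKT_LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables- BADPACKETS: " --log-level 4
iptables -A BADPKT_LOGGING -j DROP

# save the firewall rules. The rules are already live at this point; if the
# target directory is missing only persistence fails, so say so explicitly
# rather than dying on a bare redirect error.
readonly RULES_FILE="/etc/iptables/rules.v4"
rules_dir=$(dirname "$RULES_FILE")
if [[ ! -d "$rules_dir" ]]; then
  printf "Warning: %s does not exist; rules are active but were NOT saved to %s.\n" "$rules_dir" "$RULES_FILE" >&2
  exit 1
fi
iptables-save > "$RULES_FILE"

printf "Firewall rules have been configured.\n"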