
mesh firewall for vpn

Bob Mottram 7 years ago
parent
commit
a68de1c30c
1 changed files with 20 additions and 28 deletions
  1. 20
    28
      src/freedombone-mesh-batman

+ 20
- 28
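--- a/src/freedombone-mesh-batman
+++ b/src/freedombone-mesh-batman
@@ -158,20 +158,16 @@ function stop {
     # SSB/Patchwork
     iptables -D INPUT -p udp --dport 8008 -j ACCEPT
     iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
-    # Tunnel over the internet
-    iptables -D INPUT -p tcp --dport 53 -j ACCEPT
-    iptables -D INPUT -p udp --dport 53 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 8942 -j ACCEPT
-    iptables -D INPUT -p udp --dport 8942 -j ACCEPT
-
-    iptables -t nat -D POSTROUTING -o $EIFACE -j MASQUERADE
-    iptables -D FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
-    iptables -D FORWARD -i $IFACE -o $EIFACE -j ACCEPT
-
-    if [ $IFACE_SECONDARY ]; then
-        iptables -D FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
-        iptables -D FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
-    fi
+    # vpn over the internet
+    iptables -D INPUT -p tcp --dport 553 -j ACCEPT
+    iptables -D INPUT -p udp --dport 553 -j ACCEPT
+    iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -D INPUT -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -j ACCEPT
+    iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -D OUTPUT -o tun+ -j ACCEPT
 
     echo 0 > /proc/sys/net/ipv4/ip_forward
     sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
@@ -332,20 +328,16 @@ function start {
     # SSB/Patchwork
     iptables -A INPUT -p udp --dport 8008 -j ACCEPT
     iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
-    # Tunnel over the internet
-    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
-    iptables -A INPUT -p udp --dport 53 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 8942 -j ACCEPT
-    iptables -A INPUT -p udp --dport 8942 -j ACCEPT
-
-    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE
-    iptables -A FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
-    iptables -A FORWARD -i $IFACE -o $EIFACE -j ACCEPT
-
-    if [ $hotspot_enabled ]; then
-        iptables -A FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
-        iptables -A FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
-    fi
+    # vpn over the internet
+    iptables -A INPUT -p tcp --dport 553 -j ACCEPT
+    iptables -A INPUT -p udp --dport 553 -j ACCEPT
+    iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
+    iptables -A INPUT -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -j ACCEPT
+    iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
+    iptables -A OUTPUT -o tun+ -j ACCEPT
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
     sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf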