nemo
/
mir3c
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
mir3c/squashfs-root/usr/sbin/traffic.set.firewall

96 lines
2.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
#
#TODO: move rules to /etc/config/firewall
#
export LANG=C
#
. /lib/lib.scripthelper.sh
#
#VPNINTERFACE=tap1
#
checkproclock 30
if [ $? -ne 0 ]
then
dlog "INFO: wait 30 seconds, but already running, pid $(getlockedprocpid))"
exit 0
fi
#
setproclock
#
ctlop="start"
if [ "$1" = 'start' -o "$1" = 'stop' ]
then
ctlop="$1"
fi
if [ "$1" = 'boot' ]
then
ctlop="start"
fi
#clear exist rules
clscnt=0
while [ $clscnt -le 10 ]
do
iptables -D FORWARD -j vpnforward 2>/dev/null
iptables -D INPUT -j vpninput 2>/dev/null
iptables -D POSTROUTING -t nat -j vpnsnat 2>/dev/null
iptables -F vpnforward 2>/dev/null
iptables -F vpninput 2>/dev/null
iptables -F vpnsnat -t nat 2>/dev/null
iptables -X vpnforward 2>/dev/null
iptables -X vpninput 2>/dev/null
iptables -X vpnsnat -t nat 2>/dev/null
let clscnt=$clscnt+1
done
if [ "$ctlop" = 'start' ]
then
if [ ! -s /tmp/vpnclient.env ]
then
#first load
dlog "INFO: traffic.set.firewall, empty /tmp/vpnclient.env."
exit 0
fi
. /tmp/vpnclient.env
if [ -z "$VPNINTERFACE" ]
then
if [ "$ctlop" = 'stop' ]
then
dlog "WARNING: $0, VPNINTERFACE no exported."
exit 0
else
dlog "ERROR: $0, VPNINTERFACE no exported."
exit 1
fi
fi
iptnewchain "-N vpnforward"
iptnewchain "-N vpninput"
iptnewchain "-N vpnsnat -t nat"
iptexec "iptables -I FORWARD -j vpnforward"
iptexec "iptables -I INPUT -j vpninput"
iptexec "iptables -I POSTROUTING -t nat -j vpnsnat"
iptexec "iptables -A vpnforward -o $VPNINTERFACE -j ACCEPT"
iptexec "iptables -A vpnforward -i $VPNINTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
iptexec "iptables -A vpnforward -i $VPNINTERFACE -j DROP"
iptexec "iptables -A vpnforward -j RETURN"
iptexec "iptables -A vpninput ! -i $VPNINTERFACE -j RETURN"
iptexec "iptables -A vpninput -i $VPNINTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
#iptexec "iptables -A vpninput -p udp --dport 67 -j DROP"
#iptexec "iptables -A vpninput -p tcp --dport 67 -j DROP"
#iptexec "iptables -A vpninput -p udp --dport 68 -j DROP"
#iptexec "iptables -A vpninput -p tcp --dport 68 -j DROP"
iptexec "iptables -A vpninput -j DROP"
iptexec "iptables -A vpnsnat -t nat ! -o $VPNINTERFACE -j RETURN"
iptexec "iptables -A vpnsnat -t nat -j MASQUERADE"
fi
#
if [ "$2" != 'renew' -a "$1" != 'stop' -a -n "$2" -o "$ctlop" = 'start' ]
then
dlog "INFO: $0, $1, done"
fi
#
Reference in New Issue View Git Blame Copy Permalink