aredn/files/etc/local/mesh-firewall/01-tunnels

#!/bin/sh
<<'LICENSE'
  Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
  Copyright (C) 2020 Joe Ayers
  Copyright (C) 2015 Conrad Lara and Joe Ayers
   See Contributors file for additional contributors

  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation version 3 of the License.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.

  Additional Terms:

  Additional use restrictions exist on the AREDN(TM) trademark and logo.
    See AREDNLicense.txt for more info.

  Attributions to the AREDN Project must be retained in the source code.
  If importing this code into a new or existing project attribution
  to the AREDN project must be added to the source code.

  You must not misrepresent the origin of the material contained within.

  Modified versions must be modified to attribute to the original source
  and be marked in reasonable ways as differentiate it from the original
  version.

LICENSE

if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
        exit 0;
fi

# In all cases - restart, flush, clear -- it is necessary to clean up any remenant rules to ensure chain order is correct

iptables -D FORWARD -i tun+ -j zone_vpn_forward 2>/dev/null
iptables -D INPUT -i tun+ -j zone_vpn_input 2>/dev/null
iptables -D OUTPUT -o tun+ -j zone_vpn_ACCEPT 2>/dev/null
iptables -F forwarding_vpn_rule 2>/dev/null
iptables -F zone_vpn_input 2>/dev/null
iptables -F zone_vpn_ACCEPT 2>/dev/null
iptables -F zone_vpn_REJECT 2>/dev/null
iptables -F zone_vpn_forward 2>/dev/null
iptables -F zone_vpn_dest_ACCEPT 2>/dev/null
iptables -F zone_vpn_dest_REJECT 2>/dev/null
iptables -X forwarding_vpn_rule 2>/dev/null
iptables -X zone_vpn_input 2>/dev/null
iptables -X zone_vpn_ACCEPT  2>/dev/null
iptables -X zone_vpn_REJECT 2>/dev/null
iptables -X zone_vpn_forward 2>/dev/null
iptables -X zone_vpn_dest_ACCEPT 2>/dev/null
iptables -X zone_vpn_dest_REJECT 2>/dev/null

echo " * Adding vtun firewall rules..."
iptables -N forwarding_vpn_rule
iptables -N zone_vpn_input
iptables -N zone_vpn_ACCEPT
iptables -N zone_vpn_REJECT
iptables -N zone_vpn_forward
iptables -N zone_vpn_dest_ACCEPT
iptables -N zone_vpn_dest_REJECT
iptables -I FORWARD 3 -i tun+ -j zone_vpn_forward
iptables -I INPUT 5 -i tun+ -j zone_vpn_input
iptables -I OUTPUT 4 -o tun+ -j zone_vpn_ACCEPT # instead of creating a zone_vpn_output chain
iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -A zone_vpn_input -p udp -m udp --dport 161 -j ACCEPT
iptables -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port redirections" -j ACCEPT
iptables -A zone_vpn_input -j zone_vpn_REJECT
iptables -I zone_vpn_forward -j forwarding_vpn_rule
iptables -A zone_vpn_forward -j zone_vpn_dest_ACCEPT 
if [ "$MESHFW_MESHGW" -eq 1 ] ; then
        iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
fi
iptables -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port forwards" -j ACCEPT
iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_vpn_dest_REJECT
iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
iptables -A zone_vpn_REJECT -o tun+ -j reject
iptables -A zone_vpn_REJECT -i tun+ -j reject
iptables -A zone_vpn_dest_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_dest_REJECT -o tun+ -j reject
iptables -I zone_dtdlink_forward 5 -j zone_vpn_dest_ACCEPT
iptables -I zone_wifi_forward 6 -j zone_vpn_dest_ACCEPT
iptables -I zone_lan_forward 5 -j zone_vpn_dest_ACCEPT
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work. 2016-01-09 16:23:48 -07:00			`#!/bin/sh`
			`<<'LICENSE'`
			`Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks`
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic. 2020-04-29 19:54:29 -06:00			`Copyright (C) 2020 Joe Ayers`
bugfix: Tunnel firewall rule chain names are incorrect. Based on previously reverted commit 646702aab92ea75b8be1b11298ac15d261e8ab33 2016-01-16 21:09:23 -07:00			`Copyright (C) 2015 Conrad Lara and Joe Ayers`
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work. 2016-01-09 16:23:48 -07:00			`See Contributors file for additional contributors`

			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation version 3 of the License.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`Additional Terms:`

			`Additional use restrictions exist on the AREDN(TM) trademark and logo.`
			`See AREDNLicense.txt for more info.`

			`Attributions to the AREDN Project must be retained in the source code.`
			`If importing this code into a new or existing project attribution`
			`to the AREDN project must be added to the source code.`

Sourcecode license text spelling correction. Inside the source files the word "contained" was mispelled as "conained" The website currently lists this correctly as "contained" This was an error in the intial stamping of the source files in changeset:5c3ee1d0686c6e6f2907fe4fc393d86d6c5a69b5/aredn_ar71xx Line is part of "Additional Conditions" permitted by GPLv3. Line does not impact coders prior to the AREDN setup date as it was added by the AREDN team. Change-Id: I3bc09aea548100f35c08aebe8686b8d4808d56d8 Signed-off-by: Conrad Lara - KG6JEI <KG6JEI@amsat.org> Signed-off-by: Joe Ayers <ae6xe@arrl.net> Signed-off-by: Darryl Quinn <k5dlq@arrl.net> Signed-off-by: Trevor Paskett - K7FPV <snoopytjp@gmail.com> 2016-12-23 22:23:58 -07:00			`You must not misrepresent the origin of the material contained within.`
feature: FirewallIncludes: Migrate tunnel firewal rules to new include format. These rules setup chains that may be needed by other firewall rules as such we need to set them up early to be sure includes work. 2016-01-09 16:23:48 -07:00
			`Modified versions must be modified to attribute to the original source`
			`and be marked in reasonable ways as differentiate it from the original`
			`version.`

			`LICENSE`

			`if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then`
			`exit 0;`
			`fi`

bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic. 2020-04-29 19:54:29 -06:00			`# In all cases - restart, flush, clear -- it is necessary to clean up any remenant rules to ensure chain order is correct`
bugfix: On firewall reload some tunnel rules were not being inserted into the default chains which are flushed on both reload and restart of firewall by OpenWRT fw scripts. 2016-01-16 21:22:53 -07:00
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic. 2020-04-29 19:54:29 -06:00			`iptables -D FORWARD -i tun+ -j zone_vpn_forward 2>/dev/null`
			`iptables -D INPUT -i tun+ -j zone_vpn_input 2>/dev/null`
			`iptables -D OUTPUT -o tun+ -j zone_vpn_ACCEPT 2>/dev/null`
			`iptables -F forwarding_vpn_rule 2>/dev/null`
			`iptables -F zone_vpn_input 2>/dev/null`
			`iptables -F zone_vpn_ACCEPT 2>/dev/null`
			`iptables -F zone_vpn_REJECT 2>/dev/null`
			`iptables -F zone_vpn_forward 2>/dev/null`
			`iptables -F zone_vpn_dest_ACCEPT 2>/dev/null`
			`iptables -F zone_vpn_dest_REJECT 2>/dev/null`
			`iptables -X forwarding_vpn_rule 2>/dev/null`
			`iptables -X zone_vpn_input 2>/dev/null`
			`iptables -X zone_vpn_ACCEPT 2>/dev/null`
			`iptables -X zone_vpn_REJECT 2>/dev/null`
			`iptables -X zone_vpn_forward 2>/dev/null`
			`iptables -X zone_vpn_dest_ACCEPT 2>/dev/null`
			`iptables -X zone_vpn_dest_REJECT 2>/dev/null`
bugfix: On firewall reload some tunnel rules were not being inserted into the default chains which are flushed on both reload and restart of firewall by OpenWRT fw scripts. 2016-01-16 21:22:53 -07:00
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic. 2020-04-29 19:54:29 -06:00			`echo " * Adding vtun firewall rules..."`
			`iptables -N forwarding_vpn_rule`
			`iptables -N zone_vpn_input`
			`iptables -N zone_vpn_ACCEPT`
			`iptables -N zone_vpn_REJECT`
			`iptables -N zone_vpn_forward`
			`iptables -N zone_vpn_dest_ACCEPT`
			`iptables -N zone_vpn_dest_REJECT`
aredn: tunnel firewall rules upgrade to openwrt 18.06 fixes: #68 2018-07-14 22:23:10 -06:00			`iptables -I FORWARD 3 -i tun+ -j zone_vpn_forward`
			`iptables -I INPUT 5 -i tun+ -j zone_vpn_input`
bugfix: aredn firewall blocking traffic when using tunnel feature (#524) fixes #522 tested by: Matthew KB9OIV <Matthew.annen@gmail.com> tested by: Chris K3ADA <sutehk.cs@gmail.com> Resolves 2 issues with tunnel iptable rules. A rule needed to be shifted down by 1 position in chain given upgrade to openwrt 19.07. Reload of rules was not correctly retaining chain order and creating duplicate entries, inadvertantly blocking intended traffic. 2020-04-29 19:54:29 -06:00			`iptables -I OUTPUT 4 -o tun+ -j zone_vpn_ACCEPT # instead of creating a zone_vpn_output chain`
			`iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT`
			`iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT`
			`iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT`
			`iptables -A zone_vpn_input -p tcp -m tcp --dport 80 -j ACCEPT`
			`iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT`
			`iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT`
			`iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT`
			`iptables -A zone_vpn_input -p udp -m udp --dport 161 -j ACCEPT`
			`iptables -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port redirections" -j ACCEPT`
			`iptables -A zone_vpn_input -j zone_vpn_REJECT`
			`iptables -I zone_vpn_forward -j forwarding_vpn_rule`
			`iptables -A zone_vpn_forward -j zone_vpn_dest_ACCEPT`
			`if [ "$MESHFW_MESHGW" -eq 1 ] ; then`
			`iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT`
			`fi`
			`iptables -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port forwards" -j ACCEPT`
			`iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT`
			`iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT`
			`iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT`
			`iptables -A zone_vpn_forward -j zone_vpn_dest_REJECT`
			`iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT`
			`iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT`
			`iptables -A zone_vpn_REJECT -o tun+ -j reject`
			`iptables -A zone_vpn_REJECT -i tun+ -j reject`
			`iptables -A zone_vpn_dest_ACCEPT -o tun+ -j ACCEPT`
			`iptables -A zone_vpn_dest_REJECT -o tun+ -j reject`
			`iptables -I zone_dtdlink_forward 5 -j zone_vpn_dest_ACCEPT`
			`iptables -I zone_wifi_forward 6 -j zone_vpn_dest_ACCEPT`
			`iptables -I zone_lan_forward 5 -j zone_vpn_dest_ACCEPT`