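#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2015 Conrad Lara and Joe Ayers
See Contributors file for additional contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Additional Terms:

Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.

Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.

You must not misrepresent the origin of the material conained within.

Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.
LICENSE

# Firewall include for the vtun ("vpn") zone.  Reads two variables from the
# environment set by the caller:
#   MESHFW_TUNNELS_ENABLED  - anything other than "1" makes this a no-op
#   MESHFW_MESHGW           - 1 when this node is a mesh gateway (may forward
#                             tunnel traffic to the WAN zone); anything else,
#                             including unset, means reject
# iptables failures are not checked (no set -e): a failed ACCEPT rule leaves
# that traffic blocked by the chain's final REJECT, i.e. the script fails closed.
if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
  exit 0
fi

# Test for pre-existing firewall rules which use a wildcard and only need setup
# 1 time for multiple tunnel connections.  The marker is the chain header that
# `iptables -L` prints ("Chain forwarding_vpn (N references)").  -n keeps
# iptables from doing reverse DNS lookups while listing; the header line itself
# is unaffected.
if iptables -n -L forwarding_vpn 2>/dev/null | grep -q -E '^Chain forwarding_vpn \(.+ references\)'; then
  rules_exist=1
else
  rules_exist=0
fi

# Do nothing on firewall if tunnels already (or still) exist--set up once.
if [ "$rules_exist" -eq 0 ] ; then
  echo "Adding vtun firewall rules..."

  # Per-zone chains for traffic on tun+ interfaces.
  iptables -N forwarding_vpn
  iptables -N zone_vpn_input
  iptables -N zone_vpn_ACCEPT
  iptables -N zone_vpn_DROP
  iptables -N zone_vpn_REJECT
  iptables -N zone_vpn_forward

  # The delegate_{forward,input,output} hooks are deliberately NOT inserted
  # here: they are (re)applied unconditionally at the end of this script
  # because the core tables are flushed on reload, and inserting them here as
  # well produced duplicate rules on the first run.

  # Services on this node reachable from tunnel peers.  Anything from tun+ not
  # listed below falls through to zone_vpn_REJECT.
  # Port/service mapping is AREDN-specific for 2222, 8080, 1978 and 9090 —
  # TODO confirm against the node's service configuration before changing.
  iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT  # echo request
  iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT
  iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT
  iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT  # OLSR
  iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT
  iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT  # telnet (cleartext)
  iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
  iptables -A zone_vpn_input -p udp -m udp --dport 161 -j ACCEPT  # SNMP
  iptables -A zone_vpn_input -j zone_vpn_REJECT

  # Forwarded tunnel traffic: the WAN-destination rule is inserted at position
  # 1 *after* the blanket zone_vpn_ACCEPT so it is evaluated first; only a mesh
  # gateway forwards tunnel traffic toward the WAN zone.  "${MESHFW_MESHGW:-0}"
  # keeps test(1) from printing an "integer expression expected" error when the
  # variable is unset or empty -- the result (reject) is the same either way.
  iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
  if [ "${MESHFW_MESHGW:-0}" -eq 1 ] ; then
    iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
  else
    iptables -I zone_vpn_forward -j zone_wan_dest_REJECT
  fi

  # Zone action chains; "reject" (lowercase) is the firewall's own reject chain.
  iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
  iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
  iptables -A zone_vpn_DROP -o tun+ -j DROP
  iptables -A zone_vpn_DROP -i tun+ -j DROP
  iptables -A zone_vpn_REJECT -o tun+ -j reject
  iptables -A zone_vpn_REJECT -i tun+ -j reject

  # Tunnel traffic may reach the dtdlink, lan and wifi zones; forwarding_vpn is
  # left for per-tunnel rules added elsewhere.
  iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
  iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
  iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
  iptables -A zone_vpn_forward -j forwarding_vpn
fi

# Rules that modify core tables and as such always need to be executed as they
# are flushed on reload/restart.
iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
iptables -I delegate_input 5 -i tun+ -j zone_vpn_input
iptables -I delegate_output 3 -j zone_vpn_ACCEPT
iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT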