Mirrors
/
aredn
mirror of https://github.com/aredn/aredn.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'FixupTunnelFirewall' into release-3.16.1.0 

Various fixes around tunnel firewall rules
This commit is contained in:
Conrad Lara - KG6JEI 2016-01-21 20:40:43 -08:00
parent a7ae3afe4e 29ba1c0419
commit b38309bab5
1 changed files with 48 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
files/etc/local/mesh-firewall/01-tunnels
View File

@ -37,7 +37,17 @@ if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
exit 0; exit 0;
fi fi
# Test for pre-existing firewall rules which use a wildcard and only need setup 1 time for multiple tunnel connections
if ( $(iptables -L forwarding_vpn 2>/dev/null | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null) ) then
rules_exist=1
else
rules_exist=0
fi
# Do nothing on firewall if tunnels already (or still) exist--set up once.
if [ $rules_exist -eq 0 ] ; then
echo "Adding vtun firewall rules..." echo "Adding vtun firewall rules..."
iptables -N forwarding_vpn
iptables -N zone_vpn_input iptables -N zone_vpn_input
iptables -N zone_vpn_ACCEPT iptables -N zone_vpn_ACCEPT
iptables -N zone_vpn_DROP iptables -N zone_vpn_DROP
@ -53,16 +63,14 @@ iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT iptables -A zone_vpn_input -p udp -m udp --dport 161 -j ACCEPT
iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT iptables -A zone_vpn_input -j zone_vpn_REJECT
iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
if [ "$MESHFW_MESHGW" == "1" ] ; then if [ "$MESHFW_MESHGW" -eq 1 ] ; then
iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
else else
iptables -I zone_vpn_forward -j zone_wan_dest_REJECT iptables -I zone_vpn_forward -j zone_wan_dest_REJECT
fi fi
iptables -A zone_vpn_input -j zone_vpn_ACCEPT
iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
iptables -A zone_vpn_DROP -o tun+ -j DROP iptables -A zone_vpn_DROP -o tun+ -j DROP
@ -72,3 +80,14 @@ iptables -A zone_vpn_REJECT -i tun+ -j reject
iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
iptables -A zone_vpn_forward -j forwarding_vpn
fi
# Rules that modify core tables and as such always need to be executed as they are flushed on reload/restart
iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
iptables -I delegate_input 3 -i tun+ -j zone_vpn_input
iptables -I delegate_output 3 -j zone_vpn_ACCEPT
iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT