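#!/bin/sh
<<'LICENSE'
  Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
  Copyright (C) 2020 Joe Ayers
  Copyright (C) 2015 Conrad Lara and Joe Ayers
  See Contributors file for additional contributors

  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation version 3 of the License.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.

  Additional Terms:

  Additional use restrictions exist on the AREDN(TM) trademark and logo.
    See AREDNLicense.txt for more info.

  Attributions to the AREDN Project must be retained in the source code.
  If importing this code into a new or existing project attribution
  to the AREDN project must be added to the source code.

  You must not misrepresent the origin of the material contained within.

  Modified versions must be modified to attribute to the original source
  and be marked in reasonable ways as differentiate it from the original
  version.
LICENSE

# Tunnel (vtun) firewall rules for OpenWrt fw4 (nftables), table "ip fw4".
#
# Environment (set by the caller):
#   MESHFW_TUNNELS_ENABLED  "1" when tunnels are enabled; any other value
#                           makes this script a no-op (see note below).
#   MESHFW_MESHGW           "1" when this node is a mesh gateway: forwarding
#                           from a tunnel towards WAN is then also accepted.
#
# Rule ORDER is the policy here: `nft insert` prepends to a chain while
# `nft add` appends, so read the documented final order of each chain before
# reordering any line below.
#
# NOTE(review): when tunnels are disabled nothing is cleaned up -- chains and
# jump rules left by an earlier run stay installed until the fw4 table is
# rebuilt.  Presumably an fw4 reload does that; confirm against the caller.
if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
    exit 0
fi

# Chains this script owns inside table "ip fw4".
readonly VPN_CHAINS="forwarding_vpn_rule input_vpn accept_vpn reject_vpn forward_vpn accept_to_vpn reject_to_vpn"

#######################################
# Run an nft command that is part of the tunnel policy.
# A failed `add`/`insert` previously went unnoticed, leaving a partially
# installed policy with no trace of which rule was missing.  Report it on
# stderr; like before, the script carries on with the remaining rules.
# Arguments: nft sub-command and its operands
# Returns:   0 always (the failure is reported, not propagated)
#######################################
nft_rule() {
    nft "$@" || printf ' ! nft %s failed -- vtun firewall rules may be incomplete\n' "$*" >&2
}

# In all cases -- restart, flush, clear -- remnant rules from a previous run
# must be removed so that the chain order built below is exactly what ends up
# installed.  Both passes are deliberately best-effort (errors discarded): on a
# first run the chains do not exist yet.  All chains are flushed before any is
# deleted because they jump to each other (forward_vpn -> accept_to_vpn, ...).
# NOTE(review): nft presumably refuses to delete a chain that fw4's base
# chains still jump to (the jumps added further down are never removed here);
# in that case the chain survives, already flushed, and `add chain` reuses it.
# shellcheck disable=SC2086  # POSIX sh: word-splitting the list is intended
for chain in $VPN_CHAINS; do
    nft flush chain ip fw4 "$chain" 2>/dev/null
done
# shellcheck disable=SC2086
for chain in $VPN_CHAINS; do
    nft delete chain ip fw4 "$chain" 2>/dev/null
done

echo " * Adding vtun firewall rules..."
# shellcheck disable=SC2086
for chain in $VPN_CHAINS; do
    nft_rule add chain ip fw4 "$chain"
done

# Hook the tunnel chains into fw4's base chains.  The interface match is the
# glob "tun*": EVERY interface whose name starts with "tun" is treated as a
# mesh tunnel peer and receives the permissive policy below.  Keep that in
# mind before adding any other VPN whose device is also named tun<N>.
nft_rule insert rule ip fw4 forward iifname "tun*" counter jump forward_vpn
nft_rule add rule ip fw4 input iifname "tun*" counter jump input_vpn
# No separate output_vpn chain: traffic leaving towards a tunnel is accepted.
nft_rule add rule ip fw4 output oifname "tun*" counter jump accept_vpn

# input_vpn: services a tunnel peer may reach on this node, in this order.
# Anything not matched is rejected by the final jump.  Confirm the port list
# against the services the node actually runs (23 = telnet, 161 = snmp and
# 698 = olsr are the IANA assignments; the others are node-specific).
nft_rule add rule ip fw4 input_vpn icmp type echo-request counter accept
nft_rule add rule ip fw4 input_vpn tcp dport 2222 counter accept
nft_rule add rule ip fw4 input_vpn tcp dport 8080 counter accept
nft_rule add rule ip fw4 input_vpn tcp dport 80 counter accept
nft_rule add rule ip fw4 input_vpn udp dport 698 counter accept
nft_rule add rule ip fw4 input_vpn tcp dport 23 counter accept
nft_rule add rule ip fw4 input_vpn tcp dport 9090 counter accept
nft_rule add rule ip fw4 input_vpn udp dport 161 counter accept
# Connections that were DNATed to this node (port redirections) are accepted
# regardless of destination port.
nft_rule add rule ip fw4 input_vpn ct status dnat counter accept comment \"!vtun: Accept port redirections\"
nft_rule add rule ip fw4 input_vpn counter jump reject_vpn

# forward_vpn: traffic arriving on a tunnel.  Final order, remembering that
# `insert` prepends:
#   [accept_to_wan]        only when MESHFW_MESHGW=1; ends up FIRST because
#                          it is inserted after forwarding_vpn_rule was
#   forwarding_vpn_rule    created empty by this script (populated elsewhere,
#                          presumably -- confirm)
#   accept_to_vpn          tunnel -> tunnel
#   ct status dnat accept  port forwards
#   accept_to_dtdlink, accept_to_lan, accept_to_wifi
#   reject_to_vpn          anything else bound for a tunnel
# A packet matched by none of these returns to fw4's forward chain.
nft_rule insert rule ip fw4 forward_vpn counter jump forwarding_vpn_rule
nft_rule add rule ip fw4 forward_vpn counter jump accept_to_vpn
if [ "$MESHFW_MESHGW" = "1" ]; then
    nft_rule insert rule ip fw4 forward_vpn counter jump accept_to_wan
fi
nft_rule add rule ip fw4 forward_vpn ct status dnat counter accept comment \"!vtun: Accept port forwards\"
nft_rule add rule ip fw4 forward_vpn counter jump accept_to_dtdlink
nft_rule add rule ip fw4 forward_vpn counter jump accept_to_lan
nft_rule add rule ip fw4 forward_vpn counter jump accept_to_wifi
nft_rule add rule ip fw4 forward_vpn counter jump reject_to_vpn

# Verdict chains keyed on the tunnel interface glob.
nft_rule add rule ip fw4 accept_vpn oifname "tun*" counter accept
nft_rule add rule ip fw4 accept_vpn iifname "tun*" counter accept
nft_rule add rule ip fw4 reject_vpn oifname "tun*" counter reject
nft_rule add rule ip fw4 reject_vpn iifname "tun*" counter reject
nft_rule add rule ip fw4 accept_to_vpn oifname "tun*" counter accept
nft_rule add rule ip fw4 reject_to_vpn oifname "tun*" counter reject

# Let the dtdlink, wifi and lan zones reach the tunnels.  Prepended, so this
# takes precedence over whatever those zone chains already contain.
# NOTE(review): these jumps, like the three into forward/input/output above,
# are never removed by this script; re-running it without an fw4 reload
# presumably adds a second copy -- confirm how the caller invokes it.
nft_rule insert rule ip fw4 forward_dtdlink counter jump accept_to_vpn
nft_rule insert rule ip fw4 forward_wifi counter jump accept_to_vpn
nft_rule insert rule ip fw4 forward_lan counter jump accept_to_vpn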