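#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2020 Joe Ayers
Copyright (C) 2015 Conrad Lara and Joe Ayers
See Contributors file for additional contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Additional Terms:

Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.

Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.

You must not misrepresent the origin of the material contained within.

Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.

LICENSE

# Install the fw4 (nftables) chains and rules that govern traffic entering
# and leaving the tunnel interfaces: vtun ("tun*") and WireGuard ("wg*").
#
# Environment (read):
#   MESHFW_TUNNELS_ENABLED     "1" when vtun tunnels are enabled
#   MESHFW_WG_TUNNELS_ENABLED  "1" when WireGuard tunnels are enabled
#   MESHFW_MESHGW              "1" when this node is a mesh gateway; only
#                              then is tunnel traffic allowed to jump to
#                              accept_to_wan
#
# Every rule is applied by its own `nft` invocation and a failure is not
# fatal (there is deliberately no `set -e`), so a partially populated chain
# is possible; inspect the nft diagnostics if the ruleset looks incomplete.
# POSIX sh only (busybox ash) -- no bashisms.

# Chains owned by this script, in creation order.
VPN_CHAINS="forwarding_vpn_rule input_vpn accept_vpn reject_vpn forward_vpn accept_to_vpn reject_to_vpn"

# Nothing to do unless at least one tunnel type is enabled.
if [ "$MESHFW_TUNNELS_ENABLED" != "1" ] && [ "$MESHFW_WG_TUNNELS_ENABLED" != "1" ]; then
  exit 0
fi

# In all cases - restart, flush, clear -- remnant rules from a previous run
# must be removed so the chain order built below is exactly as intended.
# All chains are flushed before any is deleted, because a chain cannot be
# deleted while another chain still holds a jump to it.  stderr is silenced
# because on a fresh start the chains legitimately do not exist yet.
# NOTE(review): jump rules into these chains that live in fw4's own base
# chains (forward/input/output/forward_*) are not removed here; presumably
# fw4 rebuilds those before running this include -- confirm.
# shellcheck disable=SC2086
for chain in $VPN_CHAINS; do
  nft flush chain ip fw4 "$chain" 2>/dev/null
done
# shellcheck disable=SC2086
for chain in $VPN_CHAINS; do
  nft delete chain ip fw4 "$chain" 2>/dev/null
done

echo " * Adding vtun firewall rules..."
# shellcheck disable=SC2086
for chain in $VPN_CHAINS; do
  nft add chain ip fw4 "$chain"
done

# Hook the tunnel interfaces into the fw4 base chains.  `insert` puts the
# forward jump at the head of the chain; input/output jumps are appended.
for ifpat in 'tun*' 'wg*'; do
  nft insert rule ip fw4 forward iifname "$ifpat" jump forward_vpn
  nft add rule ip fw4 input iifname "$ifpat" jump input_vpn
  nft add rule ip fw4 output oifname "$ifpat" jump accept_vpn # instead of creating a output_vpn chain
done

# Services this node exposes to every tunnel peer.  Anything not listed
# here falls through to reject_vpn.  Ports: 2222 (ssh, AREDN default --
# verify), 8080/80 (http), 698 (olsr), 23 (telnet), 9090 (purpose not
# documented here), 161 (snmp).  Port redirections (ct status dnat) are
# accepted regardless of port.
nft add rule ip fw4 input_vpn icmp type echo-request accept
nft add rule ip fw4 input_vpn tcp dport 2222 accept
nft add rule ip fw4 input_vpn tcp dport 8080 accept
nft add rule ip fw4 input_vpn tcp dport 80 accept
nft add rule ip fw4 input_vpn udp dport 698 accept
nft add rule ip fw4 input_vpn tcp dport 23 accept
nft add rule ip fw4 input_vpn tcp dport 9090 accept
nft add rule ip fw4 input_vpn udp dport 161 accept
nft add rule ip fw4 input_vpn ct status dnat accept comment \"!vtun: Accept port redirections\"
nft add rule ip fw4 input_vpn jump reject_vpn

# Forwarding policy for traffic arriving on a tunnel.  User rules
# (forwarding_vpn_rule) are consulted first; the WAN jump is inserted ahead
# of the others only on a mesh gateway, so non-gateway nodes never forward
# tunnel traffic toward the WAN.  Everything unmatched ends in reject_to_vpn.
nft insert rule ip fw4 forward_vpn jump forwarding_vpn_rule
nft add rule ip fw4 forward_vpn jump accept_to_vpn
if [ "$MESHFW_MESHGW" = "1" ] ; then
  nft insert rule ip fw4 forward_vpn jump accept_to_wan
fi
nft add rule ip fw4 forward_vpn ct status dnat accept comment \"!vtun: Accept port forwards\"
nft add rule ip fw4 forward_vpn jump accept_to_dtdlink
nft add rule ip fw4 forward_vpn jump accept_to_lan
nft add rule ip fw4 forward_vpn jump accept_to_wifi
nft add rule ip fw4 forward_vpn jump reject_to_vpn

# Verdict chains keyed on the tunnel interface patterns.  All vtun rules are
# added before all WireGuard rules, matching the order of the original
# per-interface listing.
for ifpat in 'tun*' 'wg*'; do
  nft add rule ip fw4 accept_vpn oifname "$ifpat" accept
  nft add rule ip fw4 accept_vpn iifname "$ifpat" accept
  nft add rule ip fw4 reject_vpn oifname "$ifpat" reject
  nft add rule ip fw4 reject_vpn iifname "$ifpat" reject
  nft add rule ip fw4 accept_to_vpn oifname "$ifpat" accept
  nft add rule ip fw4 reject_to_vpn oifname "$ifpat" reject
done

# Let the other zones forward toward the tunnels.
nft insert rule ip fw4 forward_dtdlink jump accept_to_vpn
nft insert rule ip fw4 forward_wifi jump accept_to_vpn
nft insert rule ip fw4 forward_lan jump accept_to_vpn

# Clamp TCP MSS to the route MTU on tunnel traffic in both directions.
for ifpat in 'tun*' 'wg*'; do
  nft add rule ip fw4 mangle_forward iifname "$ifpat" tcp flags syn tcp option maxseg size set rt mtu
  nft add rule ip fw4 mangle_forward oifname "$ifpat" tcp flags syn tcp option maxseg size set rt mtu
done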