aredn/files/etc/local/mesh-firewall/01-tunnels

101 lines
4.3 KiB
Bash
Executable File

#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2020 Joe Ayers
Copyright (C) 2015 Conrad Lara and Joe Ayers
See Contributors file for additional contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Additional Terms:
Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.
Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.
You must not misrepresent the origin of the material contained within.
Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.
LICENSE
if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
exit 0;
fi
# In all cases - restart, flush, clear -- it is necessary to clean up any remenant rules to ensure chain order is correct
iptables -D FORWARD -i tun+ -j zone_vpn_forward 2>/dev/null
iptables -D INPUT -i tun+ -j zone_vpn_input 2>/dev/null
iptables -D OUTPUT -o tun+ -j zone_vpn_ACCEPT 2>/dev/null
iptables -F forwarding_vpn_rule 2>/dev/null
iptables -F zone_vpn_input 2>/dev/null
iptables -F zone_vpn_ACCEPT 2>/dev/null
iptables -F zone_vpn_REJECT 2>/dev/null
iptables -F zone_vpn_forward 2>/dev/null
iptables -F zone_vpn_dest_ACCEPT 2>/dev/null
iptables -F zone_vpn_dest_REJECT 2>/dev/null
iptables -X forwarding_vpn_rule 2>/dev/null
iptables -X zone_vpn_input 2>/dev/null
iptables -X zone_vpn_ACCEPT 2>/dev/null
iptables -X zone_vpn_REJECT 2>/dev/null
iptables -X zone_vpn_forward 2>/dev/null
iptables -X zone_vpn_dest_ACCEPT 2>/dev/null
iptables -X zone_vpn_dest_REJECT 2>/dev/null
echo " * Adding vtun firewall rules..."
iptables -N forwarding_vpn_rule
iptables -N zone_vpn_input
iptables -N zone_vpn_ACCEPT
iptables -N zone_vpn_REJECT
iptables -N zone_vpn_forward
iptables -N zone_vpn_dest_ACCEPT
iptables -N zone_vpn_dest_REJECT
iptables -I FORWARD 3 -i tun+ -j zone_vpn_forward
iptables -I INPUT 5 -i tun+ -j zone_vpn_input
iptables -I OUTPUT 4 -o tun+ -j zone_vpn_ACCEPT # instead of creating a zone_vpn_output chain
iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -A zone_vpn_input -p udp -m udp --dport 161 -j ACCEPT
iptables -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port redirections" -j ACCEPT
iptables -A zone_vpn_input -j zone_vpn_REJECT
iptables -I zone_vpn_forward -j forwarding_vpn_rule
iptables -A zone_vpn_forward -j zone_vpn_dest_ACCEPT
if [ "$MESHFW_MESHGW" -eq 1 ] ; then
iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
fi
iptables -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!vtun: Accept port forwards" -j ACCEPT
iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_vpn_dest_REJECT
iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
iptables -A zone_vpn_REJECT -o tun+ -j reject
iptables -A zone_vpn_REJECT -i tun+ -j reject
iptables -A zone_vpn_dest_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_dest_REJECT -o tun+ -j reject
iptables -I zone_dtdlink_forward 5 -j zone_vpn_dest_ACCEPT
iptables -I zone_wifi_forward 6 -j zone_vpn_dest_ACCEPT
iptables -I zone_lan_forward 5 -j zone_vpn_dest_ACCEPT