aredn/files/etc/local/mesh-firewall/01-tunnels

98 lines
4.3 KiB
Bash
Executable File

#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2020 Joe Ayers
Copyright (C) 2015 Conrad Lara and Joe Ayers
See Contributors file for additional contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Additional Terms:
Additional use restrictions exist on the AREDN(TM) trademark and logo.
See AREDNLicense.txt for more info.
Attributions to the AREDN Project must be retained in the source code.
If importing this code into a new or existing project attribution
to the AREDN project must be added to the source code.
You must not misrepresent the origin of the material contained within.
Modified versions must be modified to attribute to the original source
and be marked in reasonable ways as differentiate it from the original
version.
LICENSE
if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
exit 0;
fi
# In all cases - restart, flush, clear -- it is necessary to clean up any remenant rules to ensure chain order is correct
nft flush chain ip fw4 forwarding_vpn_rule 2>/dev/null
nft flush chain ip fw4 input_vpn 2>/dev/null
nft flush chain ip fw4 accept_vpn 2>/dev/null
nft flush chain ip fw4 reject_vpn 2>/dev/null
nft flush chain ip fw4 forward_vpn 2>/dev/null
nft flush chain ip fw4 accept_to_vpn 2>/dev/null
nft flush chain ip fw4 reject_to_vpn 2>/dev/null
nft delete chain ip fw4 forwarding_vpn_rule 2>/dev/null
nft delete chain ip fw4 input_vpn 2>/dev/null
nft delete chain ip fw4 accept_vpn 2>/dev/null
nft delete chain ip fw4 reject_vpn 2>/dev/null
nft delete chain ip fw4 forward_vpn 2>/dev/null
nft delete chain ip fw4 accept_to_vpn 2>/dev/null
nft delete chain ip fw4 reject_to_vpn 2>/dev/null
echo " * Adding vtun firewall rules..."
nft add chain ip fw4 forwarding_vpn_rule
nft add chain ip fw4 input_vpn
nft add chain ip fw4 accept_vpn
nft add chain ip fw4 reject_vpn
nft add chain ip fw4 forward_vpn
nft add chain ip fw4 accept_to_vpn
nft add chain ip fw4 reject_to_vpn
nft insert rule ip fw4 forward iifname "tun*" jump forward_vpn
nft add rule ip fw4 input iifname "tun*" jump input_vpn
nft add rule ip fw4 output oifname "tun*" jump accept_vpn # instead of creating a output_vpn chain
nft add rule ip fw4 input_vpn icmp type echo-request counter accept
nft add rule ip fw4 input_vpn tcp dport 2222 counter accept
nft add rule ip fw4 input_vpn tcp dport 8080 counter accept
nft add rule ip fw4 input_vpn tcp dport 80 counter accept
nft add rule ip fw4 input_vpn udp dport 698 counter accept
nft add rule ip fw4 input_vpn tcp dport 23 counter accept
nft add rule ip fw4 input_vpn tcp dport 9090 counter accept
nft add rule ip fw4 input_vpn udp dport 161 counter accept
nft add rule ip fw4 input_vpn ct status dnat accept comment \"!vtun: Accept port redirections\"
nft add rule ip fw4 input_vpn jump reject_vpn
nft insert rule ip fw4 forward_vpn jump forwarding_vpn_rule
nft add rule ip fw4 forward_vpn jump accept_to_vpn
if [ "$MESHFW_MESHGW" = "1" ] ; then
nft insert rule ip fw4 forward_vpn jump accept_to_wan
fi
nft add rule ip fw4 forward_vpn ct status dnat accept comment \"!vtun: Accept port forwards\"
nft add rule ip fw4 forward_vpn jump accept_to_dtdlink
nft add rule ip fw4 forward_vpn jump accept_to_lan
nft add rule ip fw4 forward_vpn jump accept_to_wifi
nft add rule ip fw4 forward_vpn jump reject_to_vpn
nft add rule ip fw4 accept_vpn oifname "tun*" accept
nft add rule ip fw4 accept_vpn iifname "tun*" accept
nft add rule ip fw4 reject_vpn oifname "tun*" reject
nft add rule ip fw4 reject_vpn iifname "tun*" reject
nft add rule ip fw4 accept_to_vpn oifname "tun*" accept
nft add rule ip fw4 reject_to_vpn oifname "tun*" reject
nft insert rule ip fw4 forward_dtdlink jump accept_to_vpn
nft insert rule ip fw4 forward_wifi jump accept_to_vpn
nft insert rule ip fw4 forward_lan jump accept_to_vpn