Commit a68de1c3 authored by Bob Mottram's avatar Bob Mottram

mesh firewall for vpn

parent 5ee100c6
......@@ -158,20 +158,16 @@ function stop {
# SSB/Patchwork
iptables -D INPUT -p udp --dport 8008 -j ACCEPT
iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
# Tunnel over the internet
iptables -D INPUT -p tcp --dport 53 -j ACCEPT
iptables -D INPUT -p udp --dport 53 -j ACCEPT
iptables -D INPUT -p tcp --dport 8942 -j ACCEPT
iptables -D INPUT -p udp --dport 8942 -j ACCEPT
iptables -t nat -D POSTROUTING -o $EIFACE -j MASQUERADE
iptables -D FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -D FORWARD -i $IFACE -o $EIFACE -j ACCEPT
if [ $IFACE_SECONDARY ]; then
iptables -D FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -D FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
fi
# vpn over the internet
iptables -D INPUT -p tcp --dport 553 -j ACCEPT
iptables -D INPUT -p udp --dport 553 -j ACCEPT
iptables -D INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -D INPUT -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -j ACCEPT
iptables -D FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -D OUTPUT -o tun+ -j ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
......@@ -332,20 +328,16 @@ function start {
# SSB/Patchwork
iptables -A INPUT -p udp --dport 8008 -j ACCEPT
iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
# Tunnel over the internet
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 8942 -j ACCEPT
iptables -A INPUT -p udp --dport 8942 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $EIFACE -j MASQUERADE
iptables -A FORWARD -i $EIFACE -o $IFACE -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A FORWARD -i $IFACE -o $EIFACE -j ACCEPT
if [ $hotspot_enabled ]; then
iptables -A FORWARD -i $IFACE -o $IFACE_SECONDARY -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A FORWARD -i $IFACE_SECONDARY -o $IFACE -j ACCEPT
fi
# vpn over the internet
iptables -A INPUT -p tcp --dport 553 -j ACCEPT
iptables -A INPUT -p udp --dport 553 -j ACCEPT
iptables -A INPUT -i ${EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${EIFACE} -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
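Review bot: In the `start` hunk, `iptables -A FORWARD -i tun+ -j ACCEPT` forwards every packet arriving on any tun interface to any destination, which makes the narrower `iptables -A FORWARD -i tun+ -o ${EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT` right after it unreachable for tun-sourced traffic and turns the tunnel into an unrestricted path into whatever the box can reach; the same pair is mirrored with `-D` in the `stop` hunk above. If the intent is only to let VPN clients reach the internet via `${EIFACE}`, drop the blanket FORWARD rule and accept the outbound direction explicitly, `iptables -A FORWARD -i tun+ -o ${EIFACE} -j ACCEPT`, keeping the existing `-i ${EIFACE} -o tun+ ... RELATED,ESTABLISHED` rule for return traffic (and the matching `-D` lines in `stop`). Port 553 tcp/udp is opened on all interfaces while 1194 is limited to `-i ${EIFACE} -m state --state NEW`; if 553 is meant to be reached from the same side, the same `-i ${EIFACE}` restriction would keep it consistent — I can't tell from the hunk which side is intended. The `+`/`-` markers are lost in this rendering, so I am reading the `# vpn over the internet` lines as the new side; both `stop` and `start` begin and end outside these hunks.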