@ -3,6 +3,8 @@ |
|
|
|
|
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
|
|
|
|
source $DIR/env.sh |
|
|
|
|
|
|
|
|
|
COMMENT=" -m comment --comment \"IPSEC\"" |
|
|
|
|
|
|
|
|
|
if [[ ! -e $IPTABLES ]]; then |
|
|
|
|
touch $IPTABLES |
|
|
|
|
fi |
|
|
|
|
@ -38,11 +40,11 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP |
|
|
|
|
if [ "$STATIC" == "$ANSIP" ]; then |
|
|
|
|
# SNAT |
|
|
|
|
sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG |
|
|
|
|
iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP |
|
|
|
|
eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT |
|
|
|
|
else |
|
|
|
|
# MASQUERADE |
|
|
|
|
sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG |
|
|
|
|
iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE |
|
|
|
|
eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
DROP="yes" |
|
|
|
|
@ -51,37 +53,37 @@ read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP |
|
|
|
|
|
|
|
|
|
if [ "$DROP" == "$ANSDROP" ]; then |
|
|
|
|
# disable forwarding |
|
|
|
|
iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP |
|
|
|
|
eval iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT |
|
|
|
|
else |
|
|
|
|
echo "Deleting DROP rule if exists..." |
|
|
|
|
iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP |
|
|
|
|
eval iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP $COMMENT |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
# Enable forwarding |
|
|
|
|
iptables -A FORWARD -j ACCEPT |
|
|
|
|
eval iptables -A FORWARD -j ACCEPT $COMMENT |
|
|
|
|
|
|
|
|
|
# MSS Clamping |
|
|
|
|
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
|
|
|
|
eval iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $COMMENT |
|
|
|
|
|
|
|
|
|
# PPP |
|
|
|
|
iptables -A INPUT -i ppp+ -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -o ppp+ -j ACCEPT |
|
|
|
|
eval iptables -A INPUT -i ppp+ -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -o ppp+ -j ACCEPT $COMMENT |
|
|
|
|
|
|
|
|
|
# XL2TPD |
|
|
|
|
iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT |
|
|
|
|
iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT |
|
|
|
|
eval iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT $COMMENT |
|
|
|
|
|
|
|
|
|
# IPSEC |
|
|
|
|
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT |
|
|
|
|
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT |
|
|
|
|
iptables -A INPUT -p esp -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p esp -j ACCEPT |
|
|
|
|
iptables -A INPUT -p ah -j ACCEPT |
|
|
|
|
iptables -A OUTPUT -p ah -j ACCEPT |
|
|
|
|
eval iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A INPUT -p esp -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p esp -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A INPUT -p ah -j ACCEPT $COMMENT |
|
|
|
|
eval iptables -A OUTPUT -p ah -j ACCEPT $COMMENT |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES |
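Review bot: Every new `eval iptables … $COMMENT` line (the FORWARD/DROP, MSS, PPP, XL2TPD and IPSEC rules here, and the SNAT/MASQUERADE lines in the previous hunk) re-parses the already-expanded `$IP`, `$GATE` and `$LOCALIPMASK` as shell code, so a value containing shell metacharacters — `$IP` is set outside the hunk, and the `read -p "Your external IP is $IP…"` prompt suggests it is detected rather than typed — would be executed instead of being passed to iptables. The `eval` is only there to survive the embedded quotes in `COMMENT=" -m comment --comment \"IPSEC\""` from the first hunk; an array passes the same arguments without re-parsing: define `COMMENT=(-m comment --comment IPSEC)` and write each rule as e.g. `iptables -A INPUT -p esp -j ACCEPT "${COMMENT[@]}"`, quoting `"$LOCALIPMASK"`, `"$GATE"` and `"$IP"` at the same time. Separately, `-D FORWARD … $COMMENT` in the else branch now only matches rules that carry the comment, so a DROP rule inserted by a run from before this change will not be deleted; the "Deleting DROP rule if exists" message is worth qualifying with that. The script's preamble and the prompts that set `$ANSIP`/`$ANSDROP` lie outside these hunks.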