iptables rules if default policies are DROP, checkserver for ipsec bugfix

9 years ago · 3075a20c6b
parent 655f33b8f2
commit 3075a20c6b
4 changed files with 31 additions and 6 deletions
--- a/ipsec/checkserver.sh
+++ b/ipsec/checkserver.sh
@ -6,7 +6,7 @@ if [ $? -eq 1 ]; then
 	/etc/init.d/xl2tpd restart
 fi

-RET=$(pgrep strongswan)
+RET=$(pgrep starter)

 if [ $? -eq 1 ]; then
 	/etc/init.d/strongswan restart
--- a/ipsec/iptables-setup.sh
+++ b/ipsec/iptables-setup.sh
@ -57,6 +57,9 @@ else
    iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
 fi

+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

@ -65,7 +68,21 @@ iptables -A INPUT -i ppp+ -j ACCEPT
 iptables -A OUTPUT -o ppp+ -j ACCEPT

 # XL2TPD
-iptables -A INPUT -p tcp --dport 1701 -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 1701 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --sport 1701 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
+
+# IPSEC
+iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
+iptables -A INPUT -p esp -j ACCEPT
+iptables -A OUTPUT -p esp -j ACCEPT
+iptables -A INPUT -p ah -j ACCEPT
+iptables -A OUTPUT -p ah -j ACCEPT
+

 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F
--- a/openvpn/iptables-setup.sh
+++ b/openvpn/iptables-setup.sh
@ -62,6 +62,9 @@ else
    iptables -D FORWARD -i tun+ -o tun+ -j DROP
 fi

+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu

@ -70,7 +73,8 @@ iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT

 # OpenVPN
-iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT

 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F
--- a/pptp/iptables-setup.sh
+++ b/pptp/iptables-setup.sh
@ -55,6 +55,9 @@ else
    iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
 fi

+# Enable forwarding
+iptables -A FORWARD -j ACCEPT
+
 # MSS Clamping
 iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

@ -63,11 +66,12 @@ iptables -A INPUT -i ppp+ -j ACCEPT
 iptables -A OUTPUT -o ppp+ -j ACCEPT

 # PPTP
-iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT

 # GRE
-iptables -A INPUT -p 47 -j ACCEPT
-iptables -A OUTPUT -p 47 -j ACCEPT
+iptables -A INPUT -p gre -j ACCEPT
+iptables -A OUTPUT -p gre -j ACCEPT

 iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
 iptables -F