tinc split-tunnel with ipset
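#!/bin/sh
# tinc-down (client side): undo everything the client tinc-up set up for the
# ipset-based split tunnel.  tincd runs this as root with $INTERFACE set.
#
# Deliberately no `set -e`: a teardown should keep going when an individual
# rule, route or address is already gone (e.g. after a partially failed
# tinc-up); aborting on the first miss would leave the rest of the state
# behind.  `-x` keeps the trace in the log for debugging.
set -ux

# tincd exports INTERFACE; fall back to the name the original script used.
TINC_IF="${INTERFACE:-tinc}"
LAN_IF="br0"
CLIENT_INTERNAL_IP="<CLIENT_INTERNAL_IP>"
FWMARK="0xcafe"
MARK_CHAIN="rrmark"
ROUTE_TABLE="rrtable"
CHNROUTE_SET="chnroute"

logger "tinc down"

# 1. Unhook the marking chain from the built-in chains FIRST.  A chain that
#    is still referenced cannot be removed with -X; doing the flush/delete
#    before these two lines (as the old order did) silently left the chain
#    in place, and the next tinc-up then appended a second copy of every rule.
iptables -t mangle -D OUTPUT -j "$MARK_CHAIN"
iptables -t mangle -D PREROUTING -i "$LAN_IF" -j "$MARK_CHAIN"

# 2. The chain is now unreferenced: flushing it also drops the rule that
#    matches on the ipset, which is what allows the set to be destroyed below.
iptables -t mangle -F "$MARK_CHAIN"
iptables -t mangle -X "$MARK_CHAIN"

# 3. Policy routing for marked packets and the NAT on the tunnel.
ip rule del fwmark "$FWMARK" table "$ROUTE_TABLE"
iptables -t nat -D POSTROUTING -o "$TINC_IF" -m mark --mark "$FWMARK" -j MASQUERADE
ip route del default dev "$TINC_IF" table "$ROUTE_TABLE"

# 4. Tunnel interface and the route set.  The rp_filter setting and the
#    rt_tables entry written by tinc-up are not reverted: the interface goes
#    away anyway and a spare table name is harmless.
ip addr del "$CLIENT_INTERNAL_IP/24" dev "$TINC_IF"
ip link set "$TINC_IF" down
ipset destroy "$CHNROUTE_SET"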
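#!/bin/sh
# tinc-up (client side): send everything that is NOT in the chnroute ipset
# through the tinc tunnel; China-bound and private/reserved destinations stay
# on the normal uplink.  tincd runs this as root with $INTERFACE set.
#
# Mechanism: locally generated packets (OUTPUT) and LAN packets arriving on
# br0 (PREROUTING) pass through a mangle chain that fwmarks every destination
# outside the set.  A policy-routing rule sends marked packets to a table whose
# only route is a default via the tunnel, and they are masqueraded there.
set -eux

TINC_IF="${INTERFACE:-tinc}"
LAN_IF="br0"
CLIENT_INTERNAL_IP="<CLIENT_INTERNAL_IP>"
SERVER_IP="<SERVER_IP>"                    # public address of the tinc server
FWMARK="0xcafe"
MARK_CHAIN="rrmark"
ROUTE_TABLE="rrtable"
ROUTE_TABLE_ID="233"
CHNROUTE_SET="chnroute"
CHNROUTE_SRC="/opt/etc/chnroute.txt"       # one CIDR per line
CHNROUTE_CACHE="/tmp/chnroute-ipset.txt"   # `ipset save` output, lost on reboot
RT_TABLES="/etc/iproute2/rt_tables"

logger "tinc up"

ip link set "$TINC_IF" up
ip addr add "$CLIENT_INTERNAL_IP/24" dev "$TINC_IF"

# --- chnroute ipset --------------------------------------------------------
# Populating the set from the text list is slow on a router, so the result is
# cached with `ipset save` and restored on later tinc restarts.
#
# NOTE(review): the cache sits in world-writable /tmp and is fed to
# `ipset restore` as root.  A local user who creates that path first can
# inject arbitrary ipset commands (or point the write at a symlink target).
# On a single-user router this may be acceptable; otherwise move
# CHNROUTE_CACHE into a root-owned directory.
if ipset save "$CHNROUTE_SET" > /dev/null 2>&1; then
  echo "ipset chnroute exists"
elif [ -f "$CHNROUTE_CACHE" ]; then
  ipset restore < "$CHNROUTE_CACHE"
  echo "recovered ipset chnroute from file"
else
  # maxelem must cover every entry in the list or the later adds fail.
  ipset -N "$CHNROUTE_SET" hash:net maxelem "$(wc -l < "$CHNROUTE_SRC")"
  # `|| [ -n ... ]` still processes a last line that lacks a newline.
  while IFS= read -r net || [ -n "$net" ]; do
    [ -n "$net" ] || continue
    ipset add "$CHNROUTE_SET" "$net"
  done < "$CHNROUTE_SRC"
  ipset save "$CHNROUTE_SET" > "$CHNROUTE_CACHE"
  echo "created ipset chnroute from routers"
fi

# --- marking chain ---------------------------------------------------------
# Create the chain if needed, then flush it, so a re-run of tinc-up (or a
# tinc-down that could not delete the chain) does not stack duplicate rules.
iptables -t mangle -L "$MARK_CHAIN" -n > /dev/null 2>&1 || iptables -t mangle -N "$MARK_CHAIN"
iptables -t mangle -F "$MARK_CHAIN"

# Never mark traffic to the tinc server itself: the tunnel's own encapsulated
# packets would otherwise be routed back into the tunnel (routing loop).
iptables -t mangle -A "$MARK_CHAIN" -d "$SERVER_IP" -j RETURN
#iptables -t mangle -A "$MARK_CHAIN" -p tcp -j RETURN

# Private, shared-address, link-local, documentation, benchmark, multicast
# and reserved ranges stay on the local uplink.
for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
           172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 \
           198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 \
           255.255.255.255/32; do
  iptables -t mangle -A "$MARK_CHAIN" -d "$net" -j RETURN
done

# Everything else that is not in the China route list gets the mark.
iptables -t mangle -A "$MARK_CHAIN" -m set ! --match-set "$CHNROUTE_SET" dst -j MARK --set-mark "$FWMARK"

# Loose reverse-path filtering (2) on the tunnel: replies to marked flows
# come back over the tunnel while the main table routes that source
# elsewhere, which the strict check (1) would drop.
#echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
#echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 2 > "/proc/sys/net/ipv4/conf/$TINC_IF/rp_filter"

# Hook the chain up for local packets and for LAN clients on br0 (-C first,
# so a re-run does not add a second jump).
iptables -t mangle -C OUTPUT -j "$MARK_CHAIN" || iptables -t mangle -A OUTPUT -j "$MARK_CHAIN"
iptables -t mangle -C PREROUTING -i "$LAN_IF" -j "$MARK_CHAIN" || iptables -t mangle -A PREROUTING -i "$LAN_IF" -j "$MARK_CHAIN"

# --- policy routing --------------------------------------------------------
# Register the table name.  Append (>>): the old `>` truncated rt_tables and
# wiped the standard local/main/default entries on the first run.
grep -q "$ROUTE_TABLE" "$RT_TABLES" || echo "$ROUTE_TABLE_ID $ROUTE_TABLE" >> "$RT_TABLES"
# `replace` instead of `add`: an existing route would abort under set -e.
ip route replace default dev "$TINC_IF" table "$ROUTE_TABLE"
# `ip rule add` happily creates duplicates, so drop any stale copy first.
ip rule del fwmark "$FWMARK" table "$ROUTE_TABLE" 2> /dev/null || true
ip rule add fwmark "$FWMARK" table "$ROUTE_TABLE"
iptables -t nat -C POSTROUTING -o "$TINC_IF" -m mark --mark "$FWMARK" -j MASQUERADE \
  || iptables -t nat -A POSTROUTING -o "$TINC_IF" -m mark --mark "$FWMARK" -j MASQUERADE
echo Done.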
1. https://bigeagle.me/2016/02/ipset-policy-routing/
4. https://www.tinc-vpn.org/examples/redirect-gateway/
5. https://tinc.tinc-vpn.narkive.com/1JXOnx1C/subnet-specification-for-tinc-node-as-default-gateway
2. https://typeblog.net/set-up-shadowsocks-with-iptables-and-ipset-on-archlinux/
3. https://zohead.com/archives/openwrt-openvpn-ipset/
6. https://www.linode.com/docs/networking/vpn/how-to-set-up-tinc-peer-to-peer-vpn/
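#!/bin/sh
# tinc-down (server side): tear down the tap device and the forwarding/NAT
# rules added by the server tinc-up.  tincd runs this as root with $INTERFACE
# set to the tap device name.
#
# No `set -e` here: a teardown should remove as much as it can even when one
# step fails (e.g. the address is already gone), so every command is allowed
# to fail independently.
set -ux

: "${INTERFACE:?tincd should export INTERFACE (tap device name)}"
UPLINK_IF="eth0"
SERVER_INTERNAL_IP="<SERVER_INTERNAL_IP>"

# Delete exactly the rules tinc-up added, keyed on the same interface name.
# The old script used two different placeholders (<SERVER_DEVICE_NAME> here,
# <CLIENT_DEVICE_NAME> in tinc-up), so the -D could not match what -A added.
iptables -D FORWARD -i "$INTERFACE" -j ACCEPT
iptables -t nat -D POSTROUTING -o "$UPLINK_IF" -j MASQUERADE

ip addr del "$SERVER_INTERNAL_IP/24" dev "$INTERFACE"
ip link set "$INTERFACE" down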
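#!/bin/sh
# tinc-up (server side): bring up the tap device and let VPN clients reach
# the Internet through this host (forward from the tunnel, masquerade on the
# uplink).
#
# tincd exports $INTERFACE with the tap device name on most platforms; set it
# manually if that does not hold.  The tap device's subnet must be larger than
# the individual Subnets declared in the host configuration files.
set -eux

: "${INTERFACE:?tincd should export INTERFACE (tap device name)}"
UPLINK_IF="eth0"
SERVER_INTERNAL_IP="<SERVER_INTERNAL_IP>"

ip link set "$INTERFACE" up
ip addr add "$SERVER_INTERNAL_IP/24" dev "$INTERFACE"

# Forward traffic arriving from the tunnel.  Keyed on $INTERFACE (not a
# separate placeholder) so tinc-down can delete the identical rule; -C/-A
# keeps a re-run from stacking duplicates.
# NOTE(review): forwarding only works with net.ipv4.ip_forward=1, which is
# not set here.  If the FORWARD policy is DROP, the return path also needs
# `-o $INTERFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`.
iptables -C FORWARD -i "$INTERFACE" -j ACCEPT || iptables -A FORWARD -i "$INTERFACE" -j ACCEPT

# NAT everything leaving the uplink.  This is broader than the VPN subnet;
# add `-s <VPN_SUBNET>` if this host forwards for other networks too, so it
# does not become a general-purpose NAT for anything it routes.
iptables -t nat -C POSTROUTING -o "$UPLINK_IF" -j MASQUERADE \
  || iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE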