WireGuard up/down script
#!/bin/bash
## Usage
# /etc/wireguard/ifscript.sh up %i
# /etc/wireguard/ifscript.sh down %i
action=$1
interface=$2
# RFC 1918 ranges the tunnel must not reach (passed as one comma list to -d)
local_ips=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
vpn_ip="10.6.6.0/24"
int_interface="enp1s0"
local_ports="53"
# iptables verb: insert the rules on "up", delete the same rules otherwise
if [[ "$action" == "up" ]]; then
  action_arg="I"
else
  action_arg="D"
fi
#######################################
# Print a tagged progress line for the current action.
# Globals:   action (read) - "up" selects the "Enabling" prefix, anything
#            else "Disabling"
# Arguments: $@ - message words, joined with spaces
# Outputs:   "[ifscript.sh] <prefix> <message>" on stdout
#######################################
log () {
  local verb
  if [[ "$action" == "up" ]]; then
    verb="Enabling"
  else
    verb="Disabling"
  fi
  printf '%s\n' "[ifscript.sh] $verb $*"
}
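log "iptables rules for ${interface}"
# Every rule below uses the same verb: -I (insert) on "up", -D (delete) on
# "down".  -I without a position inserts at the HEAD of the chain, so a
# chain ends up evaluating these rules in the reverse of the order they are
# issued here; a rule that must match first has to be issued last.  -D does
# not care about order, so one sequence serves both actions.

# NAT: masquerade VPN traffic leaving through the upstream interface
iptables -t nat "-$action_arg" POSTROUTING -o "$int_interface" -j MASQUERADE
# Prevent IP bleed: reject forwarded traffic from the tunnel whose source
# is not a VPN address
iptables "-$action_arg" FORWARD -j REJECT -i "$interface" ! -s "$vpn_ip"
# No access to local IPs or IPv6
iptables "-$action_arg" FORWARD -d "$local_ips" -j REJECT -i "$interface"
ip6tables "-$action_arg" FORWARD -j REJECT -i "$interface"
# INPUT: issue the catch-all REJECTs BEFORE the port ACCEPTs.  Because -I
# inserts at the head, issuing REJECT last would leave it above the ACCEPTs
# and make the allowed services unreachable from the tunnel.
# No access to local services
iptables "-$action_arg" INPUT -j REJECT -i "$interface"
ip6tables "-$action_arg" INPUT -j REJECT -i "$interface"
# Allow some local services (a single port as written; a comma-separated
# list would need `-m multiport --dports` instead of --dport)
iptables "-$action_arg" INPUT -p udp --dport "$local_ports" -j ACCEPT -i "$interface"
iptables "-$action_arg" INPUT -p tcp --dport "$local_ports" -j ACCEPT -i "$interface"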