Last active
July 11, 2022 03:00
-
-
Save WallaceTan/fb74bc66f1f37c77650fe51f1742f78a to your computer and use it in GitHub Desktop.
/jffs/openvpn/firewall-up.v2.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ## Configure NAT to masquerade the source IP of packets sent to tun0 to router's IP | |
| iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE | |
| ## https://www.snbforums.com/threads/openvpn-client-with-2fa.79337/ | |
| ## 1) Unnecessary to allow *outbound* rules with Asuswrt-Merlin, | |
| ## as all *outbound* is allowed from default network (br0) | |
| ## 2) Don't use firmware's user-defined chains 'OVPN' as it may change in future versions. | |
| ## 3) Use INPUT and/or FORWARD chains. | |
| # iptables -I OVPN -o tun0 -j ACCEPT | |
| ## Block inbound from remote site (tun0) | |
| ## Drop NEW connections initiated from remote network | |
| iptables -I FORWARD -i tun0 -m state --state NEW -j logdrop | |
| iptables -I INPUT -i tun0 -m state --state NEW -j logdrop | |
| ## Troubleshoot iptables rule with: | |
| # iptables --line-numbers -vL FORWARD | |
| # iptables -t nat --line-numbers -vL POSTROUTING |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment