Simple demo script for configuring openvpn firewalls on a TUN setup behind a local LAN router
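#!/bin/bash
# README ---
# Demo script for building the iptables firewall of an OpenVPN server. It is
# written for TUN setups where the VPN server sits behind a LAN router. Besides
# the VPN forwarding rules it contains a section for restricting which traffic
# may pass through the VPN, rules that allow SSH to the VPN server from the
# local LAN only, and rules that let DNS and DHCP through so the server keeps
# working inside the LAN.
#
# PREREQUISITES
# - IP forwarding is enabled on the server (net.ipv4.ip_forward = 1), otherwise
#   the FORWARD rules below never see any traffic. The script warns when it is
#   off but still applies the rules.
# - OpenVPN is already configured and running (this just makes testing easier).
#
# SETUP
# Change the variables in the 'User Configuration' section to match your network
# and OpenVPN configuration, then run:  sudo ./openvpnfirewall.sh
# Progress is printed as each step runs; the script exits once the firewall has
# been applied.
#
# SCOPE / CAVEATS
# - Only IPv4 (iptables) is configured. If the host has IPv6 connectivity,
#   ip6tables is left untouched by this script.
# - The rules are stateless on purpose; a conntrack variant is kept below,
#   commented out and untested.
# - Default policies are switched to DROP before the SSH rules are appended, so
#   prefer running this from a console rather than over SSH. The script stops on
#   the first failing iptables command (set -e) rather than silently applying a
#   partial ruleset; console access is needed to recover in that case.
#
# DISCLAIMER
# This script is a demo / experiment and not recommended for industry /
# professional use. It may contain bugs unknown to me (comment them and I will
# update!). USE AT YOUR OWN DISCRETION.
# END OF README ---

# Abort on the first failing command, unset variable or failed pipeline stage;
# -E makes the ERR trap below fire inside functions as well.
set -Eeuo pipefail
trap 'printf "openvpnfirewall: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'openvpnfirewall: %s\n' "$*" >&2
  exit 1
}

# -- USER CONFIGURATION --
echo "Defining User Variables"
IPTABLES="/sbin/iptables"
# -- names of the nics for the loopback, vpn and general internet of the vpn server
ILOOPBACK="lo"
IVPN="tun0"
IINTERNET="eth0"
# -- ip address of the vpn server within the hosting network
IPADDR="192.168.0.99"
# -- subnet of the vpn's network (ip range used for assigning IPs to connecting clients)
VPN_SUBNET="10.8.0.0/24"
# -- subnet of the network the vpn is hosted in
LAN_SUBNET="192.168.0.0/24"
# -- listening port of openvpn for new connections
VPN_SERVER_PORT="1234"
# -- ip of the dhcp server. This needs to be the same as configured in openvpn,
#    otherwise clients may not be able to resolve IPs. The "router admin page"
#    drop rules below assume this host is also the LAN router.
DHCP_SERVER="192.168.0.1"
echo "User Variables Defined"
# -- END OF USER CONFIGURATION --

# -- FIREWALL RULES - DO NOT TOUCH --
# Source-port range an SSH client is expected to use when connecting to us.
SSH_PORTS="1020:65535"
# Addresses used by DHCP before the host has a lease.
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
# Privileged port range (currently unused; kept for reference).
PRIV_PORTS="0:1023"
# Ephemeral port range used for the host's own DNS lookups.
UNPRIV_PORTS="1024:65535"
# -- END OF FIREWALL RULES --

#######################################
# Warn when IPv4 forwarding is disabled, since the FORWARD rules would then be
# ineffective. Only warns: the kernel setting is not changed here.
#######################################
check_ip_forwarding() {
  local forwarding=""
  if [[ -r /proc/sys/net/ipv4/ip_forward ]]; then
    read -r forwarding < /proc/sys/net/ipv4/ip_forward
  fi
  if [[ "$forwarding" != "1" ]]; then
    printf 'warning: net.ipv4.ip_forward is not 1; the FORWARD rules will not pass any VPN traffic\n' >&2
  fi
}

#######################################
# Flush all rules and delete all user-defined chains in the filter, nat and
# mangle tables so the script can be re-run from a clean state.
#######################################
clear_firewall() {
  echo "Clearing Existing Firewall"
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X
  echo "Clearing Complete"
}

#######################################
# Default-deny on all three filter chains; everything below is an explicit
# allow on top of this.
#######################################
set_default_policies() {
  echo "Setting Default"
  "$IPTABLES" --policy INPUT DROP
  "$IPTABLES" --policy OUTPUT DROP
  "$IPTABLES" --policy FORWARD DROP
  echo "Defaults Have Been Set"
}

#######################################
# Allow loopback traffic unconditionally (local services rely on it).
#######################################
allow_loopback() {
  echo "Applying Loopback Policy"
  "$IPTABLES" -A INPUT -i "$ILOOPBACK" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$ILOOPBACK" -j ACCEPT
  echo "Loopback Policy Applied"
}

#######################################
# Allow the server's own DNS lookups (UDP, with a TCP fallback) from an
# ephemeral source port to any resolver on port 53, and the matching replies.
#######################################
allow_dns() {
  echo "Enabling DNS Functionality"
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p udp -s "$IPADDR" --sport "$UNPRIV_PORTS" --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp -d "$IPADDR" --sport 53 --dport "$UNPRIV_PORTS" -j ACCEPT
  # -- In case there is an error and TCP must be used (e.g. truncated answers)
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p tcp -s "$IPADDR" --sport "$UNPRIV_PORTS" --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p tcp -d "$IPADDR" --sport 53 --dport "$UNPRIV_PORTS" -j ACCEPT
  echo "Enabled DNS Functionality"
}

#######################################
# Allow the server to obtain and renew its own DHCP lease on the LAN interface.
# Covers the broadcast exchange before a lease exists, unicast renewal, and the
# address variants different DHCP servers use in their replies.
#######################################
allow_dhcp() {
  echo "Enabling DHCP Functionality"
  # -- Initialization or rebinding
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p udp -s "$BROADCAST_SRC" -d "$BROADCAST_DEST" --sport 68 --dport 67 -j ACCEPT
  # -- Incoming DHCP offer from other DHCP servers
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp -s "$BROADCAST_SRC" -d "$BROADCAST_DEST" --sport 67 --dport 68 -j ACCEPT
  # -- Rules for lost lease or reboot for client
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p udp -s "$BROADCAST_SRC" -d "$DHCP_SERVER" --sport 68 --dport 67 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp -s "$DHCP_SERVER" -d "$BROADCAST_DEST" --sport 67 --dport 68 -j ACCEPT
  # -- Variances in DHCP Response
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp -s "$DHCP_SERVER" --sport 67 --dport 68 -j ACCEPT
  # -- -- Lease Renewal
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p udp -s "$IPADDR" -d "$DHCP_SERVER" --sport 68 --dport 67 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp -s "$DHCP_SERVER" -d "$IPADDR" --sport 67 --dport 68 -j ACCEPT
  echo "Enabled DHCP Functionality"
}

#######################################
# Build the vpn_forwarding_traffic chain: site-specific DROP rules first, then
# the stateless accepts for VPN<->internet traffic, and hook the chain into
# FORWARD for packets entering or leaving the tun interface.
#######################################
configure_vpn_forwarding() {
  echo "Creating VPN Forwarding Traffic Chain"
  "$IPTABLES" -N vpn_forwarding_traffic
  echo "Applying VPN Forwarding Policy"
  # **********************************************************************************
  # * -- INSERT DROP RULES HERE TO RESTRICT WHAT KIND OF TRAFFIC GOES THROUGH VPN -- *
  # * -- ANYTHING NOT DROPPED WILL BE ACCEPTED IF VALID ETH->VPN OR VPN->ETH       -- *
  # **********************************************************************************
  # -- Example: Drop All HTTP Data
  # "$IPTABLES" -A vpn_forwarding_traffic -p tcp --sport 80 -j DROP
  # "$IPTABLES" -A vpn_forwarding_traffic -p tcp --dport 80 -j DROP
  # -- End Of Example
  # -- don't let vpn users reach the router admin page (HTTP/HTTPS on DHCP_SERVER)
  "$IPTABLES" -A vpn_forwarding_traffic -d "$DHCP_SERVER" -p tcp --dport 80 -j DROP
  "$IPTABLES" -A vpn_forwarding_traffic -s "$DHCP_SERVER" -p tcp --sport 80 -j DROP
  "$IPTABLES" -A vpn_forwarding_traffic -d "$DHCP_SERVER" -p tcp --dport 443 -j DROP
  "$IPTABLES" -A vpn_forwarding_traffic -s "$DHCP_SERVER" -p tcp --sport 443 -j DROP
  # **********************************************************************************
  # * -- END OF DROP RULES --                                                        *
  # **********************************************************************************
  # - Stateful Routing Options - UNTESTED (kept for reference, not applied)
  #"$IPTABLES" -I FORWARD -i "$IVPN" -o "$IINTERNET" -s "$VPN_SUBNET" -m conntrack --ctstate NEW -j ACCEPT #accept new connections
  #"$IPTABLES" -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # - Stateless Routing Options
  # NOTE(review): the second rule accepts any packet arriving on IINTERNET that is
  # addressed to VPN_SUBNET, not only replies; after the MASQUERADE below, replies
  # to VPN clients match it, but so would anything else routed to VPN_SUBNET via
  # this host. The stateful variant above would narrow this if it were adopted.
  "$IPTABLES" -A vpn_forwarding_traffic -i "$IVPN" -o "$IINTERNET" -s "$VPN_SUBNET" -j ACCEPT
  "$IPTABLES" -A vpn_forwarding_traffic -i "$IINTERNET" -d "$VPN_SUBNET" -o "$IVPN" -j ACCEPT
  echo "Applied VPN Forwarding Policy"
  echo "Applying VPN Forwarding Traffic Routing Rules"
  "$IPTABLES" -A FORWARD -i "$IVPN" -j vpn_forwarding_traffic
  "$IPTABLES" -A FORWARD -o "$IVPN" -j vpn_forwarding_traffic
  echo "Applied VPN Forwarding Traffic Routing Rules"
}

#######################################
# Allow OpenVPN's UDP listening port in and out on the internet-facing nic.
#######################################
allow_vpn_listener() {
  echo "Applying Listening Rules For New Connections on OpenVPN's Listening Port"
  # - Allow VPN Data Through The OpenVPN's Listening Port
  "$IPTABLES" -A INPUT -i "$IINTERNET" -p udp --dport "$VPN_SERVER_PORT" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$IINTERNET" -p udp --sport "$VPN_SERVER_PORT" -j ACCEPT
  echo "Applied Listening Rules For New Connections on OpenVPN's Listening Port"
}

#######################################
# NAT VPN client traffic behind the server's LAN address. Not needed if the
# router is told to route all VPN-subnet traffic back to the VPN server.
#######################################
apply_masquerade() {
  echo "Applying Masquerading Rules For VPN"
  "$IPTABLES" -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$IINTERNET" -j MASQUERADE
  echo "Applied Masquerading Rules For VPN"
}

#######################################
# Allow SSH to the server from hosts on LAN_SUBNET only. The output chain uses
# "! --syn" so the server can answer SSH sessions but cannot initiate outbound
# SSH connections on port 22.
#######################################
configure_ssh() {
  echo "Creating SSH Input Traffic Rules For Incoming SSH Connections"
  "$IPTABLES" -N ssh_input_traffic
  # -- allow incoming connections only from the same subnet as the VPN Server is hosted in
  "$IPTABLES" -A ssh_input_traffic -i "$IINTERNET" -p tcp -d "$IPADDR" -s "$LAN_SUBNET" --sport "$SSH_PORTS" --dport 22 -j ACCEPT
  echo "Created SSH Input Traffic Rules For Incoming SSH Connections"
  echo "Creating SSH Input Chain"
  # The --sport 22 jump finds no matching rule in the chain and falls through to
  # the INPUT DROP policy; it is kept as in the original layout.
  "$IPTABLES" -A INPUT -p tcp --sport 22 -j ssh_input_traffic
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ssh_input_traffic
  echo "Created SSH Input Chain"
  echo "SSH Input Settings Complete"
  echo "Creating SSH Output Trafic Rules For Incoming SSH Connections"
  "$IPTABLES" -N ssh_output_traffic
  # -- allow outgoing ssh data (replies only, no SYN) only to the same subnet as the VPN Server is hosted in
  "$IPTABLES" -A ssh_output_traffic -o "$IINTERNET" -p tcp ! --syn -s "$IPADDR" -d "$LAN_SUBNET" --sport 22 --dport "$SSH_PORTS" -j ACCEPT
  echo "Created SSH Output Traffic Rules For Incoming SSH Connections"
  echo "Creating SSH Output Chain"
  "$IPTABLES" -A OUTPUT -p tcp --sport 22 -j ssh_output_traffic
  "$IPTABLES" -A OUTPUT -p tcp --dport 22 -j ssh_output_traffic
  echo "Created SSH Output Chain"
}

#######################################
# Entry point: sanity checks, then apply the sections in the same order as the
# original flat script.
#######################################
main() {
  (( EUID == 0 )) || die "must be run as root (sudo ./openvpnfirewall.sh)"
  [[ -x "$IPTABLES" ]] || die "iptables not found or not executable at $IPTABLES"
  check_ip_forwarding
  clear_firewall
  set_default_policies
  allow_loopback
  allow_dns
  allow_dhcp
  configure_vpn_forwarding
  allow_vpn_listener
  apply_masquerade
  configure_ssh
}

main "$@"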