Improve iptables detection

This commit is contained in:
Orazio 2019-07-01 11:12:46 +02:00
parent 8e3a951524
commit 7a34dd3704
3 changed files with 101 additions and 36 deletions

View file

@ -974,7 +974,41 @@ confNetwork() {
# else configure iptables
if [[ $noUFW -eq 1 ]]; then
echo 1 > /tmp/noUFW
# Now some checks to detect which rules we need to add. On a newly installed system all policies
# should be ACCEPT, so the only required rule would be the MASQUERADE one.
$SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
# installed but not enabled).
INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')"
FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')"
INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')"
FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
# If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if
# there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the
# chain (using -I).
if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
INPUT_CHAIN_EDITED=1
else
INPUT_CHAIN_EDITED=0
fi
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
FORWARD_CHAIN_EDITED=1
else
FORWARD_CHAIN_EDITED=0
fi
case ${PLAT} in
Ubuntu|Debian|Devuan)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
@ -987,7 +1021,12 @@ confNetwork() {
echo 0 > /tmp/noUFW
fi
echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED
echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
$SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
$SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
$SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
}
confOVPN() {

View file

@ -56,11 +56,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
iptables-restore < /etc/iptables/rules.v4
echo "Done"
fi
fi
if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set"
else
ERR=1
read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
iptables-save > /etc/iptables/rules.v4
echo "Done"
fi
fi
fi
else
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then

View file

@ -1,21 +1,6 @@
#!/usr/bin/env bash
# PiVPN: Uninstall Script
# Must be root to uninstall
if [[ $EUID -eq 0 ]];then
echo "::: You are root."
else
echo "::: Sudo will be used for the uninstall."
# Check if it is actually installed
# If it isn't, exit because the unnstall cannot complete
if [[ $(dpkg-query -s sudo) ]];then
export SUDO="sudo"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
NO_UFW=$(cat /etc/pivpn/NO_UFW)
@ -59,7 +44,7 @@ echo ":::"
while true; do
read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
case $yn in
[Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
[Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
break;;
@ -74,44 +59,57 @@ echo ":::"
# Take care of any additional package cleaning
printf "::: Auto removing remaining dependencies..."
$SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
printf "::: Auto cleaning remaining dependencies..."
$SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
echo ":::"
# Removing pivpn files
echo "::: Removing pivpn system files..."
$SUDO rm -rf /opt/pivpn &> /dev/null
$SUDO rm -rf /etc/.pivpn &> /dev/null
$SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
rm -rf /opt/pivpn &> /dev/null
rm -rf /etc/.pivpn &> /dev/null
rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
$SUDO rm -rf /var/log/*pivpn* &> /dev/null
$SUDO rm -rf /var/log/*openvpn* &> /dev/null
rm -rf /var/log/*pivpn* &> /dev/null
rm -rf /var/log/*openvpn* &> /dev/null
if [[ $UINST_OVPN = 1 ]]; then
$SUDO rm -rf /etc/openvpn &> /dev/null
rm -rf /etc/openvpn &> /dev/null
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
printf "::: Removing openvpn apt source..."
$SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
$SUDO apt-get -qq update & spinner $!; printf "done!\n";
rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
apt-get -qq update & spinner $!; printf "done!\n";
fi
fi
if [[ $UINST_UNATTUPG = 1 ]]; then
$SUDO rm -rf /var/log/unattended-upgrades
$SUDO rm -rf /etc/apt/apt.conf.d/*periodic
rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic
fi
$SUDO rm -rf /etc/pivpn &> /dev/null
$SUDO rm /usr/local/bin/pivpn &> /dev/null
$SUDO rm /etc/bash_completion.d/pivpn
rm -rf /etc/pivpn &> /dev/null
rm /usr/local/bin/pivpn &> /dev/null
rm /etc/bash_completion.d/pivpn
# Disable IPv4 forwarding
sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
sysctl -p
if [[ $NO_UFW -eq 0 ]]; then
$SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
$SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
$SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
$SUDO ufw reload >/dev/null
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
ufw delete allow "$PORT"/"$PROTO" >/dev/null
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
ufw reload >/dev/null
else
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
fi
if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
fi
iptables-save > /etc/iptables/rules.v4
fi
echo ":::"