Merge pull request #804 from orazioedoardo/ufw-version-check
Handle older UFW version from Jessie
commit
92cbcda66a
3 changed files with 52 additions and 14 deletions
|
@ -971,8 +971,21 @@ confNetwork() {
|
||||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||||
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
|
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
|
||||||
$SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
|
$SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
|
||||||
# Don't forward everything, just the traffic originated from the VPN subnet
|
|
||||||
$SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
|
# https://askubuntu.com/a/712202
|
||||||
|
INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw)
|
||||||
|
MINIMUM_UFW=0.34
|
||||||
|
|
||||||
|
if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then
|
||||||
|
# Don't forward everything, just the traffic originated from the VPN subnet
|
||||||
|
$SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
|
||||||
|
echo 0 > /tmp/OLD_UFW
|
||||||
|
else
|
||||||
|
# This ufw version does not support route command, fallback to policy change
|
||||||
|
$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
|
||||||
|
echo 1 > /tmp/OLD_UFW
|
||||||
|
fi
|
||||||
|
|
||||||
$SUDO ufw reload >/dev/null
|
$SUDO ufw reload >/dev/null
|
||||||
echo "::: UFW configuration completed."
|
echo "::: UFW configuration completed."
|
||||||
fi
|
fi
|
||||||
|
@ -1035,6 +1048,7 @@ confNetwork() {
|
||||||
echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
|
echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
|
||||||
|
|
||||||
$SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
|
$SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
|
||||||
|
$SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW
|
||||||
$SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
|
$SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
|
||||||
$SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
|
$SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
|
||||||
}
|
}
|
||||||
|
|
|
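Review bot: The fallback at L74 sets DEFAULT_FORWARD_POLICY to ACCEPT for the whole host, so on older ufw the forwarding that the `ufw route` rule at L58 confines to tun0 and 10.8.0.0/24 toward $IPv4dev is instead allowed between any pair of interfaces; the comment at L70 should state that, e.g. `# Older ufw lacks 'route': this opens forwarding host-wide, not just tun0 -> $IPv4dev`. A scoped alternative would be an `-A ufw-before-forward -i tun0 -s 10.8.0.0/24 -o $IPv4dev -j ACCEPT` line in the *filter section of /etc/ufw/before.rules, which this function already edits at L16 for the nat table. The `cp /tmp/OLD_UFW` added at L121 is unconditional while both `echo ... > /tmp/OLD_UFW` writes sit inside the ufw branch; if the non-ufw branch (outside this hunk) does not also write that file, the copy fails and /etc/pivpn/OLD_UFW is never created. confNetwork() starts before and ends after these hunks.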
@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT)
|
||||||
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
|
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
|
||||||
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
|
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
|
||||||
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
|
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
|
||||||
|
NO_UFW=$(cat /etc/pivpn/NO_UFW)
|
||||||
|
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
|
||||||
|
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
|
||||||
|
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
|
||||||
ERR=0
|
ERR=0
|
||||||
|
|
||||||
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
|
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
|
||||||
|
@ -46,7 +50,7 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
|
if [ "$NO_UFW" -eq 1 ]; then
|
||||||
|
|
||||||
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
|
||||||
echo ":: [OK] Iptables MASQUERADE rule set"
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
||||||
|
@ -61,7 +65,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
|
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
|
||||||
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
|
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
|
||||||
echo ":: [OK] Iptables INPUT rule set"
|
echo ":: [OK] Iptables INPUT rule set"
|
||||||
else
|
else
|
||||||
|
@ -75,7 +79,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
|
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||||
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
|
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
|
||||||
echo ":: [OK] Iptables FORWARD rule set"
|
echo ":: [OK] Iptables FORWARD rule set"
|
||||||
else
|
else
|
||||||
|
@ -126,15 +130,30 @@ else
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
if [ "$OLD_UFW" -eq 1 ]; then
|
||||||
echo ":: [OK] Ufw forwarding rule set"
|
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
|
||||||
|
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
|
||||||
|
echo ":: [OK] Ufw forwarding policy is accept"
|
||||||
|
else
|
||||||
|
ERR=1
|
||||||
|
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
|
||||||
|
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
||||||
|
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
|
||||||
|
ufw reload > /dev/null
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
ERR=1
|
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
||||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
echo ":: [OK] Ufw forwarding rule set"
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
else
|
||||||
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
ERR=1
|
||||||
ufw reload
|
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||||
echo "Done"
|
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
||||||
|
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
||||||
|
ufw reload
|
||||||
|
echo "Done"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
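Review bot: `OLD_UFW=$(cat /etc/pivpn/NO_UFW)` at L165 reads the wrong flag file, so in the ufw branch (where NO_UFW is 0) OLD_UFW is always 0 and the new policy check at L317-L366 is never reached; on a Jessie-era ufw the script falls through to the `ufw route insert` repair at L405, the very command the installer decided that version cannot run. The assignment should be `OLD_UFW=$(cat /etc/pivpn/OLD_UFW)`. Installs made before this change presumably lack /etc/pivpn/OLD_UFW, in which case the variable is empty and `[ "$OLD_UFW" -eq 1 ]` fails with an integer-expression error; a default such as `OLD_UFW=$(cat /etc/pivpn/OLD_UFW 2>/dev/null || echo 0)` would keep the debug script usable on those hosts.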
@ -4,6 +4,7 @@
|
||||||
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
|
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
|
||||||
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
|
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
|
||||||
NO_UFW=$(cat /etc/pivpn/NO_UFW)
|
NO_UFW=$(cat /etc/pivpn/NO_UFW)
|
||||||
|
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
|
||||||
PORT=$(cat /etc/pivpn/INSTALL_PORT)
|
PORT=$(cat /etc/pivpn/INSTALL_PORT)
|
||||||
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
|
PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
|
||||||
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
|
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
|
||||||
|
@ -97,7 +98,11 @@ echo ":::"
|
||||||
if [[ $NO_UFW -eq 0 ]]; then
|
if [[ $NO_UFW -eq 0 ]]; then
|
||||||
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
|
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
|
||||||
ufw delete allow "$PORT"/"$PROTO" >/dev/null
|
ufw delete allow "$PORT"/"$PROTO" >/dev/null
|
||||||
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
|
if [ "$OLD_UFW" -eq 1 ]; then
|
||||||
|
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
|
||||||
|
else
|
||||||
|
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
|
||||||
|
fi
|
||||||
ufw reload >/dev/null
|
ufw reload >/dev/null
|
||||||
else
|
else
|
||||||
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
|
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
|
||||||
|
|
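Review bot: `OLD_UFW=$(cat /etc/pivpn/NO_UFW)` at L455 reads the wrong flag file: inside the `NO_UFW -eq 0` branch OLD_UFW is then always 0, so on an old ufw the uninstaller runs the unsupported `ufw route delete` at L506 instead of the `sed` at L498, and DEFAULT_FORWARD_POLICY stays "ACCEPT" in /etc/default/ufw after PiVPN is removed, leaving host-wide forwarding enabled. It should read `OLD_UFW=$(cat /etc/pivpn/OLD_UFW)`. Separately, the sed at L498 restores the policy to "DROP" unconditionally, which is ufw's shipped default but not necessarily what the host had before install; saving the original DEFAULT_FORWARD_POLICY line at install time and restoring that value would be more faithful.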