mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-19 03:10:16 +00:00
Merge pull request #878 from corbolais/ufw-care
take care of /etc/ufw/before.rules nat section. safeguard against acc…
This commit is contained in:
commit
b8cbce304c
1 changed files with 14 additions and 1 deletions
|
@ -1415,7 +1415,20 @@ confNetwork(){
|
|||
USING_UFW=1
|
||||
echo "::: Detected UFW is enabled."
|
||||
echo "::: Adding UFW rules..."
|
||||
### Basic safeguard: if file is empty, there's been something weird going on.
|
||||
### Note: no safeguard against imcomplete content as a result of previous failures.
|
||||
if test -s /etc/ufw/before.rules; then
|
||||
$SUDO cp -f /etc/ufw/before.rules /etc/ufw/before.rules.pre-pivpn
|
||||
else
|
||||
echo "$0: ERR: Sorry, won't touch empty file \"/etc/ufw/before.rules\".";
|
||||
exit 1;
|
||||
fi
|
||||
### If there is already a "*nat" section just add our POSTROUTING MASQUERADE
|
||||
if grep -q "*nat" /etc/ufw/before.rules; then
|
||||
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
|
||||
else
|
||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
fi
|
||||
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
|
||||
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
|
||||
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
|
||||
|
|
Loading…
Reference in a new issue