Merge pull request #778 from orazioedoardo/iptables-detection

Improve iptables detection
2024-12-18 19:00:15 +00:00 · 2019-07-02 13:08:44 +01:00 · 2019-07-02 13:08:44 +01:00 · d32aafe61f
commit d32aafe61f
parent a797518968 bcc780546c
3 changed files with 103 additions and 36 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -976,7 +976,41 @@ confNetwork() {
    # else configure iptables
    if [[ $noUFW -eq 1 ]]; then
        echo 1 > /tmp/noUFW
        # Now some checks to detect which rules we need to add. On a newly installed system all policies
        # should be ACCEPT, so the only required rule would be the MASQUERADE one.
        $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
        # Count how many rules are in the INPUT and FORWARD chain. When parsing input from
        # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
        # installed but not enabled).
        INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')"
        FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')"
        INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')"
        FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
        # If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if
        # there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the
        # chain (using -I).
        if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then
            $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
            INPUT_CHAIN_EDITED=1
        else
            INPUT_CHAIN_EDITED=0
        fi
        if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
            $SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
            $SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
            FORWARD_CHAIN_EDITED=1
        else
            FORWARD_CHAIN_EDITED=0
        fi
        case ${PLAT} in
            Ubuntu|Debian|Devuan)
                $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
@ -989,7 +1023,12 @@ confNetwork() {
        echo 0 > /tmp/noUFW
    fi
    echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED
    echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
    $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
    $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
    $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
 }
 confOVPN() {
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@ -56,11 +56,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
            iptables -t nat -F
            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
            iptables-save > /etc/iptables/rules.v4
            iptables-restore < /etc/iptables/rules.v4
            echo "Done"
        fi
    fi
    if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
        if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables INPUT rule set"
        else
            ERR=1
            read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY
            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
                iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
                iptables-save > /etc/iptables/rules.v4
                echo "Done"
            fi
        fi
    fi
    if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
        if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables FORWARD rule set"
        else
            ERR=1
            read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY
            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
                iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
                iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
                iptables-save > /etc/iptables/rules.v4
                echo "Done"
            fi
        fi
    fi
 else
    if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -1,27 +1,14 @@
 #!/usr/bin/env bash
 # PiVPN: Uninstall Script
 # Must be root to uninstall
 if [[ $EUID -eq 0 ]];then
    echo "::: You are root."
 else
    echo "::: Sudo will be used for the uninstall."
  # Check if it is actually installed
  # If it isn't, exit because the unnstall cannot complete
  if [[ $(dpkg-query -s sudo) ]];then
        export SUDO="sudo"
  else
    echo "::: Please install sudo or run this as root."
    exit 1
  fi
 fi
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 NO_UFW=$(cat /etc/pivpn/NO_UFW)
 PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
 INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
 FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -59,7 +46,7 @@ echo ":::"
            while true; do
                read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn
                case $yn in
-                    [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
+                    [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
                            if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi
                            if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi
                            break;;
@ -74,44 +61,57 @@ echo ":::"
    # Take care of any additional package cleaning
    printf "::: Auto removing remaining dependencies..."
-    $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
+    apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n";
    printf "::: Auto cleaning remaining dependencies..."
-    $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
+    apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n";
    echo ":::"
    # Removing pivpn files
    echo "::: Removing pivpn system files..."
-    $SUDO rm -rf /opt/pivpn &> /dev/null
+    rm -rf /opt/pivpn &> /dev/null
-    $SUDO rm -rf /etc/.pivpn &> /dev/null
+    rm -rf /etc/.pivpn &> /dev/null
-    $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
+    rm -rf /home/$INSTALL_USER/ovpns &> /dev/null
-    $SUDO rm -rf /var/log/*pivpn* &> /dev/null
+    rm -rf /var/log/*pivpn* &> /dev/null
-    $SUDO rm -rf /var/log/*openvpn* &> /dev/null
+    rm -rf /var/log/*openvpn* &> /dev/null
    if [[ $UINST_OVPN = 1 ]]; then
-        $SUDO rm -rf /etc/openvpn &> /dev/null
+        rm -rf /etc/openvpn &> /dev/null
        if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
            printf "::: Removing openvpn apt source..."
-            $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
+            rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null
-            $SUDO apt-get -qq update & spinner $!; printf "done!\n";
+            apt-get -qq update & spinner $!; printf "done!\n";
        fi
    fi
    if [[ $UINST_UNATTUPG = 1 ]]; then
-        $SUDO rm -rf /var/log/unattended-upgrades
+        rm -rf /var/log/unattended-upgrades
-        $SUDO rm -rf /etc/apt/apt.conf.d/*periodic
+        rm -rf /etc/apt/apt.conf.d/*periodic
    fi
-    $SUDO rm -rf /etc/pivpn &> /dev/null
+    rm -rf /etc/pivpn &> /dev/null
-    $SUDO rm /usr/local/bin/pivpn &> /dev/null
+    rm /usr/local/bin/pivpn &> /dev/null
-    $SUDO rm /etc/bash_completion.d/pivpn
+    rm /etc/bash_completion.d/pivpn
    # Disable IPv4 forwarding
    sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf
    sysctl -p
    if [[ $NO_UFW -eq 0 ]]; then
-        $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
+        sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
-        $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null
+        ufw delete allow "$PORT"/"$PROTO" >/dev/null
-        $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+        ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
-        $SUDO ufw reload >/dev/null
+        ufw reload >/dev/null
    else
        iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE
        if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
            iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
        fi
        if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
            iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
            iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
        fi
        iptables-save > /etc/iptables/rules.v4
    fi
    echo ":::"