From c94bc5e3b44c19342e95a3bdef651b53334a6686 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 23 Mar 2017 18:11:35 +0100 Subject: [PATCH] Multiple firewall bug fixes - When FirewallD is detected, NAT is now applied via FirewallD instead of iptables (fixes #267). - iptables REJECT/DROP/ACCEPT rules where not being properly detected. - iptables rules were applied even when FirewallD was detected and the same rules were being applied via firewall-cmd. --- openvpn-install.sh | 75 ++++++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 33 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3342087..02274dd 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -130,24 +130,28 @@ if [[ -e /etc/openvpn/server.conf ]]; then if [[ "$REMOVE" = 'y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) - IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 11) if pgrep firewalld; then + IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 7) # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 + firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP + firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP + else + IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 11) + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP + sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL + if iptables -L -n | grep -qE '^ACCEPT'; then + iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT + iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT + iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL + sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL + sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL + fi fi - if iptables -L -n | grep -qE 'REJECT|DROP|ACCEPT'; then - iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT - iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT - iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL - fi - iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP - sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then @@ -309,34 +313,39 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf fi # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward - # Needed to use rc.local with some systemd distros - if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then - echo '#!/bin/sh -e -exit 0' > $RCLOCAL - fi - chmod +x $RCLOCAL - # Set NAT for the VPN subnet - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP - sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL if pgrep firewalld; then + # Using both permanent and not permanent rules to avoid a firewalld + # reload. # We don't use --add-service=openvpn because that would only work with - # the default port and protocol. Using both permanent and not permanent - # rules to avoid a firewalld reload. + # the default port and protocol. firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 - fi - if iptables -L -n | grep -qE 'REJECT|DROP'; then - # If iptables has at least one REJECT rule, we asume this is needed. - # Not the best approach but I can't think of other and this shouldn't - # cause problems. - iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT - iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT - iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL - sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL - sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL + # Set NAT for the VPN subnet + firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP + firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP + else + # Needed to use rc.local with some systemd distros + if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then + echo '#!/bin/sh -e +exit 0' > $RCLOCAL + fi + chmod +x $RCLOCAL + # Set NAT for the VPN subnet + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP + sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL + if iptables -L -n | grep -qE '^(REJECT|DROP)'; then + # If iptables has at least one REJECT rule, we asume this is needed. + # Not the best approach but I can't think of other and this shouldn't + # cause problems. + iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT + iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT + iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL + sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL + sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL + fi fi # If SELinux is enabled and a custom port or TCP was selected, we need this if hash sestatus 2>/dev/null; then