From 347f3fdbfef64d5f48264abd2131f041ca297d55 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 18 Feb 2017 08:53:00 -0600 Subject: [PATCH] Improve IPTables rules - Improve blocking of unencrypted L2TP without IPsec - Closes #116. Thanks @ryt51V! --- vpnsetup.sh | 11 ++++++----- vpnsetup_centos.sh | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 49f7e5e..dca0e84 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -356,11 +356,12 @@ fi
 if [ "$ipt_flag" = "1" ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "$IPT_FILE.old-$SYS_DT"
- iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP
- iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT
- iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
- iptables -I INPUT 5 -p udp --dport 1701 -j DROP
+ iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
+ iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
+ iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
+ iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+ iptables -I INPUT 6 -p udp --dport 1701 -j DROP
 iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
 iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 4609093..98fbc3c 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
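Review bot: The new `--pol none` DROP at position 1 only closes the cleartext-L2TP path because it now sits above the `RELATED,ESTABLISHED` ACCEPT at position 3, yet nothing in the hunk records that ordering constraint, so a later reorder or renumbering of these inserts would silently reopen the hole this commit fixes. I would put a comment on the rule 1 line, e.g. `# Must stay above the RELATED,ESTABLISHED accept: conntrack appears to track the decapsulated L2TP flow, so cleartext UDP 1701 matching an existing entry would otherwise be let through (#116)`. The six `iptables -I INPUT N` calls also run unchecked; if any one of them fails (for instance because the policy match extension is unavailable), every later positional insert lands one slot further down relative to whatever rules the chain already holds, so each line deserves an `|| exiterr "..."`-style check using whichever error helper the script already uses. The enclosing `if [ "$ipt_flag" = "1" ]` block continues past the end of the hunk.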
@@ -343,11 +343,12 @@ fi
 if [ "$ipt_flag" = "1" ]; then
 service fail2ban stop >/dev/null 2>&1
 iptables-save > "$IPT_FILE.old-$SYS_DT"
- iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP
- iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT
- iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
- iptables -I INPUT 5 -p udp --dport 1701 -j DROP
+ iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
+ iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
+ iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
+ iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+ iptables -I INPUT 6 -p udp --dport 1701 -j DROP
 iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
 iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT
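Review bot: With the `--pol none` DROP at position 1 and the `--pol ipsec` ACCEPT at position 5, the plain `-p udp --dport 1701 -j DROP` at position 6 should no longer be reachable, since for inbound traffic those two policy matches ought to be complementary; it has become a defence-in-depth rule rather than a functional one and deserves a comment saying so, e.g. `# Unreachable while the two policy-match rules are in place; kept so UDP 1701 fails closed if xt_policy is unavailable`. If xt_policy is indeed absent on the target kernel, both policy rules fail to insert and rule 6 then drops all L2TP, which is the safe outcome but goes unreported because none of the `iptables -I` exit statuses is checked. These are IPv4-only rules; if xl2tpd is bound to an IPv6 address on this platform (not visible here), ip6tables would need the same `--pol none` DROP placed ahead of any state-based accept. The enclosing `if [ "$ipt_flag" = "1" ]` block continues past the end of the hunk.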