You are not logged in.

#1 2019-10-24 16:28:25

aquatic7
Member
Registered: 2018-06-25
Posts: 3

What is the right way to make this iptable script work in arch?

I have this iptable script that read all .ovpn files from a folder and make them allowed in iptable, but I have trouble getting it to work in Arch. It works when I directly load the script from root, but when I reboot it doesn't work anymore. I can't connect from any of the saved ip addresses. So I guess something is being dropped and not restored probably.  Also there are instructions for setting up load rules on boot for debian, ubuntu and mint. But it seems like /etc/rc.local doesn't exist and I don't know what that file should contain if I should make it myself. Also I've read that rc.local is old and that systemd should be used instead.

How should this script be changed to work in Arch?

My questions are:
1) are the paths correct for Arch?
2) how do I make them persistent so they load on reboot?

The Load Rules on Reboot instructions for Debian/Ubunt/Mint is:
Add a line with "/root/iptables.sh >/dev/null 2>/dev/null > /root/iptables.log" into "/etc/rc.local" before "exit 0" !
You can review load of rules from file: /root/iptables.log

Are these the correct Paths?

IP4TABLES="/sbin/iptables";
IP6TABLES="/sbin/ip6tables";

IP4TABSSAVE="/sbin/iptables-save";
IP4TRESTORE="/sbin/iptables-restore";
IP4FILESAVE="/root/save.ip4tables.txt";

IP6TABSSAVE="/sbin/ip6tables-save";
IP6TRESTORE="/sbin/ip6tables-restore";
IP6FILESAVE="/root/save.ip6tables.txt";

Full script is as follow:

#!/bin/bash
#
# oVPN.to IPtables Anti-Leak Script v0.1.1
#
# Setup Instructions and ReadMe here: https://github.com/ovpn-to/oVPN.to-IPtables-Anti-Leak

EXTIF="wlan0 wlp3s0 p4p1 eth0 enp2s0 enp3s0 enp4s0 enp0s25";
TUNIF="tun0";
OVPNDIR="/etc/openvpn";
LANRANGESv4="192.168.0.0/16 10.0.123.0/24"
ALLOWLAN="0";

ALLOW_LAN_TCP_PORTS=""
ALLOW_LAN_UDP_PORTS=""

ALLOW_VPN_TCP_PORTFORWARDS=""
ALLOW_VPN_UDP_PORTFORWARDS=""


IP4TABLES="/sbin/iptables";
IP6TABLES="/sbin/ip6tables";

IP4TABSSAVE="/sbin/iptables-save";
IP4TRESTORE="/sbin/iptables-restore";
IP4FILESAVE="/root/save.ip4tables.txt";

IP6TABSSAVE="/sbin/ip6tables-save";
IP6TRESTORE="/sbin/ip6tables-restore";
IP6FILESAVE="/root/save.ip6tables.txt";

DEBUGOUTPUT="0";

##############################

# Check if we're root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root (e.g. sudo $0)";
   exit 1;
fi;

#Doing Backup from existing IPtables
$IP4TABSSAVE > $IP4FILESAVE && echo "Backuped ip4tables to $IP4FILESAVE";
$IP6TABSSAVE > $IP6FILESAVE && echo "Backuped ip6tables to $IP6FILESAVE";

if [ "$1" = "unload" ]; then
$IP4TABLES -F
$IP4TABLES -Z
$IP4TABLES -P INPUT ACCEPT
$IP4TABLES -P FORWARD ACCEPT
$IP4TABLES -P OUTPUT ACCEPT
$IP6TABLES -F
$IP6TABLES -Z
$IP6TABLES -P INPUT ACCEPT
$IP6TABLES -P FORWARD ACCEPT
$IP6TABLES -P OUTPUT ACCEPT
echo "Rules unloaded" && exit 0;
fi;

# Select external Interface if defined multiple EXTIF="wlan0 p4p1 eth0";
if [ `echo $EXTIF |wc -w` -gt 1 ]; then
   echo -n "Multiple external Interfaces found, try: ";
    for IF in $EXTIF; do
      echo -n " $IF ";
      ifconfig $IF >/dev/null 2>/dev/null && EXT=$IF && break;
      echo -n "(down),";
    done;
    if [ ! -z $EXT ]; then
       EXTIF=$EXT;
       echo -e "\nUsing $EXTIF as external Interface";
       sleep 3;
    else
       echo -e "\nCould not find Interface, trying from route"
       EXT=`route -n |tr -s ' ' | awk '$3=="0.0.0.0" { print $0 }' | cut -d" " -f8`;
       if [ `echo $EXT |wc -w` -eq 1 ]; then
          EXTIF=$EXT;
          echo "Using $EXTIF as external Interface";
       else
          $IP4TABLES -P INPUT DROP
          $IP4TABLES -P FORWARD DROP
          $IP4TABLES -P OUTPUT DROP
          $IP6TABLES -P INPUT DROP
          $IP6TABLES -P FORWARD DROP
          $IP6TABLES -P OUTPUT DROP
          echo "Error: Could not detect any external Interface: set POLICY DROP!";
          echo "Restore manually: 
          > $IP4TABLES -P INPUT ACCEPT
          > $IP4TABLES -P FORWARD ACCEPT
          > $IP4TABLES -P OUTPUT ACCEPT
          > $IP6TABLES -P INPUT ACCEPT
          > $IP6TABLES -P FORWARD ACCEPT
          > $IP6TABLES -P OUTPUT ACCEPT
          ";
          exit 1;
       fi;
    fi;
fi;

# Flush iptables
$IP4TABLES -F
$IP6TABLES -F
# Zero all packets and counters.
$IP4TABLES -Z
$IP6TABLES -Z
# Set POLICY DROP
$IP4TABLES -P INPUT DROP
$IP4TABLES -P FORWARD DROP
$IP4TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP

# Allow related connections
$IP4TABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A INPUT -i $TUNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IP6TABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -i $TUNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback interface to do anything
$IP4TABLES -A INPUT -i lo -j ACCEPT
$IP4TABLES -A OUTPUT -o lo -j ACCEPT

$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

if [ $ALLOWLAN -eq "1" ]; then
# Allow LAN access
for LANRANGEv4 in $LANRANGESv4; do
$IP4TABLES -A INPUT -i $EXTIF -s $LANRANGEv4 -j ACCEPT 
$IP4TABLES -A OUTPUT -o $EXTIF -d $LANRANGEv4 -j ACCEPT
done;
fi;

# Allow OUT over tunIF
$IP4TABLES -A OUTPUT -o $TUNIF -p tcp -j ACCEPT;
$IP4TABLES -A OUTPUT -o $TUNIF -p udp -j ACCEPT;
$IP4TABLES -A OUTPUT -o $TUNIF -p icmp -j ACCEPT;

$IP6TABLES -A OUTPUT -o $TUNIF -p tcp -j ACCEPT;
$IP6TABLES -A OUTPUT -o $TUNIF -p udp -j ACCEPT;
$IP6TABLES -A OUTPUT -o $TUNIF -p ipv6-icmp -j ACCEPT;

# ALLOW OUTPUT to oVPN-IPs over $EXTIF at VPN-Port with PROTO

OVPNCONFIGS=`ls $OVPNDIR/*.ovpn $OVPNDIR/*.conf`;
test $DEBUGOUTPUT -eq "1" && echo -e "DEBUG OVPNCONFIGS=\n$OVPNCONFIGS";

L=0;
while read CONFIGFILE; do 
 test $DEBUGOUTPUT -eq "1" && echo "$CONFIGFILE";
 REMOTE=`grep "remote\ " "$CONFIGFILE"`;
 test $DEBUGOUTPUT -eq "1" && echo "$REMOTE";
 getPROTO=`echo $REMOTE|cut -d" " -f4`;
 IPDATA=`echo $REMOTE|cut -d" " -f2`;
 IPPORT=`echo $REMOTE|cut -d" " -f3`;
 test $DEBUGOUTPUT -eq "1" && echo "DEBUG: wc -m `echo $getPROTO | wc -m`";
 if [ `echo $getPROTO | wc -m` -eq "4" ]&&([ $getPROTO = "udp" ]||[ $getPROTO = "tcp" ]||[ $getPROTO = "UDP" ]||[ $getPROTO = "TCP" ]); then
  PROTO=$getPROTO;
 else
  PROTO=`grep "proto\ " "$CONFIGFILE" | cut -d" " -f2`;
 fi;
 test $DEBUGOUTPUT -eq "1" && echo "$IPDATA $IPPORT $PROTO";
 if ([ $PROTO = "udp6" ]||[ $PROTO = "tcp6" ]); then
   test $PROTO = "udp6" && $PROTO="udp";
   test $PROTO = "tcp6" && $PROTO="tcp";
   $IP6TABLES -A OUTPUT -o $EXTIF -d $IPDATA -p $PROTO --dport $IPPORT -j ACCEPT;
 else
  $IP4TABLES -A OUTPUT -o $EXTIF -d $IPDATA -p $PROTO --dport $IPPORT -j ACCEPT;
 fi;


 L=$(expr $L + 1);
done < <(echo "$OVPNCONFIGS");

if [ $L -gt "0" ]; then
 echo "LOADED $L IPs TO TRUSTED IP-POOL";
else
 echo "ERROR: COULD NOT LOAD IPs FROM CONFIGS. RESTORING FROM BACKUP";
 $IP4TRESTORE $IP4TABSSAVE && echo "FAILED: reloaded from backup: $IP4FILESAVE";
 $IP6TRESTORE $IP6TABSSAVE && echo "FAILED: reloaded from backup: $IP6FILESAVE";
 exit 1
fi;

for PORT in $ALLOW_LAN_TCP_PORTS; do
 $IP4TABLES -A INPUT -i $EXTIF -p tcp --dport $PORT -j ACCEPT;
 $IP6TABLES -A INPUT -i $EXTIF -p tcp --dport $PORT -j ACCEPT;
done

for PORT in $ALLOW_LAN_UDP_PORTS; do
 $IP4TABLES -A INPUT -i $EXTIF -p udp --dport $PORT -j ACCEPT;
 $IP6TABLES -A INPUT -i $EXTIF -p udp --dport $PORT -j ACCEPT;
done

for PORT in $ALLOW_VPN_TCP_PORTFORWARDS; do
 $IP4TABLES -A INPUT -i $TUNIF -p tcp --dport $PORT -j ACCEPT;
 $IP6TABLES -A INPUT -i $TUNIF -p tcp --dport $PORT -j ACCEPT;
done

for PORT in $ALLOW_VPN_UDP_PORTFORWARDS; do
 $IP4TABLES -A INPUT -i $TUNIF -p udp --dport $PORT -j ACCEPT;
 $IP6TABLES -A INPUT -i $TUNIF -p udp --dport $PORT -j ACCEPT;
done

# STATUS
$IP4TABLES -nvL
$IP6TABLES -nvL

Kind regards and thank you for your help in advance. smile

Offline

#2 2019-10-24 16:47:23

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 3,493

Re: What is the right way to make this iptable script work in arch?


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#3 2019-10-24 17:11:35

aquatic7
Member
Registered: 2018-06-25
Posts: 3

Re: What is the right way to make this iptable script work in arch?

Slithery wrote:

Yes I have and I have tried to change the path from:

IP4TABLES="/sbin/iptables";
IP6TABLES="/sbin/ip6tables";

to

IP4TABLES="/etc/iptables";
IP6TABLES="/etc/ip6tables";

but then it says: "./iptables.sh: line 170: /etc/iptables: Is a directory" when I run the script with su.

and I have tried to change it to

IP4TABLES="/etc/iptables/iptables.rules";
IP6TABLES="/etc/ip6tables/ip6tables.rules";

but then it says: "./iptables.sh: line 170: /etc/iptables/iptables.rules: Permission denied" when I run the script with su.

Last edited by aquatic7 (2019-10-24 17:11:58)

Offline

#4 2019-10-24 17:15:01

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 3,493

Re: What is the right way to make this iptable script work in arch?

The paths were already correct, you just need to start and enable the service.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

Board footer

Powered by FluxBB