Added firewall rules for OPENVPN kill switch
This commit is contained in:
parent
57199def06
commit
62978a7755
1 changed files with 70 additions and 0 deletions
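--- /dev/null
+++ b/OPENVPN_KILL_SWITCH.txt
@@ -0,0 +1,70 @@
+
+#RASPAP KILL SWITCH#
+#Tested on OPEN VPN#
+# ***NOTHING*** passes if openvpn tunnel drops.
+# Previously, masquerade would pass traffic if tunnel disappeared.
+# These rules stop that
+
+
+# ***** First: clear every possible user setting ******
+# Accept all traffic first to avoid ssh lockdown via iptables firewall rules #
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+
+# Flush All Iptables Chains/Firewall rules #
+iptables -F
+
+# Delete all Iptables Chains #
+iptables -X
+
+# Flush all counters too #
+iptables -Z
+# Flush and delete all nat and mangle #
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+
+# **** Now apply tight firewall rules
+# RASPAP relies on Masquerading - which means forwarding.
+# Do not allow any forwarded packet that doesnt travel thru a wg+ or tun+ interface
+
+# lo traffic very ok
+iptables -A INPUT -i lo -j ACCEPT
+
+#All local lan traffic ok - assumes 192.168.1.1 to 192.168.255.255
+iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+
+#Emergency override - put your mac address here
+iptables -A INPUT -m mac --mac-source MACADDRESS -j ACCEPT
+
+#Do not allow tun to tun packets
+iptables -A FORWARD -i tun+ -o +tun+ -j DROP
+
+#Do not allow anything from TUN to hit local network - someone is probing when they do this
+iptables -A FORWARD -s 192.168.0.0/16 -i tun+ -j DROP
+
+#Very ok - tun to wlan - this is what we want
+iptables -A FORWARD -i tun+ -o wlan+ -j ACCEPT
+
+#Very ok wlan to tun
+iptables -A FORWARD -i wlan+ -o tun+ -j ACCEPT
+
+#very ok eth to tun
+iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
+
+#Very ok tun to eth
+iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT
+
+#very ok - any established connection from tun to wlan
+iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#very ok all output packets
+iptables -A OUTPUT -j ACCEPT
+
+#NAT rules (forwarding)
+iptables -A POSTROUTING -j MASQUERADE
+iptables -A POSTROUTING -o tun0 -j MASQUERADE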