#!/bin/bash
# chkconfig: 2345 08 92
# description: Starts and stops redirection
#
### BEGIN INIT INFO
# Provides: redirection
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop redirection
# Description: Start and stop redirection
### END INIT INFO
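# Port the VPN peer listens on. Set before redirect.conf is sourced (see
# initialize), so the config file may override it.
VPN_PORT=43653
CONFIG_DIR=/etc
# Resolve iptables through PATH. NOTE(review): this trusts whatever PATH the
# caller passed in; an init script that can be invoked from a non-system
# environment should pin PATH (e.g. /sbin:/usr/sbin:/bin:/usr/bin) first.
IPTABLES=$(command -v iptables)
if [ -z "$IPTABLES" ]; then
  printf '\niptables not found\n\n' >&2
  exit 1
fi
# Kernel's list of loaded iptables tables, one per line. Empty (and silently
# so) when the ip_tables module is not loaded, which makes the "status" and
# "zero" actions no-ops rather than errors.
PROC_IPTABLES_NAMES=/proc/net/ip_tables_names
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)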
#######################################
# Check that $1 is a dotted-quad IPv4 address: exactly four runs of digits
# separated by single dots, each numerically at most 255. Leading zeros are
# tolerated ("01.2.3.4" passes); anything else (empty, extra/missing octets,
# stray characters, leading/trailing/doubled dots) is rejected.
# Arguments: $1 - candidate address
# Returns:   0 if valid, non-zero otherwise
#######################################
validIP()
{
  local addr=$1 octet
  local shape='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
  [[ $addr =~ $shape ]] || return 1
  # Split on dots only; the regex already guarantees no glob characters.
  local IFS=.
  for octet in $addr; do
    # Bare "return" propagates test's own status (1 for >255, 2 for an
    # unparseable/overflowing number), exactly like the chained form did.
    [ "$octet" -le 255 ] || return
  done
  return 0
}
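#######################################
# Run one iptables command, reporting a failure instead of hiding it.
# Globals:   IPTABLES (read)
# Arguments: the iptables arguments, passed through verbatim
# Outputs:   an error line on stderr when iptables fails
# Returns:   iptables' own exit status
#######################################
ipt()
{
  "$IPTABLES" "$@" && return 0
  local status=$?
  echo "ERROR: iptables $* failed (status $status)" >&2
  return "$status"
}

#######################################
# Check that $1 is a usable TCP port number: digits only, 1..65535.
# Arguments: $1 - candidate port
# Returns:   0 if valid, non-zero otherwise
#######################################
validPort()
{
  case $1 in
    "" | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

#######################################
# Check that $1 is syntactically a Linux interface name, so it can be spliced
# into iptables arguments and /proc paths without surprises: non-empty, not
# "." or "..", no '/', ':' or whitespace, at most 15 characters (IFNAMSIZ-1).
# Existence on the host is NOT checked; see validIface for that.
# Arguments: $1 - candidate interface name
# Returns:   0 if well-formed, 1 otherwise
#######################################
validIfaceName()
{
  case $1 in
    "" | . | .. | */* | *:* | *[[:space:]]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

#######################################
# Check that $1 is a well-formed interface name that currently exists.
# Previously only the directory test was done, which an empty name passes
# (the path collapses to /proc/sys/net/ipv4/conf/).
# Arguments: $1 - interface name
# Returns:   0 if well-formed and present under /proc/sys/net/ipv4/conf
#######################################
validIface()
{
  validIfaceName "$1" && [ -d "/proc/sys/net/ipv4/conf/$1" ]
}

#######################################
# Source ${CONFIG_DIR}/redirect.conf and validate the settings every action
# needs. Nothing in the ruleset is touched here.
# Globals:   CONFIG_DIR (read); sets whatever the config file assigns, at least
#            outside_interface, inside_interface, PRIVATE_IP, PUBLIC_IP,
#            TUNNEL_IP, ADMIN_PORT (optionally tunnel_interface, VDNS_SERVER,
#            VDNS_PORT, VHTTP_PORT, VHTTPS_PORT, DEBUG)
# Outputs:   one diagnostic line on stdout on failure
# Returns:   2 if the file is missing, unreadable or not trusted; 1 if a
#            required setting is invalid; 0 otherwise
#######################################
loadConfig()
{
  local cfg="${CONFIG_DIR}/redirect.conf"
  local ip

  # Read configuration file
  if [ ! -r "$cfg" ]; then
    echo "ERROR: Configuration not found in $CONFIG_DIR"
    return 2
  fi
  # Sourcing executes the file with this script's privileges (root under
  # init), so whoever can edit it can run anything as root. Require that it
  # is owned by the running user and writable by nobody else.
  if [ ! -O "$cfg" ] || [ -n "$(find -L "$cfg" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
    echo "ERROR: $cfg must be owned by the invoking user and not group/world-writable"
    return 2
  fi
  . "$cfg"

  # Parameter Validation
  if ! validIface "$outside_interface"; then
    echo "Outside interface \"$outside_interface\" not found."
    return 1
  fi
  if ! validIface "$inside_interface"; then
    echo "Inside interface \"$inside_interface\" not found."
    return 1
  fi
  for ip in "$PRIVATE_IP" "$PUBLIC_IP" "$TUNNEL_IP"; do
    if ! validIP "$ip"; then
      echo "$ip is an invalid IP address."
      return 1
    fi
  done
  # ADMIN_PORT was never checked before: an empty or garbage value made the
  # admin rules fail after the policies were already DROP, locking the host out.
  if ! validPort "$ADMIN_PORT"; then
    echo "ADMIN_PORT \"$ADMIN_PORT\" is not a valid TCP port."
    return 1
  fi
  return 0
}

#######################################
# Reset the firewall to its fail-closed baseline: DROP policies on
# INPUT/FORWARD/OUTPUT, the filter chains and the nat PREROUTING/POSTROUTING
# chains flushed, and only ADMIN_PORT allowed in (logged) and its replies out.
# Every command is attempted even if an earlier one fails, so the admin
# ACCEPT rule still gets a chance to land.
# Globals:   ADMIN_PORT (read, must already be validated)
# Returns:   0 if every iptables command succeeded, 1 otherwise
#######################################
applyBaseline()
{
  local rc=0

  # Default policy (DROP) first, then flush the chains this script owns.
  ipt -P INPUT DROP || rc=1
  ipt -P FORWARD DROP || rc=1
  ipt -P OUTPUT DROP || rc=1
  ipt -F INPUT || rc=1
  ipt -F PREROUTING -t nat || rc=1
  ipt -F POSTROUTING -t nat || rc=1
  ipt -F OUTPUT || rc=1
  ipt -F FORWARD || rc=1
  # Admin access is the only thing open after this point. NOTE(review): the
  # rule accepts NEW from any source and logs every new connection without a
  # rate limit (-m limit); both are worth tightening if ADMIN_PORT is reachable
  # from the Internet. There is also no loopback or generic ESTABLISHED rule,
  # so the host itself can only talk to whatever start() explicitly opens.
  ipt -A INPUT -p tcp --dport "$ADMIN_PORT" -m state --state NEW -j LOG --log-prefix "Inbound Admin Connection: " --log-level 4 || rc=1
  ipt -A INPUT -p tcp --dport "$ADMIN_PORT" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT || rc=1
  ipt -A OUTPUT -p tcp --sport "$ADMIN_PORT" -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=1
  return "$rc"
}

#######################################
# Load + validate the config, then apply the fail-closed baseline.
# Returns:   loadConfig's status if it fails (ruleset untouched), otherwise
#            applyBaseline's status
#######################################
initialize()
{
  loadConfig || return
  applyBaseline
}

#######################################
# Apply the redirect/forward ruleset on top of the baseline. Per-service
# blocks are enabled by the config: VDNS_SERVER (TCP DNS), VHTTP_PORT and
# VHTTPS_PORT. Connections to PUBLIC_IP are DNAT'd to TUNNEL_IP:V*_PORT,
# forwarded outside->tunnel and masqueraded on the way out. All config checks
# run before any rule is changed, so a bad config leaves the current ruleset
# in place (previously the rules were added with whatever had been loaded).
# Globals:   VPN_PORT (read) plus the config settings loaded by loadConfig
# Returns:   loadConfig's status if it fails; 1 if tunnel_interface or an
#            enabled service port is invalid, or if any command failed; else 0
#######################################
start()
{
  local rc=0

  loadConfig || return
  # tunnel_interface only needs to be a well-formed name here; the device may
  # legitimately appear later, once the VPN comes up, and iptables does not
  # require it to exist when the rule is added.
  if ! validIfaceName "$tunnel_interface"; then
    echo "Tunnel interface \"$tunnel_interface\" is not a valid interface name."
    return 1
  fi
  if [ -n "$VDNS_SERVER" ] && ! validPort "$VDNS_PORT"; then
    echo "VDNS_PORT \"$VDNS_PORT\" is not a valid TCP port."
    return 1
  fi
  if [ -n "$VHTTP_PORT" ] && ! validPort "$VHTTP_PORT"; then
    echo "VHTTP_PORT \"$VHTTP_PORT\" is not a valid TCP port."
    return 1
  fi
  if [ -n "$VHTTPS_PORT" ] && ! validPort "$VHTTPS_PORT"; then
    echo "VHTTPS_PORT \"$VHTTPS_PORT\" is not a valid TCP port."
    return 1
  fi

  applyBaseline || rc=1

  # INPUT
  if [ "$DEBUG" = "1" ]; then
    ipt -A INPUT -i "$tunnel_interface" -p icmp -j ACCEPT || rc=1
  fi
  # Outbound to VPN_PORT, and anything from PRIVATE_IP with that source port
  # (presumably the VPN peer). Note both rules are stateless: no -m state.
  ipt -A OUTPUT -p tcp --dport "$VPN_PORT" -j ACCEPT || rc=1
  ipt -A INPUT -s "$PRIVATE_IP" -p tcp --sport "$VPN_PORT" -j ACCEPT || rc=1

  # DNAT and FORWARDING
  # NOTE(review), all three blocks: the :53/:80/:443 DNAT rules carry no -i,
  # but every FORWARD ACCEPT requires -i outside_interface, so the same
  # connection arriving on inside_interface is DNAT'd and then dropped. The
  # --sport 1024:65535 match also drops clients using a privileged source port.
  ## DNS NOT YET TESTED
  # NOTE(review): the two --dport 53 FORWARD rules only match when VDNS_PORT
  # is 53, because FORWARD sees the post-DNAT destination port; the VDNS_PORT
  # rules are the ones that carry the traffic. UDP/53 is not handled at all.
  if [ -n "$VDNS_SERVER" ]; then
    ipt -t nat -A PREROUTING -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport 53 -j DNAT --to-destination "${TUNNEL_IP}:${VDNS_PORT}" || rc=1
    ipt -A FORWARD -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport 53 -m state --state NEW -j LOG --log-prefix "DNS FORWARD: " --log-level 4 || rc=1
    ipt -A FORWARD -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport 53 -m state --state NEW -j ACCEPT || rc=1
    ipt -t nat -A PREROUTING -i "$outside_interface" -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport "$VDNS_PORT" -j DNAT --to-destination "${TUNNEL_IP}:${VDNS_PORT}" || rc=1
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VDNS_PORT" -m state --state NEW -j LOG --log-prefix "DNS FORWARD: " --log-level 4 || rc=1
    # NEW,RELATED,ESTABLISHED (was NEW only): with FORWARD policy DROP the
    # client's packets after the SYN were dropped. Mirrors the tested HTTP block.
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VDNS_PORT" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT || rc=1
    # Return path, also mirrored from the HTTP block; it was missing here.
    ipt -A FORWARD -i "$tunnel_interface" -o "$outside_interface" -p tcp --dport 1024:65535 -s "$TUNNEL_IP" --sport "$VDNS_PORT" -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=1
  fi
  if [ -n "$VHTTP_PORT" ]; then
    ipt -t nat -A PREROUTING -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport 80 -j DNAT --to-destination "${TUNNEL_IP}:${VHTTP_PORT}" || rc=1
    ipt -t nat -A PREROUTING -i "$outside_interface" -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport "$VHTTP_PORT" -j DNAT --to-destination "${TUNNEL_IP}:${VHTTP_PORT}" || rc=1
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VHTTP_PORT" -m state --state NEW -j LOG --log-prefix "HTTP FORWARD: " --log-level 4 || rc=1
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VHTTP_PORT" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT || rc=1
    ipt -A FORWARD -i "$tunnel_interface" -o "$outside_interface" -p tcp --dport 1024:65535 -s "$TUNNEL_IP" --sport "$VHTTP_PORT" -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=1
  fi
  ## HTTPS NOT YET TESTED
  if [ -n "$VHTTPS_PORT" ]; then
    ipt -t nat -A PREROUTING -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport 443 -j DNAT --to-destination "${TUNNEL_IP}:${VHTTPS_PORT}" || rc=1
    ipt -t nat -A PREROUTING -i "$outside_interface" -p tcp --sport 1024:65535 -d "$PUBLIC_IP" --dport "$VHTTPS_PORT" -j DNAT --to-destination "${TUNNEL_IP}:${VHTTPS_PORT}" || rc=1
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VHTTPS_PORT" -m state --state NEW -j LOG --log-prefix "HTTPS FORWARD: " --log-level 4 || rc=1
    # NEW,RELATED,ESTABLISHED (was NEW only), same reasoning as for DNS.
    ipt -A FORWARD -i "$outside_interface" -o "$tunnel_interface" -p tcp --sport 1024:65535 -d "$TUNNEL_IP" --dport "$VHTTPS_PORT" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT || rc=1
    ipt -A FORWARD -i "$tunnel_interface" -o "$outside_interface" -p tcp --dport 1024:65535 -s "$TUNNEL_IP" --sport "$VHTTPS_PORT" -m state --state RELATED,ESTABLISHED -j ACCEPT || rc=1
  fi
  # SNAT: everything leaving via the tunnel is masqueraded, so the far end
  # sees this gateway's tunnel address rather than the original client; the
  # LOG rules above are then the only record of who connected.
  ipt -t nat -A POSTROUTING -o "$tunnel_interface" -j MASQUERADE || rc=1
  # OUTPUT
  if [ "$DEBUG" = "1" ]; then
    ipt -A OUTPUT -o "$tunnel_interface" -p icmp -j ACCEPT || rc=1
    #$IPTABLES -A OUTPUT -o $inside_interface -p tcp --dport $VPN_PORT -m state --state NEW -j LOG --log-prefix "Tunnel Initiation: " --log-level 4
    #$IPTABLES -A OUTPUT -o $inside_interface -p tcp --dport $VPN_PORT -m state --state NEW -j ACCEPT
  fi
  # Forwarding is enabled here and never disabled by stop(); after a stop it
  # is the DROP FORWARD policy that keeps this harmless.
  sysctl -w net.ipv4.ip_forward=1 > /dev/null || rc=1
  return "$rc"
}

#######################################
# "stop" does not open the firewall: it reloads the config and re-applies the
# fail-closed baseline (DROP policies, admin port only), which discards every
# redirect/forward rule added by start(). net.ipv4.ip_forward is left as-is.
# Returns:   initialize's status (previously always 0, hiding config errors)
#######################################
stop()
{
  initialize
}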
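# Action dispatch. RETVAL is set on every path (previously "status" and "zero"
# left it unset, so `exit $RETVAL` became a bare `exit`), and the exit codes
# follow LSB: 0 ok, 1 failure, 2 bad usage, 3 unimplemented.
case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    stop
    RETVAL=$?
    ;;
  restart|force-reload)
    stop
    start
    RETVAL=$?
    ;;
  reload)
    # unimplemented. Was `RETVAL= 3`, which ran a command named "3" and left
    # RETVAL empty.
    RETVAL=3
    ;;
  status)
    # Only clear a real terminal; when piped to a log `clear` just errors.
    [ -t 1 ] && clear
    for table in $NF_TABLES; do
      printf 'TABLE: %s\n\n' "$table"
      "$IPTABLES" -t "$table" -nvxL --line-numbers
      printf '\n\n\n'
    done
    RETVAL=0
    ;;
  zero)
    RETVAL=0
    for table in $NF_TABLES; do
      "$IPTABLES" -t "$table" -Z || RETVAL=1
    done
    ;;
  *)
    # The usage line used to print the iptables path instead of this script.
    echo "Usage: $0 {start|stop|restart|force-reload|reload|status|zero}"
    RETVAL=2
    ;;
esac
exit "$RETVAL"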