Add support for WireGuard.

2021-11-22 18:35:58 +01:00
parent 1d2d6a6fae
commit b464b0c039
8 changed files with 310 additions and 0 deletions
--- a/100
+++ b/100
@ -808,6 +808,21 @@ done
 echo_done


+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+   $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      for _local_dev in ${local_if_arr[@]} ; do
+         $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+      done
+   fi
+done
+echo_done
+
+

 # ---
 # - Telefon Systems
@ -1949,6 +1964,91 @@ else
 fi


+# ---
+# - WireGuard Service only out
+# ---
+
+echononl "\t\tWireGuard Service only out"
+
+if $allow_wg_out && [[ ${#wg_out_port_arr[@]} -gt 0 ]]; then
+   for _dev in ${ext_if_arr[@]} ; do
+      for _port in ${wg_out_port_arr[@]} ; do
+         $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+         if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+            $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+         fi
+      done
+   done
+
+   for _wg_if in ${wg_if_arr[@]} ; do
+      $ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_forward_between_interfaces ; then
+         $ip6t -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service Gateway
+# ---
+
+echononl "\t\tWireGuard Service Gateway"
+
+if $local_wg_service ; then
+
+   # - Cconnection establishment
+   # -
+   for _port in ${wg_gw_port_arr[@]} ; do
+      $ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+   done
+   echo_done
+
+else
+   echo_skipped
+fi
+
+
+# ---
+# - WireGuard Service DMZ
+# ---
+
+echononl "\t\tWireGuard Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#wg_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+   for _ip in ${!wg_server_dmz_arr[@]} ; do
+
+      # - Skip if no interface is given
+      # -
+      if [[ -z "${wg_server_dmz_arr[$_ip]}" ]] ; then
+         no_if_for_ip_arr+=("$_ip")
+         continue
+      fi
+
+      for _port in ${wg_local_net_port_arr[@]} ; do
+         $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+      done
+   done
+
+   if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+      echo_warning
+      for _ip in ${no_if_for_ip_arr[@]} ; do
+         warn "No Interface given for ip '$_ip'"
+      done
+   else
+      echo_done
+   fi
+
+else
+   echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---