From 9f016b1776361096efbfb468ee317c78e82ffab1 Mon Sep 17 00:00:00 2001
From: ckubu
Date: Fri, 12 Aug 2022 01:16:53 +0200
Subject: [PATCH] Add support for routing networks through wireguard connections.
---
 conf/interfaces_ipv4.conf.sample | 7 ++++
 conf/interfaces_ipv6.conf.sample | 8 ++++
 conf/post_decalrations.conf | 12 ++++++
 ip6t-firewall-server | 71 ++++++++++++++++++-------------
 ipt-firewall-server | 71 ++++++++++++++++++-------------
 5 files changed, 107 insertions(+), 62 deletions(-)
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
index 31fb1e8..d415edb 100644
--- a/conf/interfaces_ipv4.conf.sample
+++ b/conf/interfaces_ipv4.conf.sample
@@ -54,3 +54,10 @@ local_2_ip=""
 # NOT IN USE
 local_2_ip=""
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
diff --git a/conf/interfaces_ipv6.conf.sample b/conf/interfaces_ipv6.conf.sample
index 1937a08..287d464 100644
--- a/conf/interfaces_ipv6.conf.sample
+++ b/conf/interfaces_ipv6.conf.sample
@@ -53,3 +53,11 @@ local_1_ip=""
 local_2_ip=""
 # NOT IN USE
 local_2_ip=""
+
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 417e1ff..c341697 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -5,6 +5,18 @@
 # --- Define Arrays
 # -----------
+# ---
+# NAT (Masquerade) Network interfaces
+# ---
+
+declare -a nat_device_arr=()
+for _dev in $nat_devices ; do
+ if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+ nat_device_arr+=("$_dev")
+ fi
+done
+
+
 # ---
 # - IP Addresses to log
 # ---
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 3782427..24f2439 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
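Review bot: The new `nat_devices` comment does not say which interfaces belong in the list, and both firewall scripts masquerade every packet that leaves a listed device, so a reader who lists the WireGuard interface instead of the uplink gets NAT in the wrong direction and nothing warns them. I would extend the sample comment to `# - List the OUTGOING (uplink) interfaces here, not the WireGuard/VPN`, `# - interfaces: every forwarded packet leaving a listed device is`, `# - MASQUERADEd to that device's address.` The effect on non-WireGuard forwarded traffic is worth a sentence too, since the rule carries no source match.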
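Review bot: On the IPv6 side the same `nat_devices` list switches on IPv6 masquerading (ip6t-firewall-server runs `-t nat -A POSTROUTING -o $_dev -j MASQUERADE`), which most IPv6 deployments do not want and which needs nat-table support in the kernel's ip6tables; the sample should make that explicit so the IPv4 value is not copied over blindly. Suggested line under the existing comment: `# - NOTE: listing a device here enables IPv6 masquerading (NAT66); leave empty unless the tunnel networks really must be hidden.`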
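Review bot: `containsElement $_dev "${nat_device_arr[@]}"` passes `$_dev` unquoted, and the surrounding `for _dev in $nat_devices` lets a stray `*` or `?` in the config expand against the current directory before the value is treated as an interface name, so a typo in `nat_devices` can end up as a file name in a POSTROUTING rule. Word splitting of the list is intended, so keep that, but quote the element, `if ! containsElement "$_dev" "${nat_device_arr[@]}" ; then`, and reject names that do not look like interfaces, e.g. `[[ "$_dev" =~ ^[A-Za-z0-9_.-]+$ ]] || continue`. `containsElement` is defined outside this hunk, so I cannot tell whether it does any validation itself.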
@@ -241,6 +241,18 @@ echo_done
 # Flushing firewall iptable (IPv6)..
 echo
+echononl "\tMasquerade (NAT) interfaces.."
+if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _dev in ${nat_device_arr[@]} ; do
+ $ip6t -t nat -A POSTROUTING -o $_dev -j MASQUERADE
+ done
+ echo_done
+else
+ echo_skipped
+fi
+echo
+
+
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
@@ -288,7 +300,6 @@ fi
-
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
@@ -302,6 +313,34 @@ case $1 in
 esac
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_wg_if -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_wg_if -j ACCEPT
+ fi
+done
+echo_done
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+ fi
+done
+echo_done
+
+
 # -------------
 # --- Pass through Devices Interfaces (not firewalled)
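Review bot: The MASQUERADE rules are appended before the `Stopping firewall if only flushing was requested` block that follows two hunks later, so a run with the `flush` argument appears to leave `POSTROUTING -o $_dev -j MASQUERADE` in the nat table unless the flushing section above this hunk also clears `-t nat`, which I cannot see from here. The rule also carries no `-s` match, so every forwarded packet leaving a listed device is masqueraded, not only WireGuard traffic; scoping it to the tunnel networks needs a network list in the config next to `nat_devices`, and until then the block should at least say so: `# NOTE: masquerades ALL forwarded traffic leaving these devices, not only WireGuard`. Note as well that this block is gated on `$kernel_activate_forwarding` while the WireGuard FORWARD rules added below in the same file are gated on `$kernel_forward_between_interfaces`; if the two flags can differ you can end up forwarding without NAT or NATing without forwarding. `${nat_device_arr[@]}` should be quoted, since the array is filled from an unquoted config string.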
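Review bot: The rewritten WireGuard rules accept everything on `INPUT -i $_wg_if` and `FORWARD -i $_wg_if` with no `-o`, no conntrack state and no destination limit, and they now sit right after the `esac`, ahead of the `Pass through Devices` section and of the `Don't allow traffik into Unique local network (ULA)` block that the removed code used to precede; with `-A` that means every later deny rule is bypassed for tunnel traffic, so any WireGuard peer reaches every service on the firewall and, together with the new MASQUERADE rule, gets unrestricted transit out of every listed NAT interface. The removed version limited forwarding to `local_if_arr` and matched `--ctstate NEW`; routing the peers' networks only needs the masquerading interfaces added to the allowed outputs, not the removal of every restriction. I would keep the state match (which, as in the removed code, relies on an ESTABLISHED,RELATED rule elsewhere in the file) and enumerate the permitted output interfaces as below. The VPN rules are moved unchanged, but they too now run ahead of the ULA deny; if that is intended it deserves a comment.
```shell
for _wg_if in "${wg_if_arr[@]}" ; do
   $ip6t -A INPUT -i "$_wg_if" -m conntrack --ctstate NEW -j ACCEPT
   if $kernel_forward_between_interfaces ; then
      # Forward tunnel traffic only towards the local networks and the
      # interfaces that masquerade for the peers (nat_device_arr); every
      # other destination is still decided by the rules further down.
      for _out_dev in "${local_if_arr[@]}" "${nat_device_arr[@]}" ; do
         $ip6t -A FORWARD -i "$_wg_if" -o "$_out_dev" -m conntrack --ctstate NEW -j ACCEPT
      done
   fi
done
# … unchanged: echo_done, VPN section …
```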
@@ -1008,36 +1047,6 @@ else
 fi
-# ---
-# - Permit all traffic through VPN lines
-# ---
-echononl "\tPermit all traffic through VPN lines.."
-for _vpn_if in ${vpn_if_arr[@]} ; do
- $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
- $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
- if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
- fi
-done
-echo_done
-
-
-# ---
-# - Permit all traffic through WireGuard lines
-# ---
-echononl "\tPermit all traffic through WireGuard lines.."
-for _wg_if in ${wg_if_arr[@]} ; do
- $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
- if $kernel_forward_between_interfaces ; then
- for _local_dev in ${local_if_arr[@]} ; do
- $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
- done
- fi
-done
-echo_done
-
-
 # ---
 # - Don't allow traffik into Unique local network (ULA)
 # ---
diff --git a/ipt-firewall-server b/ipt-firewall-server
index b91fcaa..13ef0cf 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -301,6 +301,18 @@ echo_done
 # Flushing firewall iptable (IPv6)..
 echo
+echononl "\tMasquerade (NAT) interfaces.."
+if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _dev in ${nat_device_arr[@]} ; do
+ $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
+ done
+ echo_done
+else
+ echo_skipped
+fi
+echo
+
+
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
@@ -348,7 +360,6 @@ fi
-
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
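Review bot: `$ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE` rewrites every forwarded packet that leaves a listed device, whatever its source, and combined with the `FORWARD -i $_wg_if -j ACCEPT` that this commit adds further down in the same file it turns the host into an open IPv4 NAT gateway for every tunnel peer, while VPN, pass-through and any other forwarded traffic gets masqueraded as a side effect. Scope the rule with a source match on the tunnel networks, which means the config needs a network list next to `nat_devices`; until that exists, state the wide effect in a comment, `# NOTE: masquerades ALL forwarded traffic leaving these devices, not only WireGuard`. The rule is also appended before the `Stopping firewall if only flushing was requested` block below, so a `flush` run presumably keeps it unless the flushing section above this hunk also clears the nat table. Quote the expansion, `for _dev in "${nat_device_arr[@]}" ; do`, as the array comes from an unquoted config string.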
@@ -362,6 +373,34 @@ case $1 in
 esac
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+ $ipt -A INPUT -i $_wg_if -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_wg_if -j ACCEPT
+ fi
+done
+echo_done
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+ fi
+done
+echo_done
+
+
 # -------------
 # --- Pass through Devices Interfaces (not firewalled)
@@ -1169,36 +1208,6 @@ fi
 allow_all_outgoing_traffic=false
-# ---
-# - Permit all traffic through VPN lines
-# ---
-echononl "\tPermit all traffic through VPN lines.."
-for _vpn_if in ${vpn_if_arr[@]} ; do
- $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
- $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
- if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
- $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
- fi
-done
-echo_done
-
-
-# ---
-# - Permit all traffic through WireGuard lines
-# ---
-echononl "\tPermit all traffic through WireGuard lines.."
-for _wg_if in ${wg_if_arr[@]} ; do
- $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
- if $kernel_activate_forwarding ; then
- for _local_dev in ${local_if_arr[@]} ; do
- $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
- done
- fi
-done
-echo_done
-
-
 # ---
 # - Don't allow traffic into private networks
 # ---
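Review bot: `$ipt -A INPUT -i $_wg_if -j ACCEPT` and `$ipt -A FORWARD -i $_wg_if -j ACCEPT` drop both the `--ctstate NEW` match and the `-o $_local_dev` restriction of the block removed in the second hunk, and they are now appended right after `esac`, ahead of the `Pass through Devices` section and of the `Don't allow traffic into private networks` rules, so once a peer is inside the tunnel no later rule in this script applies to it: full access to the host, to the private networks, and via the new MASQUERADE rule to the internet. Replace the single FORWARD line with an explicit output list, `for _out_dev in "${local_if_arr[@]}" "${nat_device_arr[@]}" ; do`, `$ipt -A FORWARD -i "$_wg_if" -o "$_out_dev" -m conntrack --ctstate NEW -j ACCEPT`, `done`, and restore the state match on INPUT; that still routes the peers' networks through the listed NAT devices, which is what the commit sets out to do. The relocated VPN rules keep their `--state NEW` matches but also move ahead of the private-network deny; if that is intended for VPN lines, a comment saying so would stop the next reader from moving them back.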