firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for routing networks through wireguard connections.

Browse Source
This commit is contained in:
Christoph
2022-08-12 01:16:53 +02:00
parent 0831f26891
commit 9f016b1776
5 changed files with 107 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
ipt-firewall-server
View File

@ -301,6 +301,18 @@ echo_done # Flushing firewall iptable (IPv6)..
echo
echononl "\tMasquerade (NAT) interfaces.."
if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _dev in ${nat_device_arr[@]} ; do
$ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
done
echo_done
else
echo_skipped
fi
echo
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
@ -348,7 +360,6 @@ fi
# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------
@ -362,6 +373,34 @@ case $1 in
esac
# ---
# - Permit all traffic through WireGuard lines
# ---
echononl "\tPermit all traffic through WireGuard lines.."
for _wg_if in ${wg_if_arr[@]} ; do
$ipt -A INPUT -i $_wg_if -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_wg_if -j ACCEPT
fi
done
echo_done
# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
$ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
fi
done
echo_done
# -------------
# --- Pass through Devices Interfaces (not firewalled)
@ -1169,36 +1208,6 @@ fi
allow_all_outgoing_traffic=false
# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
$ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Permit all traffic through WireGuard lines
# ---
echononl "\tPermit all traffic through WireGuard lines.."
for _wg_if in ${wg_if_arr[@]} ; do
$ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
for _local_dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
# ---
# - Don't allow traffic into private networks
# ---