From 17a9d76ae9186975c3ce4edd320334b2b1ef4ba9 Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 25 Nov 2016 00:59:03 +0100 Subject: [PATCH] Remove ufw and MASQUERADE support Not useful, badly implemented. --- openvpn-install.sh | 37 ++++--------------------------------- 1 file changed, 4 insertions(+), 33 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0096fa3..9ff4e8d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -135,25 +135,19 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ "$REMOVE" = 'y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) - if hash ufw 2>/dev/null && ufw status | grep -qw active; then - ufw delete allow $PORT/udp - sed -i '/^##OPENVPN_START/,/^##OPENVPN_END/d' /etc/ufw/before.rules - sed -i '/^DEFAULT_FORWARD/{N;s/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before openvpn: /DEFAULT_FORWARD_POLICY=/}' /etc/default/ufw - elif pgrep firewalld; then + if pgrep firewalld; then # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --zone=public --remove-port=$PORT/udp firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=public --remove-port=$PORT/udp firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --zone=trusted --remove-masquerade - firewall-cmd --permanent --zone=trusted --remove-masquerade fi if iptables -L -n | grep -qE 'REJECT|DROP'; then sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL fi - sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL + sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then if [[ "$PORT" != '1194' ]]; then @@ -218,14 +212,6 @@ else echo " 5) Google (Anycast: worldwide)" read -p "DNS [1-6]: " -e -i 2 DNS echo "" - echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT" - echo "Which forwarding method do you want to use [if unsure, leave as default]?" - echo " 1) SNAT (default)" - echo " 2) MASQUERADE" - while [[ $FORWARD_TYPE != "1" && $FORWARD_TYPE != "2" ]]; do - read -p "Forwarding type: " -e -i 1 FORWARD_TYPE - done - echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" @@ -380,13 +366,8 @@ verb 3" >> /etc/openvpn/server.conf # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward # Set NAT for the VPN subnet - if [[ "$FORWARD_TYPE" = '1' ]]; then - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP - sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL - else - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE - sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL - fi + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP + sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to @@ -400,16 +381,6 @@ verb 3" >> /etc/openvpn/server.conf fi firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 - if [[ "$FORWARD_TYPE" = '1' ]]; then - firewall-cmd --zone=trusted --add-masquerade - firewall-cmd --permanent --zone=trusted --add-masquerade - fi - elif hash ufw 2>/dev/null && ufw status | grep -qw active; then - ufw allow $PORT/udp - if [[ "$FORWARD_TYPE" = '1' ]]; then - sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules - sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before openvpn: /' /etc/default/ufw - fi fi if iptables -L -n | grep -qE 'REJECT|DROP'; then # If iptables has at least one REJECT rule, we asume this is needed.