Merge PR #83 : Remove rc.local and use an iptables systemd service

- Install iptables systemd service for Debian, Ubuntu and CentOS - Fix iptables install for ArcLinux - Remove the use rc.local file - Remove all iptables rules when removing openvpn (cf. #60 )
2025-10-31 05:57:36 +01:00 · 2017-11-12 22:56:02 +01:00
parent 80fd8678a6
commit f47fc795d5
1 changed files with 93 additions and 54 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -23,7 +23,7 @@ if [[ -e /etc/debian_version ]]; then
 	OS="debian"
 	# Getting the version number, to verify that a recent version of OpenVPN is available
 	VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
-	RCLOCAL='/etc/rc.local'
+	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
 	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
 		echo "Your version of Debian/Ubuntu is not supported."
@@ -42,13 +42,11 @@ if [[ -e /etc/debian_version ]]; then
 	fi
 elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
 	OS=centos
-	RCLOCAL='/etc/rc.d/rc.local'
+	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.conf'
-	# Needed for CentOS 7
-	chmod +x /etc/rc.d/rc.local
 elif [[ -e /etc/arch-release ]]; then
 	OS=arch
-	RCLOCAL='/etc/rc.local'
+	IPTABLES='/etc/iptables/iptables.rules'
 	SYSCTL='/etc/sysctl.d/openvpn.conf'
 else
 	echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
@@ -89,7 +87,7 @@ if [[ "$IP" = "" ]]; then
 	IP=$(wget -qO- ipv4.icanhazip.com)
 fi
 # Get Internet network interface with default route
-NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
+NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)

 if [[ -e /etc/openvpn/server.conf ]]; then
 	while :
@@ -162,11 +160,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 					firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
 				fi
 				if iptables -L -n | grep -qE 'REJECT|DROP'; then
-					sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
-					sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
-					sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
+					if [[ "$PROTOCOL" = 'udp' ]]; then
+						iptables -D INPUT -p udp --dport $PORT -j ACCEPT
+					else
+						iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
+					fi
+					iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+					iptables-save > $IPTABLES
 				fi
-				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
+				iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
+				iptables-save > $IPTABLES
 				if hash sestatus 2>/dev/null; then
 					if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 						if [[ "$PORT" != '1194' ]]; then
@@ -347,9 +350,73 @@ else
 		# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
 		# The we install OpenVPN
 		apt-get install openvpn iptables openssl wget ca-certificates curl -y
+		# Install iptables service
+		if [[ ! -e /etc/systemd/system/iptables.service ]]; then
+			mkdir /etc/iptables
+			iptables-save > /etc/iptables/iptables.rules
+			echo "#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+			chmod +x /etc/iptables/flush-iptables.sh
+			echo "[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+			systemctl daemon-reload
+			systemctl enable iptables.service
+		fi
 	elif [[ "$OS" = 'centos' ]]; then
 		yum install epel-release -y
 		yum install openvpn iptables openssl wget ca-certificates curl -y
+		# Install iptables service
+		if [[ ! -e /etc/systemd/system/iptables.service ]]; then
+			mkdir /etc/iptables
+			iptables-save > /etc/iptables/iptables.rules
+			echo "#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+			chmod +x /etc/iptables/flush-iptables.sh
+			echo "[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+			systemctl daemon-reload
+			systemctl enable iptables.service
+			# Disable firewalld to allow iptables to start upon reboot
+			systemctl disable firewalld
+		fi
 	else
 		# Else, the distro is ArchLinux
 		echo ""
@@ -365,39 +432,21 @@ else
 			echo "Ok, bye !"
 			exit 4
 		fi
-
+		
 		if [[ "$OS" = 'arch' ]]; then
-		# Install rc.local
-		echo "[Unit]
-Description=/etc/rc.local compatibility
-
-[Service]
-Type=oneshot
-ExecStart=/etc/rc.local
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
-			chmod +x /etc/rc.local
-			systemctl enable rc-local.service
-			if ! grep '#!' $RCLOCAL; then
-				echo "#!/bin/bash" > $RCLOCAL
-			fi
-		fi
-
-		# Install dependencies
-		pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
-		if [[ "$OS" = 'arch' ]]; then
-			touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
+			# Install dependencies
+			pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
+			iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
+			systemctl daemon-reload
 			systemctl enable iptables
 			systemctl start iptables
 		fi
 	fi
 	# Find out if the machine uses nogroup or nobody for the permissionless group
 	if grep -qs "^nogroup:" /etc/group; then
-	        NOGROUP=nogroup
+		NOGROUP=nogroup
 	else
-        	NOGROUP=nobody
+		NOGROUP=nobody
 	fi

 	# An old version of easy-rsa was available by default in some openvpn packages
@@ -503,15 +552,10 @@ verb 3" >> /etc/openvpn/server.conf
 	fi
 	# Avoid an unneeded reboot
 	echo 1 > /proc/sys/net/ipv4/ip_forward
-	# Needed to use rc.local with some systemd distros
- 	if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
- 		echo '#!/bin/sh -e
- exit 0' > $RCLOCAL
-	fi
-	chmod +x $RCLOCAL
 	# Set NAT for the VPN subnet
 	iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
-	sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
+	# Save persitent iptables rules
+	iptables-save > $IPTABLES
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
@@ -537,13 +581,8 @@ verb 3" >> /etc/openvpn/server.conf
 		fi
 		iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 		iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-		if [[ "$PROTOCOL" = 'UDP' ]]; then
-			sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
-		elif [[ "$PROTOCOL" = 'TCP' ]]; then
-			sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
-		fi
-		sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
-		sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
+		# Save persitent OpenVPN rules
+        iptables-save > $IPTABLES
 	fi
 	# If SELinux is enabled and a custom port was selected, we need this
 	if hash sestatus 2>/dev/null; then
@@ -603,10 +642,10 @@ verb 3" >> /etc/openvpn/server.conf
 		echo ""
 		echo "Looks like your server is behind a NAT!"
 		echo ""
-                echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
-                echo "then I need to know the address that can be used to access it from outside."
-                echo "If that's not the case, just ignore this and leave the next field blank"
-                read -p "External IP or domain name: " -e USEREXTERNALIP
+        echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
+        echo "then I need to know the address that can be used to access it from outside."
+        echo "If that's not the case, just ignore this and leave the next field blank"
+        read -p "External IP or domain name: " -e USEREXTERNALIP
 		if [[ "$USEREXTERNALIP" != "" ]]; then
 			IP=$USEREXTERNALIP
 		fi
@@ -642,4 +681,4 @@ verb 3" >> /etc/openvpn/client-template.txt
 	echo "Your client config is available at $homeDir/$CLIENT.ovpn"
 	echo "If you want to add more clients, you simply need to run this script another time!"
 fi
-exit 0;
+exit 0;