init: transmission

2025-12-06 17:17:22 +01:00 · 2024-10-05 13:44:55 +02:00 · 2024-10-05 13:44:55 +02:00 · 1e7f25c979
commit 1e7f25c979
parent 3a56b30a91
13 changed files with 971 additions and 26 deletions
--- a/scripts/server1/iptables.sh
+++ b/scripts/server1/iptables.sh
@ -1,8 +1,8 @@
 #! /usr/bin/env bash
 export INTERFACE="tun0"
 export VPNUSER="vpn"
-export LOCALIP="192.168.1.107"
-export NETIF="enp7s0"
+export LOCALIP="192.168.1.2"
+export NETIF="enp3s0"

 # flushes all the iptables rules, if you have other rules to use then add them into the script
 iptables -F -t nat
@ -34,14 +34,7 @@ iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # reject connections from predator IP going over $NETIF
 iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

-VPNIF="tun0"
-VPNUSER="vpn"
-GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
-if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
-ip rule add from all fwmark 0x1 lookup $VPNUSER
-fi
-ip route replace default via $GATEWAYIP table $VPNUSER
-ip route append default via 127.0.0.1 dev lo table $VPNUSER
-ip route flush cache
+# Start routing script
+/etc/openvpn/routing.sh

 exit 0
--- a/scripts/server1/iptables.sh.bak
+++ b/scripts/server1/iptables.sh.bak
@ -0,0 +1,47 @@
+#! /usr/bin/env bash
+export INTERFACE="tun0"
+export VPNUSER="vpn"
+export LOCALIP="192.168.1.2"
+export NETIF="enp3s0"
+
+# flushes all the iptables rules, if you have other rules to use then add them into the script
+iptables -F -t nat
+iptables -F -t mangle
+iptables -F -t filter
+
+# mark packets from $VPNUSER
+iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
+iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
+iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
+
+# allow responses
+iptables -A INPUT -i $INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# block everything incoming on $INTERFACE to prevent accidental exposing of ports
+iptables -A INPUT -i $INTERFACE -j REJECT
+
+# let $VPNUSER access lo and $INTERFACE
+iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
+iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
+
+# all packets on $INTERFACE needs to be masqueraded
+iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# reject connections from predator IP going over $NETIF
+iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
+
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+exit 0
--- a/scripts/server1/routing.sh
+++ b/scripts/server1/routing.sh
@ -9,6 +9,6 @@ ip route replace default via $GATEWAYIP table $VPNUSER
 ip route append default via 127.0.0.1 dev lo table $VPNUSER
 ip route flush cache

-bash /etc/openvpn/update-resolv-conf
+/etc/openvpn/update-resolv-conf

 exit 0
--- a/scripts/server1/routing.sh.bak
+++ b/scripts/server1/routing.sh.bak
@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+VPNIF="tun0"
+VPNUSER="vpn"
+GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
+if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
+ip rule add from all fwmark 0x1 lookup $VPNUSER
+fi
+ip route replace default via $GATEWAYIP table $VPNUSER
+ip route append default via 127.0.0.1 dev lo table $VPNUSER
+ip route flush cache
+
+bash /etc/openvpn/update-resolv-conf
+
+exit 0
--- a/scripts/server1/update-resolv-conf.bak
+++ b/scripts/server1/update-resolv-conf.bak
@ -0,0 +1,45 @@
+#! /usr/bin/env bash
+foreign_option_1='dhcp-option DNS 209.222.18.222'
+foreign_option_2='dhcp-option DNS 209.222.18.218'
+foreign_option_3='dhcp-option DNS 8.8.8.8'
+
+[ -x /sbin/resolvconf ] || exit 0
+[ "$script_type" ] || exit 0
+[ "$dev" ] || exit 0
+
+split_into_parts()
+{
+        part1="$1"
+        part2="$2"
+        part3="$3"
+}
+
+case "$script_type" in
+  up)
+        NMSRVRS=""
+        SRCHS=""
+        for optionvarname in ${!foreign_option_*} ; do
+                option="${!optionvarname}"
+                echo "$option"
+                split_into_parts $option
+                if [ "$part1" = "dhcp-option" ] ; then
+                        if [ "$part2" = "DNS" ] ; then
+                                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
+                        elif [ "$part2" = "DOMAIN" ] ; then
+                                SRCHS="${SRCHS:+$SRCHS }$part3"
+                        fi
+                fi
+        done
+        R=""
+        [ "$SRCHS" ] && R="search $SRCHS
+"
+        for NS in $NMSRVRS ; do
+                R="${R}nameserver $NS
+"
+        done
+        echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
+        ;;
+  down)
+        /sbin/resolvconf -d "${dev}.openvpn"
+        ;;
+esac