@SlavaKatiukha
Last active March 9, 2021 17:16
<% privateNetworks = privateNetworks ? privateNetworks.split(/\s*,\s*/) : [] %>
# BOF OpenVPN
*mangle
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
*nat
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -i as0t+ -j ACCEPT
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o venet0 -j MASQUERADE
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
<% for (var i = 0, n = privateNetworks.length; i < n; i++) {%>
-A AS0_NAT_PRE -d <%= privateNetworks[i] %> -j AS0_NAT_TEST
<%}%>
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
*filter
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 53 -j AS0_ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -d <%= publicIP %>/32 -p udp -m state --state NEW -m udp --dport <%= ovpnPortUDP %> -j AS0_ACCEPT
-A INPUT -d <%= publicIP %>/32 -p tcp -m state --state NEW -m tcp --dport <%= ovpnPortTCP %> -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -d <%= publicIP %>/32 -p tcp -m state --state NEW -m tcp --dport <%= webUiPort %> -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
<% for (var i = 0, n = privateNetworks.length; i < n; i++) {%>
-A AS0_IN_POST -d <%= privateNetworks[i] %> -j ACCEPT
<%}%>
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A AS0_IN_PRE -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
<% for (var i = 0, n = privateNetworks.length; i < n; i++) {%>
-A AS0_IN_PRE -d <%= privateNetworks[i] %> -j AS0_IN
<%}%>
-A AS0_IN_PRE -j <%= privateNetworks.length ? "DROP" : "ACCEPT" %>
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# EOF OpenVPN
<% return { result: 0, body: ___ViewO.join('') }; %>
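Added example, not part of the gist above: a minimal JavaScript renderer for the `<% … %>` / `<%= … %>` tags the template uses, applied to a constructed excerpt of the AS0_IN_PRE chain. It makes visible what iptables-restore receives for a given `privateNetworks` value, in particular that an empty list turns the chain's catch-all rule into ACCEPT rather than DROP. The renderer and the `renderRules` helper are assumptions of this example, not code from the gist.

```javascript
// Compile a template in the gist's tag syntax into a function that appends
// rendered fragments to ___ViewO, mirroring the gist's own closing line
// `___ViewO.join('')`. Code tags run as-is; `<%= expr %>` tags push expr.
function renderTemplate(template, vars) {
  const names = Object.keys(vars);
  let body = 'var ___ViewO = [];\n';
  let last = 0;
  const tag = /<%(=?)([\s\S]*?)%>/g;
  let m;
  while ((m = tag.exec(template)) !== null) {
    // Literal text before the tag, then the tag itself.
    body += '___ViewO.push(' + JSON.stringify(template.slice(last, m.index)) + ');\n';
    body += m[1] === '=' ? '___ViewO.push(String(' + m[2] + '));\n' : m[2] + '\n';
    last = tag.lastIndex;
  }
  body += '___ViewO.push(' + JSON.stringify(template.slice(last)) + ');\n';
  body += 'return ___ViewO.join("");';
  return new Function(...names, body)(...names.map((k) => vars[k]));
}

// Rendered rule lines with blank lines (left behind by code-only tags) removed.
function renderRules(template, vars) {
  return renderTemplate(template, vars)
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean);
}

// Constructed excerpt: the gist's privateNetworks parsing line plus the
// AS0_IN_PRE rules whose output depends on it.
const AS0_IN_PRE_TEMPLATE = [
  '<% privateNetworks = privateNetworks ? privateNetworks.split(/\\s*,\\s*/) : [] %>',
  '<% for (var i = 0, n = privateNetworks.length; i < n; i++) {%>',
  '-A AS0_IN_PRE -d <%= privateNetworks[i] %> -j AS0_IN',
  '<%}%>',
  '-A AS0_IN_PRE -j <%= privateNetworks.length ? "DROP" : "ACCEPT" %>',
].join('\n');

// Sample values (constructed): two private networks, then none.
console.log(renderRules(AS0_IN_PRE_TEMPLATE, { privateNetworks: '10.0.0.0/8, 192.168.0.0/16' }));
console.log(renderRules(AS0_IN_PRE_TEMPLATE, { privateNetworks: '' }));
```

With networks listed, client traffic to each network is routed into AS0_IN and everything else hits DROP; with the list empty, the only rule emitted is the ACCEPT catch-all.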