From fa704629f01a862a95c8caed87ca86d79ecc0006 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Sat, 25 Jun 2016 10:50:37 -0500
Subject: [PATCH] Improve backup of IPTables rules
---
 vpnsetup.sh | 7 ++++---
 vpnsetup_centos.sh | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 848f890..f9e29e3 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -322,7 +322,6 @@ fi
 # - If IPTables is "empty", simply write out the new rules.
 # - If *not* empty, insert new rules and save them with existing ones.
 if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
-/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$sys_dt" 2>/dev/null
 service fail2ban stop >/dev/null 2>&1
 if [ "$(iptables-save | grep -c '^\-')" = "0" ]; then
 cat > /etc/iptables.rules <<EOF
@@ -343,7 +342,7 @@ cat > /etc/iptables.rules <<EOF
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
-# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# Uncomment to DROP traffic between VPN clients themselves
 # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
 # -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -365,6 +364,8 @@ EOF
 else
+iptables-save > "/etc/iptables.rules.old-$sys_dt"
+
 iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
 iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 iptables -I INPUT 3 -p udp --dport 1701 -j DROP
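Review bot: The new `iptables-save > "/etc/iptables.rules.old-$sys_dt"` in the third hunk never checks its exit status, so if `iptables-save` fails the redirect has already created an empty backup and the `iptables -I` lines that follow still modify the live ruleset; the matching hunk in vpnsetup_centos.sh (`/etc/sysconfig/iptables.old-$sys_dt`) has the same gap. I would guard it, e.g. `iptables-save > "/etc/iptables.rules.old-$sys_dt" || { echo "Error: could not back up current IPTables rules." >&2; exit 1; }`, unless the script already runs under `set -e`, which the hunk does not show. Dropping the `cp` of the on-disk rules file in the first hunk also means a saved file that differs from the live ruleset is no longer preserved before the script presumably rewrites it later; keeping both snapshots would be cheap. Since the snapshot records the host's complete firewall policy, creating it with a restrictive mode (`umask 077` before the redirect, or `chmod 600` afterwards) would limit who can read it. The enclosing if/else block opens in the first hunk and continues past this one.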
@@ -374,7 +375,7 @@ iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
 iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
-# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# Uncomment to DROP traffic between VPN clients themselves
 # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
 # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 iptables -A FORWARD -j DROP
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index e156cb1..890a59b 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -327,7 +327,6 @@ fi
 # - If IPTables is "empty", simply write out the new rules.
 # - If *not* empty, insert new rules and save them with existing ones.
 if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
-/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$sys_dt" 2>/dev/null
 service fail2ban stop >/dev/null 2>&1
 if [ "$(iptables-save | grep -c '^\-')" = "0" ]; then
 cat > /etc/sysconfig/iptables <<EOF
@@ -348,7 +347,7 @@ cat > /etc/sysconfig/iptables <<EOF
 -A INPUT -p udp --dport 1701 -j DROP
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
-# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# Uncomment to DROP traffic between VPN clients themselves
 # -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
 # -A FORWARD -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -369,6 +368,8 @@ EOF
 else
+iptables-save > "/etc/sysconfig/iptables.old-$sys_dt"
+
 iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
 iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 iptables -I INPUT 3 -p udp --dport 1701 -j DROP
@@ -378,7 +379,7 @@ iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
 iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
-# To disallow (DROP) traffic between VPN clients themselves, uncomment these lines:
+# Uncomment to DROP traffic between VPN clients themselves
 # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
 # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
 iptables -A FORWARD -j DROP