#!/bin/bash
#############################################################################
##### This script installs PIA VPN using OpenVPN and sets up a killswitch
##### Using iptables
##### This script needs to be run as root
#############################################################################
#############################################################################
################################ VARIABLES ################################
############################# UPDATE AS NEEDED ############################
#############################################################################
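# PIA credentials. These are written verbatim into /etc/openvpn/login
# further down. Hardcoding secrets in a script that usually lives
# world-readable in a repo or home directory is risky, so each setting can
# be supplied through the environment instead
# (e.g. `PIA_PASSWORD=... ./ip_tables.sh`); the literal below is only the
# fallback when the variable is unset or empty.
PIA_USERNAME="${PIA_USERNAME:-USERNAME}"
PIA_PASSWORD="${PIA_PASSWORD:-PASSWORD}"
# Local network in CIDR notation (the network, not this machine's IP).
# Traffic to/from this range is exempt from the killswitch entirely.
NETWORK_ADDRESS="${NETWORK_ADDRESS:-192.168.1.0/24}"
# Physical interface that is bounced once the firewall rules are in place.
NETWORK_INTERFACE_NAME="${NETWORK_INTERFACE_NAME:-enp0s3}"
# Ports left open OUTSIDE the tunnel. Defaults: 53/UDP so the VPN server's
# hostname can be resolved before the tunnel exists, and 1197/UDP for the
# OpenVPN connection itself. Ports may differ per profile; if the tunnel
# never comes up, compare PORT2 with the "remote" line of the chosen .ovpn.
PORT1_NUMBER="${PORT1_NUMBER:-53}"
PORT1_TYPE="${PORT1_TYPE:-UDP}"
PORT2_NUMBER="${PORT2_NUMBER:-1197}"
PORT2_TYPE="${PORT2_TYPE:-UDP}"
# Name of the .ovpn profile (from openvpn-strong.zip) to install as vpn.conf.
FILENAME="${FILENAME:-CA Toronto.ovpn}"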
#############################################################################
############################## SCRIPT ITSELF ##############################
#############################################################################
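if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root" >&2
  exit 1
fi
# Stop at the first failed command. Without this, a failed download or
# unzip means no vpn.conf is produced, yet the killswitch further down is
# still applied and the box ends up with all traffic dropped and no tunnel.
set -euo pipefail

# Package installs. iptables-persistent is only pre-downloaded here; it is
# installed after the rules exist so its debconf autosave step captures them.
apt-get update
apt-get install -y ifupdown resolvconf unzip openvpn
apt-get install --download-only -y iptables-persistent
systemctl start resolvconf.service
#systemctl start resolvconf-pull-resolved
systemctl enable resolvconf.service

# Fetch the PIA profile bundle. wget validates the TLS certificate, but
# nothing verifies the archive itself, and the .ovpn files inside it fix
# the VPN server, its CA and the port: whoever controls this download
# controls where the tunnel terminates. Pin a checksum if you mirror it.
tmpzip="$(mktemp)"
trap 'rm -f -- "$tmpzip"' EXIT
wget -O "$tmpzip" https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
# -o overwrites silently so a re-run does not hang on unzip's prompt.
unzip -o "$tmpzip" -d /etc/openvpn
cd /etc/openvpn

# Credentials file: create it root-only (0600) before anything is written,
# then overwrite it. The original appended with >> and fixed permissions
# afterwards, so a re-run produced a four-line file (OpenVPN only reads the
# first two) and the secrets were briefly world-readable.
install -m 0600 -o root -g root /dev/null /etc/openvpn/login
printf '%s\n%s\n' "$PIA_USERNAME" "$PIA_PASSWORD" > /etc/openvpn/login

cp -- "$FILENAME" vpn.conf
# Point auth-user-pass at the credentials file; | as delimiter avoids
# escaping every slash in the path.
sed -i 's|auth-user-pass|auth-user-pass /etc/openvpn/login|g' vpn.conf
# DNS-leak fix, obtained from
# https://www.ubuntubuzz.com/2015/09/how-to-fix-openvpn-dns-leak-in-linux.html
# script-security 2 is what lets OpenVPN run the up/down hook; the hook
# itself (update-resolv-conf) is expected to be present under /etc/openvpn
# from the openvpn package -- verify on your distribution.
cat >> /etc/openvpn/vpn.conf <<'EOF'
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
# enable openvpn with the config file to start automatically
systemctl enable openvpn@vpn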
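# This killswitch is based off of a portion of https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/
# Clear out the old rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow all local traffic (this range is exempt from the killswitch).
iptables -A INPUT -s "$NETWORK_ADDRESS" -j ACCEPT
iptables -A OUTPUT -d "$NETWORK_ADDRESS" -j ACCEPT
# Accept replies to connections this host opened. This replaces the
# original "--sport 53" / "--sport 1197" INPUT rules, which accepted any
# unsolicited packet whose source port happened to be 53 or 1197 -- a
# value the sender picks freely.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow VPN establishment with only 2 ports open, 1 for DNS and 1 for VPN.
# If establishing thru an IP and not DNS, the PORT1 (53) rule can be removed.
# NOTE: the PORT1 rule is a plaintext-DNS hole to any host on any
# interface; it exists only so the VPN server's hostname resolves before
# the tunnel is up. The VPN port (PORT2) may differ per .ovpn profile.
iptables -A OUTPUT -p "$PORT1_TYPE" --dport "$PORT1_NUMBER" -j ACCEPT
iptables -A OUTPUT -p "$PORT2_TYPE" --dport "$PORT2_NUMBER" -j ACCEPT
# Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
# Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# iptables only filters IPv4. With no ip6tables policy, any IPv6
# connectivity on the physical interface walks straight around the
# killswitch, so apply the same loopback/tun-only policy to IPv6 where
# the ip6 filter table is usable.
if command -v ip6tables >/dev/null 2>&1 && ip6tables -L >/dev/null 2>&1; then
  ip6tables -F
  ip6tables -X
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
  ip6tables -A OUTPUT -o tun+ -j ACCEPT
  ip6tables -A INPUT -i tun+ -j ACCEPT
  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT DROP
  ip6tables -P FORWARD DROP
fi
# Bounce the interface with iproute2: ifconfig comes from net-tools, which
# this script does not install and recent Debian/Ubuntu images lack.
ip link set dev "$NETWORK_INTERFACE_NAME" down
ip link set dev "$NETWORK_INTERFACE_NAME" up
# Restart the same unit that was enabled (openvpn@vpn) instead of the
# catch-all openvpn service, so "enable" and "start" refer to one thing.
systemctl restart openvpn@vpn.service
sleep 5
# Pre-seed the debconf answers so iptables-persistent saves the current
# v4 and v6 rules at install time without prompting. The script already
# runs as root, so sudo is unnecessary (and may not be installed).
debconf-set-selections <<'EOF'
iptables-persistent iptables-persistent/autosave_v4 boolean true
iptables-persistent iptables-persistent/autosave_v6 boolean true
EOF
apt-get install -y iptables-persistent
netfilter-persistent save
systemctl enable netfilter-persistent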
#############################################################################
################################# OPTIONAL ##################################
#############################################################################
# just take out the # before each line to run this part
# NOTE: this downloads a third-party script from GitHub and runs it as
# root with no checksum or review step. Read the script first, and pin a
# commit hash in the URL instead of "master" if you keep it enabled.
# apt-get install jq -y
# wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh
# chmod +x dnsleaktest.sh
# ./dnsleaktest.sh
# this will say if DNS is leaking and which IP/ISP you appear to come from
# Can also be tested by going to dnsleaktest.com and running the extended test
#############################################################################
################################# ENJOY ###################################
#############################################################################