## Starting
|
|
|
|
---
|
|
|
|
As with every shell script that we intend to run using Bash, the file starts with a shebang line that selects the interpreter:
|
|
|
|
#!/bin/bash
|
|
|
|
## reset_iptables ()
|
|
|
|
---
|
|
|
|
A function that resets the state of iptables so that no pre-existing rules are left behind unaccounted for. It flushes and deletes the chains of all five IPv4 tables (`filter`, `nat`, `mangle`, `raw`, `security`) and sets the built-in chain policies to `ACCEPT`; `ip6tables` is not touched:
|
|
|
|
# Flush and delete every chain in all five IPv4 tables, then set the built-in
# chains of the filter table back to ACCEPT, so that the rules added afterwards
# are the only ones in effect.
#
# Caveats:
#  - Only IPv4 (`iptables`) is touched; any `ip6tables` rules stay in place.
#  - After this call the host ACCEPTs all input, forwarding and output until
#    further rules are added, i.e. it is unfiltered for IPv4 in between.
#  - Needs root; the return status of the iptables calls is not checked.
reset_iptables () {
  local table chain

  # The filter table is the default, so no -t is needed for it.
  iptables -F
  iptables -X

  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done

  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
|
|
|
|
!!! warning "Potential Security Risk"
|
|
|
|
The above function, when called, removes every existing iptables rule and sets the `INPUT`, `FORWARD` and `OUTPUT` policies to `ACCEPT`, leaving the host completely unfiltered for IPv4 until further rules are added. Only IPv4 is affected; any `ip6tables` rules remain in place. It must be run as root.
|
|
|
|
### Example
|
|
|
|
---
|
|
|
|
The function takes no arguments. Calling it clears every rule currently defined in iptables (all tables) and resets the default policies to `ACCEPT`.
|
|
|
|
# Wipe whatever rules are currently loaded before adding our own.
reset_iptables
|
|
|
|
## forward_internet ()
|
|
|
|
---
|
|
|
|
A function that lets clients on the given network, which use this machine as their default gateway, reach the Internet through this machine's uplink interface. Their traffic is masqueraded (source-NATed) behind the uplink's address, and the client network is also granted full access to this machine itself (`INPUT`):
|
|
|
|
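# Let hosts on CLIENT_NET that use this machine as their default gateway reach
# the Internet through INET_IFACE.
#
# Arguments:
#   $1 - CLIENT_NET: source network in CIDR form, e.g. 192.168.1.0/24
#   $2 - INET_IFACE: name of the upstream (Internet-facing) interface
# Returns: 2 on a wrong argument count; otherwise the status of the last
#          iptables call.
#
# Security notes:
#  - The MASQUERADE rule matches on the outgoing interface only, not on
#    CLIENT_NET, so *any* forwarded traffic leaving INET_IFACE is NATed behind
#    this machine's address. Kept as-is because other hosts may rely on it (the
#    forward.sh listing pairs a 192.168.1.0/24 client net with 10.44.7.x
#    port-forward targets); add `-s "$client_net"` to scope it if unwanted.
#  - The INPUT rule accepts everything from CLIENT_NET to this machine itself,
#    i.e. every local service is reachable from the client network.
#  - No FORWARD rule is added for the return direction; it relies on the
#    FORWARD policy being ACCEPT (see reset_iptables).
forward_internet () {
  local client_net inet_iface

  if (( $# != 2 )); then
    printf 'usage: forward_internet CLIENT_NET INET_IFACE\n' >&2
    return 2
  fi
  client_net=$1
  inet_iface=$2

  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE
  # -I inserts at the head of the chain so these take precedence over any
  # rule appended later.
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT
  iptables -I INPUT -s "$client_net" -j ACCEPT
}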
|
|
|
|
### Examples
|
|
|
|
---
|
|
|
|
To act as an Internet gateway, via `wlan0`, for other devices on the network sending packets from `192.168.1.x`:
|
|
|
|
# Hosts in 192.168.1.0/24 that route via this machine get out through wlan0.
forward_internet 192.168.1.0/24 wlan0
|
|
|
|
## forward_port ()
|
|
|
|
---
|
|
|
|
A function used to forward incoming TCP connections from an outside interface and port to an inside address and port, and to masquerade them so that the reply returns via this machine. Because of the masquerade, the inside host sees this machine's address rather than the original client's. Note that it also enables IP forwarding globally for both IPv4 and IPv6, while only IPv4 rules are installed:
|
|
|
|
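# Forward incoming TCP connections arriving on OUTSIDE_INTERFACE:OUTSIDE_PORT to
# INSIDE_ADDRESS:INSIDE_PORT and masquerade them so the reply comes back
# through this machine.
#
# Arguments:
#   $1 - OUTSIDE_INTERFACE: interface the connection arrives on, e.g. tun0
#   $2 - OUTSIDE_PORT:      TCP port accepted on that interface
#   $3 - INSIDE_ADDRESS:    IPv4 address of the internal host
#   $4 - INSIDE_PORT:       TCP port on the internal host
# Outputs: one line "OUTSIDE_INTERFACE:OUTSIDE_PORT -> INSIDE_ADDRESS:INSIDE_PORT"
# Returns: 2 on a wrong argument count, 0 otherwise (iptables/sysctl failures
#          are not checked).
#
# Notes:
#  - TCP only (-p tcp); UDP on the same port is not forwarded.
#  - The POSTROUTING MASQUERADE rewrites the client's source address to this
#    machine's, so the inside host sees this router, not the real client, in
#    its logs and cannot filter by client IP. It matches on destination only,
#    so LAN connections to INSIDE_ADDRESS:INSIDE_PORT are masqueraded as well.
#  - Forwarding is switched on globally for IPv4 *and* IPv6 on every call, but
#    no ip6tables rules are installed anywhere in this script, so IPv6 is
#    routed unfiltered if the host has IPv6 connectivity.
#  - Relies on the FORWARD policy being ACCEPT (reset_iptables); with a DROP
#    policy a matching FORWARD rule would be needed too.
#  - Rules are appended, so calling twice with the same arguments adds
#    duplicates; reset_iptables is expected to have run first.
forward_port () {
  local outside_iface outside_port inside_addr inside_port

  if (( $# != 4 )); then
    printf 'usage: forward_port OUTSIDE_INTERFACE OUTSIDE_PORT INSIDE_ADDRESS INSIDE_PORT\n' >&2
    return 2
  fi
  outside_iface=$1
  outside_port=$2
  inside_addr=$3
  inside_port=$4

  # Idempotent; stdout ("key = value") is silenced, errors still reach stderr.
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null

  iptables -A PREROUTING -t nat -p tcp -i "$outside_iface" --dport "$outside_port" \
    -j DNAT --to-destination "$inside_addr:$inside_port"
  iptables -A POSTROUTING -t nat -p tcp -d "$inside_addr" --dport "$inside_port" \
    -j MASQUERADE

  printf '%s:%s -> %s:%s\n' "$outside_iface" "$outside_port" "$inside_addr" "$inside_port"
}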
|
|
|
|
## Usage
|
|
|
|
---
|
|
|
|
# Start from a clean slate, then give the 10.44.7.0/24 clients Internet
# access through wlan0.
reset_iptables
forward_internet 10.44.7.0/24 wlan0

# Port forwards, one per line:
#   OUTSIDE_INTERFACE  OUTSIDE_PORT  INSIDE_ADDRESS  INSIDE_PORT
# Order is preserved (rules are appended in sequence).
#
# Exposure to keep in mind: everything on tun0 (presumably a tunnel interface)
# is reachable by anyone who can reach that interface, with no source
# restriction -- that includes SSH (22001-22003 -> 22), SMTP (25/587/465) and
# HTTP/HTTPS. Ports 8006/8007 are additionally exposed on wlan0, which is the
# same interface used as the Internet uplink above.
while read -r iface oport iaddr iport; do
  forward_port "$iface" "$oport" "$iaddr" "$iport"
done <<'EOF'
tun0 8006 10.44.7.159 8006
tun0 8007 10.44.7.157 8006
tun0 7860 10.44.7.103 7860
tun0 7861 10.44.7.100 7861
tun0 7862 10.44.7.100 7862
tun0 22001 10.44.7.111 22
tun0 22002 10.44.7.100 22
tun0 22003 10.44.7.105 22
tun0 80 10.44.7.111 80
tun0 443 10.44.7.111 443
tun0 35566 10.44.7.112 35566
wlan0 8006 10.44.7.159 8006
wlan0 8007 10.44.7.157 8006
tun0 8033 10.44.7.114 80
tun0 25 10.44.7.102 25
tun0 587 10.44.7.102 587
tun0 465 10.44.7.102 465
EOF
|
|
|
|
## forward.sh
|
|
|
|
---
|
|
|
|
``` bash title="forward.sh"
|
|
#!/bin/bash
|
|
|
|
# Flush and delete every chain in all five IPv4 tables, then set the built-in
# chains of the filter table back to ACCEPT, so that the rules added afterwards
# are the only ones in effect.
#
# Caveats:
#  - Only IPv4 (`iptables`) is touched; any `ip6tables` rules stay in place.
#  - After this call the host ACCEPTs all input, forwarding and output until
#    further rules are added, i.e. it is unfiltered for IPv4 in between.
#  - Needs root; the return status of the iptables calls is not checked.
reset_iptables () {
  local table chain

  # The filter table is the default, so no -t is needed for it.
  iptables -F
  iptables -X

  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done

  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
|
|
|
|
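# Let hosts on CLIENT_NET that use this machine as their default gateway reach
# the Internet through INET_IFACE.
#
# Arguments:
#   $1 - CLIENT_NET: source network in CIDR form, e.g. 192.168.1.0/24
#   $2 - INET_IFACE: name of the upstream (Internet-facing) interface
# Returns: 2 on a wrong argument count; otherwise the status of the last
#          iptables call.
#
# Security notes:
#  - The MASQUERADE rule matches on the outgoing interface only, not on
#    CLIENT_NET, so *any* forwarded traffic leaving INET_IFACE is NATed behind
#    this machine's address. Kept as-is because other hosts may rely on it (this
#    script pairs a 192.168.1.0/24 client net with 10.44.7.x port-forward
#    targets); add `-s "$client_net"` to scope it if unwanted.
#  - The INPUT rule accepts everything from CLIENT_NET to this machine itself,
#    i.e. every local service is reachable from the client network.
#  - No FORWARD rule is added for the return direction; it relies on the
#    FORWARD policy being ACCEPT (see reset_iptables).
forward_internet () {
  local client_net inet_iface

  if (( $# != 2 )); then
    printf 'usage: forward_internet CLIENT_NET INET_IFACE\n' >&2
    return 2
  fi
  client_net=$1
  inet_iface=$2

  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE
  # -I inserts at the head of the chain so these take precedence over any
  # rule appended later.
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT
  iptables -I INPUT -s "$client_net" -j ACCEPT
}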
|
|
|
|
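# Forward incoming TCP connections arriving on OUTSIDE_INTERFACE:OUTSIDE_PORT to
# INSIDE_ADDRESS:INSIDE_PORT and masquerade them so the reply comes back
# through this machine.
#
# Arguments:
#   $1 - OUTSIDE_INTERFACE: interface the connection arrives on, e.g. tun0
#   $2 - OUTSIDE_PORT:      TCP port accepted on that interface
#   $3 - INSIDE_ADDRESS:    IPv4 address of the internal host
#   $4 - INSIDE_PORT:       TCP port on the internal host
# Outputs: one line "OUTSIDE_INTERFACE:OUTSIDE_PORT -> INSIDE_ADDRESS:INSIDE_PORT"
# Returns: 2 on a wrong argument count, 0 otherwise (iptables/sysctl failures
#          are not checked).
#
# Notes:
#  - TCP only (-p tcp); UDP on the same port is not forwarded.
#  - The POSTROUTING MASQUERADE rewrites the client's source address to this
#    machine's, so the inside host sees this router, not the real client, in
#    its logs and cannot filter by client IP. It matches on destination only,
#    so LAN connections to INSIDE_ADDRESS:INSIDE_PORT are masqueraded as well.
#  - Forwarding is switched on globally for IPv4 *and* IPv6 on every call, but
#    no ip6tables rules are installed anywhere in this script, so IPv6 is
#    routed unfiltered if the host has IPv6 connectivity.
#  - Relies on the FORWARD policy being ACCEPT (reset_iptables); with a DROP
#    policy a matching FORWARD rule would be needed too.
#  - Rules are appended, so calling twice with the same arguments adds
#    duplicates; reset_iptables is expected to have run first.
forward_port () {
  local outside_iface outside_port inside_addr inside_port

  if (( $# != 4 )); then
    printf 'usage: forward_port OUTSIDE_INTERFACE OUTSIDE_PORT INSIDE_ADDRESS INSIDE_PORT\n' >&2
    return 2
  fi
  outside_iface=$1
  outside_port=$2
  inside_addr=$3
  inside_port=$4

  # Idempotent; stdout ("key = value") is silenced, errors still reach stderr.
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null

  iptables -A PREROUTING -t nat -p tcp -i "$outside_iface" --dport "$outside_port" \
    -j DNAT --to-destination "$inside_addr:$inside_port"
  iptables -A POSTROUTING -t nat -p tcp -d "$inside_addr" --dport "$inside_port" \
    -j MASQUERADE

  printf '%s:%s -> %s:%s\n' "$outside_iface" "$outside_port" "$inside_addr" "$inside_port"
}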
|
|
|
|
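# Everything below needs root (iptables and sysctl write kernel state). Bail out
# early instead of printing "iface:port -> host:port" lines for rules that were
# never installed.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Start from a clean slate, then give the client network Internet access
# through wlan0.
# NOTE(review): the client subnet here (192.168.1.0/24) differs from the
# 10.44.7.x hosts targeted by the port forwards below, while the Usage section
# of this page passes 10.44.7.0/24 -- confirm which is intended.
reset_iptables
forward_internet 192.168.1.0/24 wlan0

# Port forwards, one per line:
#   OUTSIDE_INTERFACE  OUTSIDE_PORT  INSIDE_ADDRESS  INSIDE_PORT
# Order is preserved (rules are appended in sequence).
#
# Exposure to keep in mind: everything on tun0 (presumably a tunnel interface)
# is reachable by anyone who can reach that interface, with no source
# restriction -- that includes SSH (22001-22003 -> 22), SMTP (25/587/465) and
# HTTP/HTTPS. Ports 8006/8007 are additionally exposed on wlan0, which is the
# same interface used as the Internet uplink above.
while read -r iface oport iaddr iport; do
  forward_port "$iface" "$oport" "$iaddr" "$iport"
done <<'EOF'
tun0 8006 10.44.7.159 8006
tun0 8007 10.44.7.157 8006
tun0 7860 10.44.7.103 7860
tun0 7861 10.44.7.100 7861
tun0 7862 10.44.7.100 7862
tun0 22001 10.44.7.111 22
tun0 22002 10.44.7.100 22
tun0 22003 10.44.7.105 22
tun0 80 10.44.7.111 80
tun0 443 10.44.7.111 443
tun0 35566 10.44.7.112 35566
wlan0 8006 10.44.7.159 8006
wlan0 8007 10.44.7.157 8006
tun0 8033 10.44.7.114 80
tun0 25 10.44.7.102 25
tun0 587 10.44.7.102 587
tun0 465 10.44.7.102 465
EOF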
|
|
|
|
```
|
|
|
|
Devices with a `192.168.1.x` address that use this router as their gateway can reach the Internet through `wlan0` (note that the Usage section above calls `forward_internet` with `10.44.7.0/24` instead, which matches the subnet of the port-forward targets):
|
|
|
|
|
|
|
|
TCP requests arriving at this router on interface `tun0` for port `8006` will be forwarded to `10.44.7.159:8006`:
|
|
|
|
# TCP 8006 arriving on tun0 is handed to the host at 10.44.7.159, port 8006.
forward_port tun0 8006 10.44.7.159 8006
|