-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathip_tables.sh
More file actions
121 lines (93 loc) · 4.38 KB
/
ip_tables.sh
File metadata and controls
121 lines (93 loc) · 4.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#!/bin/bash
#############################################################################
##### This script installs PIA VPN using OpenVPN and sets up a killswitch
##### Using iptables
##### This script needs to be run as root
#############################################################################
#############################################################################
################################ VARIABLES ################################
############################# UPDATE AS NEEDED ############################
#############################################################################
# PIA credentials
PIA_USERNAME="USERNAME"
PIA_PASSWORD="PASSWORD"
# Address of the Network (not the machine IP but of the network) with the / number as well
NETWORK_ADDRESS="192.168.1.0/24"
# Network interface name
NETWORK_INTERFACE_NAME="enp0s3"
# UDP Ports that are left open
# Default ports are 53 for DNS and 1197 for VPN which are both UDP
# Ports may change or differ
PORT1_NUMBER="1197"
PORT1_TYPE="UDP"
# Name of country filename.
FILENAME="CA Toronto.ovpn"
#############################################################################
############################## SCRIPT ITSELF ##############################
#############################################################################.
systemctl start resolvconf.service
#systemctl start resolvconf-pull-resolved
systemctl enable resolvconf.service
apt-get install unzip -y
apt-get install openvpn -y
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
unzip openvpn-strong.zip -d /etc/openvpn
rm openvpn-strong.zip
cd /etc/openvpn
echo $PIA_USERNAME >> /etc/openvpn/login
echo $PIA_PASSWORD >> /etc/openvpn/login
chmod og-rx,u+x,a-w login
cp "$FILENAME" vpn.conf
sed -i 's/auth-user-pass/auth-user-pass \/etc\/openvpn\/login/g' vpn.conf
# obtained from https://www.ubuntubuzz.com/2015/09/how-to-fix-openvpn-dns-leak-in-linux.html
echo "script-security 2" >> /etc/openvpn/vpn.conf
echo "up /etc/openvpn/update-resolv-conf" >> /etc/openvpn/vpn.conf
echo "down /etc/openvpn/update-resolv-conf" >> /etc/openvpn/vpn.conf
# enable openvpn with the config file to start automatically
systemctl enable openvpn@vpn
# This killswitch is based off of a portion of https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/
# Clear out the old rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow all local traffic.
iptables -A INPUT -s $NETWORK_ADDRESS -j ACCEPT
iptables -A OUTPUT -d $NETWORK_ADDRESS -j ACCEPT
# Allow VPN establishment with only 2 ports open, 1 for DNS and 1 for VPN
# If establishing thru an IP and not DNS, the ones with port 53 can be removed
# Port 1198 may be different depending on the VPN
iptables -A OUTPUT -p $PORT1_TYPE --dport $PORT1_NUMBER -j ACCEPT
iptables -A INPUT -p $PORT1_TYPE --sport $PORT1_NUMBER -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
ifconfig $NETWORK_INTERFACE_NAME down
ifconfig $NETWORK_INTERFACE_NAME up
service openvpn stop
sleep 5
service openvpn start
sleep 5
# set default values as yes for v4 and v6 on the iptables-persistent install
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
#############################################################################
################################# OPTIONAL ##################################
#############################################################################
# check to see if DNS is leaking
apt-get install jq -y
wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh
chmod +x dnsleaktest.sh
./dnsleaktest.sh
# this will say if dns is leaking and where you are appearing from
# Can also be tested by going to dnsleaktest.com and running extended test
#############################################################################
################################# ENJOY ###################################
#############################################################################