Merge pull request #219 from r0p0s3c/iptables
move iptables/nat functionality to a function
										28
									
								
								bin/ovpn_run
							@@ -35,6 +35,21 @@ function addArg {
 | 
			
		||||
    fi
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
# set up iptables rules and routing
 | 
			
		||||
# this allows rules/routing to be altered by supplying this function
 | 
			
		||||
# in an included file, such as ovpn_env.sh
 | 
			
		||||
function setupIptablesAndRouting {
 | 
			
		||||
    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
 | 
			
		||||
      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
 | 
			
		||||
    }
 | 
			
		||||
    for i in "${OVPN_ROUTES[@]}"; do
 | 
			
		||||
        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
 | 
			
		||||
          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
 | 
			
		||||
        }
 | 
			
		||||
    done
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
addArg "--config" "$OPENVPN/openvpn.conf"
 | 
			
		||||
 | 
			
		||||
source "$OPENVPN/ovpn_env.sh"
 | 
			
		||||
@@ -53,14 +68,10 @@ fi
 | 
			
		||||
 | 
			
		||||
# Setup NAT forwarding if requested
 | 
			
		||||
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
 | 
			
		||||
    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
 | 
			
		||||
      iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
 | 
			
		||||
    }
 | 
			
		||||
    for i in "${OVPN_ROUTES[@]}"; do
 | 
			
		||||
        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
 | 
			
		||||
          iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
 | 
			
		||||
        }
 | 
			
		||||
    done
 | 
			
		||||
	# call function to setup iptables rules and routing
 | 
			
		||||
	# this allows rules to be customized by supplying
 | 
			
		||||
	# a replacement function in, for example, ovpn_env.sh
 | 
			
		||||
	setupIptablesAndRouting
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# Use a hacky hardlink as the CRL Needs to be readable by the user/group
 | 
			
		||||
@@ -85,4 +96,3 @@ fi
 | 
			
		||||
 | 
			
		||||
echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 | 
			
		||||
exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
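Review bot: `$OVPN_SERVER` and `$OVPN_NATDEVICE` are left unquoted in all four iptables lines of the new `setupIptablesAndRouting` body while `-s "$i"` on the same lines is quoted, so the words are subject to splitting and globbing before iptables sees them and the `-C` probe and the `-A` add can disagree on what was passed. Quote them consistently: `iptables -t nat -C POSTROUTING -s "$OVPN_SERVER" -o "$OVPN_NATDEVICE" -j MASQUERADE || {` with the matching `-A` line, and the same two lines inside the loop. Since the override hook is the point of this change, the header comment should state the contract, e.g. `# Override by defining a function of this name in ovpn_env.sh (sourced below); it is only invoked when OVPN_DEFROUTE != 0 or OVPN_NAT == 1, so keep a replacement idempotent (-C before -A) like this default.` In the second hunk the new call-site comment and the `setupIptablesAndRouting` call are indented with a tab where the surrounding `if` block uses four spaces.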
@@ -12,5 +12,6 @@ imageTests+=(
 | 
			
		||||
        basic
 | 
			
		||||
        dual-proto
 | 
			
		||||
        otp
 | 
			
		||||
	iptables
 | 
			
		||||
	'
 | 
			
		||||
)
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										38
									
								
								test/tests/iptables/run.sh
									
									
									
									
									
										Executable file
							@@ -0,0 +1,38 @@
 | 
			
		||||
#!/bin/bash
 | 
			
		||||
set -e
 | 
			
		||||
 | 
			
		||||
[ -n "${DEBUG+x}" ] && set -x
 | 
			
		||||
OVPN_DATA=basic-data
 | 
			
		||||
IMG="kylemanna/openvpn"
 | 
			
		||||
NAME="ovpn-test"
 | 
			
		||||
SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
 | 
			
		||||
 | 
			
		||||
# generate server config including iptables nat-ing
 | 
			
		||||
docker volume create --name $OVPN_DATA
 | 
			
		||||
docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP -N
 | 
			
		||||
docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
 | 
			
		||||
 | 
			
		||||
# Fire up the server
 | 
			
		||||
docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
 | 
			
		||||
 | 
			
		||||
# check default iptables rules
 | 
			
		||||
docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'
 | 
			
		||||
 | 
			
		||||
# append new setupIptablesAndRouting function to config
 | 
			
		||||
docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh'
 | 
			
		||||
 | 
			
		||||
# kill server in preparation to modify config
 | 
			
		||||
docker kill $NAME
 | 
			
		||||
docker rm $NAME
 | 
			
		||||
 | 
			
		||||
# check that overridden function exists and that test iptables rules is active
 | 
			
		||||
docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG
 | 
			
		||||
docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIptablesAndRouting && iptables -t nat -C POSTROUTING -m comment --comment "test"'
 | 
			
		||||
 | 
			
		||||
#
 | 
			
		||||
# kill server
 | 
			
		||||
#
 | 
			
		||||
 | 
			
		||||
docker kill $NAME
 | 
			
		||||
docker rm $NAME
 | 
			
		||||
docker volume rm $OVPN_DATA
 | 
			
		||||
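Review bot: Under `set -e` (line 2 of the new file) any failing `docker exec` check exits before the `docker kill`/`docker rm`/`docker volume rm` lines at the bottom ever run, so a failed assertion leaves the `ovpn-test` container and `basic-data` volume behind and the next run's `docker run -d --name $NAME` will likely collide with the stale container. Register the teardown once, before the first `docker run`, e.g. `cleanup() { docker rm -f "$NAME" >/dev/null 2>&1 || true; docker volume rm "$OVPN_DATA" >/dev/null 2>&1 || true; }` followed by `trap cleanup EXIT`, and drop the manual teardown at the end. The `eval` in the first check is redundant: the single-quoted `bash -c` string is expanded by the container shell after `source`, so `iptables -t nat -C POSTROUTING -s "$OVPN_SERVER" -o eth0 -j MASQUERADE` behaves the same without it. The hard-coded `eth0` assumes the image's default NAT device; if `ovpn_env.sh` sets `OVPN_NATDEVICE`, using `"$OVPN_NATDEVICE"` here would keep the check aligned with the rule `ovpn_run` actually installs.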