From 5a2f5390c6dffece1b57500cce67a316b8d09dd1 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Fri, 30 Mar 2018 07:52:49 +0000 Subject: [PATCH] OpenMPTCProuter VPS script 0.14 initial commit --- config.json | 14 ++ debian9-x86_64.sh | 163 ++++++++++++++++++++ glorytun-tcp-run | 21 +++ glorytun-tcp@.service.in | 12 ++ glorytun.network | 14 ++ shadowsocks.conf | 46 ++++++ shorewall4/conntrack | 53 +++++++ shorewall4/interfaces | 19 +++ shorewall4/params | 24 +++ shorewall4/policy | 23 +++ shorewall4/rules | 61 ++++++++ shorewall4/shorewall.conf | 295 +++++++++++++++++++++++++++++++++++++ shorewall4/snat | 23 +++ shorewall4/stoppedrules | 18 +++ shorewall4/zones | 19 +++ shorewall6/conntrack | 53 +++++++ shorewall6/interfaces | 19 +++ shorewall6/params | 23 +++ shorewall6/policy | 23 +++ shorewall6/rules | 60 ++++++++ shorewall6/shorewall6.conf | 268 +++++++++++++++++++++++++++++++++ shorewall6/stoppedrules | 18 +++ shorewall6/zones | 19 +++ tun0.glorytun | 5 + 24 files changed, 1293 insertions(+) create mode 100644 config.json create mode 100644 debian9-x86_64.sh create mode 100644 glorytun-tcp-run create mode 100644 glorytun-tcp@.service.in create mode 100644 glorytun.network create mode 100644 shadowsocks.conf create mode 100644 shorewall4/conntrack create mode 100644 shorewall4/interfaces create mode 100644 shorewall4/params create mode 100644 shorewall4/policy create mode 100644 shorewall4/rules create mode 100644 shorewall4/shorewall.conf create mode 100644 shorewall4/snat create mode 100644 shorewall4/stoppedrules create mode 100644 shorewall4/zones create mode 100644 shorewall6/conntrack create mode 100644 shorewall6/interfaces create mode 100644 shorewall6/params create mode 100644 shorewall6/policy create mode 100644 shorewall6/rules create mode 100644 shorewall6/shorewall6.conf create mode 100644 shorewall6/stoppedrules create mode 100644 shorewall6/zones create mode 100644 tun0.glorytun 
diff --git a/config.json b/config.json
new file mode 100644
index 0000000..8f14eb5
--- /dev/null
+++ b/config.json
@@ -0,0 +1,14 @@
+{
+ "server":["[::0]", "0.0.0.0"],
+ "server_port":65101,
+ "local_port":1081,
+ "mode":"tcp_and_udp",
+ "key":"MySecretKey",
+ "timeout":120,
+ "method":"aes-256-cfb",
+ "verbose":2,
+ "prefer_ipv6": true,
+ "fast_open": true,
+ "reuse_port": true,
+ "mptcp": true
+}
\ No newline at end of file
diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
new file mode 100644
index 0000000..041fee8
--- /dev/null
+++ b/debian9-x86_64.sh
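Review bot: `"method":"aes-256-cfb"` selects a non-authenticated stream cipher; shadowsocks-libev 3.x supports AEAD methods such as `aes-256-gcm` or `chacha20-ietf-poly1305`, which also authenticate the payload and are the upstream recommendation. If the method changes, the `echo 'Shadowsocks encryption: aes-256-cfb'` summary line at the end of debian9-x86_64.sh has to follow. The `"key":"MySecretKey"` placeholder is rewritten by the install script with a URL-safe base64 string (`+` to `-`, `/` to `_`); I would confirm that the `key` parser accepts that alphabet, because a decoder expecting standard base64 would derive a different key from what the script prints to the user.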
@@ -0,0 +1,163 @@
+#!/bin/sh
+SHADOWSOCKS_PASS=${SHADOWSOCKS_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
+GLORYTUN_PASS=${GLORYTUN_PASS:-$(od -vN "32" -An -tx1 /dev/urandom | tr '[:lower:]' '[:upper:]' | tr -d " \n")}
+#NBCPU=${NBCPU:-$(nproc --all | tr -d "\n")}
+NBCPU=${NBCPU:-$(grep -c '^processor' /proc/cpuinfo | tr -d "\n")}
+OBFS=${OBFS:-no}
+INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
+
+set -e
+umask 0022
+
+# Install mptcp kernel and shadowsocks
+apt-get update
+apt-get -y install dirmngr
+#apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 379CE192D401AB61
+#echo 'deb http://dl.bintray.com/cpaasch/deb jessie main' >> /etc/apt/sources.list
+echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/stretch-backports.list
+apt-get update
+wget -O /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb http://www.openmptcprouter.com/kernel/linux-image-4.14.24-mptcp-64056fa.amd64.deb
+wget -O /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb http://www.openmptcprouter.com/kernel/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
+#apt-get -y install linux-mptcp
+dpkg -i /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb
+dpkg -i /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
+
+#apt -t stretch-backports -y install shadowsocks-libev
+## Compile Shadowsocks
+wget -O /tmp/shadowsocks-libev-3.1.3.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.1.3/shadowsocks-libev-3.1.3.tar.gz
+cd /tmp
+tar xzf shadowsocks-libev-3.1.3.tar.gz
+cd shadowsocks-libev-3.1.3
+wget http://github.com/Ysurac/openmptcprouter-feeds/raw/master/shadowsocks-libev/patches/020-NOCRYPTO.patch
+patch -p1 < 020-NOCRYPTO.patch
+apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap
+apt -y -t stretch-backports install libsodium-dev
+mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
+dpkg-buildpackage -b -us -uc
+cd ..
+dpkg -i shadowsocks-libev_3.1.3-1_amd64.deb
+
+# Load OLIA Congestion module at boot time
+if ! grep -q olia /etc/modules ; then
+ echo mptcp_olia >> /etc/modules
+fi
+
+# Get shadowsocks optimization
+wget -O /etc/sysctl.d/90-shadowsocks.conf http://www.openmptcprouter.com/server/shadowsocks.conf
+
+# Install shadowsocks config and add a shadowsocks by CPU
+wget -O /etc/shadowsocks-libev/config.json http://www.openmptcprouter.com/server/config.json
+SHADOWSOCKS_PASS_JSON=$(echo $SHADOWSOCKS_PASS | sed 's/+/-/g; s/\//_/g;')
+sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/config.json
+#sed -i 's:json:json --mptcp:g' /lib/systemd/system/shadowsocks-libev-server@.service
+systemctl disable shadowsocks-libev
+systemctl enable shadowsocks-libev-server@config.service
+if [ $NBCPU -gt 1 ]; then
+ for i in $NBCPU; do
+ ln -fs /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/config$i.json
+ systemctl enable shadowsocks-libev-server@config$i.service
+ done
+fi
+if ! grep -q 'DefaultLimitNOFILE=65536' /etc/systemd/system.conf ; then
+ echo 'DefaultLimitNOFILE=65536' >> /etc/systemd/system.conf
+fi
+
+# Install simple-obfs
+if [ "$OBFS" = "yes" ]; then
+ cd /tmp
+ sudo apt-get install -y --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake git ca-certificates
+ git clone https://github.com/shadowsocks/simple-obfs.git /tmp/simple-obfs
+ cd /tmp/simple-obfs
+ git submodule update --init --recursive
+ ./autogen.sh
+ ./configure && make
+ make install
+ cd /tmp
+ rm -rf /tmp/simple-obfs
+ sed -i 's%"mptcp": true%"mptcp": true,\n"plugin": "/usr/local/bin/obfs-server --obfs http --mptcp --fast-open"%' /etc/shadowsocks-libev/config.json
+fi
+
+# Install Glorytun UDP
+#apt-get -y install meson pkg-config ca-certificates
+#cd /root
+#wget https://github.com/angt/glorytun/releases/download/v0.0.93-mud/glorytun-0.0.93-mud.tar.gz
+#tar xzf glorytun-0.0.93-mud.tar.gz
+#cd glorytun-0.0.93-mud
+#meson build
+#ninja -C build install
+#sed -i 's:EmitDNS=yes:EmitDNS=no:g' /lib/systemd/network/glorytun.network
+
+# Install Glorytun TCP
+apt -t stretch-backports -y install libsodium-dev
+apt-get -y install build-essential pkg-config autoconf automake
+cd /tmp
+wget -O /tmp/glorytun-0.0.35.tar.gz http://github.com/angt/glorytun/releases/download/v0.0.35/glorytun-0.0.35.tar.gz
+cd /tmp
+tar xzf glorytun-0.0.35.tar.gz
+cd glorytun-0.0.35
+./autogen.sh
+./configure
+make
+cp glorytun /usr/local/bin/glorytun-tcp
+wget -O /usr/local/bin/glorytun-tcp-run http://www.openmptcprouter.com/server/glorytun-tcp-run
+chmod 755 /usr/local/bin/glorytun-tcp-run
+wget -O /lib/systemd/system/glorytun-tcp@.service http://www.openmptcprouter.com/server/glorytun-tcp%40.service.in
+wget -O /lib/systemd/network/glorytun.network http://www.openmptcprouter.com/server/glorytun.network
+mkdir -p /etc/glorytun-tcp
+wget -O /etc/glorytun-tcp/tun0 http://www.openmptcprouter.com/server/tun0.glorytun
+echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key
+systemctl enable glorytun-tcp@tun0.service
+systemctl enable systemd-networkd.service
+cd /tmp
+rm -r /tmp/glorytun-0.0.35
+
+# Load tun module at boot time
+if ! grep -q tun /etc/modules ; then
+ echo tun >> /etc/modules
+fi
+
+
+# Change SSH port to 65222
+sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config
+sed -i 's:Port 22:Port 65222:g' /etc/ssh/sshd_config
+
+# Remove Bind9 if available
+#systemctl -q disable bind9
+
+# Remove fail2ban if available
+#systemctl -q disable fail2ban
+
+# Install and configure the firewall using shorewall
+apt-get -y install shorewall shorewall6
+wget -O /etc/shorewall/openmptcprouter-shorewall.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall.tar.gz
+tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
+rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
+sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
+systemctl enable shorewall
+wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall6.tar.gz
+tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
+rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
+sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
+systemctl enable shorewall6
+
+# Add OpenMPTCProuter VPS script version to /etc/motd
+if grep --quiet 'OpenMPTCProuter VPS' /etc/motd; then
+ sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.14 >:' /etc/motd
+else
+ echo '< OpenMPCTProuter VPS 0.14 >' >> /etc/motd
+fi
+
+# Display important info
+echo '================================================================================'
+echo 'OpenMPTCProuter VPS is now configured !'
+echo 'SSH port: 65222 (instead of port 22)'
+echo 'Shadowsocks port: 65101'
+echo 'Shadowsocks encryption: aes-256-cfb'
+echo 'Your shadowsocks key: '
+echo $SHADOWSOCKS_PASS
+echo 'Glorytun port: 65001'
+echo 'Glorytun encryption: chacha20'
+echo 'Your glorytun key: '
+echo $GLORYTUN_PASS
+echo 'You need to reboot to enable MPTCP, shadowsocks, glorytun and shorewall'
+echo '================================================================================'
diff --git a/glorytun-tcp-run b/glorytun-tcp-run
new file mode 100644
index 0000000..9ccbee6
--- /dev/null
+++ b/glorytun-tcp-run
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$1" ]; then
+ echo "usage: $(basename "$0") FILE"
+ exit 1
+fi
+
+. "$(readlink -f "$1")"
+
+DEV="gt${HOST:+c}-$(basename "$1")"
+
+exec glorytun-tcp \
+ ${SERVER:+listener} \
+ keyfile "$1".key \
+ ${DEV:+dev "$DEV"} \
+ ${HOST:+host "$HOST"} \
+ ${PORT:+port "$PORT"} \
+ ${MPTCP:+mptcp} \
+ ${OPTIONS:+$OPTIONS}
diff --git a/glorytun-tcp@.service.in b/glorytun-tcp@.service.in
new file mode 100644
index 0000000..1d9eaa5
--- /dev/null
+++ b/glorytun-tcp@.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=Glorytun TCP on %I
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+
+[Install]
+WantedBy=multi-user.target
diff --git a/glorytun.network b/glorytun.network
new file mode 100644
index 0000000..7aac843
--- /dev/null
+++ b/glorytun.network
@@ -0,0 +1,14 @@
+[Match]
+Name=gt-*
+
+[Network]
+Description=Glorytun server device
+Address=0.0.0.0/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=1
+EmitDNS=no
+DNS=9.9.9.9
\ No newline at end of file
diff --git a/shadowsocks.conf b/shadowsocks.conf
new file mode 100644
index 0000000..fae949c
--- /dev/null
+++ b/shadowsocks.conf
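Review bot: Every artefact this script installs as root — the MPTCP kernel and headers `.deb`, the shadowsocks and glorytun tarballs, `020-NOCRYPTO.patch`, the systemd unit, the network file and the shorewall tarballs — is fetched with `wget` over plain `http://` and never verified, so a compromised mirror or on-path tampering is installed unnoticed; fetch over `https://` and check each download against a pinned digest (`echo "<expected sha256>  /tmp/<file>" | sha256sum -c -`) before any `dpkg -i`, `patch` or `tar`. With `umask 0022`, `echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key` creates a world-readable key file; add `chmod 600 /etc/glorytun-tcp/tun0.key` (the glorytun unit runs as root, so root-only suffices), and restrict `/etc/shadowsocks-libev/config.json`, which also carries the key, to whatever user the packaged ss-server unit runs as. `for i in $NBCPU; do` iterates once over the CPU count instead of 1..NBCPU, so a 4-CPU host gets `config.json` plus only `config4.json`; `for i in $(seq 2 "$NBCPU"); do` gives one extra instance per additional CPU. `sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*` with an empty `INTERFACE` (no IPv4 default route at install time) erases every `eth0` from the firewall files, so guard it with `: "${INTERFACE:?no default-route interface detected}"` before `set -e`. The motd block is not idempotent: it greps for `OpenMPTCProuter VPS` but writes `< OpenMPCTProuter VPS 0.14 >` (MPCT), so each rerun appends another line — spell it `OpenMPTCProuter` in both the `sed` replacement and the `echo`.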
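Review bot: `. "$(readlink -f "$1")"` executes the instance file as shell code with root privileges, so the script's safety rests entirely on the ownership and mode of `/etc/glorytun-tcp/`; a comment such as `# the instance file is sourced as shell: keep it root-owned and not writable by others` would make that contract explicit. The usage message belongs on stderr, `echo "usage: $(basename "$0") FILE" >&2`, so it does not end up in whatever stdout is redirected to. `DEV` is always non-empty, so `${DEV:+dev "$DEV"}` is equivalent to plain `dev "$DEV"` and the conditional form only obscures that.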
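Review bot: `After=network-online.target` only orders the unit if something else pulls that target in; add `Wants=network-online.target` to `[Unit]` so the listener really starts after the network is up. The service runs as root with only `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` as a limit; `NoNewPrivileges=yes`, `ProtectSystem=full` and `PrivateTmp=yes` are cheap additions that the wrapper does not conflict with (it only reads `/etc/glorytun-tcp/%i` and its `.key`), though whether glorytun needs anything beyond those two capabilities to open `/dev/net/tun` I cannot confirm from this diff.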
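Review bot: `DNS=9.9.9.9` in `[DHCPServer]` is dead configuration while `EmitDNS=no` sits on the line above it; either drop the `DNS=` line or set `EmitDNS=yes` if clients are meant to receive that resolver. As I read the systemd.network semantics, `Address=0.0.0.0/24` asks networkd to allocate an unused /24 from its pool rather than a fixed prefix, yet `shorewall4/snat` hard-codes `SNAT(10.0.0.1)` and the commented DNAT rules in `shorewall4/rules` assume `vpn:10.0.0.2`; from this diff alone those only agree by accident, so either pin the prefix here (e.g. `Address=10.0.0.1/24`) or derive the shorewall values from the same source.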
@@ -0,0 +1,46 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 51200
+# max read buffer
+net.core.rmem_max = 134217728
+# max write buffer
+net.core.wmem_max = 134217728
+# default read buffer
+net.core.rmem_default = 65536
+# default write buffer
+net.core.wmem_default = 65536
+# max processor input queue
+net.core.netdev_max_backlog = 4096
+# max backlog
+net.core.somaxconn = 4096
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 2400
+# outbound port range
+net.ipv4.ip_local_port_range = 10000 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 10000
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 134217728
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 65536 134217728
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+
+# for low-latency network, use cubic instead
+net.ipv4.tcp_congestion_control = olia
+
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max=131072
diff --git a/shorewall4/conntrack b/shorewall4/conntrack
new file mode 100644
index 0000000..5fea6b9
--- /dev/null
+++ b/shorewall4/conntrack
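Review bot: The comment `# turn on path MTU discovery` contradicts its setting `net.ipv4.tcp_mtu_probing = 0`, which disables probing; use `1` (probe once an ICMP black hole is detected) or correct the comment. `net.ipv4.tcp_tw_recycle` was removed in Linux 4.12, so on the 4.14 MPTCP kernel the install script deploys `sysctl --system` will report an unknown key for that line; drop it. `fs.file-max = 51200` is the system-wide ceiling, yet debian9-x86_64.sh sets `DefaultLimitNOFILE=65536` per process, which can never be reached under this cap — raise `fs.file-max` above it. `net.netfilter.nf_conntrack_max` only exists once the nf_conntrack module is loaded, so whether it applies at boot depends on load order; if it does not, the value has to be applied after the firewall has loaded the module.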
@@ -0,0 +1,53 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda:PO - - udp 10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp:PO - - tcp 21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS:PO - - udp 1719
+CT:helper:Q.931:PO - - tcp 1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc:PO - - tcp 6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns:PO - - udp 137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp:PO - - tcp 1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane:PO - - tcp 6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip:PO - - udp 5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp:PO - - udp 161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp:PO - - udp 69
+?endif
+
+?endif
diff --git a/shorewall4/interfaces b/shorewall4/interfaces
new file mode 100644
index 0000000..e6771a9
--- /dev/null
+++ b/shorewall4/interfaces
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
+net eth0 dhcp,tcpflags,routefilter,nosmurfs,logmartians,sourceroute=0
+vpn gt-tun0 nosmurfs,routefilter,logmartians,tcpflags
+
diff --git a/shorewall4/params b/shorewall4/params
new file mode 100644
index 0000000..0c50d58
--- /dev/null
+++ b/shorewall4/params
@@ -0,0 +1,24 @@
+#
+# Shorewall -- /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 routefilter,norfc1918
+#
+###############################################################################
diff --git a/shorewall4/policy b/shorewall4/policy
new file mode 100644
index 0000000..7d12fd2
--- /dev/null
+++ b/shorewall4/policy
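Review bot: The `dhcp` option on `net eth0` admits DHCP traffic (UDP 67/68) on the Internet-facing interface, which is only warranted when the provider assigns the VPS address by DHCP; on a statically addressed VPS drop it from the option list (the same option is on the `net` line of `shorewall6/interfaces`). `eth0` here is a placeholder that `debian9-x86_64.sh` rewrites with the detected default-route interface; a comment such as `# eth0 is replaced by the default-route interface at install time` would stop the next reader from treating it as literal.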
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+
+vpn net ACCEPT
+vpn fw ACCEPT
+fw vpn ACCEPT
+fw net ACCEPT
+net all DROP info
+# THE FOLLOWING POLICY MUST BE LAST
+all all REJECT info
+
diff --git a/shorewall4/rules b/shorewall4/rules
new file mode 100644
index 0000000..cd492ef
--- /dev/null
+++ b/shorewall4/rules
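Review bot: `net all DROP info` logs every dropped packet from the Internet at `info` with no rate limit, and the `shorewall.conf` added in this same commit leaves `LOGLIMIT=` empty, so a scan or flood against the VPS turns directly into syslog volume; set a limit either in the LIMIT:BURST column of this line or globally through `LOGLIMIT=` (syntax in `man shorewall.conf`). The same applies to `shorewall6/policy`. `vpn fw ACCEPT` grants VPN clients every service on the firewall; if that is intended because the router is the single trusted peer, a comment saying so would help, otherwise replace it with `vpn fw DROP info` and list the needed services in `rules`.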
@@ -0,0 +1,61 @@
+#
+# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+# PORT PORT(S) DEST LIMIT GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all tcp
+#
+# Accept DNS connections from the firewall to the network
+#
+DNS(ACCEPT) $FW net
+#
+# Allow Ping from/to the VPN
+#
+Ping(ACCEPT) vpn $FW
+Ping(ACCEPT) $FW vpn
+#
+# Allow Ping from the firewall to the network
+#
+Ping(ACCEPT) $FW net
+#
+# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
+#
+#Ping(DROP) net $FW
+Ping(ACCEPT) net $FW
+#
+# Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
+#
+ACCEPT net $FW tcp 65000-65535
+ACCEPT net $FW udp 65000-65535
+#
+# Accept connection from SSH to the firewall
+#
+ACCEPT net $FW tcp 65222
+#
+# DHCP forward to the VPN from the firewall
+#
+DHCPfwd(ACCEPT) $FW vpn
+#
+# Redirect all port from 1 to 64999 to the VPN client from the network
+#
+#DNAT net vpn:10.0.0.2 tcp 1-64999
+#DNAT net vpn:10.0.0.2 udp 1-64999
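Review bot: `ACCEPT net $FW tcp 65000-65535` and the matching `udp` line open 536 ports to the Internet although the services the comment names listen on two of them (shadowsocks on 65101 per `config.json`, glorytun on 65001 per the install script's summary); the dedicated `ACCEPT net $FW tcp 65222` line for SSH is even redundant because 65222 falls inside that range. Narrow them to `ACCEPT net $FW tcp 65001,65101` and `ACCEPT net $FW udp 65101`, keeping the SSH line as the one explicit exception, and widen again only if a further instance really gets its own port. `shorewall6/rules` carries the same two range lines.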
diff --git a/shorewall4/shorewall.conf b/shorewall4/shorewall.conf
new file mode 100644
index 0000000..670da69
--- /dev/null
+++ b/shorewall4/shorewall.conf
@@ -0,0 +1,295 @@
+###############################################################################
+#
+# Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# P A G E R
+###############################################################################
+
+PAGER=
+
+###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_MARTIANS=Yes
+
+LOG_VERBOSITY=2
+
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+ARPTABLES=
+
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IPTABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
+PERL=/usr/bin/perl
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+TC=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+ADMINISABSENTMINDED=Yes
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BASIC_FILTERS=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DISABLE_IPV6=No
+
+DOCKER=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+HELPERS=
+
+IGNOREUNKNOWNVARIABLES=No
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=No
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MINIUPNPD=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=0
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+RESTORE_ROUTEMARKS=Yes
+
+RETAIN_ALIASES=No
+
+ROUTE_FILTER=Yes
+
+SAVE_ARPTABLES=No
+
+SAVE_IPSETS=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=No
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+VERBOSE_MESSAGES=Yes
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZERO_MARKS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
diff --git a/shorewall4/snat b/shorewall4/snat
new file mode 100644
index 0000000..4c54bc8
--- /dev/null
+++ b/shorewall4/snat
@@ -0,0 +1,23 @@
+#
+# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
+# Copyright (C) 2006-2016 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
+#
+MASQUERADE 10.0.0.0/8,\
+ 169.254.0.0/16,\
+ 172.16.0.0/12,\
+ 192.168.0.0/16 eth0
+# SNAT from VPN server for all VPN clients
+SNAT(10.0.0.1) 0.0.0.0/0 gt-tun0
\ No newline at end of file
diff --git a/shorewall4/stoppedrules b/shorewall4/stoppedrules
new file mode 100644
index 0000000..cc75ac4
--- /dev/null
+++ b/shorewall4/stoppedrules
@@ -0,0 +1,18 @@
+#
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE
+# PORT(S) PORT(S)
+ACCEPT gt-tun0 -
+ACCEPT - gt-tun0
+
diff --git a/shorewall4/zones b/shorewall4/zones
new file mode 100644
index 0000000..62fff26
--- /dev/null
+++ b/shorewall4/zones
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv4
+vpn ipv4
+
diff --git a/shorewall6/conntrack b/shorewall6/conntrack
new file mode 100644
index 0000000..7e67ea2
--- /dev/null
+++ b/shorewall6/conntrack
@@ -0,0 +1,53 @@
+#
+# Shorewall6 -- /etc/shorewall6/conntrack
+#
+# For information about entries in this file, type "man shorewall6-conntrack"
+#
+?FORMAT 3
+##############################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda:PO - - udp 10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp:PO - - tcp 21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS:PO - - udp 1719
+CT:helper:Q.931:PO - - tcp 1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc:PO - - tcp 6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns:PO - - udp 137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp:PO - - tcp 1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane:PO - - tcp 6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip:PO - - udp 5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp:PO - - udp 161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp:PO - - udp 69
+?endif
+
+?endif
diff --git a/shorewall6/interfaces b/shorewall6/interfaces
new file mode 100644
index 0000000..4db72ad
--- /dev/null
+++ b/shorewall6/interfaces
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
+net eth0 dhcp,tcpflags,nosmurfs,sourceroute=0
+vpn gt-tun0 nosmurfs,tcpflags
+
diff --git a/shorewall6/params b/shorewall6/params
new file mode 100644
index 0000000..cf40b53
--- /dev/null
+++ b/shorewall6/params
@@ -0,0 +1,23 @@
+#
+# Shorewall6 -- /etc/shorewall6/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall6 programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_OPTIONS=dhcp,nosmurfs
+#
+# Example (/etc/shorewall6/interfaces record):
+#
+# net $NET_IF - $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 - dhcp,nosmurfs
+#
+###############################################################################
diff --git a/shorewall6/policy b/shorewall6/policy
new file mode 100644
index 0000000..4743cf4
--- /dev/null
+++ b/shorewall6/policy
@@ -0,0 +1,23 @@
+#
+# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+
+vpn net ACCEPT
+vpn fw ACCEPT
+fw vpn ACCEPT
+fw net ACCEPT
+net all DROP info
+# THE FOLLOWING POLICY MUST BE LAST
+all all REJECT info
+
diff --git a/shorewall6/rules b/shorewall6/rules
new file mode 100644
index 0000000..5cd35d7
--- /dev/null
+++ b/shorewall6/rules
@@ -0,0 +1,60 @@
+#
+# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+# PORT PORT(S) DEST LIMIT GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+# Don't allow connection pickup from the net
+#
+Invalid(DROP) net all tcp
+#
+# Accept DNS connections from the firewall to the network
+#
+DNS(ACCEPT) $FW net
+#
+# Allow Ping from/to the VPN
+#
+Ping(ACCEPT) vpn $FW
+Ping(ACCEPT) $FW vpn
+#
+# Allow Ping from the firewall to the network
+#
+Ping(ACCEPT) $FW net
+#
+# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
+#
+#Ping(DROP) net $FW
+Ping(ACCEPT) net $FW
+#
+# Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
+#
+ACCEPT net $FW tcp 65000-65535
+ACCEPT net $FW udp 65000-65535
+#
+# Accept connection from SSH to the firewall
+#
+ACCEPT net $FW tcp 65222
+#
+# DHCP forward to the VPN from the firewall
+#
+DHCPfwd(ACCEPT) $FW vpn
+#
+# Redirect all port from 1 to 64999 to the VPN client from the network
+#
+#DNAT net vpn:10.0.0.2 tcp 1-64999
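Review bot: `ACCEPT net $FW tcp 65000-65535` and its UDP twin expose 536 ports to the Internet to reach two listeners — glorytun on the single `PORT=65001` from tun0.glorytun and shadowsocks on its one configured port — so any daemon that later binds anywhere in that range is reachable by default; the installer knows the real ports and should emit them, e.g. `ACCEPT net $FW tcp 65001` plus one `tcp,udp` rule for the shadowsocks port. SSH on 65222 is accepted from `net` with no rate limit and no fail2ban in this commit; filling the RATE LIMIT column, `ACCEPT net $FW tcp 65222 - - s:3/min:5`, keeps password brute-forcing cheap to absorb. `DHCPfwd(ACCEPT) $FW vpn` on a point-to-point tunnel is unexplained; a one-line comment on why DHCP forwarding is needed there (or its removal) would help the next maintainer.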
diff --git a/shorewall6/shorewall6.conf b/shorewall6/shorewall6.conf
new file mode 100644
index 0000000..3c18dc3
--- /dev/null
+++ b/shorewall6/shorewall6.conf
@@ -0,0 +1,268 @@
+###############################################################################
+#
+# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# Manpage also online at
+# http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# P A G E R
+###############################################################################
+
+PAGER=
+
+###############################################################################
+# F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_VERBOSITY=2
+
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGLIMIT=
+
+LOGTAGONLY=No
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IP6TABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PERL=/usr/bin/perl
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+TC=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BASIC_FILTERS=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=No
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=Yes
+
+HELPERS=
+
+IGNOREUNKNOWNVARIABLES=No
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=No
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_ROUTEMARKS=Yes
+
+SAVE_IPSETS=No
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=No
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+VERBOSE_MESSAGES=Yes
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZERO_MARKS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+SFILTER_DISPOSITION=DROP
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
diff --git a/shorewall6/stoppedrules b/shorewall6/stoppedrules
new file mode 100644
index 0000000..cc75ac4
--- /dev/null
+++ b/shorewall6/stoppedrules
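Review bot: `INVALID_DISPOSITION=CONTINUE` (and `UNTRACKED_DISPOSITION=CONTINUE`) lets conntrack-INVALID packets fall through to the per-zone rules, where the only catch in the rules file of this commit is `Invalid(DROP) net all tcp`; an INVALID non-TCP packet that happens to match an ACCEPT rule (the wide UDP range from `net`, for example) is therefore accepted rather than discarded, so `INVALID_DISPOSITION=DROP` with `INVALID_LOG_LEVEL=info` is the safer choice for a host exposing only a few listeners. `LOGLIMIT=` is empty while the policy file logs every `net` drop at `info`, making syslog volume attacker-controlled; `LOGLIMIT="10/min:20"` bounds it. The remaining values are the upstream Shorewall 5 sample defaults, which is reasonable, but `LOGFILE=/var/log/messages` assumes a syslog daemon writes that file on the target, which the install script should verify rather than assume.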
@@ -0,0 +1,18 @@
+#
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE
+# PORT(S) PORT(S)
+ACCEPT gt-tun0 -
+ACCEPT - gt-tun0
+
diff --git a/shorewall6/zones b/shorewall6/zones
new file mode 100644
index 0000000..b103bc4
--- /dev/null
+++ b/shorewall6/zones
@@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv6
+vpn ipv6
+
diff --git a/tun0.glorytun b/tun0.glorytun
new file mode 100644
index 0000000..cdd4501
--- /dev/null
+++ b/tun0.glorytun
@@ -0,0 +1,5 @@
+PORT=65001
+DEV=tun0
+SERVER=true
+MPTCP=true
+OPTIONS="chacha20 multiqueue keepalive"
\ No newline at end of file
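Review bot: The two `gt-tun0` entries keep the tunnel fully open in both directions while shorewall6 is stopped, but nothing keeps the management path open: SSH on 65222 is accepted only in the rules file, so a `shorewall6 stop`, or a failed restart that lands in the stopped state, on a remote VPS locks the administrator out unless an already-established session survives. Add `ACCEPT eth0 - tcp 65222` here (using the same interface variable the interfaces file ends up with), or document that `shorewall6 clear` is the intended escape hatch. The tunnel name is duplicated from the interfaces file and disagrees with `DEV=tun0` in tun0.glorytun; if the run wrapper does not add the `gt-` prefix, this file accepts nothing at all.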
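Review bot: Nothing in this file says who consumes it or where the tunnel's shared key comes from: `PORT`, `DEV`, `SERVER`, `MPTCP` and `OPTIONS` are plain `name=value` pairs with no key setting, so the key must be supplied by the run wrapper added in the same commit, which is outside this hunk. A header comment would make the contract explicit, e.g. `# Sourced by the glorytun-tcp wrapper; the key is supplied by the wrapper and its file must stay root-only (0600)`, adjusted to what the wrapper actually does. `OPTIONS` is presumably word-split into glorytun arguments by that wrapper, which is worth stating too, since values containing spaces would silently become separate options. The file also lacks a trailing newline, which shell sourcing tolerates but linters and some `EnvironmentFile` parsers flag.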