check iptables chain policy is drop

pull/22/head
binhex 5 years ago
parent f38d93ff60
commit 6bef741324

@ -153,6 +153,9 @@ if [[ $VPN_ENABLED == "yes" ]]; then
# force removal of mac os resource fork files in ovpn folder
rm -rf /config/openvpn/._*.ovpn
# remove temporary file from previous run, used to confirm all iptables chain policies are set to drop
rm -f /tmp/checkiptables || true
# wildcard search for openvpn config files (match on first result)
export VPN_CONFIG=$(find /config/openvpn -maxdepth 1 -name "*.ovpn" -print -quit)
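Review bot: The `|| true` on the added `rm -f /tmp/checkiptables` makes the cleanup fail open: `rm -f` already succeeds when the file is absent, so `|| true` only hides a real failure to delete, which leaves the previous run's snapshot in place. If the check script (not shown here) reads that file, it could pass on stale rules before this run's chain policies are applied. I would drop the `|| true` and stop startup instead, assuming this script is executed rather than sourced: `rm -f /tmp/checkiptables || { echo "[crit] unable to remove stale /tmp/checkiptables" >&2; exit 1; }`. The enclosing `if [[ $VPN_ENABLED == "yes" ]]` block starts and ends outside the hunk.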

@ -44,6 +44,9 @@ while true; do
# forcibly set allow anonymous access from localhost to api (used to change incoming port)
sed -i 's~^WebUI\\LocalHostAuth=.*~WebUI\\LocalHostAuth=false~g' "${qbittorrent_config}"
# run script to check iptables chain policy is in place (will block until configured)
source /home/nobody/checkiptables.sh
# run script to check ip is valid for tunnel device (will block until valid)
source /home/nobody/getvpnip.sh
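Review bot: The added `source /home/nobody/checkiptables.sh` presumably gates the application on the snapshot in `/tmp/checkiptables` rather than on the live ruleset (the script is not shown), and that limit is not documented here. If so, a chain policy changed after startup would still pass on every later iteration of the `while true` loop, and the comment above the call should say it: `# checks the iptables snapshot written at startup, not the live rules (will block until configured)`. Because the script is sourced, any variable it sets and any `exit` it runs act on this watchdog shell, so it is worth confirming that its names do not clash with the loop's own. The loop body continues outside the hunk.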

@ -179,7 +179,7 @@ iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT
echo "[info] iptables defined as follows..."
echo "--------------------"
iptables -S
iptables -S 2>&1 | tee /tmp/checkiptables
echo "--------------------"
# change iptable 'tcp' to openvpn config compatible 'tcp-client' (this file is sourced)
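Review bot: The added `iptables -S 2>&1 | tee /tmp/checkiptables` writes the file the kill-switch check depends on under a fixed, predictable name in `/tmp`, where other processes in the container can usually create files, and `tee` writes through whatever already exists at that path. Writing it atomically into a directory only root can write to (still readable by the checking user) removes that dependency: `iptables -S > <root-owned-dir>/checkiptables.tmp && mv <root-owned-dir>/checkiptables.tmp <root-owned-dir>/checkiptables` (placeholder path), with a separate `iptables -S` kept for the log output. The pipeline's exit status is that of `tee`, so a failing `iptables -S` goes unnoticed unless `pipefail` is set, and `2>&1` puts its error text into the file the checker parses.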
