From 6bef741324752403be3f8750e154f356537bd5aa Mon Sep 17 00:00:00 2001 From: binhex Date: Mon, 17 Jun 2019 21:43:06 +0100 Subject: [PATCH] check iptables chain policy is drop --- build/root/install.sh | 3 +++ run/nobody/watchdog.sh | 3 +++ run/root/iptable.sh | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/build/root/install.sh b/build/root/install.sh index 2fc5156..62d12d8 100644 --- a/build/root/install.sh +++ b/build/root/install.sh @@ -153,6 +153,9 @@ if [[ $VPN_ENABLED == "yes" ]]; then # force removal of mac os resource fork files in ovpn folder rm -rf /config/openvpn/._*.ovpn + # remove temporary file from previous run, used to confirm all iptables chain policies are set to drop + rm -f /tmp/checkiptables || true + # wildcard search for openvpn config files (match on first result) export VPN_CONFIG=$(find /config/openvpn -maxdepth 1 -name "*.ovpn" -print -quit) diff --git a/run/nobody/watchdog.sh b/run/nobody/watchdog.sh index 136cd61..5185fae 100644 --- a/run/nobody/watchdog.sh +++ b/run/nobody/watchdog.sh @@ -44,6 +44,9 @@ while true; do # forcibly set allow anonymous access from localhost to api (used to change incoming port) sed -i 's~^WebUI\\LocalHostAuth=.*~WebUI\\LocalHostAuth=false~g' "${qbittorrent_config}" + # run script to check iptables chain policy is in place (will block until configured) + source /home/nobody/checkiptables.sh + # run script to check ip is valid for tunnel device (will block until valid) source /home/nobody/getvpnip.sh diff --git a/run/root/iptable.sh b/run/root/iptable.sh index fb793ea..c398f71 100644 --- a/run/root/iptable.sh +++ b/run/root/iptable.sh @@ -179,7 +179,7 @@ iptables -A OUTPUT -o "${VPN_DEVICE_TYPE}" -j ACCEPT echo "[info] iptables defined as follows..." echo "--------------------" -iptables -S +iptables -S 2>&1 | tee /tmp/checkiptables echo "--------------------" # change iptable 'tcp' to openvpn config compatible 'tcp-client' (this file is sourced)
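Review bot: `rm -f /tmp/checkiptables || true` in the install.sh hunk is redundant and slightly harmful — `rm -f` already exits 0 when the file is absent, so the `|| true` only hides a real failure such as the path being a directory, which would later break the `tee` into it in iptable.sh. The removal also does not close the race that matters on a world-writable /tmp: a process running as nobody can recreate `/tmp/checkiptables` (or a symlink there) between this line and root's write at startup, so the safer change is to keep the sentinel in a root-owned location (for example under /run) and drop this cleanup, or at minimum write it as `rm -f /tmp/checkiptables`. The surrounding `export VPN_CONFIG=$(find /config/openvpn ...)` reads the mounted config volume, which suggests this block is runtime init code rather than build-time, but that is not visible from the hunk; if it does run only at image build, the line is a no-op because /tmp is empty then.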
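Review bot: `/home/nobody/checkiptables.sh` is sourced in the watchdog.sh hunk but is not part of this commit (the diffstat lists only three files), so unless it already exists in the tree the `source` fails and, depending on whether the watchdog runs under `set -e`, the loop either dies or falls through to getvpnip.sh and the port-forwarding logic with no policy check at all. Guard it so a missing helper is an explicit failure rather than a silent skip: `[[ -f /home/nobody/checkiptables.sh ]] || { echo "[crit] checkiptables.sh missing, cannot verify iptables policy" >&2; exit 1; }`. Even when present, the check presumably inspects only the snapshot root wrote at startup (the nobody user cannot run `iptables -S` itself), not the live ruleset, which is worth stating at the call site: `# NOTE: validates the iptables snapshot written by /root/iptable.sh at startup, not the live ruleset`. The enclosing `while true` loop starts before and continues past this hunk.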
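Review bot: `iptables -S 2>&1 | tee /tmp/checkiptables` in the iptable.sh hunk has root write a fixed, predictable path in the world-writable /tmp; tee follows symlinks and truncates, so any process running as nobody inside the container can pre-create `/tmp/checkiptables` as a symlink and have root clobber an arbitrary file, or pre-seed the content a later check trusts. Write the snapshot under a root-owned directory that nobody can read but not replace, e.g. `install -d -m 0755 /run/checkiptables` followed by `iptables -S 2>&1 | tee /run/checkiptables/rules`, and point the nobody-side reader and the install.sh cleanup at the same path. Merging stderr into the file also means that if iptables itself fails (for example without CAP_NET_ADMIN) the sentinel holds an error message instead of rules, and the pipeline's exit status is tee's, not iptables'; check `"${PIPESTATUS[0]}"` after the pipeline and log a `[crit]` on failure so the checker is never handed an error-only snapshot. Keeping `tee` is fine since the surrounding `echo` lines rely on the rules still appearing in the log.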