Initial commit.

csf/disabled/csfpre.sh

@@ -0,0 +1,25 @@
+# accept pptp traffic
+iptables -A INPUT -i eth0 -p gre -j ACCEPT
+iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+iptables -A INPUT -i eth0 -p 51 -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -j DROP
+
+#iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
+iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
+iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+
+# Uncomment to DROP traffic between VPN clients themselves
+# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
+iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 192.168.1.2
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source 192.168.1.2
+
+###
+iptables -A OUTPUT -p gre -j ACCEPT
+iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
+iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE