chtzvt · September 26, 2022 16:00
diff --git a/iptables_rules.sh b/iptables_rules.sh
 SYSTEM_LAN_IFACE="eth0"
 VPN_CLIENT_IFACE="tun0"
 DEST_IP="10.173.204.63"
 FWDED_PORT="22"
 SOURCE_NET_WHITELIST="10.0.2.0/24,10.0.3.0/24"

 get_iface_ip() {
    IP=`ip addr show $1 | grep -o "inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
    if [[ $? -ne 0 ]];
    then
        echo "nil"
    else
        echo $IP
    fi
 }

 if [[ "$1" == "up" || "$1" == "down" ]];
 then
    echo "Flushing iptables..."
    # Flush iptables rules prior to applying up rules or when bringing fwd down
    iptables -t nat -F
    iptables -F
 else
   echo "No action specified: $0 [up down]"
   exit
 fi

 if [[ "$1" == "up" ]];
 then
    echo "Enabling IP forwarding..."
    sysctl -w net.ipv4.ip_forward=1

    SYSTEM_LAN_IP=$(get_iface_ip $SYSTEM_LAN_IFACE)
    VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)

    TRIES=1
    MAXTRIES=5
    while [[ $VPN_CLIENT_IP == "nil" && $TRIES -lt $(($MAXTRIES + 1)) ]];
    do
        echo "$VPN_CLIENT_IFACE IP unassigned, sleeping 5s before retrying (attempt $TRIES of $MAXTRIES)..."
        VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)
        TRIES=$((TRIES+1))
        sleep 5
    done

    if [[ $VPN_CLIENT_IP == "nil" || $SYSTEM_LAN_IP == "nil" ]];
    then
        echo "FAILED to get required IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
        exit 1
    else
        echo "Determined IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
    fi

    echo "Allowing incoming traffic on $SYSTEM_LAN_IP:$FWDED_PORT from $SOURCE_NET_WHITELIST..."
    iptables -t filter -A INPUT -s $SOURCE_NET_WHITELIST -p tcp --dport $FWDED_PORT -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport $FWDED_PORT -j REJECT

    echo "Enabling NAT rules ($SYSTEM_LAN_IP:$FWDED_PORT snat-> $VPN_CLIENT_IP:$FWDED_PORT dnat-> $DEST_IP:$FWDED_PORT)"
    iptables -t nat -A PREROUTING -d $SYSTEM_LAN_IP -p tcp --dport $FWDED_PORT -j DNAT --to-dest $DEST_IP:$FWDED_PORT
    iptables -t nat -A POSTROUTING -d $DEST_IP -p tcp --dport $FWDED_PORT -j SNAT --to-source $VPN_CLIENT_IP
 elif [[ "$1" == "down" ]];
 then
    echo "Disabling IP forwarding..."
    sysctl -w net.ipv4.ip_forward=0
 fi
diff --git a/ucf-vpn.env b/ucf-vpn.env
 server="ucfvpn-1.vpn.ucf.edu"
 user=""
 password=""
 group='UCF Students'
diff --git a/ucf-vpn.service b/ucf-vpn.service
 [Unit]
 Description=UCF OpenConnect VPN
 Wants=network.target
 Before=network.target

 [Service]
 Type=forking
 RemainAfterExit=no
 PIDFile=/var/run/ucf-vpn.pid
 Restart=on-failure
 RestartSec=5s
 KillSignal=SIGINT
 EnvironmentFile=/etc/default/ucf-vpn.env
 ExecStart=/bin/bash -c "echo -e \"$group\n$password\" | /usr/sbin/openconnect -u $user -b --pid-file=/var/run/ucf-vpn.pid $server"
 ExecStartPre=-/sbin/ip route add 10.0.3.0/24 via 10.0.2.1
 ExecStartPost=/bin/bash /root/iptables_rules.sh up

 ExecStopPre=-/bin/bash /root/iptables_rules.sh down

 [Install]
 WantedBy=multi-user.target
	SYSTEM_LAN_IFACE="eth0"
	VPN_CLIENT_IFACE="tun0"
	DEST_IP="10.173.204.63"
	FWDED_PORT="22"
	SOURCE_NET_WHITELIST="10.0.2.0/24,10.0.3.0/24"

	get_iface_ip() {
	IP=`ip addr show $1 \| grep -o "inet [0-9]\.[0-9]\.[0-9]\.[0-9]" \| grep -o "[0-9]\.[0-9]\.[0-9]\.[0-9]"`
	if [[ $? -ne 0 ]];
	then
	echo "nil"
	else
	echo $IP
	fi
	}

	if [[ "$1" == "up" \|\| "$1" == "down" ]];
	then
	echo "Flushing iptables..."
	# Flush iptables rules prior to applying up rules or when bringing fwd down
	iptables -t nat -F
	iptables -F
	else
	echo "No action specified: $0 [up down]"
	exit
	fi

	if [[ "$1" == "up" ]];
	then
	echo "Enabling IP forwarding..."
	sysctl -w net.ipv4.ip_forward=1

	SYSTEM_LAN_IP=$(get_iface_ip $SYSTEM_LAN_IFACE)
	VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)

	TRIES=1
	MAXTRIES=5
	while [[ $VPN_CLIENT_IP == "nil" && $TRIES -lt $(($MAXTRIES + 1)) ]];
	do
	echo "$VPN_CLIENT_IFACE IP unassigned, sleeping 5s before retrying (attempt $TRIES of $MAXTRIES)..."
	VPN_CLIENT_IP=$(get_iface_ip $VPN_CLIENT_IFACE)
	TRIES=$((TRIES+1))
	sleep 5
	done

	if [[ $VPN_CLIENT_IP == "nil" \|\| $SYSTEM_LAN_IP == "nil" ]];
	then
	echo "FAILED to get required IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
	exit 1
	else
	echo "Determined IPs: system[$SYSTEM_LAN_IP] vpn[$VPN_CLIENT_IP]"
	fi

	echo "Allowing incoming traffic on $SYSTEM_LAN_IP:$FWDED_PORT from $SOURCE_NET_WHITELIST..."
	iptables -t filter -A INPUT -s $SOURCE_NET_WHITELIST -p tcp --dport $FWDED_PORT -j ACCEPT
	iptables -t filter -A INPUT -p tcp --dport $FWDED_PORT -j REJECT

	echo "Enabling NAT rules ($SYSTEM_LAN_IP:$FWDED_PORT snat-> $VPN_CLIENT_IP:$FWDED_PORT dnat-> $DEST_IP:$FWDED_PORT)"
	iptables -t nat -A PREROUTING -d $SYSTEM_LAN_IP -p tcp --dport $FWDED_PORT -j DNAT --to-dest $DEST_IP:$FWDED_PORT
	iptables -t nat -A POSTROUTING -d $DEST_IP -p tcp --dport $FWDED_PORT -j SNAT --to-source $VPN_CLIENT_IP
	elif [[ "$1" == "down" ]];
	then
	echo "Disabling IP forwarding..."
	sysctl -w net.ipv4.ip_forward=0
	fi
	server="ucfvpn-1.vpn.ucf.edu"
	user=""
	password=""
	group='UCF Students'
	[Unit]
	Description=UCF OpenConnect VPN
	Wants=network.target
	Before=network.target

	[Service]
	Type=forking
	RemainAfterExit=no
	PIDFile=/var/run/ucf-vpn.pid
	Restart=on-failure
	RestartSec=5s
	KillSignal=SIGINT
	EnvironmentFile=/etc/default/ucf-vpn.env
	ExecStart=/bin/bash -c "echo -e \"$group\n$password\" \| /usr/sbin/openconnect -u $user -b --pid-file=/var/run/ucf-vpn.pid $server"
	ExecStartPre=-/sbin/ip route add 10.0.3.0/24 via 10.0.2.1
	ExecStartPost=/bin/bash /root/iptables_rules.sh up

	ExecStopPre=-/bin/bash /root/iptables_rules.sh down

	[Install]
	WantedBy=multi-user.target