Skip to content

Instantly share code, notes, and snippets.

@pagxir

pagxir/ifup-tun0-old.sh

Last active September 23, 2017 04:02
Show Gist options
  • Save pagxir/23bbd13aef090d269f2e6dd8371f44ec to your computer and use it in GitHub Desktop.
Save pagxir/23bbd13aef090d269f2e6dd8371f44ec to your computer and use it in GitHub Desktop.
Download ZIP
toy to vpn client startup config script
Raw
ifup-tun0-old.sh
#!/bin/bash
PATH=${PATH}:/sbin:/usr/sbin
ip6tables -F FORWARD
iptables -t raw -F PREROUTING
#iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -F OUTPUT
#iptables -t raw -A OUTPUT -j NOTRACK
iptables -t mangle -N TOYVPN
iptables -t mangle -F TOYVPN
iptables -t mangle -A TOYVPN -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A TOYVPN -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A TOYVPN -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A TOYVPN -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A TOYVPN -d 240.0.0.0/4 -j RETURN
#iptables -t mangle -A TOYVPN -p udp -j MARK --set-mark 0x30
#iptables -t mangle -A TOYVPN -p udp -m owner --uid-owner 0 -j MARK --set-mark 0x0
iptables -t mangle -A TOYVPN -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A TOYVPN -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A TOYVPN -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A TOYVPN -p tcp -j MARK --set-mark 0x30
iptables -t mangle -N TOYOUT
iptables -t mangle -F TOYOUT
iptables -A TOYOUT -t mangle -m state --state NEW -j CONNMARK --set-mark 0x30
iptables -A TOYOUT -t mangle -m state --state ESTABLISHED,RELATED -m connmark ! --mark 0x30 -j RETURN
iptables -A TOYOUT -t mangle -j TOYVPN
iptables -F OUTPUT -t mangle
#iptables -A OUTPUT -t mangle -p tcp -d 192.157.226.149 -j TOYOUT
#iptables -A OUTPUT -t mangle -m owner --uid-owner 1001 -j TOYOUT
iptables -A OUTPUT -t mangle -p tcp --dport 443 -j TOYVPN
#iptables -A OUTPUT -t mangle -p tcp --dport 80 -j TOYVPN
iptables -F POSTROUTING -t nat
#iptables -A POSTROUTING -t nat -o tun0 -j SNAT --to 10.3.0.1
#iptables -A PREROUTING -t mangle -p tcp -j TOYVPN
#iptables -A PREROUTING -t mangle -p udp --dport 53 -j TOYVPN
tun_dev="tun0";
#phy_dev="usb0";
phy_dev=$(ip -4 addr|sed -n '/eth[0-9]$/s/.*global //p');
phy_addr=$(ip -4 addr|sed -n "/eth[0-9]$/s/.*inet \([0-9.]*\)[ /].*/\1/p")
#tc qdisc add dev ${phy_dev} root handle 10: htb
#tc filter add dev ${phy_dev} parent 10: protocol ip prio 10 u32 match ip dst 172.25.1.51/32 action nat egress ${phy_addr}/32 172.25.1.52
#toyclient -s ./ifup-tun0.sh -t tun0 -r $(ip -4 addr|sed -n "/eth[0-9]$/s/.*inet \([0-9.]*\)[ /].*/\1/p") 172.25.1.51:3389
if ! [ X$1 = X"" ]; then
tun_dev=$1;
fi;
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv4.conf.all.rp_filter=0;
sysctl -w net.ipv4.conf.${tun_dev}.rp_filter=0;
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.default.forwarding=1
ip -4 addr add 10.3.0.1/24 dev ${tun_dev}
#ip -6 addr add 2001:c0a8:2b01::1/64 dev ${tun_dev}
#ip -6 route add default dev ${tun_dev} metric 256 proto static
ip link set dev ${tun_dev} mtu 1500 up
ip route flush table 30
#ip route add 10.3.0.0/24 dev ${tun_dev} table 30
ip route add 10.3.0.0/24 dev ${tun_dev} proto kernel scope link src 10.3.0.1
ip route add default dev ${tun_dev} src 10.3.0.1 table 30
#ip route add default dev ${tun_dev} table 30
#ip -6 addr add 2001:c0a8:2b01::1/64 dev ${tun_dev}
ip route add 1.0.0.0/24 dev ${tun_dev}
ip rule del fwmark 0x30 table 30 pref 999
ip rule add fwmark 0x30 table 30 pref 999
ip rule del from 10.3.0.1 table 30 pref 999
ip rule add from 10.3.0.1 table 30 pref 999
Raw
ifup-tun0.sh
#!/bin/sh
tun_dev=tun0
ip address add 10.24.0.1/24 dev ${tun_dev}
ip link set dev ${tun_dev} up
ip -6 addr add 2001:c0a8:2b01:cfcc::1/64 dev ${tun_dev}
ip -6 route add default dev ${tun_dev} metric 256 proto static
ip route flush table 30
ip route show|grep -v -e wwan0 -e tun|sed 's/dev/table 30 dev/g' |tr '\n' '\0'|xargs -n 1 -0 -r echo ip route add|sh
ip route add default dev ${tun_dev} table 30
ip rule del fwmark 0x2010 pref 2010 goto 32766
ip rule add fwmark 0x2010 pref 2010 goto 32766
ip rule del fwmark 0x2010 pref 2011 lookup 66
ip rule add fwmark 0x2010 pref 2011 lookup 66
ip rule del lookup 30 pref 2030
ip rule add lookup 30 pref 2030
iptables -t raw -N delegate_notrack && iptables -t raw -A PREROUTING -j delegate_notrack
iptables -t raw -F delegate_notrack
iptables -t raw -A delegate_notrack -p udp --dport 138 -j RETURN
iptables -t raw -A delegate_notrack -p icmp -j RETURN
iptables -t raw -A delegate_notrack -i ${tun_dev} -d 192.168.8.0/24 -j RETURN
iptables -t raw -A delegate_notrack -i ${tun_dev} -d 192.168.0.0/16 -j CT --notrack
iptables -t raw -A delegate_notrack -i br-lan -d 192.168.0.0/16 -j RETURN
iptables -t raw -A delegate_notrack -i br-lan -j CT --notrack
iptables -t mangle -N VPNTAG
iptables -t mangle -F VPNTAG
iptables -t mangle -A VPNTAG -d 8.8.0.0/16 -j RETURN
iptables -t mangle -A VPNTAG -p icmp -j MARK --set-mark 0x2010
iptables -t mangle -A VPNTAG -p udp --dport 53 -j MARK --set-mark 0x2010
iptables -t mangle -A VPNTAG -p udp --dport 138 -j MARK --set-mark 0x2010
iptables -t mangle -A VPNTAG -d 1.1.1.1 -j MARK --set-mark 0x2010
iptables -t mangle -A VPNTAG -d 192.168.0.0/16 -j MARK --set-mark 0x2010
iptables -D OUTPUT -t mangle -j VPNTAG
iptables -A OUTPUT -t mangle -j VPNTAG
iptables -D PREROUTING -t mangle -i br-lan -j VPNTAG
iptables -A PREROUTING -t mangle -i br-lan -j VPNTAG
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment