iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
+ # Block unauthorized WireGuard traffic
+ ipatbles -N WGBLOCK
+ iptables -A INPUT -i wg+ -j WGBLOCK
+ iptables -A FORWARD -i wg+ -j WGBLOCK
+
# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
iptables -A INPUT -i tun+ -j OVPNBLOCK
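Review bot: The new chain is never created because the command on the `ipatbles -N WGBLOCK` line is misspelled, so `-N` fails with "command not found" and the two following `-j WGBLOCK` rules are rejected by iptables since the target chain does not exist. The practical effect is that WireGuard traffic arriving on `wg+` is not filtered by this block at all, and unless the surrounding script aborts on error this fails open silently. Change the line to `iptables -N WGBLOCK`, matching the `iptables -N OVPNBLOCK` line below it. It would also be worth confirming that whatever function later appends to WGBLOCK can tolerate the chain already existing on a reload, as `-N` on an existing chain returns non-zero.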
local keepalive
local _rest
- local subnet
+ local local_subnet
+ local remote_subnet
+
+ # Flush firewall rules
+ iptables -F WGBLOCK
# Flush all previously set routes
ip route flush dev "${INTF}"
# Apply the routes
if [ "${type}" = "net" ]; then
- for subnet in ${remote_subnets//|/,}; do
- ip route add "${subnet}" dev "${INTF}"
+ for remote_subnet in ${remote_subnets//|/,}; do
+ ip route add "${remote_subnet}" dev "${INTF}"
done
fi
fi
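Review bot: `iptables -F WGBLOCK` empties the chain at the top of this loop, but the catch-all REJECT is only appended after the whole peers file has been processed, so for the duration of the rebuild WGBLOCK contains either nothing or only RETURN rules and every packet from `wg+` falls through to the rest of INPUT/FORWARD. If a peer's subnets are added while traffic is flowing, that is a brief fail-open window rather than fail-closed. A simple fix that keeps the structure is to rebuild into a scratch chain and swap it in, or to append the REJECT immediately after the flush and add the per-peer allow rules with `iptables -I WGBLOCK -s ... -d ... -j RETURN` so the deny rule is present at every instant. Also note the flush sits inside a per-peer loop whose start is outside this hunk; if it runs once per peer it will discard the RETURN rules added for earlier peers, so it should be hoisted above the `while` loop — worth confirming against the full function.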
if [ -n "${keepalive}" ]; then
echo "PersistentKeepalive = ${keepalive}"
fi
+
+ # Set blocking rules
+ for local_subnet in ${local_subnets//|/ }; do
+ for remote_subnet in ${remote_subnets//|/ }; do
+ iptables -A WGBLOCK \
+ -s "${remote_subnet}" -d "${local_subnet}" -j RETURN
+ done
+ done
done < /var/ipfire/wireguard/peers
+
+ # Block all other traffic
+ iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
}
reload_firewall() {