Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] With ikev2 only mode, is all the iptables rules required #1524

Closed
chiragrajk opened this issue Jan 31, 2024 · 1 comment
Closed

[Question] With ikev2 only mode, is all the iptables rules required #1524

chiragrajk opened this issue Jan 31, 2024 · 1 comment

Comments

@chiragrajk
Copy link

For context I am trying to setup vpn with ikev2 mode only on AWS EC2 Ubuntu instance. Are all iptables rules setup in vpnsetup_ubuntu.sh:578 required for ikev2 only mode?
@hwdsl2
Copy link
Owner

hwdsl2 commented Jan 31, 2024
edited

@chiragrajk Hello! For IKEv2 only mode, some IPTables rules are not required: 1. Rules related to UDP port 1701. 2. Rules related to "ppp+". 3. Rule containing "L2TP_NET". Removing them is not necessary for IKEv2 only mode to work, but you can if you want. Note that the IPTables commands are numbered, so you will need to update the rule numbers accordingly.

The relevant part of the script is:

setup-ipsec-vpn/vpnsetup_ubuntu.sh

Lines 576 to 614 in b7b3fc3

update_iptables() {
bigecho "Updating IPTables rules..."
IPT_FILE=/etc/iptables.rules
IPT_FILE2=/etc/iptables/rules.v4
ipt_flag=0
if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then
ipt_flag=1
fi
ipi='iptables -I INPUT'
ipf='iptables -I FORWARD'
ipp='iptables -t nat -I POSTROUTING'
res='RELATED,ESTABLISHED'
if [ "$ipt_flag" = 1 ]; then
service fail2ban stop >/dev/null 2>&1
iptables-save > "$IPT_FILE.old-$SYS_DT"
$ipi 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP
$ipi 2 -m conntrack --ctstate INVALID -j DROP
$ipi 3 -m conntrack --ctstate "$res" -j ACCEPT
$ipi 4 -p udp -m multiport --dports 500,4500 -j ACCEPT
$ipi 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
$ipi 6 -p udp --dport 1701 -j DROP
$ipf 1 -m conntrack --ctstate INVALID -j DROP
$ipf 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate "$res" -j ACCEPT
$ipf 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT
$ipf 4 -i ppp+ -o ppp+ -j ACCEPT
$ipf 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate "$res" -j ACCEPT
$ipf 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT
$ipf 7 -s "$XAUTH_NET" -o ppp+ -j ACCEPT
iptables -A FORWARD -j DROP
$ipp -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE
$ipp -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE
echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"
iptables-save >> "$IPT_FILE"
if [ -f "$IPT_FILE2" ]; then
conf_bk "$IPT_FILE2"
/bin/cp -f "$IPT_FILE" "$IPT_FILE2"
fi
fi
}

@hwdsl2 hwdsl2 closed this as completed Jan 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chiragrajk @hwdsl2