Post-up and post-down for firewall rules? #16

Closed
axelsimon opened this issue Jul 13, 2020 · 3 comments · Fixed by #25

@axelsimon
Contributor

Hi,
I may have missed something in the docs, but is there a way to specify either a command or a script to run when starting the wg interface with dsnet, similar to the PostUp and PostDown fields in the WireGuard config files?

I'm thinking on the server side, when looking at a basic centralised VPN set-up with multiple clients.

@naggie
Owner

naggie commented Jul 13, 2020

There really should be, I'll implement this when I get time.

@fs111
Contributor

fs111 commented Nov 17, 2020

This would be a great addition. What is required to make that work? I took a quick look at the code but could not figure out where that would fit in.

@naggie
Owner

naggie commented Nov 17, 2020

I'd suggest in the dsnet up and dsnet down commands -- implemented in the files named as such. I think it should be passed through a shell too, so slightly more complicated commands can be used. /bin/bash is on nearly every system (aside from FreeBSD by default, so we should fall back to /bin/sh in that case, or just use /bin/sh which is commonly dash or bash)

fs111 added a commit to fs111/dsnet that referenced this issue Nov 19, 2020
This introduces PostUp and PostDown in dsnet. PostUp and PostDown allow
the user to run arbitrary commands after the device is up or down. These
are typically used to change the firewall rules via iptables. A working
example would be

...
    "PostUp" : "iptables -A FORWARD -i dsnet -j ACCEPT; iptables -A FORWARD -o dsnet -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE ",
    "PostDown" : "iptables -D FORWARD -i dsnet -j ACCEPT; iptables -D FORWARD -o dsnet -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE ",
...

All commands are executed by `/bin/sh` and no filtering or sandboxing is
applied. Users of this should know what they are doing.

Fixes naggie#16
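
Since the hook strings reach `/bin/sh` unfiltered, write access to the config file amounts to command execution as the user running dsnet. The following is an added example, not dsnet's code or part of the commit above: it checks the config file's ownership and mode before running a hook through `/bin/sh -c`. The names `hookConfigTrusted` and `runHook` are hypothetical, and a temp file and `echo` commands stand in for the real config and iptables rules.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// hookConfigTrusted returns an error unless path is owned by wantUID and is
// not writable by group or others. Anyone who can edit the file can set
// PostUp/PostDown, and those strings are run by a shell without filtering.
func hookConfigTrusted(path string, wantUID uint32) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: no ownership information on this platform", path)
	}
	if st.Uid != wantUID {
		return fmt.Errorf("%s: owned by uid %d, want %d", path, st.Uid, wantUID)
	}
	if fi.Mode().Perm()&0022 != 0 {
		return fmt.Errorf("%s: mode %04o is group/world writable", path, fi.Mode().Perm())
	}
	return nil
}

// runHook hands the hook string to /bin/sh -c, so ";"-separated commands work.
// An empty hook is a no-op; a non-zero exit status is returned as an error.
func runHook(hook string) (string, error) {
	if hook == "" {
		return "", nil
	}
	out, err := exec.Command("/bin/sh", "-c", hook).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed sample: a temp file stands in for the dsnet config file.
	f, _ := os.CreateTemp("", "dsnetconfig-*.json")
	defer os.Remove(f.Name())
	f.Close()
	if err := hookConfigTrusted(f.Name(), uint32(os.Getuid())); err != nil {
		fmt.Println("refusing to run hooks:", err)
		return
	}
	out, err := runHook("echo rule-1 added; echo rule-2 added")
	fmt.Print(out, err, "\n")
}
```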