# VPN Gateway IPTables Rules Template
# This is a template - actual rules are generated by killswitch.sh
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN (placeholders: eth0 and 192.168.1.0/24 are replaced with the actual interface and network when the rules are generated)
-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
# DNS for root only (for the initial VPN connection). Note: no -d restriction, so root-owned DNS may reach any resolver outside the tunnel; pin -d to the intended resolver if DNS must not bypass the VPN
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT
# VPN Forward. Note: this rule has no -o restriction, so forwarded LAN traffic is accepted on any egress interface; the generated rules should pin it to the VPN interface (e.g. -o wg0), otherwise LAN clients can be forwarded out via eth0 when the tunnel is down
-A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
# Log dropped packets (optional; these are the last rules before the DROP policy applies, so prefix them with -m limit to avoid flooding the log)
# -A INPUT -j LOG --log-prefix "DROP-IN: " --log-level 4
# -A OUTPUT -j LOG --log-prefix "DROP-OUT: " --log-level 4
# -A FORWARD -j LOG --log-prefix "DROP-FWD: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT is added dynamically when the VPN connects (masquerade only on the VPN interface, never on eth0)
# -A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT