
Commit a5eba59

committed
Improve IPTables rules
- Apply upstream change Nyr/openvpn-install commit 13b0245. - Let IPTables wait for the xtables lock for 5 seconds.
1 parent ecaef49 commit a5eba59


1 file changed

+16
-15
lines changed


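--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -829,24 +829,25 @@ create_firewall_rules() {
 ip6tables_path=$(command -v ip6tables-legacy)
 fi
 echo "[Unit]
-Before=network.target
+After=network-online.target
+Wants=network-online.target
 [Service]
 Type=oneshot
-ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
-ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
-ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
-ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
-ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
-ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
+ExecStart=$iptables_path -w 5 -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
+ExecStart=$iptables_path -w 5 -I INPUT -p $protocol --dport $port -j ACCEPT
+ExecStart=$iptables_path -w 5 -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=$iptables_path -w 5 -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$iptables_path -w 5 -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
+ExecStop=$iptables_path -w 5 -D INPUT -p $protocol --dport $port -j ACCEPT
+ExecStop=$iptables_path -w 5 -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=$iptables_path -w 5 -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
 if [[ -n "$ip6" ]]; then
-echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j MASQUERADE
-ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j MASQUERADE
-ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
-ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
+echo "ExecStart=$ip6tables_path -w 5 -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j MASQUERADE
+ExecStart=$ip6tables_path -w 5 -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStart=$ip6tables_path -w 5 -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$ip6tables_path -w 5 -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j MASQUERADE
+ExecStop=$ip6tables_path -w 5 -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStop=$ip6tables_path -w 5 -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
 fi
 echo "RemainAfterExit=yes
 [Install]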
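Review bot: Every ExecStop line in the new unit (new-side lines 840–843 and 848–850) is still an unprefixed `ExecStop=`, so if a single `-D` fails — because the matching rule was never inserted after an earlier `ExecStart` aborted, or because the 5-second xtables lock wait added by `-w 5` times out — systemd stops executing the remaining ExecStop commands and the other rules stay in the kernel; prefixing each with a dash, e.g. `ExecStop=-$iptables_path -w 5 -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE`, makes the teardown best-effort per rule rather than all-or-nothing. As far as I recall, `-w` with a numeric timeout is only understood by iptables 1.6 and newer while older releases accept a bare `-w`, so the unit may fail to apply any rule on those systems; probing `$iptables_path -w 5 -L >/dev/null 2>&1` in create_firewall_rules before writing the file and falling back to `-w` would keep the legacy path working. Dropping `Before=network.target` in favour of `After=network-online.target` also removes the only ordering hint this unit carried, so unless the OpenVPN service unit (not visible here) declares its own dependency on openvpn-iptables.service there may be a window in which the tunnel is up before the FORWARD and MASQUERADE rules exist. create_firewall_rules begins before and continues past this hunk.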
