ip_tables.php
<?php
########## This script requires preinstallation of php 5.2.0 or higher and php-zip prior to running
########## This script installs PIA VPN using OpenVPN and sets up a killswitch using iptables
########## This script needs to be run as root.
###################################################################################################################################
############################################################ VARIABLES ############################################################
###################################################################################################################################
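// NOTE(review): the credentials below are kept in plaintext in this source file and are copied
// verbatim into $CredentialFilename further down; restrict read access to this script accordingly.
$PiaUsername = "username"; // PIA Username
$PiaPassword = "password"; // PIA Password
// Name of the network interface
$NetworkInterfaceName = "enp0s3"; // Network interface name
// UDP Ports that are left open. Default ports are 53 for DNS and 1197 for VPN which are both UDP. Ports may differ
$Port1Number = "53";
$Port1Type = "UDP";
$Port2Number = "1197";
$Port2Type = "UDP";
// The trailing slash is required: the value is concatenated directly with filenames below
$OpenVpnLocation = "/etc/openvpn/"; // Location where the openvpn files are going to be located
$LocalZipFile = "openvpn-strong.zip"; // Local zip file name (relative to the directory the script is started from)
$url = "https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip"; // Online zip file URL
$LocationName = "ca_toronto.ovpn"; // Openvpn filename for the country
$VpnConfigFilename = "vpn.conf"; //VPN Config filename
$CredentialFilename = "login"; // Login credentials stored in this file
$OldPattern = "auth-user-pass";
// "{$var}" rather than "${var}": the "${var}" interpolation form is deprecated since PHP 8.2;
// both produce the same string, so this stays compatible with older releases
$NewPattern = "auth-user-pass {$OpenVpnLocation}{$CredentialFilename}";
//Helps to ensure no DNS leaks
$DataAppend1 = "script-security 2" . "\nup {$OpenVpnLocation}update-resolv-conf" . "\ndown {$OpenVpnLocation}update-resolv-conf";
$LogFileName = dirname(__FILE__) . "/" . basename(__FILE__, ".php") . ".log"; // Most outputs are logged this file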
###################################################################################################################################
###################################################################################################################################
###################################################################################################################################
// DateTime outputs
// Returns a timestamp banner: the current local date/time wrapped between two lines of asterisks.
function givemeDateTimeNow() {
    $banner = "\n************************************\n";
    // date() defaults to the current time, so no explicit time() argument is needed
    $stamp = date('m/d/Y h:i:s a');
    return $banner . $stamp . $banner;
}
// Determine if package is installed
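// Determine if a Debian package is installed by asking dpkg-query for its status line.
// $packageName: apt package name. Returns true only when dpkg reports "install ok installed";
// an unknown package, a missing dpkg-query binary, or a disabled shell_exec all yield false.
function isPackageInstalled($packageName) {
    // escapeshellarg keeps the name a single shell argument even if it ever contains metacharacters
    $command = "dpkg-query -W --showformat='\${Status}\n' " . escapeshellarg($packageName);
    // shell_exec() returns null when the command produced no output; cast so strpos() never
    // receives null (deprecated since PHP 8.1)
    $output = (string) shell_exec($command);
    return strpos($output, "install ok installed") !== false;
}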
// Runs the command and outputs to the log function
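// Runs a shell command and appends whatever it printed on stdout to the log file.
// $thisCommand: complete command line; the caller is responsible for quoting its arguments.
function runThis($thisCommand) {
    global $LogFileName;
    // shell_exec() returns null for commands with no output (and on failure); cast so the
    // append below always receives a string instead of a null that PHP 8.1+ deprecates
    $output = (string) shell_exec($thisCommand);
    file_put_contents($LogFileName, $output, FILE_APPEND);
}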
// Log function to echo and put text to a file
// Writes a message to the log file, padded with blank lines, and optionally echoes it to stdout.
// $output: message text. $EchoMe: when truthy, the message is also printed followed by a newline.
function logThis($output, $EchoMe) {
    global $LogFileName;
    if ($EchoMe) {
        echo $output . "\n";
    }
    $entry = "\n" . $output . "\n\n";
    file_put_contents($LogFileName, $entry, FILE_APPEND);
}
// Installs software using the isPackageInstalled function
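// Installs an apt package if it is not already present; command output goes to the log via runThis.
// $packageName: apt package name. Nothing happens when dpkg already reports the package installed.
function installSoftware($packageName) {
    if (isPackageInstalled($packageName)) {
        return;
    }
    logThis("[Installing $packageName]", true);
    // Routed through runThis so capture and logging match every other command in this script
    // (the original duplicated that code here); the name is quoted as one shell argument
    runThis("apt-get install " . escapeshellarg($packageName) . " -y");
}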
// Start, Stop, or Enable service
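// Runs "systemctl <enterState> <serviceName>" (start, stop, enable, ...) and logs the output.
// $serviceName: unit name as systemctl expects it. $enterState: the systemctl verb to apply.
function workService($serviceName, $enterState) {
    logThis("[Running systemctl $enterState $serviceName]", true);
    // Routed through runThis so output capture and logging match the other commands;
    // both values are quoted as single shell arguments
    runThis("systemctl " . escapeshellarg($enterState) . " " . escapeshellarg($serviceName));
}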
// Verify if running as root
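// Verify if running as root
if (posix_getuid() !== 0) {
    exit("Ending script. Not running as root.\n");
}
// Run updates
logThis(givemeDateTimeNow(), false);
logThis("[Running Update]", true);
runThis('apt-get update -y');
logThis("[Running Upgrade]", true);
runThis('apt-get upgrade -y');
// Verify if zip is installed. ZipArchive below needs the extension, and a freshly installed
// extension is only loaded by a new PHP process, hence the restart request.
if (!isPackageInstalled('php-zip')) {
    installSoftware('php-zip');
    exit("Just installed php-zip. Restart the script\n");
}
// Install needed software
installSoftware('ifupdown');
installSoftware('openvpn');
installSoftware('resolvconf');
// Download now: once the DROP policies are in place apt can no longer reach its mirrors
logThis("[PreDownloading iptables-persistent]", true);
runThis('apt-get install --download-only iptables-persistent -y');
// Get VPN zip file. file_get_contents() returns false on failure; writing that would leave an
// empty archive for ZipArchive to fail on later, so stop here with a clear message instead.
// NOTE(review): the archive is trusted on the strength of the TLS connection alone; nothing
// verifies a checksum or signature of what is extracted into $OpenVpnLocation.
$zipData = file_get_contents($url);
if ($zipData === false) {
    exit("Exiting script. Unable to download $url\n");
}
if (file_put_contents($LocalZipFile, $zipData) === false) {
    exit("Exiting script. Unable to write $LocalZipFile\n");
}
// Start and Enable resolvconf service to start on boot
workService('resolvconf.service', 'start');
workService('resolvconf.service', 'enable');
// Extract zip file into place
$archive = new ZipArchive;
if ($archive->open($LocalZipFile) === true) {
    logThis("[Unzipping file $LocalZipFile into $OpenVpnLocation]", true);
    if (!$archive->extractTo($OpenVpnLocation)) {
        exit("Exiting script. Extracting $LocalZipFile into $OpenVpnLocation failed\n");
    }
    $archive->close();
} else {
    exit("Exiting script. Unzip failed\n");
}
// Delete the original zip file
logThis("[Deleting Zip File $LocalZipFile]", true);
unlink($LocalZipFile);
// Change directory; every file operation below uses a bare filename relative to it
logThis("[Changing directory to $OpenVpnLocation]", true);
if (!chdir($OpenVpnLocation)) {
    exit("Exiting script. Unable to change directory to $OpenVpnLocation\n");
}
// Create credential file (two lines, username then password, as auth-user-pass expects).
// Create it empty and restrict it first, so the password is never written into a file that is
// still readable by others under the default umask.
if (!touch($CredentialFilename) || !chmod($CredentialFilename, 0600)) {
    exit("Exiting script. Unable to create $CredentialFilename\n");
}
$credentialHandle = fopen($CredentialFilename, "w");
if (!$credentialHandle) {
    exit("Exiting script. Unable to create $CredentialFilename\n");
}
logThis("[Creating Credential File $CredentialFilename]", true);
fwrite($credentialHandle, $PiaUsername . PHP_EOL);
fwrite($credentialHandle, $PiaPassword . PHP_EOL);
fclose($credentialHandle);
// Update permissions on the credential file: final mode is owner-only, so OpenVPN does not
// complain about a group/world-accessible auth file
logThis("[Changing permissions on $CredentialFilename]", true);
chmod($CredentialFilename, 0500);
// Copy the openvpn file into the appropriate filename
logThis("[Copying $LocationName to $VpnConfigFilename]", true);
if (!copy($LocationName, $VpnConfigFilename)) {
    exit("Exiting script. Unable to copy $LocationName to $VpnConfigFilename\n");
}
// Update to have auth with login in the VpnConfigFilename
logThis("[Updating $VpnConfigFilename with login file]", true);
$fileContent = file_get_contents($VpnConfigFilename);
if ($fileContent === false) {
    exit("Exiting script. Unable to read $VpnConfigFilename\n");
}
$newFileContent = str_replace($OldPattern, $NewPattern, $fileContent);
if ($newFileContent === $fileContent) {
    // Without this substitution OpenVPN prompts for credentials interactively and never starts unattended
    logThis("[Warning: '$OldPattern' not found in $VpnConfigFilename; credential file was not wired in]", true);
}
file_put_contents($VpnConfigFilename, $newFileContent);
// Helps to ensure no DNS leaks: let OpenVPN's up/down hooks manage resolv.conf
logThis("[Updating $VpnConfigFilename to help ensure no DNS leaks]", true);
file_put_contents($VpnConfigFilename, $DataAppend1 . PHP_EOL, FILE_APPEND | LOCK_EX);
// Enable openvpn with the config file to start automatically
$FileNameParts = pathinfo($VpnConfigFilename);
$VpnConfigFileBasename = $FileNameParts['filename']; // filename without the extension; the 'filename' key exists since PHP 5.2.0
workService("openvpn@$VpnConfigFileBasename", "enable");
// Clearing out old IP tables rules
logThis("[Clear out the old IP tables rules]", true);
runThis("iptables -F");
runThis("iptables -t nat -F");
runThis("iptables -t mangle -F");
runThis("iptables -X");
// Allow loopback device (internal communication)
logThis("[Updating iptables to allow for loopback device (internal communication)]", true);
runThis("iptables -A INPUT -i lo -j ACCEPT");
runThis("iptables -A OUTPUT -o lo -j ACCEPT");
// Allow all local traffic (the RFC 1918 ranges). This traffic bypasses the tunnel by design.
logThis("[Updating iptables to allow for all local traffic]", true);
runThis("iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT");
runThis("iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT");
runThis("iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT");
runThis("iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT");
runThis("iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT");
runThis("iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT");
// Allow VPN establishment with only 2 ports open, 1 for DNS and 1 for VPN
// If establishing thru an IP and not DNS, the ones with port 53 can be removed
// Port may be different depending on the VPN
// NOTE(review): the INPUT rules match on source port only, so they admit packets from any host
// that happens to use sport 53/1197; a conntrack ESTABLISHED,RELATED match would tie them to
// flows this machine initiated.
logThis("[Updating iptables to allow for 2 ports of communication]", true);
runThis("iptables -A INPUT -p $Port1Type --sport $Port1Number -j ACCEPT");
runThis("iptables -A OUTPUT -p $Port1Type --dport $Port1Number -j ACCEPT");
runThis("iptables -A INPUT -p $Port2Type --sport $Port2Number -j ACCEPT");
runThis("iptables -A OUTPUT -p $Port2Type --dport $Port2Number -j ACCEPT");
// Accept all TUN connections (tun = VPN tunnel)
logThis("[Updating iptables to allow for all TUN connection traffic]", true);
runThis("iptables -A OUTPUT -o tun+ -j ACCEPT");
runThis("iptables -A INPUT -i tun+ -j ACCEPT");
// Set default policies to drop all communication unless specifically allowed.
// NOTE(review): only the IPv4 tables are configured; ip6tables keeps its defaults, so IPv6
// traffic is not covered by this kill switch unless it is handled separately.
logThis("[Updating iptable to drop all communication unless specifically allowed]", true);
runThis("iptables -P INPUT DROP");
runThis("iptables -P OUTPUT DROP");
runThis("iptables -P FORWARD DROP");
// Bring the network interface down and up so existing connections are re-established under the new policy
logThis("[Bringing up and down the network interface]", true);
runThis("ip link set $NetworkInterfaceName down");
runThis("ip link set $NetworkInterfaceName up");
// Stopping and starting openvpn service with pauses
workService('openvpn', 'stop');
sleep(5);
workService('openvpn', 'start');
sleep(5);
// Installing iptables-persistent to save iptable rules on reboot (the package was downloaded
// earlier, before the DROP policies cut apt off from its mirrors). The script already runs as
// root, so the debconf answers are piped in directly: sudo is unnecessary here and may not exist
// on a minimal install.
runThis("echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections");
runThis("echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections");
installSoftware('iptables-persistent');
// Turning on netfilter-persistent and setting to start on restart
runThis("netfilter-persistent save");
workService('netfilter-persistent', 'enable');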
?>