-
Notifications
You must be signed in to change notification settings - Fork 2
/
proxy_setup_script.sh
114 lines (90 loc) · 3.36 KB
/
proxy_setup_script.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/bin/bash -e
AUTHORIZE_KEY="${1}"
MY_IP="${2}"
MY_IP6="${3}"
VPN_DMZ_IP="${4}"
VPN_DMZ_IP6="${5}"
VPN_MY_IP="${6}"
VPN_CIDR="${7}"
VPN_MY_IP6="${8}"
VPN_CIDR6="${9}"
MY_PRIVATE_KEY="${10}"
MY_PUBLIC_KEY="${11}"
TARGET_PUBLIC_KEY="${12}"
mkdir -p /root/.ssh && \
echo $AUTHORIZE_KEY > /root/.ssh/authorized_keys
apt-get update && \
apt-get -yq --no-install-recommends --no-install-suggests install ufw wireguard && \
ufw allow 22/tcp && \
ufw allow 1000/udp && \
mkdir -p /etc/wireguard
if [ $? != 0 ]; then
return 1;
fi
mkdir -p /etc/wireguard
cat >/etc/wireguard/hydra.conf <<EOL
[Interface]
PrivateKey = ${MY_PRIVATE_KEY}
Address = ${VPN_MY_IP}/${VPN_CIDR}, ${VPN_MY_IP6}/${VPN_CIDR6}
ListenPort = 1000
Table = off
[Peer]
PublicKey = ${TARGET_PUBLIC_KEY}
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
EOL
systemctl enable [email protected]
systemctl start [email protected]
cp /etc/ufw/before.rules /etc/ufw/before.rules.bak
cat >>/etc/ufw/before.rules <<EOL
# ---- GENERATED BY proxy_setup_script.sh >>>>
# NAT table
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# send all incoming tcp/udp traffic to target ip (except traffic for port 22 and 1000)
-A PREROUTING -d ${MY_IP} -p TCP -m multiport ! --dports 22,1000 -j DNAT --to-destination ${VPN_DMZ_IP}
-A PREROUTING -d ${MY_IP} -p UDP -m multiport ! --dports 22,1000 -j DNAT --to-destination ${VPN_DMZ_IP}
# masquerade everything sent to host ip and out of hydra interface (this is needed if the target is not using this host as a default gateway)
-A POSTROUTING --dst ${MY_IP} -o hydra -j MASQUERADE
# masquerade everything sent out of eth0 interface (this is needed for target to use this host as a default gateway)
-A POSTROUTING -o eth0 -j MASQUERADE
# set up reflection
-A POSTROUTING --src ${VPN_DMZ_IP}/${VPN_CIDR} --dst ${VPN_DMZ_IP}/${VPN_CIDR} -o hydra -j MASQUERADE
COMMIT
# <<<< GENERATED BY proxy_setup_script.sh ----
EOL
cp /etc/ufw/before6.rules /etc/ufw/before6.rules.bak
cat >>/etc/ufw/before6.rules <<EOL
# ---- GENERATED BY proxy_setup_script.sh >>>>
# NAT table
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# send all incoming tcp/udp traffic to target ip (except traffic for port 22 and 1000)
-A PREROUTING -d ${MY_IP6} -p TCP -m multiport ! --dports 22,1000 -j DNAT --to-destination ${VPN_DMZ_IP6}
-A PREROUTING -d ${MY_IP6} -p UDP -m multiport ! --dports 22,1000 -j DNAT --to-destination ${VPN_DMZ_IP6}
# masquerade everything sent to host ip and out of hydra interface (this is needed if the target is not using this host as a default gateway)
-A POSTROUTING --dst ${MY_IP6} -o hydra -j MASQUERADE
# masquerade everything sent out of eth0 interface (this is needed for target to use this host as a default gateway)
-A POSTROUTING -o eth0 -j MASQUERADE
# set up reflection
-A POSTROUTING --src ${VPN_DMZ_IP6}/${VPN_CIDR6} --dst ${VPN_DMZ_IP6}/${VPN_CIDR6} -o hydra -j MASQUERADE
COMMIT
# <<<< GENERATED BY proxy_setup_script.sh ----
EOL
cp /etc/default/ufw /etc/default/ufw.bak
cat >>/etc/default/ufw <<EOL
# ---- GENERATED BY proxy_setup_script.sh >>>>
DEFAULT_FORWARD_POLICY="ACCEPT"
# <<<< GENERATED BY proxy_setup_script.sh ----
EOL
cp /etc/ufw/sysctl.conf /etc/ufw/sysctl.conf.bak
cat >>/etc/ufw/sysctl.conf <<EOL
# ---- GENERATED BY proxy_setup_script.sh >>>>
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
# <<<< GENERATED BY proxy_setup_script.sh ----
EOL
ufw --force enable
ufw reload