#!/bin/bash

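#######################################
# Print a green informational message to stdout.
# Arguments: $1 - message text; printed verbatim, never used as a printf
#                 format, so '%' or backslashes in it cannot alter the output
# Outputs:   the message wrapped in ANSI colour codes, then a newline
#######################################
echo_info() {
    local green='\033[0;32m'
    local reset='\033[0m'
    # %b expands the escapes in the colour codes; %s keeps the message literal.
    printf '%b%s%b\n' "$green" "$1" "$reset"
}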

####################################################################
# Constants
####################################################################

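# Host interface carrying WAN traffic for each address family.
readonly WAN_INTERFACE_V4='eth1'
readonly WAN_INTERFACE_V6='eth1'
# WireGuard interface; its wg-quick config is read from /${VPN_INTERFACE}.conf.
readonly VPN_INTERFACE='wg-cloud'

# Tunnel-side addresses of the web server that receives forwarded traffic.
readonly WEB_SERVER_IPV4='10.254.0.2'
readonly WEB_SERVER_IPV6='fd99:23eb:1682:fe::2'

# Ports forwarded to the web server, in iptables multiport syntax (a:b is a range).
# Marked readonly so a later assignment in this script fails instead of
# silently redirecting the forwards.
readonly WEB_SERVER_PORTS='80,443,10000:11000,51820'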

####################################################################
# wireguard setup
# wireguard -> X forwarding
# wireguard -> $WAN_INTERFACE SNAT
####################################################################

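echo_info "Set up wireguard..."

# Tear down a stale tunnel first. This is best-effort: on a fresh start the
# interface does not exist yet, so a failure here is deliberately ignored.
wg-quick down "/${VPN_INTERFACE}.conf" || true
# Everything below routes through the tunnel, so bringing it up must succeed;
# stopping here makes the failure visible instead of leaving the script
# running with a firewall built around an interface that never came up.
wg-quick up "/${VPN_INTERFACE}.conf" || {
    printf 'error: wg-quick up %s failed\n' "/${VPN_INTERFACE}.conf" >&2
    exit 1
}

# default drop: only explicitly accepted traffic is forwarded
iptables-nft  -P FORWARD DROP
ip6tables-nft -P FORWARD DROP

# allow forward: anything arriving from the tunnel may be forwarded...
iptables-nft  -A FORWARD -i "$VPN_INTERFACE" -j ACCEPT
ip6tables-nft -A FORWARD -i "$VPN_INTERFACE" -j ACCEPT

# ...and from the WAN side only packets of already established connections
iptables-nft  -A FORWARD -i "$WAN_INTERFACE_V4" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables-nft -A FORWARD -i "$WAN_INTERFACE_V6" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# masquerading: traffic leaving via the WAN interface carries its address
iptables-nft  -t nat -A POSTROUTING -o "$WAN_INTERFACE_V4" -j MASQUERADE
ip6tables-nft -t nat -A POSTROUTING -o "$WAN_INTERFACE_V6" -j MASQUERADE

# clamp tcp MSS of packets out tunnels: the tunnel encapsulation lowers the
# path MTU, so the MSS of SYNs leaving through it is reduced to match
iptables-nft  -t mangle -A POSTROUTING -o "$VPN_INTERFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables-nft -t mangle -A POSTROUTING -o "$VPN_INTERFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu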

####################################################################
# Port forwarding
####################################################################

# Announce the port-forwarding phase; the rules are added by
# setup_port_forward, defined and called below.
echo_info "Set up port forwarding to web server..."

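#######################################
# Forward a set of TCP and UDP ports arriving on the WAN interfaces to the
# web server behind the tunnel: DNAT on the way in, a FORWARD accept for the
# flow, and MASQUERADE on the way out.
# Arguments:
#   $1 - IPv4 WAN interface name
#   $2 - IPv6 WAN interface name
#   $3 - ports in iptables multiport syntax (e.g. 80,443,10000:11000)
#   $4 - IPv4 address of the web server
#   $5 - IPv6 address of the web server
# Returns:   0 on success; 1 if no global address is found on either WAN
#            interface, in which case no rule is added at all
#######################################
setup_port_forward() {
    local interface_name_v4=$1
    local interface_name_v6=$2
    local ports=$3
    local dst_ipv4=$4
    local dst_ipv6=$5
    local interface_ipv4 interface_ipv6 proto

    # The first address of each interface is used as the DNAT match.
    # "scope global" keeps a link-local fe80:: address, which ip(8) may list
    # before the routable one, from being chosen on the v6 side.
    interface_ipv4=$(ip -4 addr show dev "$interface_name_v4" scope global \
        | grep -oP '(?<=inet\s)\d+(\.\d+){3}' -m 1)
    interface_ipv6=$(ip -6 addr show dev "$interface_name_v6" scope global \
        | grep -oP '(?<=inet6\s)[\da-f:]+' -m 1)

    # An empty address would leave "-d" without a value and hand iptables a
    # malformed rule; fail explicitly instead.
    if [[ -z "$interface_ipv4" || -z "$interface_ipv6" ]]; then
        printf 'error: no global address found (%s: "%s", %s: "%s")\n' \
            "$interface_name_v4" "$interface_ipv4" \
            "$interface_name_v6" "$interface_ipv6" >&2
        return 1
    fi

    # Rule order within each family stays tcp before udp.
    for proto in tcp udp; do
        # ipv4 forwarding
        iptables-nft -t nat -A PREROUTING  -p "$proto" -d "$interface_ipv4" -m multiport --dports "$ports" -j DNAT --to-destination "$dst_ipv4"
        # conntrack/ctstate matches the ESTABLISHED,RELATED rules used for the
        # WAN side of the FORWARD chain; "state" is the older spelling of it.
        iptables-nft -A FORWARD -p "$proto" -d "$dst_ipv4" -m multiport --dports "$ports" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
        # presumably so the web server replies through this host instead of
        # its own default route — confirm before changing
        iptables-nft -t nat -A POSTROUTING -p "$proto" -d "$dst_ipv4" -m multiport --dports "$ports" -j MASQUERADE

        # ipv6 forwarding
        ip6tables-nft -t nat -A PREROUTING  -p "$proto" -d "$interface_ipv6" -m multiport --dports "$ports" -j DNAT --to-destination "$dst_ipv6"
        ip6tables-nft -A FORWARD -p "$proto" -d "$dst_ipv6" -m multiport --dports "$ports" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
        ip6tables-nft -t nat -A POSTROUTING -p "$proto" -d "$dst_ipv6" -m multiport --dports "$ports" -j MASQUERADE
    done
}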

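# Stop if the forwards could not be installed: with the FORWARD policy at
# DROP the host then fails closed instead of idling without them.
setup_port_forward "$WAN_INTERFACE_V4" "$WAN_INTERFACE_V6" "$WEB_SERVER_PORTS" "$WEB_SERVER_IPV4" "$WEB_SERVER_IPV6" || {
    printf 'error: port forwarding setup failed\n' >&2
    exit 1
}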

####################################################################
# iptables de-duplicate
####################################################################

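echo_info "De-duplicating iptables..."

# Every rule above is appended with -A, so a re-run would install each one
# twice. Each family's ruleset is dumped, filtered to unique lines (the awk
# cache resets at every COMMIT so identical lines in different tables are
# kept) and loaded back. The dump goes to a private mktemp file instead of a
# fixed name under /tmp, and a family whose save fails is left untouched
# rather than flushed and restored from an empty file.
dump=$(mktemp) || exit 1
for tool in iptables-nft ip6tables-nft; do
    if "${tool}-save" > "$dump"; then
        # -F clears only the filter table; restore (without --noflush)
        # replaces every table present in the dump anyway.
        "$tool" -F
        awk '/^COMMIT$/ { delete x; }; !x[$0]++' "$dump" | "${tool}-restore"
    else
        printf 'error: %s-save failed; its rules were left as-is\n' "$tool" >&2
    fi
done
rm -f -- "$dump"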

####################################################################
####################################################################

echo_info "Infra setup complete!"

# Park on a never-ending child so this process stays alive after setup
# (presumably the container's main process — confirm against its Dockerfile).
sleep infinity &
wait "$!"