less MASQ
parent
250f71be1c
commit
c750ee5e06
@ -204,6 +204,7 @@ services:
|
||||
environment:
|
||||
- CONFIG=${SF_CRYPTOSTORM_CONFIG:-}
|
||||
- PROVIDER=CryptoStorm
|
||||
- NETWORK=${SF_NET_LG}
|
||||
- DNS=1.1.1.1 # Cryptostorm's DNS is often broken
|
||||
- POST_UP=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-cryptostorm.log up %i
|
||||
- PRE_DOWN=/sf/bin/vpn_wg2status.sh /sf/run/vpn/status-cryptostorm.log down %i
|
||||
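Review bot: The resolver on the `- DNS=1.1.1.1` line is hard-coded while the neighbouring `- CONFIG=${SF_CRYPTOSTORM_CONFIG:-}` is overridable from the host environment; if this is the line the hunk adds, consider `- DNS=${SF_CRYPTOSTORM_DNS:-1.1.1.1} # Cryptostorm's DNS is often broken` so an operator can pin another resolver without editing the compose file. The inline comment should also say what consumes the value (presumably the WireGuard client installs it as the tunnel resolver), because a resolver that is not reached through the tunnel would answer outside the VPN. Which of the seven environment lines is the added one is not explicit on this rendered page.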
@ -297,6 +298,8 @@ services:
|
||||
- NET_ADMIN #required
|
||||
environment:
|
||||
- SF_REDIS_AUTH=${SF_REDIS_AUTH}
|
||||
- NET_LG=${SF_NET_LG:?}
|
||||
- NET_VPN_ROUTER_IP=${SF_NET_VPN_ROUTER_IP:?}
|
||||
- SF_NOVPN_IP=${SF_NOVPN_IP}
|
||||
- SF_DIRECT
|
||||
- SF_DEBUG
|
||||
|
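Review bot: `- SF_DIRECT` and `- SF_DEBUG` are passed through bare with no comment on what they switch; from the script hunks below, a non-empty `SF_DIRECT` appears to park `monitor_failover` in `sleep infinity` instead of failing over, and `SF_DEBUG` appears to govern the novpn sleep, but both are inferred. Suggest `- SF_DIRECT # non-empty: route directly, disables VPN failover in monitor_failover` and a matching one-line comment on `SF_DEBUG`. Note also that `- SF_NOVPN_IP=${SF_NOVPN_IP}` is the only value in this list without the `:?` guard its siblings `NET_LG` and `NET_VPN_ROUTER_IP` carry; if that line is new, an unset host variable surfaces only later inside the container. The hunk's addition count (two lines) does not identify which lines are new, so this assumes the two bare names are the additions.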
@ -38,9 +38,10 @@ SFVPN_EXIT_IP=\"${exit_ip:-333.1.2.3}\"\n" >"${LOGFNAME}"
|
||||
|
||||
touch "/config/guest/vpn_status.direct"
|
||||
|
||||
ip route add "${NET_LG}" via "${NET_VPN_ROUTER_IP}"
|
||||
# All outgoing needs to be MASQ'ed.
|
||||
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
# Keep 1 process alive so that we can use `nsenter` to enter this network namespace
|
||||
[[ -z $SF_DEBUG ]] && exit 0
|
||||
exec -a '[novpn-sleep]' sleep infinity
|
||||
# [[ -z $SF_DEBUG ]] && exit 0
|
||||
exec -a '[novpn-sleep]' sleep infinity
|
||||
|
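Review bot: The `[[ -z $SF_DEBUG ]] && exit 0` guard survives as a commented-out line instead of being removed, and the comment above it ("Keep 1 process alive so that we can use `nsenter`") no longer explains why the sleep is now unconditional; drop the dead line and extend the comment to `# Always keep 1 process alive (regardless of SF_DEBUG) so that nsenter can enter this network namespace`. Separately, `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` hard-codes the interface where the router-side script in this same commit derives interfaces from variables such as `${DEV_GW}`; if the container's interface is not `eth0`, LG traffic leaves unmasqueraded, and with the router-side catch-all MASQ gone nothing else rewrites the source. Which of the duplicated sleep/guard lines is old and which is new is not explicit on this rendered page, so this assumes the commented guard is the new state.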
@ -174,7 +174,7 @@ monitor_failover()
|
||||
{
|
||||
local status_sha
|
||||
|
||||
[[ -z $SF_DIRECT ]] && {
|
||||
[[ -n $SF_DIRECT ]] && {
|
||||
exec -a '[novpn-sleep]' sleep infinity
|
||||
exit 255 # NOT REACHED
|
||||
}
|
||||
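Review bot: The direct-mode branch in `monitor_failover` execs `sleep infinity` under the process name `[novpn-sleep]`, the same name the novpn container's script uses, so `ps` output in this container is indistinguishable from the novpn one; a name that identifies this script, e.g. `exec -a '[failover-direct-sleep]' sleep infinity`, would help whoever debugs a stuck failover. Because `exec` replaces the shell, nothing after the `monitor_failover` call site runs when `SF_DIRECT` is set — worth a one-line comment at the call if that is intended. Which of `[[ -z $SF_DIRECT ]]` and `[[ -n $SF_DIRECT ]]` is the new condition is not explicit on this rendered page; this assumes `-n` (park when direct) is the new one. The rest of monitor_failover lies outside the hunk.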
@ -425,11 +425,12 @@ iptables -t mangle -A PREROUTING -i "${DEV_LG}" -p udp -d "${NET_LG_ROUTER_IP}"
|
||||
iptables -t mangle -A PREROUTING -i "${DEV_ACCESS}" -p tcp -s "${GSNC_IP}" -j MARK --set-mark 22
|
||||
# -----END GSNC traffic is routed via Internet----
|
||||
|
||||
# MASQ all traffic because the VPN/TOR instances dont know the route back
|
||||
# to sf-guest (169.254.224/20).
|
||||
iptables -t nat -A POSTROUTING -o "${DEV_GW}" -j MASQUERADE
|
||||
# MASQ SSHD's forward to user's server
|
||||
iptables -t nat -A POSTROUTING -s "${SSHD_IP}" -o "${DEV_LG}" -j MASQUERADE
|
||||
# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.
|
||||
iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT
|
||||
# DNSMASQ does not know route back to LG => MASQ is here.
|
||||
iptables -t nat -A POSTROUTING -s "${NET_LG}" -d "${NET_VPN_DNS_IP}" -o "${DEV_GW}" -j MASQUERADE
|
||||
# MASQ all traffic from NON-LG's (the VPN/TOR/DNS dont know the route back to them).
|
||||
# iptables -t nat -A POSTROUTING ! -s "${NET_LG}" -o "${DEV_GW}" -j MASQUERADE
|
||||
# MASQ GSNC to (direct) Internet
|
||||
iptables -t nat -A POSTROUTING -s "${GSNC_IP}" -o "${DEV_DIRECT}" -j MASQUERADE
|
||||
# MASQ traffic from TOR to DMZ (nginx)
|
||||
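Review bot: `iptables -A FORWARD -i "${DEV_LG}" -o "${DEV_GW}" -j ACCEPT` admits every protocol and destination from the LG network towards the gateway interface, and since it is appended with `-A` its position relative to any reject or mark-based FORWARD rules installed earlier in the file is not visible here and should be checked. Dropping the catch-all rewrite (the commented-out `! -s "${NET_LG}"` rule) makes correct source rewriting depend on every endpoint container masquerading itself, as `# Dont MASQ LG's. FORWARD instead. They are MASQ'ed at VPN endpoints.` states; the novpn hunk in this commit adds such a rule, but no corresponding change for the VPN or TOR endpoints is visible on this page, so confirm they already do or LG traffic will be dropped there. Remove the commented-out rule rather than keeping it, as the comment above it already records the intent. Which lines are new versus context is not explicit on this rendered page.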
@ -449,7 +450,7 @@ echo -e >&2 "FW: SUCCESS"
|
||||
echo -e >&2 "TC: SUCCESS"
|
||||
|
||||
set +e
|
||||
# By default go via DIRECTO or TOR + VPN until vpn_status exists
|
||||
# By default go via DIRECT or TOR + VPN until vpn_status exists
|
||||
use_other
|
||||
monitor_failover
|
||||
|
||||
|
@ -120,7 +120,9 @@ SFVPN_EXIT_IP=\"${exit_ip:-333.1.2.3}\"\n" >"${LOGFNAME}"
|
||||
|
||||
create_vpn_status
|
||||
|
||||
# For Reverse Port Forward:
|
||||
# Old cryptostorm containers set a network route to default IP.
|
||||
# Remote old one as we need to route to SF_ROUTER_IP instead.
|
||||
ip route del 10.11.0.0/24 2>/dev/null
|
||||
ip route add 10.11.0.0/16 via "${SF_ROUTER_IP}" 2>/dev/null
|
||||
|
||||
# Delete all old port forwards.
|
||||
|
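Review bot: `ip route add 10.11.0.0/16 via "${SF_ROUTER_IP}" 2>/dev/null` discards the error that would reveal the reverse-port-forward route was not installed, including the case where `SF_ROUTER_IP` is empty; silencing stderr is reasonable on the preceding `ip route del` (the old route may legitimately be absent) but on the add it hides the very failure this block exists to fix. Suggest `ip route add 10.11.0.0/16 via "${SF_ROUTER_IP:?}" || echo >&2 "WARN: could not add route via ${SF_ROUTER_IP}"`. The comment `# Remote old one as we need to route to SF_ROUTER_IP instead.` should read "Remove old one". Which of these lines is new versus context is not explicit on this rendered page.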