author | root <root@samizdat> | 2021-09-29 12:24:32 -0400 |
---|---|---|
committer | root <root@samizdat> | 2021-09-29 12:24:32 -0400 |
commit | dfdc54af819c6ce9b4e150c30913967365bc7f32 (patch) | |
tree | 3e3fae22eaa3c3ccaabd7d09e2a3ef6360be60ef | |
parent | 1943a248f84a1ea05ac79a29d52ab4f2e975e3d5 (diff) |
working static config into template
-rwxr-xr-x | disable-outgoing-tcp-connections-through-ipv6-tunnel.sh | 2 | ||||
-rw-r--r-- | keycopy.sh | 49 |
2 files changed, 48 insertions, 3 deletions
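--- a/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
+++ b/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
@@ -21,6 +21,6 @@ mark=22
 ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j MARK --set-mark $mark
 ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j CONNMARK --save-mark
 ip6tables_add OUTPUT -t mangle -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-ip6rule_add fwmark $mark unreachable
+ip6rule_add fwmark $mark prohibit
 ip6rule_add fwmark $mark table main
 exit $?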
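Review bot: The switch from `unreachable` to `prohibit` on the `fwmark $mark` rule changes what a marked outgoing TCP connect sees when no tunnel route matches — `prohibit` hands local senders EACCES (administratively prohibited) where `unreachable` gave EHOSTUNREACH — and neither the hunk nor the commit message records why. A comment above the rule would keep the choice from being reverted as a typo: `# prohibit (EACCES) rather than unreachable: report the block as a deliberate policy denial to local clients`. Which of the two same-mark rules takes precedence depends on the priority that `ip6rule_add` assigns, and that helper and the `mark=22` setup are defined before this hunk, so the comment is also the place to state the intended order.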
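--- a/keycopy.sh
+++ b/keycopy.sh
@@ -23,11 +23,56 @@ nocomments()
 sed 's/#.*//; /^ *$/d'
 }
 
+
+write_config()
+{
+conn=$1
+remote_addrs=$2
+id=$3
+cat > /etc/swanctl/conf.d/"$conn".conf <<END
+connections {
+${conn} {
+remote_addrs = ${remote_addrs}
+vips = ::
+local {
+pubkeys = ssh_host_rsa_key.pub
+auth = pubkey
+id = ${id}
+}
+remote {
+id = "${remote_addrs}"
+pubkeys = ${conn}.pub
+auth = pubkey
+}
+children {
+child {
+remote_ts = 0::0/0
+mode = tunnel
+dpd_action = restart
+}
+}
+}
+}
+secrets {
+private1 {
+file = ssh_host_rsa_key
+}
+}
+END
+}
+
 test_new_config()
 {
 ipsec stop
-cp andy.conf /etc/swanctl/conf.d/
-nocomments < andy.conf
+
+yourip=68.48.18.140
+iface=$(ip -oneline route get "$yourip" | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
+[ "$iface" ] || return
+mymac=$(ip -oneline -6 addr show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p')
+[ "$mymac" ] || return
+
+write_config andy "$yourip" "$mymac"
+
 ipsec start
 sleep 2
 swanctl -c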
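Review bot: In `test_new_config`, `ipsec stop` (new line 66) now runs before the two `|| return` guards on `iface` and `mymac`, so a failed route or link-local lookup returns with IPsec stopped and no new config written, leaving the host without its tunnel; move the `ipsec stop` line down to immediately before `write_config andy "$yourip" "$mymac"` so nothing is torn down until the inputs are known. The `mymac` capture prints every `fe80::` address on the interface, so a second link-local address would put a newline inside the `id = ${id}` value written to the swanctl config; appending `| head -n 1` to that pipeline pins it to one value, and the name is only accurate when the interface identifier is actually MAC-derived (stable-privacy addressing would break that assumption — worth a comment). `write_config` assigns `conn`, `remote_addrs` and `id` as globals that leak into the caller; `local conn=$1` and friends would contain them. The function body continues past the end of the hunk.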