1
#!/bin/sh
2-
# version: 1.0.0, 22-sep-2021, by eibgrad
2+
#DEBUG= # uncomment/comment to enable/disable debug mode
3-
# href: https://tinyurl.com/3ebyzyyu
3+
4
#          name: merlin-ovpn-port-forward.sh
5
#       version: 2.0.0, 22-jul-2022, by eibgrad
6-
SCRIPT="$SCRIPTS_DIR/nat-start"
6+
#       purpose: openvpn client firewall-based killswitch
7
#       type(s): nat-start
8
#          href: https://tinyurl.com/3ebyzyyu
9
#  installation:
10
#    1. enable jffs custom scripts and configs (administration->system)
11-
cat << "EOF" > $SCRIPT
11+
#    2. ssh to router and copy/paste the following command:
12
#         curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s SqReWZnB
13-
set -x # uncomment/comment to enable/disable debug mode
13+
#    3. modify script w/ your preferred options using nano editor:
14
#         nano /jffs/scripts/merlin-ovpn-port-forward.sh
15
#    4. reboot
16
17-
# network-interface source-ip/network protocol external-port internal-ip internal-port
17+
18-
PORT_FORWARDS='
18+
SCRIPT1="$SCRIPTS_DIR/merlin-ovpn-port-forward.sh"
19-
tun11 0.0.0.0/0 tcp 5022 192.168.1.1 22 # router ssh server
19+
SCRIPT2="$SCRIPTS_DIR/nat-start"
20-
tun11 0.0.0.0/0 tcp 5222 192.168.1.100 22 # desktop ssh server
20+
21-
tun12 0.0.0.0/0 tcp 5080 192.168.1.200 80 # laptop webserver
21+
22-
tun12 0.0.0.0/0 tcp 5443 192.168.1.200 443 # laptop webserver
22+
23-
#tun12 188.188.188.188 tcp 5088 192.168.1.210 8088
23+
# ---------------------- begin merlin-ovpn-port-forward ---------------------- #
24-
tun+ 199.199.199.0/24 udp 5999 192.168.1.210 999 # all vpn network interfaces
24+
cat << 'EOF' > $SCRIPT1
25-
'
25+
26
#set -x # comment/uncomment to disable/enable debug mode
27
{
28
# ------------------------------ BEGIN OPTIONS ------------------------------- #
29
30
# interface source-ip/net proto extern-port intern-ip intern-port [comments...]
31
PORT_FORWARDS="
32
tun11 0.0.0.0/0 tcp 10022 $(nvram get lan_ipaddr) 22 router ssh server
33
tun12 0.0.0.0/0 tcp 10080 192.168.1.200 80
34
tun12 0.0.0.0/0 tcp 10443 192.168.1.200 443
35
#tun12 188.188.188.188 tcp 10088 192.168.1.210 8088
36-
         dev="$(echo $pf | awk '{print $1}')"
36+
tun+ 199.199.199.0/24 udp 10999 192.168.1.210 999 all vpn network interfaces
37-
         src="$(echo $pf | awk '{print $2}')"
37+
"
38-
       proto="$(echo $pf | awk '{print $3}')"
38+
39-
    ext_port="$(echo $pf | awk '{print $4}')"
39+
40-
      int_ip="$(echo $pf | awk '{print $5}')"
40+
41-
    int_port="$(echo $pf | awk '{print $6}')"
41+
42
ipt() { iptables ${@/-[IA]/-D} 2>/dev/null; iptables $@; }
43
44-
    iptables -t nat -D PREROUTING -i $dev -s $src -p $proto --dport $ext_port \
44+
45-
        -j DNAT --to $int_ip:$int_port 2>/dev/null
45+
46-
    iptables -t nat -I PREROUTING -i $dev -s $src -p $proto --dport $ext_port \
46+
47-
        -j DNAT --to $int_ip:$int_port
47+
48
    echo $pf | grep -Eq '^[[:space:]]*(#|$)' && continue
49
50
    # parse port forward into separate fields
51
    for i in 1 2 3 4 5 6; do eval f$i="$(echo $pf | cut -d' ' -f$i)"; done
52-
# allow forwarding from vpn to router internal port
52+
53-
iptables -D INPUT   -i tun+ -m conntrack --ctstate DNAT -j ACCEPT 2>/dev/null
53+
54-
iptables -I INPUT   -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
54+
    ipt -t nat -I PREROUTING -i $f1 -s $f2 -p $f3 --dport $f4 \
55
        -j DNAT --to $f5:$f6
56-
# allow forwarding from vpn to internal ip+port
56+
57-
iptables -D FORWARD -i tun+ -m conntrack --ctstate DNAT -j ACCEPT 2>/dev/null
57+
58-
iptables -I FORWARD -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
58+
59
60
# allow routing from vpn to router internal port
61
ipt -I INPUT -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
62-
chmod +x $SCRIPT
62+
63
# allow routing from vpn to lan internal ip+port
64
ipt -I FORWARD -i tun+ -m conntrack --ctstate DNAT -j ACCEPT
65-
if [ -f $SCRIPT ]; then
65+
66-
    echo "error: $SCRIPT already exists; requires manual installation"
66+
exit 0
67
} 2>&1 | logger -t $(basename $0 .sh)[$$]
68
EOF
69-
    echo 'Done.'
69+
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT1
70-
fi
70+
chmod +x $SCRIPT1
71
echo "installed: $SCRIPT1"
72
# ----------------------- end merlin-ovpn-port-forward ----------------------- #
73
74
# ----------------------------- begin nat-start ------------------------------ #
75
create_script() {
76
cat << 'EOF' > $SCRIPT2
77
#!/bin/sh
78
#set -x # comment/uncomment to disable/enable debug mode
79
{
80
$SCRIPT1
81
} 2>&1 | logger -t $(basename $0)[$$]
82
EOF
83
[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT2
84
sed -i "s:\$SCRIPT1:$SCRIPT1:g" $SCRIPT2
85
chmod +x $SCRIPT2
86
}
87
88
if [ -f $SCRIPT2 ]; then
89
    echo "error: $SCRIPT2 already exists; requires manual installation"
90
else
91
    create_script
92
    echo "installed: $SCRIPT2"
93
fi
94
# ------------------------------ end nat-start ------------------------------- #
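Review bot: The field parser in the generated merlin-ovpn-port-forward.sh, `for i in 1 2 3 4 5 6; do eval f$i="$(echo $pf | cut -d' ' -f$i)"; done`, splits on single spaces only, so a PORT_FORWARDS entry aligned with two spaces or a tab yields empty fields and a malformed iptables invocation; it also routes every field through `eval`, which the awk-based parser it replaces did not do. A POSIX form that tolerates any run of whitespace and needs no eval is `set -- $pf` in place of that line, with the rule written as `ipt -t nat -I PREROUTING -i $1 -s $2 -p $3 --dport $4 -j DNAT --to $5:$6`. The loop that iterates `pf` over PORT_FORWARDS is not shown in this rendered diff, so its exact header is inferred from the `continue`. Separately, `sed -i "s:\$SCRIPT1:$SCRIPT1:g" $SCRIPT2` in create_script would produce a broken nat-start if SCRIPTS_DIR ever contained `:` or `&`, and SCRIPTS_DIR is not defined anywhere in this file — presumably it is exported by the installer pipeline invoked in the header, which is worth stating in a comment such as `# SCRIPTS_DIR is set by merlin-installer before this file is sourced`.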