diff --git a/client/server_scripts/awg/start.sh b/client/server_scripts/awg/start.sh
index 108e85df..a23d2111 100644
--- a/client/server_scripts/awg/start.sh
+++ b/client/server_scripts/awg/start.sh
@@ -11,6 +11,11 @@ wg-quick down /opt/amnezia/awg/wg0.conf
 # start daemons if configured
 if [ -f /opt/amnezia/awg/wg0.conf ]; then (wg-quick up /opt/amnezia/awg/wg0.conf); fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 # Allow traffic on the TUN interface.
 iptables -A INPUT -i wg0 -j ACCEPT
 iptables -A FORWARD -i wg0 -j ACCEPT
diff --git a/client/server_scripts/openvpn/start.sh b/client/server_scripts/openvpn/start.sh
index 4a56b5de..c3a73950 100644
--- a/client/server_scripts/openvpn/start.sh
+++ b/client/server_scripts/openvpn/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 # Allow traffic on the TUN interface.
 iptables -A INPUT -i tun0 -j ACCEPT
 iptables -A FORWARD -i tun0 -j ACCEPT
diff --git a/client/server_scripts/openvpn_cloak/start.sh b/client/server_scripts/openvpn_cloak/start.sh
index d40dafce..ea66ff4c 100644
--- a/client/server_scripts/openvpn_cloak/start.sh
+++ b/client/server_scripts/openvpn_cloak/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 # Allow traffic on the TUN interface.
 iptables -A INPUT -i tun0 -j ACCEPT
 iptables -A FORWARD -i tun0 -j ACCEPT
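Review bot: `ln -sf /sbin/xtables-nft-multi /sbin/iptables` in the added block succeeds even when that binary is not present in the image, so the script can leave `/sbin/iptables` as a dangling symlink and every `iptables -A` line that follows then fails instead of keeping the legacy backend; gate the relink on the binary, e.g. `if [ -x /sbin/xtables-nft-multi ] && lsmod | grep -qw nf_tables; then`. The `lsmod` test is also a weak proxy for "the host uses the nft backend": `lsmod` lists only loadable modules, so a kernel with nf_tables compiled in is never detected, and a loaded module does not establish where the host's existing rules live — if they are in the legacy backend, the container's rules end up in a separate nft ruleset that is evaluated independently, which is easy to misread when debugging a rule that "does not match". I would at least document this with a comment such as `# Heuristic: nf_tables in lsmod suggests the host uses the nft backend; built-in nf_tables is not detected.`. Only `/sbin/iptables` is relinked; if `iptables-save`, `iptables-restore` or `ip6tables` are used elsewhere in these images (not visible here), they keep the previous backend and will report a different ruleset than the one this script modifies. The same block is added in openvpn/start.sh, openvpn_cloak/start.sh, openvpn_shadowsocks/start.sh, wireguard/start.sh and xray/start.sh, so the same points apply there.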
diff --git a/client/server_scripts/openvpn_shadowsocks/start.sh b/client/server_scripts/openvpn_shadowsocks/start.sh
index f9ab99c4..94664e48 100644
--- a/client/server_scripts/openvpn_shadowsocks/start.sh
+++ b/client/server_scripts/openvpn_shadowsocks/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
 if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 # Allow traffic on the TUN interface.
 iptables -A INPUT -i tun0 -j ACCEPT
 iptables -A FORWARD -i tun0 -j ACCEPT
diff --git a/client/server_scripts/setup_host_firewall.sh b/client/server_scripts/setup_host_firewall.sh
index 605de511..2108b226 100644
--- a/client/server_scripts/setup_host_firewall.sh
+++ b/client/server_scripts/setup_host_firewall.sh
@@ -1,3 +1,8 @@
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ sudo update-alternatives --set iptables /usr/sbin/iptables-nft
+fi
+
 sudo sysctl -w net.ipv4.ip_forward=1
 sudo iptables -C INPUT -p icmp --icmp-type echo-request -j DROP || sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
diff --git a/client/server_scripts/wireguard/start.sh b/client/server_scripts/wireguard/start.sh
index 62d8127c..7d523c67 100644
--- a/client/server_scripts/wireguard/start.sh
+++ b/client/server_scripts/wireguard/start.sh
@@ -11,6 +11,11 @@ wg-quick down /opt/amnezia/wireguard/wg0.conf
 # start daemons if configured
 if [ -f /opt/amnezia/wireguard/wg0.conf ]; then (wg-quick up /opt/amnezia/wireguard/wg0.conf); fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 # Allow traffic on the TUN interface.
 iptables -A INPUT -i wg0 -j ACCEPT
 iptables -A FORWARD -i wg0 -j ACCEPT
diff --git a/client/server_scripts/xray/start.sh b/client/server_scripts/xray/start.sh
index 0148552f..5eeb0ca2 100644
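Review bot: `sudo update-alternatives --set iptables /usr/sbin/iptables-nft` in setup_host_firewall.sh changes the host's system-wide iptables backend as a persistent side effect that nothing on this page reverts, and if the host already has rules in the legacy backend (for example rules installed by other software before this script ran), the `sudo iptables -C ... || sudo iptables -A ...` line that follows will not find them in the nft tables and will add a second copy while the legacy rules keep being evaluated. The call also assumes a Debian-style alternatives entry at `/usr/sbin/iptables-nft`; on a host without it the command fails and, since the script just continues, the rest runs against whichever backend was already selected — gate it on `[ -x /usr/sbin/iptables-nft ]` or check its exit status rather than ignoring it. The `lsmod | grep -qw nf_tables` test has the same limits as in the container scripts: nf_tables compiled into the kernel is not listed, and a loaded module does not say which backend the existing host ruleset uses. If the switch is intended, note that only the `iptables` alternative is changed, so `ip6tables` (if used anywhere in this script — not visible here) would stay on its previous backend and IPv4 and IPv6 rules could end up in different tables.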
--- a/client/server_scripts/xray/start.sh
+++ b/client/server_scripts/xray/start.sh
@@ -5,6 +5,11 @@ echo "Container startup"
 #ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -p icmp -j ACCEPT