Friday, May 3, 2013

How to Secure IP Binding for Linux

For more info and other scripts regarding IP binding on linux, please see:



This script allows Secure IP Binding for Linux:

#!/bin/bash

cd `dirname $0`
if $1 == '-l'
then
  curl -s "http://vpn.hidemyass.com/vpnconfig/countries.php"
else
  sudo iptables -F

  COUNTRY=`echo $1 | sed 's/ /+/g'`
  curl -s "http://vpn.hidemyass.com/vpnconfig/client_config.php?win=1&loc=$COUNTRY"
> client.cfg

# Allow traffic to any HMA server.
  for remote in `cat client.cfg | awk '/remote [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { print $2; }'`;
  do
    REMOTE_IP=`echo $remote | cut -d ':' -f 1`
    sudo iptables -A INPUT -s $REMOTE_IP -j ACCEPT
  done


  # Allow local traffic.
  sudo iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
  sudo iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
  sudo iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

  # Disallow everything else.
  sudo iptables -A INPUT ! -i tun+ -j DROP

# Allow traffic from any HMA server.
  for remote in `cat client.cfg | awk '/remote [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { print $2; }'`;
  do
    REMOTE_IP=`echo $remote | cut -d ':' -f 1`
    sudo iptables -A OUTPUT -d $REMOTE_IP -j ACCEPT
  done


  # Allow local traffic.
  sudo iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
  sudo iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
  sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT

  # Disallow everything else.
  sudo iptables -A OUTPUT ! -o tun+ -j DROP

  sudo openvpn --config client.cfg --auth-user-pass client.cred --daemon
fi

Note that this Script requires a username/password auth-user-pass file called "client.cred" in the working directory of the script.

It should be formatted thusly:
YourUserName
YourPassword

Type "man openvpn" for more information.

No comments:

Post a Comment