jessez

Re: iptables easy setup shell script and using multiple server IPs


Hi all,

Well, as it turns out, the method I used to make a list of usable AirVPN server addresses is more complicated than I originally knew about, but with lots of research and uncountable reboots of my Linux box, I think I have the glitches worked out.

This method has the requirement of the package ipset (sudo yum install ipset)

RHEL 6 and clones (Oracle Linux, ScientificLinux and CentOS) do not have a kmod-ipset (that I could find).

The ip_set module has to be loaded manually, as none of netfilter, iptables or conntrack call the module themselves. As far as I know some Linux distros do have a kmod for ip_set, so that would make using the sysconfig/ipset.conf not necessary and also throw a boot-time error (fatal or not).

Probably just using the /etc/sysconfig/ipset-airvpn.sh and a modification to the /init.d/iptables file would be enough for those distros, but we'll see how testing goes with that (if anyone decides to try testing this on other distros).

The ip_set module has to be loaded and a script run to load the ip_set script (creates and contains the AirVPN server IP addresses), so that there is a table to be read by the time iptables_restore runs (otherwise iptables_restore throws an error that no ipset "airvpn" exists).

So there are 3 files (the first two I created, the last one is a system file that needs a modification):

1)

/etc/sysconfig/ipset.conf

This script file tests to see if the ip_set module is loaded already and loads it into the kernel (modprobe) if not.

2)

/etc/sysconfig/ipset-airvpn.sh

This file creates and fills the ip_set table of AirVPN server addresses. I haven't listed the servers, so that no one can just open the file and get the server IPs. Add the ones you want where the a.b.c.d's are. Add or subtract lines as necessary. I think I added enough buffers so that all the servers should be able to go into the table (which lives in RAM while the system is up and is lost at shutdown/restart). After running the script use:

sudo ipset -L airvpn to make sure all the servers you added to the script are there (it's easiest just to count the lines if you know how many servers you added in the first place). If not, change the part hashsize 65536 to the next larger, hashsize 131072 (doing this obviously eats up RAM, so don't change it unless you need to). Note that the hashsize can start at 1024 and double each time from there: if you're only using one or two servers and have a need to conserve RAM, just change it down, re-run the script and sudo ipset -L airvpn again to check all your desired servers are listed, and keep doubling it until they are. If anyone is wondering about the -exist, it's there in case of accidental duplication of an IP address, so the script won't fail.

3)

/etc/init.d/iptables

This is the system file, so be careful; add 2 new lines that become line 55 and line 56:

# Load /etc/sysconfig/ipset-airvpn.sh to make the airvpn table

sh /etc/sysconfig/ipset-airvpn.sh

4)

OK, that should be it; iptables and the "airvpn" ipset table should now survive a reboot with no errors. Test by rebooting and trying internet access of any and/or several kind(s) before starting a VPN connection when the desktop is up. If it's working you will have no internet before starting a VPN connection, and be able to connect to any of the servers you added to ipset-airvpn.sh without OpenVPN throwing an error (probably: write UDPv4 []: Operation not permitted (code=1)).

Let me know of any glitches or suggestions. I am familiar with some other linux distros so if anyone needs assistance with an issue on a different one, don't hesitate to ask. This coming week I will be very busy with a family commitment so I may not be able to help in a very timely manner, but I will have time here and there; just so everyone knows...lol

Note: take the .txt extension off of the 2 files and put them in the appropriate folders as listed above.

Regards,

jz

ipset-airvpn.sh.txt
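The following is an added example in the spirit of the two files described in the post, not jessez's attached ipset-airvpn.sh. It assumes ipset 6.x command syntax (ipset create/add/list), a set named airvpn, and a hashsize chosen by the post's "start at 1024 and double" rule; the addresses in the usage line are constructed placeholders, not AirVPN servers.

```shell
#!/bin/sh
# Example helper functions for an ipset "airvpn" table (added example,
# not the post's attached script). Assumes ipset 6.x syntax.

SET_NAME=airvpn

# Smallest power of two that is >= 1024 and >= the number of entries,
# following the post's advice to start at 1024 and double as needed
# (a constructed heuristic, not ipset's own sizing rule).
airvpn_hashsize() {
    n=$1
    size=1024
    while [ "$size" -lt "$n" ]; do
        size=$((size * 2))
    done
    echo "$size"
}

# Emit a script like /etc/sysconfig/ipset-airvpn.sh: one create line,
# then one add line per address. -exist keeps a duplicated address or
# an already-existing set from failing the run, as the post explains.
airvpn_ipset_script() {
    hs=$(airvpn_hashsize "$#")
    printf 'ipset create %s hash:ip hashsize %s -exist\n' "$SET_NAME" "$hs"
    for ip in "$@"; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
    done
}

# Count member lines (bare dotted quads) in "ipset list airvpn" output
# read from stdin, so the result can be compared with the number added.
airvpn_count_members() {
    grep -Ec '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# Load ip_set only when it is not already present (what ipset.conf does).
airvpn_ensure_module() {
    if ! lsmod | grep -q '^ip_set '; then
        modprobe ip_set
    fi
}

# Usage (constructed placeholder addresses; run as root to apply):
#   airvpn_ensure_module
#   airvpn_ipset_script 192.0.2.10 192.0.2.11 | sh
#   ipset list airvpn | airvpn_count_members
```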
