New branch

2025-08-10 15:34:34 +02:00 · 2025-08-10 15:34:34 +02:00 · 58d70409b5
commit 58d70409b5
31 changed files with 9093 additions and 0 deletions
--- a/configs/iptables-save.conf
+++ b/configs/iptables-save.conf
@ -0,0 +1,54 @@
+# VPN Gateway IPTables Rules Template
+# This is a template - actual rules are generated by killswitch.sh
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# Loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Established connections
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# LAN (will be replaced with actual interface/network)
+-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
+-A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
+
+# DNS for root only (for initial VPN connection)
+-A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT
+-A OUTPUT -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT
+
+# VPN Forward
+-A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
+
+# Log dropped packets (optional)
+# -A INPUT -j LOG --log-prefix "DROP-IN: " --log-level 4
+# -A OUTPUT -j LOG --log-prefix "DROP-OUT: " --log-level 4
+# -A FORWARD -j LOG --log-prefix "DROP-FWD: " --log-level 4
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# NAT will be added dynamically when VPN connects
+# -A POSTROUTING -o wg0 -j MASQUERADE
+
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT