From 1be7733c0b13bd3b5a257ca47a960c7b1ae8d727 Mon Sep 17 00:00:00 2001
From: DrXala <drxala@free.fr>
Date: Sun, 16 Jul 2017 12:55:09 +0200
Subject: [PATCH] Install iptables systemd service for Debian, Ubuntu and
 Centos. Fix iptables install for ArchLinux.

---
 openvpn-install.sh | 67 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 66 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 3bcd725..0211023 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -23,6 +23,7 @@ if [[ -e /etc/debian_version ]]; then
 	OS="debian"
 	# Getting the version number, to verify that a recent version of OpenVPN is available
 	VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
+  IPTABLES='/etc/iptables/iptables.rules'
 	RCLOCAL='/etc/rc.local'
 	SYSCTL='/etc/sysctl.conf'
 	if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
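Review bot: The new `IPTABLES` assignment on the Debian branch (and the matching CentOS and Arch ones later in the patch) is never read: every place this patch writes or restores the ruleset uses the literal `/etc/iptables/iptables.rules` (the `iptables-save >` lines and the unit's `ExecStart`), so the variable is dead code as far as the diff shows, unless a hunk outside this view consumes it. Either reference it where the path is used, `iptables-save > "$IPTABLES"`, or drop the three assignments. The added line is also indented with two spaces while the surrounding lines use tabs; match the file's tab indentation. The enclosing if/elif distro chain starts before this hunk.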
@@ -42,12 +43,14 @@ if [[ -e /etc/debian_version ]]; then
 	fi
 elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
 	OS=centos
+  IPTABLES='/etc/iptables/iptables.rules'
 	RCLOCAL='/etc/rc.d/rc.local'
 	SYSCTL='/etc/sysctl.conf'
 	# Needed for CentOS 7
 	chmod +x /etc/rc.d/rc.local
 elif [[ -e /etc/arch-release ]]; then
 	OS=arch
+  IPTABLES='/etc/iptables/iptables.rules'
 	RCLOCAL='/etc/rc.local'
 	SYSCTL='/etc/sysctl.d/openvpn.conf'
 else
@@ -338,9 +341,71 @@ else
 		# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
 		# The we install OpenVPN
 		apt-get install openvpn iptables openssl wget ca-certificates curl -y
+    # Install iptables service
+    if [[ ! -e /etc/systemd/system/iptables.service ]]; then
+      mkdir /etc/iptables
+      iptables-save > /etc/iptables/iptables.rules
+      echo "#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+      chmod +x /etc/iptables/flush-iptables.sh
+      echo "[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+      systemctl daemon-reload
+      systemctl enable iptables.service
+    fi
 	elif [[ "$OS" = 'centos' ]]; then
 		yum install epel-release -y
 		yum install openvpn iptables openssl wget ca-certificates curl -y
+    # Install iptables service
+    if [[ ! -e /etc/systemd/system/iptables.service ]]; then
+      mkdir /etc/iptables
+      iptables-save > /etc/iptables/iptables.rules
+      echo "#!/bin/sh
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+      chmod +x /etc/iptables/flush-iptables.sh
+      echo "[Unit]
+Description=Packet Filtering Framework
+DefaultDependencies=no
+After=systemd-sysctl.service
+Before=sysinit.target
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules
+ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules
+ExecStop=/etc/iptables/flush-iptables.sh
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+      systemctl daemon-reload
+      systemctl enable iptables.service
+    fi
 	else
 		# Else, the distro is ArchLinux
 		echo ""
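Review bot: The unit written here cannot start: systemd does not perform shell redirection in `ExecStart=`/`ExecReload=`, so `<` and the path are passed to iptables-restore as literal arguments and the restore fails at boot, leaving the host with the kernel's default empty, all-ACCEPT ruleset (this applies to both the Debian and CentOS copies of the heredoc). iptables-restore takes the rules file as a positional argument, so the lines should read `ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules` and `ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules`. Note also that `ExecStop=` runs flush-iptables.sh, which flushes every table and resets every policy to ACCEPT, so `systemctl stop iptables` opens the firewall completely — a deliberate trade-off that deserves a comment in the script such as `# Stopping the service flushes all rules and falls back to ACCEPT policies`. `iptables-save` here snapshots the ruleset as it stands right after package installation, before the script has added any OpenVPN forwarding/NAT rules, so unless those rules are saved into this file later the service will restore a ruleset without them. The `[[ ! -e /etc/systemd/system/iptables.service ]]` guard also misses a vendor unit under /usr/lib/systemd/system (e.g. CentOS's iptables-services package), which the file written to /etc would silently override.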
@@ -379,7 +444,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
 		# Install dependencies
 		pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
 		if [[ "$OS" = 'arch' ]]; then
-			touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
+			iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
 			systemctl enable iptables
 			systemctl start iptables
 		fi
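Review bot: `iptables-save > /etc/iptables/iptables.rules` overwrites unconditionally, so on a host that already has a persisted Arch ruleset (or on a re-run of this installer) any rules in that file that are not currently loaded in the kernel are lost before `systemctl start iptables` restores it. Since the comment only requires the file to exist, guard the write: `[[ -e /etc/iptables/iptables.rules ]] || iptables-save > /etc/iptables/iptables.rules`. The enclosing else branch of the distro switch begins before this hunk.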