# Règles IPV4
# Pour permettre aux noeuds du LAN avec des adresses IP privées de communiquer avec les réseaux public externes, configurez le pare-feu pour le masquage d'IP, qui masque les requêtes provenant des noeuds du LAN avec l'adresse IP du périphérique externe du pare-feu (dans ce cas, eth0) :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP ipv4 for eth0"
iptables -A FORWARD -s 10.8.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic ipv4 from clients to eth0"

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP ipv4 for tun0"
iptables -A FORWARD -s 10.8.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv4 from wlan0 clients to tun0"
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv4 from eth0 clients to tun0"

# Règles IPV6
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP ipv6 for eth0"
ip6tables -A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic ipv6 from clients to eth0"
-
ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP ipv6 for tun0"
ip6tables -A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv6 from wlan0 clients to tun0"
ip6tables -A FORWARD -s 2a01:e34:ee6a:b270:c2:9ff:fe40:f22b/64 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv6 from eth0 clients to tun0"

sudo systemctl restart hostapd
sudo systemctl restart isc-dhcp-server

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip6tables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ip6tables -A FORWARD -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -j ACCEPT

Règles IPV6
/etc/openvpn/iptables.ipv6.nat

# Generated by ip6tables-save v1.4.21 on Tue Dec 27 20:12:22 2016
*filter
:INPUT ACCEPT [1462:138332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [74:5720]
-A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic ipv6 from clients to eth0" -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv6 from wlan0 clients to tun0" -j ACCEPT
# -A FORWARD -s 2a01:e34:ee6a:b270::/64 -i eth0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv6 from eth0 clients to tun0" -j ACCEPT
COMMIT
# Completed on Tue Dec 27 20:12:22 2016
# Generated by ip6tables-save v1.4.21 on Tue Dec 27 20:12:22 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [9:711]
:POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -o eth0 -m comment --comment "Use VPN IP ipv6 for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP ipv6 for tun0" -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 20:12:22 2016

Règles IPV4
/etc/openvpn/iptables.ipv4.nat

# Generated by iptables-save v1.4.21 on Tue Dec 27 20:12:13 2016
*filter
:INPUT ACCEPT [1475:288033]
:FORWARD ACCEPT [859:195723]
:OUTPUT ACCEPT [1715:267328]
-A FORWARD -s 10.8.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic ipv4 from clients to eth0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.8.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv4 from wlan0 clients to tun0" -j ACCEPT
# -A FORWARD -s 192.168.0.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv4 from eth0 clients to tun0" -j ACCEPT
COMMIT
# Completed on Tue Dec 27 20:12:13 2016
# Generated by iptables-save v1.4.21 on Tue Dec 27 20:12:13 2016
*nat
:PREROUTING ACCEPT [36:3145]
:INPUT ACCEPT [5:1258]
:OUTPUT ACCEPT [2:157]
:POSTROUTING ACCEPT [1:48]
# -A POSTROUTING -o eth0 -m comment --comment "Use VPN IP ipv4 for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP ipv4 for tun0" -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 20:12:13 2016

sudo systemctl restart hostapd
sudo systemctl restart isc-dhcp-server

sudo systemctl enable isc-dhcp-server
sudo systemctl enable hostapd

sudo nano /etc/iptables.up.rules

*filter  
:INPUT DROP [0:0]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0]  
-A INPUT -i lo -j ACCEPT  
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT  
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT  
-A INPUT -p udp -m udp --dport 53 -j ACCEPT  
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat  
:PREROUTING ACCEPT [0:0]  
:POSTROUTING ACCEPT [0:0]  
:OUTPUT ACCEPT [0:0]  
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT