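#!/bin/bash
# Bridge-mode firewall: rebuilds the iptables ruleset for a host whose public
# interface is a bridge port, then persists it. The variables (IPT, PUB_IP,
# PUB_IF, BR_IF, BR_NET, DNS) and the ipt_* helpers / cli_* and srv_* chains
# come from ipt-conf.sh and ipt-firewall.sh, which live next to this script.
echo "setting bridge network..."

# Abort on any unset variable. An unset ${PUB_IP} or ${BR_NET} does not fail
# loudly in the rules below: the empty expansion simply disappears from the
# argument list and a narrowly scoped rule turns into a much broader one.
set -u

# Locate the helper files relative to this script instead of the caller's
# working directory, so the ruleset cannot be built from a stray ipt-conf.sh
# picked up from wherever the script happens to be invoked.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1
source "${script_dir}/ipt-conf.sh" || exit 1
source "${script_dir}/ipt-firewall.sh" || exit 1

# Everything the rules below depend on must be present before the existing
# ruleset is flushed (these are presumably all defined by ipt-conf.sh).
: "${IPT:?IPT is not set}" "${PUB_IP:?PUB_IP is not set}" \
  "${PUB_IF:?PUB_IF is not set}" "${BR_IF:?BR_IF is not set}" \
  "${BR_NET:?BR_NET is not set}" "${DNS:?DNS is not set}"

ipt_clear
ipt_tables

# Unlimited on loopback (both 127/8 and the host's own public address).
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A INPUT -i lo -s "${PUB_IP}" -d "${PUB_IP}" -j ACCEPT
$IPT -A OUTPUT -o lo -s "${PUB_IP}" -d "${PUB_IP}" -j ACCEPT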

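######## NAT Prerouting Chain  ######
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

######## Forward Chain  ######
#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#
## Allow all for BR_NET
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -s "${BR_NET}" -d "${BR_NET}" -j ACCEPT

## DHCP (discover/request from an unconfigured client: 0.0.0.0 -> broadcast)
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp

## Allow access from bridge to gateway wifi interface
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out

##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out

## allow output from BR_NET to external
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -s "${BR_NET}" -j ACCEPT

## Traffic arriving on the public bridge port. The per-service chains
## (defined in ipt-firewall.sh, not visible here) decide what is accepted.
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -s "${DNS}" -d "${PUB_IP}" -j cli_dns_in
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j srv_http_in
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j srv_https_in
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j srv_ssh_in
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j srv_git_in
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j srv_ntp
## Return traffic for outbound HTTPS from the bridge. This is matched on the
## source port alone, so "! --syn" is essential: without it any outside host
## could open a connection to every high port on every bridge host simply by
## sending from port 443. (A "-m conntrack --ctstate ESTABLISHED" match would
## be stronger still if connection tracking is available on the bridge.)
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -p tcp ! --syn --sport 443 --dport 1024:65535 -j ACCEPT

$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.3 -j cli_http_in
## High-port to high-port replies towards 10.0.0.3. Same reasoning as above:
## only non-SYN segments, otherwise every unprivileged port on 10.0.0.3 is
## reachable from outside. If 10.0.0.3 is meant to accept inbound connections
## on high ports (e.g. passive FTP data), add an explicit rule for that instead.
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.3 -p tcp ! --syn --dport 1024:65535 --sport 1024:65535 -j ACCEPT
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}" -m physdev --physdev-in "${PUB_IF}" -d 10.0.0.4 -j cli_http_in
##Less noise (RIP chatter is dropped silently instead of reaching the log rule)
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}"  -p udp --dport 519 --sport 520 -j DROP
$IPT -A FORWARD -i "${BR_IF}" -o "${BR_IF}"  -p udp --dport 520 --sport 520 -j DROP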

######## Input Chain ######
# Everything addressed to the host itself passes the blocker chain first
# (defined in ipt-firewall.sh; its contents are not visible here).
$IPT -A INPUT -j blocker

##Less noise
$IPT -A INPUT -i "${BR_IF}" -d "${PUB_IP}" -p tcp  --sport 3030 --dport 1024:65535 -j DROP
#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j ACCEPT

# Services the host offers to the bridge network. DHCP is the only one not
# scoped to BR_NET (the FORWARD rule above matches it from 0.0.0.0); the
# rest are reachable from BR_NET only.
$IPT -A INPUT -i "${BR_IF}" -j srv_dhcp
for svc_chain in srv_dns_in srv_icmp srv_ssh_in cli_http_in; do
  $IPT -A INPUT -i "${BR_IF}" -d "${PUB_IP}" -s "${BR_NET}" -j "${svc_chain}"
done

# Replies to the host's own client traffic. DNS answers are accepted only
# from the configured resolver; the other chains are not scoped by source.
$IPT -A INPUT -i "${BR_IF}" -d "${PUB_IP}" -s "${DNS}" -j cli_dns_in
for reply_chain in cli_https_in cli_git_in cli_ssh_in srv_ntp; do
  $IPT -A INPUT -i "${BR_IF}" -d "${PUB_IP}" -j "${reply_chain}"
done

#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in

## PXE server
#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT

######## Output Chain ######

##Less noise
$IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -p tcp --dport 3030 --sport 1024:65535 -j DROP

# Replies from the services the host offers: scoped to BR_NET where the
# matching INPUT rule is, unscoped for git and ICMP (as in the original layout).
for svc_chain in srv_dhcp srv_dns_out srv_ssh_out; do
  $IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -d "${BR_NET}" -j "${svc_chain}"
done
$IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -j srv_git_out
$IPT -A OUTPUT -o "${BR_IF}" -j srv_icmp
#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp

# The host's own client traffic. DNS only to the configured resolver.
$IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -d "${DNS}" -j cli_dns_out
for cli_chain in cli_ssh_out cli_git_out cli_http_out; do
  $IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -d "${BR_NET}" -j "${cli_chain}"
done

# NOTE(review): cli_git_out and cli_http_out are entered again here without
# the BR_NET scope, so the scoped rules above only matter if those chains
# RETURN (or log/limit) differently on the first pass -- confirm that is
# intended before simplifying.
for cli_chain in cli_https_out cli_git_out cli_http_out srv_ntp; do
  $IPT -A OUTPUT -o "${BR_IF}" -s "${PUB_IP}" -j "${cli_chain}"
done

#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out

#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp

## PXE Server
#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT

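######## PostRouting Chain ######
##Less noise
##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "

## log everything else and drop
ipt_log

# Persist the ruleset for the next boot. A plain "iptables-save > file"
# truncates the file before iptables-save runs, so a failure (or a crash
# mid-write) would leave an empty ruleset to be restored next time -- i.e.
# a host that boots with no firewall. Write to a temp file in the same
# directory and rename it over the old one only on success; mktemp's 0600
# mode is kept, since the dump describes the whole internal addressing plan.
saved_rules=/etc/iptables/bridge.v4
tmp_rules=$(mktemp "${saved_rules}.XXXXXX") || exit 1
if iptables-save > "${tmp_rules}"; then
  mv -f -- "${tmp_rules}" "${saved_rules}"
else
  rm -f -- "${tmp_rules}"
  echo "iptables-save failed; ${saved_rules} left unchanged" >&2
  exit 1
fi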