about summary refs log blame commit diff stats
path: root/core/conf/iptables/ipt-bridge.sh
blob: fa987a565d8f07b66f8ebee0e4b9f74915c2f574 (plain) (tree)





















                                                                                                        

                                                                           












                                                          























                                                                                                             



























                                                                                                                            




                                                                                                              








                                                                                                                 






                                                                                      
                                                               
                                                                 
 

                                                                     
                                                                       

                                     














                                                                                 




                                                                                                    








                                                                                      
                                                                
                                                                  









                                                                    








                                                          



                                                                                                         









                                                                                                                                     
#!/bin/bash

echo "setting bridge ${BR_IF} network..."
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited on loopback
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

####### NAT Prerouting Chain  ######
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

####### Forward Chain  ######
$IPT -A FORWARD -j blocker
$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT

# Allow access from bridge to gateway wifi interface
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out

#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out

# allow output from BR_NET to external
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT

# allow input from public bridged interface facing Internet 
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in

######## Forward TAP2 ssh, http and https  ######
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
#
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out

$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out


#Less noise
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP


#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#
# Tap1
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
#
#
## Tap3
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
#
#
# Tap1, Tap2 and Tap3 can access external https

#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in



#
#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
#
#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp

#
####### Input Chain ######
$IPT -A INPUT -j blocker
#Less noise
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
  
$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in

$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in

# c2.ank /iso -> c9.ank /srv/qemu/iso
$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
# hyperbola servers
$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT

####### Output Chain ######
$IPT -A OUTPUT -j blocker

#Less noise
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out

$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out

$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out

# Hyperbola servers
$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# c2.ank /iso -> c9.ank /srv/qemu/iso
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4  -j srv_http_out

####### PostRouting Chain ######
#Less noise
#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT

$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE

#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "