authorSilvino Silva <silvino@bk.ru>2019-03-04 14:54:54 +0000
committerSilvino Silva <silvino@bk.ru>2019-03-04 14:54:54 +0000
commitd8ca8eb382059b22ae8a8cf17578713241a9a085 (patch)
tree2d6fba06be991d60fcbbbd2367df2dfc0be7a025
parentb1a383c919d31f00f591a0b712891c74a7513783 (diff)
downloaddoc-d8ca8eb382059b22ae8a8cf17578713241a9a085.tar.gz
core iptables scripts revision
-rw-r--r--core/conf/iptables/ipt-bridge.sh14
-rw-r--r--core/conf/iptables/ipt-conf.sh1
-rw-r--r--core/conf/iptables/ipt-firewall.sh2
-rw-r--r--core/conf/rc.d/iptables4
4 files changed, 16 insertions, 5 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 6ad26fa..fa987a5 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -109,9 +109,11 @@ $IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
 $IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
 $IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
   
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
 $IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
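Review bot: The new DNS rule on the WiFi interface matches any destination inside ${WIFI_NET}, whereas the rule directly above it pins the destination to ${PUB_IP}; in INPUT that still only covers addresses the host itself owns, but the wider match hides which local address the resolver is meant to answer on and will quietly cover any alias added to that interface later. If ipt-conf.sh defines the host's WiFi address, pinning `-d` to it keeps the rule as tight as its neighbours; otherwise a comment such as `# resolver also answers on the host's own WiFi-net address` would record the intent. The added `srv_icmp` rule for the bridge has the same shape, accepting ICMP from ${BR_NET} to anything in ${WIFI_NET}.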
@@ -129,6 +131,11 @@ $IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
 $IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
 $IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
 
+# c2.ank /iso -> c9.ank /srv/qemu/iso
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
+# hyperbola servers
+$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
 ####### Output Chain ######
 $IPT -A OUTPUT -j blocker
 
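Review bot: The `hyperbola servers` ACCEPT at the end of the hunk is the only INPUT rule in this file with neither an interface nor an address restriction: any RELATED/ESTABLISHED TCP segment with source port 50100 is accepted on every interface, so the only thing bounding it is conntrack's memory of an outbound connection the OUTPUT side allowed. Pinning it to where those servers actually live, e.g. `$IPT -A INPUT -i ${BR_IF} -s ${HYPERBOLA_IP} -p tcp --sport 50100 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT` with the address kept in ipt-conf.sh next to GW and DNS, keeps it as narrow as the rest of the chain, and the comment should say which service listens on 50100 since it is not a registered port. The `tap2` physdev rule is also the first hard-coded interface name in this file; a `${TAP_IF}`-style variable would match the `${BR_IF}`/`${WIFI_IF}` convention, and as far as I know `--physdev-in` in INPUT only sees bridged frames when br_netfilter is loaded with bridge-nf-call-iptables enabled, which is worth a comment so the rule is not assumed to work on a host without it.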
@@ -139,6 +146,7 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp
 
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
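Review bot: The added OUTPUT rule only covers packets the host itself generates from an address in ${WIFI_NET} and sends out ${BR_IF}, which looks like the reply path for the INPUT rule that accepts ${BR_NET} -> ${WIFI_NET} ICMP; traffic from WiFi clients toward the bridge never traverses OUTPUT, it goes through FORWARD. A one-line comment, `# reply path: host answers ICMP from its WiFi-net address out the bridge`, would stop a later reader from treating this as a client rule, and if WiFi clients were in fact meant to reach ${BR_NET} the rule belongs in the FORWARD chain instead.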
@@ -149,7 +157,6 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
 
-
 $IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
@@ -159,7 +166,10 @@ $IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
 $IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
 $IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
 
-#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+# Hyperbola servers
+$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+# c2.ank /iso -> c9.ank /srv/qemu/iso
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4  -j srv_http_out
 
 ####### PostRouting Chain ######
 #Less noise
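Review bot: The new outbound `Hyperbola servers` rule has no `-o`, `-s` or `-d`, so it lets the host open a NEW TCP connection to port 50100 on any address via any interface, which is far looser than the neighbouring rules that pin `-d ${DNS}` or `-o ${BR_IF} -s ${PUB_IP}`; the cli_*_out chains in this file exist precisely to avoid bare ACCEPTs in OUTPUT. I would define the server address(es) in ipt-conf.sh and restrict it the way the http/https lines above are: `$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${HYPERBOLA_IP} -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,ESTABLISHED -j ACCEPT`, keeping RELATED only if the service really depends on a conntrack helper. The `10.0.0.4` literal on the srv_http_out line should likewise become a variable alongside GW and PUB_IP, with the `c2.ank -> c9.ank` comment saying that it is c9's address.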
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index eef0b52..52669dc 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -12,6 +12,7 @@ GW="10.0.0.1"
 #GW="10.0.0.2"
 #DNS="10.0.0.254"
 DNS="212.55.154.174"
+#DNS="8.8.8.8"
 
 PUB_IP="10.0.0.254"
 PUB_IF="enp8s0"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 4697de0..6ea613a 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -197,7 +197,7 @@ ipt_tables () {
     $IPT -A cli_ftp_in -j RETURN
     $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
     $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-    $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+    $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
     $IPT -A cli_ftp_out -j RETURN
 
     ######## GIT client
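Review bot: Dropping NEW from the high-port rule means a passive-mode data connection (the client opening a fresh TCP connection to the server's advertised high port) is now only accepted if conntrack has already tagged it RELATED, which happens only when nf_conntrack_ftp is loaded and attached to the port-21 control connection (on recent kernels that needs a CT helper rule or nf_conntrack_helper=1); without that, passive FTP breaks silently while the control channel still works. Worth recording directly above the rule: `# high-port data channel: RELATED only via nf_conntrack_ftp on the port-21 control connection; passive mode needs the helper active`. The enclosing ipt_tables function starts before this hunk.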
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 26a48b4..9471f99 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -13,13 +13,13 @@ case $1 in
 			## log everything else and drop
 			ipt_log
 
-			iptables-save > /etc/iptables/net.v4
+			iptables-save > /etc/iptables/bridge.v4
 			;;
 		    server)
 			source /etc/iptables/iptables-conf.sh
 
 			## log everything else and drop
-			iptables_log
+			ipt_log
 
 			iptables-save > /etc/iptables/net.v4
 			;;