author | Silvino Silva <silvino@bk.ru> | 2019-03-04 14:54:54 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2019-03-04 14:54:54 +0000 |
commit | d8ca8eb382059b22ae8a8cf17578713241a9a085 (patch) | |
tree | 2d6fba06be991d60fcbbbd2367df2dfc0be7a025 | |
parent | b1a383c919d31f00f591a0b712891c74a7513783 (diff) | |
download | doc-d8ca8eb382059b22ae8a8cf17578713241a9a085.tar.gz |
core iptables scripts revision
-rw-r--r-- | core/conf/iptables/ipt-bridge.sh | 14 | ||||
-rw-r--r-- | core/conf/iptables/ipt-conf.sh | 1 | ||||
-rw-r--r-- | core/conf/iptables/ipt-firewall.sh | 2 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 4 |
4 files changed, 16 insertions, 5 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index 6ad26fa..fa987a5 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -109,9 +109,11 @@ $IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP $IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in +$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp @@ -129,6 +131,11 @@ $IPT -A INPUT -i ${WIFI_IF} -j cli_http_in $IPT -A INPUT -i ${WIFI_IF} -j cli_git_in $IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in +# c2.ank /iso -> c9.ank /srv/qemu/iso +$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in +# hyperbola servers +$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT + ####### Output Chain ###### $IPT -A OUTPUT -j blocker @@ -139,6 +146,7 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp +$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out 
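Review bot: The two added INPUT rules match on `-d ${WIFI_NET}`, a whole network, where every neighbouring rule in this chain matches on the host's concrete address `${PUB_IP}`; INPUT only ever sees packets addressed to the host itself, so the network match can only hit the host's own wifi-side address (if that address lies in ${WIFI_NET}, which this diff does not show) and is either needless breadth or a sign the rules were meant for FORWARD (bridge-net to wifi-client ICMP, wifi-client DNS), which they will not match. If the host's wifi-side address is the intended target, name it once in ipt-conf.sh (e.g. `WIFI_IP="..."`, if no such variable exists) and use it here: `$IPT -A INPUT -i ${BR_IF} -d ${WIFI_IP} -s ${BR_NET} -j srv_icmp` and `$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_IP} -j srv_dns_in`. That keeps the accept surface as narrow as the surrounding rules and makes the intent readable without knowing the subnet layout.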
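Review bot: The new "hyperbola servers" rule `$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT` carries no `-i`, `-s` or `-d`, unlike every other rule in this chain, so it accepts return traffic from any host on any interface as long as the source port is 50100; the state match limits this to connections the host itself opened, but the companion OUTPUT rule later in this commit opens NEW connections to port 50100 anywhere, so the pair is an unscoped hole rather than a pinhole to specific servers. Scope it like its neighbours, `-i ${BR_IF} -s ${HYPERBOLA_SRV}`, with the server address(es) defined in ipt-conf.sh next to GW/DNS/PUB_IP. The physdev rule hard-codes `tap2` while every other interface comes from a variable; `TAP_ISO_IF="tap2"` in ipt-conf.sh and `--physdev-in ${TAP_ISO_IF}` keeps the addressing in one place. Note also that `-m physdev` only matches when br_netfilter is loaded; nothing in this diff loads it, so if it is absent the rule silently never fires and the ISO HTTP traffic falls through to whatever follows.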
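Review bot: `$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp` uses a network as `-s` in the OUTPUT chain, which only carries packets the host itself generates; the only packets that can match are ones sourced from the host's own wifi-side address (e.g. echo replies to the bridge net), so the rule is broader than it needs to be and reads as if it were meant to cover wifi clients, which would require a FORWARD rule instead. If the host's address is the intent, use it explicitly (a `WIFI_IP` variable in ipt-conf.sh, added if absent): `$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_IP} -d ${BR_NET} -j srv_icmp`. Whether the wifi-side address is inside ${WIFI_NET} cannot be confirmed from this diff.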
@@ -149,7 +157,6 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out - $IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out $IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out $IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out @@ -159,7 +166,10 @@ $IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out $IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out $IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out -#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out +# Hyperbola servers +$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +# c2.ank /iso -> c9.ank /srv/qemu/iso +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_http_out ####### PostRouting Chain ###### #Less noise diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index eef0b52..52669dc 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -12,6 +12,7 @@ GW="10.0.0.1" #GW="10.0.0.2" #DNS="10.0.0.254" DNS="212.55.154.174" +#DNS="8.8.8.8" PUB_IP="10.0.0.254" PUB_IF="enp8s0" diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh index 4697de0..6ea613a 100644 --- a/core/conf/iptables/ipt-firewall.sh +++ b/core/conf/iptables/ipt-firewall.sh @@ -197,7 +197,7 @@ ipt_tables () { $IPT -A cli_ftp_in -j RETURN $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A cli_ftp_out -p tcp --dport 20 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + $IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A cli_ftp_out -j RETURN ######## GIT client diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 26a48b4..9471f99 100644 
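Review bot: `$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT` lets any local process open a connection to port 50100 on any destination over any interface, far broader than the per-interface, per-source egress rules directly above it (`-o ${BR_IF} -s ${PUB_IP}`); if it is for specific Hyperbola mirrors, pin it: `$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${HYPERBOLA_SRV} -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT`, with HYPERBOLA_SRV defined in ipt-conf.sh. The following line hard-codes `-d 10.0.0.4` while GW, DNS and PUB_IP all live in ipt-conf.sh; a named variable such as `ISO_SRV="10.0.0.4"` keeps addressing in one file and ties the rule to the `c2.ank -> c9.ank` comment. Both new rules are bare ACCEPTs rather than jumps into the srv_/cli_ chains the file otherwise uses, so they skip whatever those chains do on the way to ACCEPT; what that is cannot be seen here, since the chain bodies are in ipt-firewall.sh.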
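Review bot: Dropping NEW from `$IPT -A cli_ftp_out -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT` is the right tightening (the old line accepted any outbound high-port-to-high-port connection, not just FTP data), but the rule now depends on the FTP connection-tracking helper classifying the passive data connection as RELATED. With `nf_conntrack_ftp` not loaded, or on kernels 4.7+ without `nf_conntrack_helper=1` or an explicit raw-table `-j CT --helper ftp` rule for port 21, passive transfers will now be dropped, and nothing in this diff loads the helper. Add a comment on the line, `# passive data: relies on nf_conntrack_ftp marking the data connection RELATED`, and make sure the rc script or a modprobe config actually loads it. ipt_tables() continues beyond this hunk.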
--- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -13,13 +13,13 @@ case $1 in ## log everything else and drop ipt_log - iptables-save > /etc/iptables/net.v4 + iptables-save > /etc/iptables/bridge.v4 ;; server) source /etc/iptables/iptables-conf.sh ## log everything else and drop - iptables_log + ipt_log iptables-save > /etc/iptables/net.v4 ;; |
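Review bot: The `iptables_log` to `ipt_log` fix in the `server)` branch means the previous version called an undefined function; nothing visible here enables `set -e`, so the script would have printed "command not found" and still run `iptables-save`, persisting a ruleset that never reached the final log-and-drop stage. Guard the call so that cannot recur silently, `ipt_log || { echo 'ipt_log failed' >&2; exit 1; }`, or add `set -eu` near the top of the script (outside this hunk). The bridge branch now saves to bridge.v4 while server keeps net.v4; whichever restore/start path reads these files is not in the diff, so confirm it selects the file per mode rather than always loading net.v4. The enclosing `case` starts before this hunk.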