about summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorSilvino <silvino@bk.ru>2019-06-26 17:10:12 +0100
committerSilvino <silvino@bk.ru>2019-06-26 17:49:35 +0100
commiteddfa5ed593e67c9b2e6c53382b4fe044663451a (patch)
treed95e5875c53dc3715c75721c2c749de22d643ca4
parent2830b5fb96cce787ca8c7562a968effc3e57bdb1 (diff)
downloaddoc-eddfa5ed593e67c9b2e6c53382b4fe044663451a.tar.gz
core iptables revision
-rw-r--r--core/conf/iptables/bridge.v4220
-rw-r--r--core/conf/iptables/client.v4 (renamed from core/conf/iptables/open.v4)21
-rw-r--r--core/conf/iptables/ipt-bridge.sh4
-rw-r--r--core/conf/iptables/ipt-client.sh (renamed from core/conf/iptables/ipt-open.sh)5
-rw-r--r--core/conf/iptables/ipt-conf.sh16
-rw-r--r--core/conf/iptables/ipt-server.sh2
-rw-r--r--core/conf/rc.d/iptables86
-rw-r--r--core/conf/skel/.bashrc4
8 files changed, 311 insertions, 47 deletions
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4
new file mode 100644
index 0000000..35bfef4
--- /dev/null
+++ b/core/conf/iptables/bridge.v4
@@ -0,0 +1,220 @@
+# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Wed Jun 26 15:44:59 2019
+# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Wed Jun 26 15:44:59 2019
+# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Wed Jun 26 15:44:59 2019
+# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Wed Jun 26 15:44:59 2019
+# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:cli_dns_in - [0:0]
+:cli_dns_out - [0:0]
+:cli_ftp_in - [0:0]
+:cli_ftp_out - [0:0]
+:cli_git_in - [0:0]
+:cli_git_out - [0:0]
+:cli_gpg_in - [0:0]
+:cli_gpg_out - [0:0]
+:cli_http_in - [0:0]
+:cli_http_out - [0:0]
+:cli_https_in - [0:0]
+:cli_https_out - [0:0]
+:cli_irc_in - [0:0]
+:cli_irc_out - [0:0]
+:cli_pops_in - [0:0]
+:cli_pops_out - [0:0]
+:cli_smtps_in - [0:0]
+:cli_smtps_out - [0:0]
+:cli_ssh_in - [0:0]
+:cli_ssh_out - [0:0]
+:srv_db_in - [0:0]
+:srv_db_out - [0:0]
+:srv_dhcp - [0:0]
+:srv_dns_in - [0:0]
+:srv_dns_out - [0:0]
+:srv_git_in - [0:0]
+:srv_git_out - [0:0]
+:srv_http_in - [0:0]
+:srv_http_out - [0:0]
+:srv_https_in - [0:0]
+:srv_https_out - [0:0]
+:srv_icmp - [0:0]
+:srv_rip - [0:0]
+:srv_ssh_in - [0:0]
+:srv_ssh_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP
+-A INPUT -i br0 -j srv_dhcp
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in
+-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in
+-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out
+-A OUTPUT -o br0 -j srv_icmp
+-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
+-A cli_dns_in -j RETURN
+-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
+-A cli_dns_out -j RETURN
+-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_in -j RETURN
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A cli_ftp_out -j RETURN
+-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_git_in -j RETURN
+-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_git_out -j RETURN
+-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_gpg_in -j RETURN
+-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_gpg_out -j RETURN
+-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_http_in -j RETURN
+-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_http_out -j RETURN
+-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_https_in -j RETURN
+-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_https_out -j RETURN
+-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_irc_in -j RETURN
+-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_irc_out -j RETURN
+-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_pops_in -j RETURN
+-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_pops_out -j RETURN
+-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_smtps_in -j RETURN
+-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_smtps_out -j RETURN
+-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A cli_ssh_in -j RETURN
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A cli_ssh_out -j RETURN
+-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_db_in -j RETURN
+-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_db_out -j RETURN
+-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT
+-A srv_dhcp -j RETURN
+-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_dns_in -j RETURN
+-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_dns_out -j RETURN
+-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_git_in -j RETURN
+-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_git_out -j RETURN
+-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_http_in -j RETURN
+-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_http_out -j RETURN
+-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A srv_https_in -j RETURN
+-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A srv_https_out -j RETURN
+-A srv_icmp -p icmp -j ACCEPT
+-A srv_icmp -j RETURN
+-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A srv_rip -j RETURN
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH"
+-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_in -j RETURN
+-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A srv_ssh_out -j RETURN
+COMMIT
+# Completed on Wed Jun 26 15:44:59 2019
diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/client.v4
index 30e476d..91b564d 100644
--- a/core/conf/iptables/open.v4
+++ b/core/conf/iptables/client.v4
@@ -1,25 +1,25 @@
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -27,8 +27,8 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
-# Generated by iptables-save v1.8.2 on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
+# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -97,6 +97,7 @@ COMMIT
 -A OUTPUT -o wlp9s0 -j cli_irc_out
 -A OUTPUT -o wlp9s0 -j cli_ftp_out
 -A OUTPUT -o wlp9s0 -j cli_gpg_out
+-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
@@ -207,4 +208,4 @@ COMMIT
 -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A srv_ssh_out -j RETURN
 COMMIT
-# Completed on Sat Jun  8 23:05:15 2019
+# Completed on Thu Jun 20 20:34:21 2019
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index cd93687..6dbeb87 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -67,12 +67,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
 
 #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
@@ -133,4 +133,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > bridge.v4
+iptables-save > /etc/iptables/bridge.v4
diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-client.sh
index 3ef1254..65df9e4 100644
--- a/core/conf/iptables/ipt-open.sh
+++ b/core/conf/iptables/ipt-client.sh
@@ -24,6 +24,7 @@ $IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_irc_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in
 $IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT
 
 
 ####### Output Chain ######
@@ -40,8 +41,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out
 $IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT
 
 ## log everything else and drop
 ipt_log
-
-iptables-save > open.v4
+iptables-save > /etc/iptables/client.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index c3dac16..dcea837 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
 
-# public interface to network/internet
+# bridge interface with interface facing gateway
 BR_IF="br0"
+# bridge ip network address
 BR_NET="10.0.0.0/8"
+# network gateway
 GW="10.0.0.1"
-#GW="10.0.0.2"
-#DNS="10.0.0.254"
+# external dns
 DNS="212.55.154.174"
-#DNS="8.8.8.8"
 
+# static machine ip address
 PUB_IP="10.0.0.254"
+
+# public interface facing gateway
 PUB_IF="enp8s0"
 
-# private interface for virtual/internal
+# wifi interface
 WIFI_IF="wlp7s0"
-#WIFI_NET="192.168.1.0/24"
+
+# static wifi ip network address
 WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 370db60..e557193 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
 ## log everything else and drop
 ipt_log
 
-iptables-save > server.v4
+iptables-save > /etc/iptables/server.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index cc7c765..f8b7881 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,35 +1,31 @@
+#!/bin/bash
 
 IPT="/usr/sbin/iptables"
-TYPE=bridge
+#TYPE=bridge
 #TYPE=server
-#TYPE=open
+TYPE=open
+#TYPE=client
 
-echo "clear all iptables tables"
+clear_ipt() {
 
-${IPT} -F
-${IPT} -X
-${IPT} -t nat -F
-${IPT} -t nat -X
-${IPT} -t mangle -F
-${IPT} -t mangle -X
-${IPT} -t raw -F
-${IPT} -t raw -X
-${IPT} -t security -F
-${IPT} -t security -X
+	${IPT} -F
+	${IPT} -X
+	${IPT} -t nat -F
+	${IPT} -t nat -X
+	${IPT} -t mangle -F
+	${IPT} -t mangle -X
+	${IPT} -t raw -F
+	${IPT} -t raw -X
+	${IPT} -t security -F
+	${IPT} -t security -X
 
-# Set Default Rules
-${IPT} -P INPUT DROP
-${IPT} -P FORWARD DROP
-${IPT} -P OUTPUT DROP
-
-${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+}
 
 case $1 in
 	start)
             case $TYPE in
                 bridge)
-
+		    clear_ipt
                     echo "setting bridge network..."
                     echo 1 > /proc/sys/net/ipv4/ip_forward
 
@@ -38,23 +34,63 @@ case $1 in
 
    		;;
 		server)
-
+		    clear_ipt
                     echo "setting server network..."
                     ## load server configuration
                     iptables-restore /etc/iptables/server.v4
 
 		;;
-		open)
-
+		client)
+		    clear_ipt
                     echo "setting client network..."
                     ## load client configuration
-                    iptables-restore /etc/iptables/open.v4
+                    iptables-restore /etc/iptables/client.v4
+		;;
+		open)
+		    clear_ipt
+                    echo "setting open network..."
+                    ## load client configuration
+
+			${IPT} -P INPUT DROP
+			${IPT} -P FORWARD DROP
+			${IPT} -P OUTPUT ACCEPT
+
+			${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+			${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+			${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+			${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+			${IPT} -A OUTPUT  -j ACCEPT
+
+			${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+			${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+			#${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+
 
 		;;
 	    esac
 	;;
         stop)
+		echo "clear all iptables tables"
+		clear_ipt
+		# Set Default Rules
+		${IPT} -P INPUT DROP
+		${IPT} -P FORWARD DROP
+		${IPT} -P OUTPUT DROP
+
+		${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+		${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+		${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
 
+
+	;;
+	restart)
+		clear_ipt
+        	$0 start
+        ;;
+	status)
+		${IPT} -v
 	;;
 	*)
 	    echo "Usage: $0 [start|stop]"
diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc
index 88cf24c..55d1c78 100644
--- a/core/conf/skel/.bashrc
+++ b/core/conf/skel/.bashrc
@@ -22,12 +22,14 @@ HISTSIZE=1000
 HISTFILESIZE=2000
 
 
+alias diff='diff --color=auto'
+alias grep='grep --color=auto'
+alias ls='ls -ph --color=auto'
 alias rm='rm -i'
 #alias cp='cp -i'
 alias mv='mv -i'
 # Prevents accidentally clobbering files.
 alias mkdir='mkdir -p'
-
 alias h='history'
 alias hg='history | grep'
 alias j='jobs -l'