author | Silvino Silva <silvino@bk.ru> | 2020-02-17 05:08:15 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2020-02-17 05:08:15 +0000 |
commit | 36ef4944b852eaf9ef54154c3cccef6c2eb41292 (patch) | |
tree | fdd6d9740d68ee741c385e7a0a2888d74f4de2de /core/conf/iptables/ipt-firewall.sh | |
parent | a947a31ede27fdf995e0a63e766fcd68eb491426 (diff) | |
download | doc-36ef4944b852eaf9ef54154c3cccef6c2eb41292.tar.gz |
configuration files fix
Diffstat (limited to 'core/conf/iptables/ipt-firewall.sh')
-rw-r--r-- | core/conf/iptables/ipt-firewall.sh | 50 |
1 files changed, 40 insertions, 10 deletions
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 086b864..0a947e6 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -14,6 +14,8 @@ ipt_clear () {
 iptables -t security -F
 iptables -t security -X
 iptables -N blocker
+ iptables -N blockip_in
+ iptables -N blockip_out
 iptables -N srv_dhcp
 iptables -N srv_rip
@@ -25,6 +27,8 @@ ipt_clear () {
 iptables -N srv_http_out
 iptables -N srv_https_in
 iptables -N srv_https_out
+ iptables -N srv_smtp_in
+ iptables -N srv_smtp_out
 iptables -N srv_ssh_in
 iptables -N srv_ssh_out
 iptables -N srv_git_in
@@ -70,6 +74,19 @@ ipt_log () {
 ipt_tables () {
 echo "start adding tables..."
+ # Filter out comments and blank lines
+ # store each ip or subnet in $ip
+ egrep -v "^#|^$" x | while IFS= read -r ip
+ do
+ # Append everything to droplist
+ echo "adding ${ip} to blockip"
+ $IPT -A blockip_in -s $ip -j LOG --log-prefix "${SPAMDROPMSG}"
+ $IPT -A blockip_in -s $ip -j DROP
+ $IPT -A blockip_out -d $ip -j LOG --log-prefix "${SPAMDROPMSG}"
+ $IPT -A blockip_out -d $ip -j DROP
+ done <"${SPAMLIST}"
+
+ echo "blockip_in and blockip_out added"
 ####### blocker Chain ######
 ## Block google dns
@@ -103,6 +120,7 @@ ipt_tables () {
 #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
 #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
 #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
 ## Return to caller
 $IPT -A blocker -j RETURN
@@ -123,6 +141,9 @@ ipt_tables () {
 $IPT -A srv_db_out -j RETURN
 ####### SSH Server
+
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -s ${BR_NET} -m state --state NEW -j ACCEPT
+ $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -j LOG --log-prefix "iptables: SSH NEW":
 $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
 $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
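Review bot: In the @@ -70 hunk the new blocklist loop never sees the filtered list: `egrep` reads a literal file named `x`, and the `<"${SPAMLIST}"` on `done` replaces the pipe as the loop's stdin, so the loop consumes `${SPAMLIST}` unfiltered and any comment or blank line becomes an `-s`/`-d` argument that makes iptables fail part-way through building the chains. Read the file once and drop the trailing redirect, `grep -Ev '^#|^$' -- "${SPAMLIST}" | while IFS= read -r ip` … `done`, and quote the address in the four rules, e.g. `$IPT -A blockip_in -s "$ip" -j DROP`. A guard such as `: "${SPAMLIST:?SPAMLIST must be set}"` before the loop would also turn a missing variable into a clear error instead of a redirect from an empty path. Since the loop body runs in a pipeline subshell, a failed iptables call there is invisible to the caller; if that matters, `done < <(grep -Ev '^#|^$' -- "${SPAMLIST}")` keeps the loop in the current shell so failures can be checked. ipt_tables continues well past this hunk.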
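Review bot: The new `-s ${BR_NET}` rule in the @@ -123 hunk (and the `-d ${BR_NET}` rules in the @@ -134 and @@ -229 hunks) expands an unquoted variable whose definition is not visible here; if BR_NET is empty the word disappears and `-s` consumes `-m` as its argument, so the rule is rejected and, because the rate-limited rule below it still loads, the failure is easy to miss. Quote it as `-s "${BR_NET}"` and assert it once near the top of ipt_tables (outside this hunk) with `: "${BR_NET:?BR_NET must be set}"`. The rule also accepts NEW SSH connections from that network ahead of the `-m recent` throttle, which reads as intentional for a trusted bridge but deserves a one-line comment such as `# hosts on BR_NET are trusted and bypass the SSH rate limit`.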
@@ -134,22 +155,30 @@ ipt_tables () {
 $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+ #$IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
- $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
- --update --seconds 60 --hitcount 4 --rttl \
- --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+ #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+ # --update --seconds 60 --hitcount 4 --rttl \
+ # --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
- $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
- --hitcount 4 --rttl --name SSH -j DROP
+ #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+ # --hitcount 4 --rttl --name SSH -j DROP
- $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ #$IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 $IPT -A srv_ssh_in -j RETURN
+ $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -d ${BR_NET} -m state --state ESTABLISHED -j ACCEPT
+ $IPT -A srv_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 2222 -j LOG --log-prefix "iptables: SSH OUT":
 $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+ #$IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 $IPT -A srv_ssh_out -j RETURN
+ ####### smtp Server
+ $IPT -A srv_smtp_in -p tcp --dport 25 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A srv_smtp_in -j RETURN
+ $IPT -A srv_smtp_out -p tcp --sport 25 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPT -A srv_smtp_out -j RETURN
+
 ####### HTTP Server
 $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A srv_http_in -j RETURN
@@ -229,6 +258,9 @@ ipt_tables () {
 $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 $IPT -A cli_ssh_in -j RETURN
+
+ $IPT -A cli_ssh_out -p tcp -d ${BR_NET} --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPT -A cli_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --dport 2222 -j LOG --log-prefix "iptables: SSH OUT":
 $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A cli_ssh_out -j RETURN
@@ -258,5 +290,3 @@ ipt_tables () {
 $IPT -A srv_ntp -j RETURN
 }
-
-
|
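Review bot: The @@ -134 hunk keeps the eight retired port-22 rules as commented-out code rather than deleting them, which leaves the srv_ssh_in/srv_ssh_out sections harder to read and lets the dead block drift from the live 2222 rules; the history is already in git, so removing them (or, if port 22 is meant to return, a single `# port 22 rules retired in favour of 2222; see git history` comment) would be cleaner. The new srv_smtp_in rule accepts NEW on port 25 from any source with none of the `-m recent` throttling the SSH chain has; that is a common shape for an MTA, but a one-line comment stating whether the omission is deliberate would stop the next reader from assuming it was forgotten. ipt_tables continues beyond this hunk.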
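Review bot: The LOG rule added to cli_ssh_out in the @@ -229 hunk matches only packets with SYN and ACK both set and destination port 2222, but a client opening an SSH session sends a bare SYN to that port and the SYN/ACK travels the other way, so this rule appears never to fire; it looks copied from the srv_ssh_out rule in the @@ -134 hunk, where `--sport 2222` does match the server's SYN/ACK reply. If the intent is to log each new outbound session, `--tcp-flags SYN,ACK SYN --dport 2222` (or `--syn`) is the matching condition. The prefix is written as `"iptables: SSH OUT":` with the colon outside the quotes, which still concatenates to one word, but the same text is used in both srv_ssh_out and cli_ssh_out, so log lines from the two chains cannot be told apart; a distinct prefix such as `"iptables: SSH CLI OUT:"` would fix that. ipt_tables continues beyond this hunk.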