author | Silvino Silva <silvino@bk.ru> | 2019-06-07 23:39:05 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2019-06-07 23:39:05 +0000 |
commit | 045ea9a3815a56609af07a3c7d9df6fcc18910a5 (patch) | |
tree | 29eb52783ec09481a6f6874164789efc1dc42242 /core/conf | |
parent | 175b83995519059948b5d2e9da4a76c7ab070bc3 (diff) | |
download | doc-045ea9a3815a56609af07a3c7d9df6fcc18910a5.tar.gz |
iptables scripts revision
Diffstat (limited to 'core/conf')
-rw-r--r-- | core/conf/iptables/ipt-bridge.sh | 220 | ||||
-rw-r--r-- | core/conf/iptables/ipt-conf.sh | 7 | ||||
-rw-r--r-- | core/conf/iptables/ipt-firewall.sh | 2 | ||||
-rw-r--r-- | core/conf/iptables/ipt-server.sh | 10 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 76 |
5 files changed, 161 insertions, 154 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index fa987a5..a54cbf2 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-
-echo "setting bridge ${BR_IF} network..."
-echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "setting bridge network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
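Review bot: Nothing stops the rule build from continuing after a failed `$IPT` call, yet this script now ends (later in the file) with `iptables-save > /etc/iptables/bridge.v4`, and rc.d restores that file on every boot. A typo or a missing user chain in any single rule would therefore be skipped silently and the resulting ruleset — minus that rule, whether it was an ACCEPT or a DROP — would be applied live and persisted as the boot ruleset. Add `set -eu` directly under the `#!/bin/bash` line so the generator aborts before the save; the `source` lines already use absolute paths, and `ipt_clear`/`ipt_tables` come from ipt-firewall.sh, which is sourced before they are called.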
@@ -9,174 +11,126 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-####### NAT Prerouting Chain ######
+######## NAT Prerouting Chain ######
 #$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
-#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
-####### Forward Chain ######
-$IPT -A FORWARD -j blocker
-$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-# Allow access from bridge to gateway wifi interface
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-
-# allow output from BR_NET to external
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
-
-# allow 
input from public bridged interface facing Internet
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
-
-######## Forward TAP2 ssh, http and https ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+######## Forward Chain ######
+#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 #
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+## Allow all for BR_NET
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+## DHCP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP
+## Allow access from bridge to gateway wifi interface
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+#$IPT -A FORWARD -i 
${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#
-# Tap1
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
-#
-#
-## Tap3
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m 
physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in -# -# -# Tap1, Tap2 and Tap3 can access external https - -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - +## allow output from BR_NET to external +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT -# -# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip -# -# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp -# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp +##Less noise +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP -# -####### Input Chain ###### +######## Input Chain ###### $IPT -A INPUT -j blocker -#Less noise -$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp 
--sport 3030 --dport 1024:65535 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp
+##Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j ACCEPT
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
-
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
-$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j 
srv_icmp
+#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
+#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
-# hyperbola servers
-$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT
+## PXE server
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT
-####### Output Chain ######
-$IPT -A OUTPUT -j blocker
+######## Output Chain ######
-#Less noise
+##Less noise
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
-$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out
+$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp
+#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o 
${BR_IF} -s ${PUB_IP} -j cli_https_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
-# Hyperbola servers
-$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_http_out
+## PXE Server
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
-####### PostRouting Chain ######
-#Less noise
-#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} 
-p udp --dport 53 --sport 1024:65535 -j ACCEPT
+######## PostRouting Chain ######
+##Less noise
+##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+## log everything else and drop
+ipt_log
-#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+iptables-save > /etc/iptables/bridge.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 52669dc..c3dac16 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-TYPE=bridge
-#TYPE=server
+
+IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
@@ -19,4 +19,5 @@ PUB_IF="enp8s0"
 # private interface for virtual/internal
 WIFI_IF="wlp7s0"
-WIFI_NET="192.168.1.0/24"
+#WIFI_NET="192.168.1.0/24"
+WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 6ea613a..12c3834 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
-IPT="/usr/sbin/iptables"
-
 ipt_clear () {
 echo "clear all iptables tables"
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 225fd31..027cd11 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,10 +1,15 @@
 echo "setting server network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d 10.255.255.255 -j ACCEPT
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
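Review bot: The added `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT` is a stateless accept keyed only on the source port, so anyone on the public side can reach every unprivileged port on every bridged host simply by sending from port 443 (e.g. `nmap -g 443`). The old file used conntrack for exactly this shape of rule (`-m state --state RELATED,ESTABLISHED` on the removed port-50100 rules), so restrict it the same way: `... -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT`. The hunk also removes `$IPT -A FORWARD -j blocker` without a replacement while INPUT keeps it, so whatever the `blocker` chain drops (presumably the `${SPAMLIST}` addresses) no longer applies to traffic forwarded to the ssh/git/http/https services this commit exposes on 10.0.0.4; unless `ipt_tables` wires it in (not visible here), re-add it as the first FORWARD rule. Finally, `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT` carries no physdev-in constraint, so a frame arriving from ${PUB_IF} with a spoofed ${BR_NET} source is accepted before any of the srv_*_in chains are consulted; qualify it with `-m physdev ! --physdev-in ${PUB_IF}`.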
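Review bot: `WIFI_NET="10.0.0.0/8"` now spans the whole 10/8 block, which contains the 10.0.0.4 host and the 10.255.255.255 broadcast that the other hunks of this commit address, so any rule that uses `-s ${WIFI_NET}` or `-d ${WIFI_NET}` as a trust filter can no longer tell wifi clients from bridge hosts (the old bridge script used it that way for `srv_dns_in` and `srv_icmp`; the bridge script now comments those out, but ipt-server.sh also sources this file and is only partly visible). If the wifi segment is genuinely a /8, document that; otherwise narrow it back to the real subnet (the previous value was a /24) and make sure it does not overlap ${BR_NET}. A comment above it such as `# used as a source/destination trust filter: must not overlap BR_NET` would keep the next change honest.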
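Review bot: ipt-server.sh begins at line 1 with `echo "setting server network..."` and has no `#!/bin/bash` line, yet this commit turns it into a standalone generator (it sources ipt-conf.sh and ipt-firewall.sh, calls `ipt_clear`/`ipt_tables` and, in the next hunk, writes `/etc/iptables/server.v4`), so executed directly it runs under whichever `sh` the caller has, where `source` is not guaranteed. Mirror ipt-bridge.sh and make the first two lines `#!/bin/bash` and `set -eu`, so a failed rule cannot end up saved as the boot ruleset. The new `$IPT -A OUTPUT -o lo -s ${PUB_IP} -d 10.255.255.255 -j ACCEPT` hard-codes the 10/8 directed broadcast; a one-line comment naming which service emits it, and why it is expected on `lo`, would save the next reader a guess.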
@@ -35,3 +40,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > /etc/iptables/server.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index d4f9ebc..f8896cc 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
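Review bot: `iptables-save > /etc/iptables/server.v4` runs unconditionally and as a plain redirection, so a generator run that hit an error earlier still overwrites the file rc.d restores at boot, and the file is created with the caller's umask (typically world-readable), exposing the complete rule set, blocklist and internal addressing to any local user. Write to a temporary file and move it into place only on success, with restrictive permissions: `umask 077; iptables-save > /etc/iptables/server.v4.tmp && mv /etc/iptables/server.v4.tmp /etc/iptables/server.v4`. The same applies to the `bridge.v4` save in ipt-bridge.sh.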
@@ -1,38 +1,82 @@ -source /etc/iptables/ipt-conf.sh -source /etc/iptables/ipt-firewall.sh +IPT="/usr/sbin/iptables" +TYPE=bridge +#TYPE=server +#TYPE=open + case $1 in start) - ipt_clear - ipt_tables + echo "clear all iptables tables" + + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X + + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + case $TYPE in bridge) - ## load bridge configuration - source /etc/iptables/ipt-bridge.sh - - ## log everything else and drop - ipt_log + echo "setting bridge ${BR_IF} network..." + echo 1 > /proc/sys/net/ipv4/ip_forward - iptables-save > /etc/iptables/bridge.v4 + ## load bridge configuration + iptables-restore /etc/iptables/bridge.v4 - ;; + ;; server) ## load server configuration - source /etc/iptables/iptables-conf.sh + iptables-restore /etc/iptables/server.v4 + + ;; + open) - ## log everything else and drop - ipt_log + ## load client configuration + iptables-restore /etc/iptables/open.v4 - iptables-save > /etc/iptables/server.v4 ;; + esac ;; stop) - ipt_clear + echo "clear all iptables tables" + + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X + + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ;; restart) $0 stop |