about summary refs log tree commit diff stats
path: root/core/conf
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2019-06-07 23:39:05 +0000
committerSilvino Silva <silvino@bk.ru>2019-06-07 23:39:05 +0000
commit045ea9a3815a56609af07a3c7d9df6fcc18910a5 (patch)
tree29eb52783ec09481a6f6874164789efc1dc42242 /core/conf
parent175b83995519059948b5d2e9da4a76c7ab070bc3 (diff)
downloaddoc-045ea9a3815a56609af07a3c7d9df6fcc18910a5.tar.gz
iptables scripts revision
Diffstat (limited to 'core/conf')
-rw-r--r--core/conf/iptables/ipt-bridge.sh220
-rw-r--r--core/conf/iptables/ipt-conf.sh7
-rw-r--r--core/conf/iptables/ipt-firewall.sh2
-rw-r--r--core/conf/iptables/ipt-server.sh10
-rw-r--r--core/conf/rc.d/iptables76
5 files changed, 161 insertions, 154 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index fa987a5..a54cbf2 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
-
-echo "setting bridge ${BR_IF} network..."
-echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "setting bridge network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
@@ -9,174 +11,126 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-####### NAT Prerouting Chain  ######
+######## NAT Prerouting Chain  ######
 #$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
-#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
-
-####### Forward Chain  ######
-$IPT -A FORWARD -j blocker
-$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-# Allow access from bridge to gateway wifi interface
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
-$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-
-# allow output from BR_NET to external
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
-
-# allow input from public bridged interface facing Internet 
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
-
-######## Forward TAP2 ssh, http and https  ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+######## Forward Chain  ######
+#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 #
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+## Allow all for BR_NET
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 
+## DHCP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp
 
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+## Allow access from bridge to gateway wifi interface
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
 
+##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
 
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-#
-#
-# Tap1
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
-#
-#
-## Tap3
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
-#
-#
-# Tap1, Tap2 and Tap3 can access external https
-
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
-
+## allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
 
-#
-#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
-#
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+##Less noise
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
 
-#
-####### Input Chain ######
+######## Input Chain ######
 $IPT -A INPUT -j blocker
-#Less noise
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
-$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp
+##Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j ACCEPT
+#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j ACCEPT
 
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in
-  
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
 
-$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
-$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
 
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in
-# hyperbola servers
-$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT
+## PXE server
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
+#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### Output Chain ######
-$IPT -A OUTPUT -j blocker
+######## Output Chain ######
 
-#Less noise
+##Less noise
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
-$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out
+$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp
+#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
 
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
 
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
-$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
 
-# Hyperbola servers
-$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-# c2.ank /iso -> c9.ank /srv/qemu/iso
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4  -j srv_http_out
+## PXE Server
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
-####### PostRouting Chain ######
-#Less noise
-#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+######## PostRouting Chain ######
+##Less noise
+##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
 
-$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+## log everything else and drop
+ipt_log
 
-#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+iptables-save > /etc/iptables/bridge.v4
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 52669dc..c3dac16 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-TYPE=bridge
-#TYPE=server
+
+IPT="/usr/sbin/iptables"
 
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
@@ -19,4 +19,5 @@ PUB_IF="enp8s0"
 
 # private interface for virtual/internal
 WIFI_IF="wlp7s0"
-WIFI_NET="192.168.1.0/24"
+#WIFI_NET="192.168.1.0/24"
+WIFI_NET="10.0.0.0/8"
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 6ea613a..12c3834 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-IPT="/usr/sbin/iptables"
-
 ipt_clear () {
     echo "clear all iptables tables"
 
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 225fd31..027cd11 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,10 +1,15 @@
 echo "setting server network..."
+source /etc/iptables/ipt-conf.sh
+source /etc/iptables/ipt-firewall.sh
+ipt_clear
+ipt_tables
 
 # Unlimited on loopback
 $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d 10.255.255.255 -j ACCEPT
 
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
@@ -35,3 +40,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
 
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
+
+## log everything else and drop
+ipt_log
+
+iptables-save > /etc/iptables/server.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index d4f9ebc..f8896cc 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,38 +1,82 @@
 
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
+IPT="/usr/sbin/iptables"
+TYPE=bridge
+#TYPE=server
+#TYPE=open
+
 
 case $1 in
 	start)
-		ipt_clear
-		ipt_tables
+        echo "clear all iptables tables"
+
+        ${IPT} -F
+        ${IPT} -X
+        ${IPT} -t nat -F
+        ${IPT} -t nat -X
+        ${IPT} -t mangle -F
+        ${IPT} -t mangle -X
+        ${IPT} -t raw -F
+        ${IPT} -t raw -X
+        ${IPT} -t security -F
+        ${IPT} -t security -X
+
+        # Set Default Rules
+        ${IPT} -P INPUT DROP
+        ${IPT} -P FORWARD DROP
+        ${IPT} -P OUTPUT DROP
+
+        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+
 		case $TYPE in
 		    bridge)
 
-            ## load bridge configuration
-			source /etc/iptables/ipt-bridge.sh
-
-			## log everything else and drop
-			ipt_log
+            echo "setting bridge ${BR_IF} network..."
+            echo 1 > /proc/sys/net/ipv4/ip_forward
 
-			iptables-save > /etc/iptables/bridge.v4
+            ## load bridge configuration
+            iptables-restore /etc/iptables/bridge.v4
 
-			;;
+   			;;
 		    server)
 
             ## load server configuration
-			source /etc/iptables/iptables-conf.sh
+            iptables-restore /etc/iptables/server.v4
+
+			;;
+		    open)
 
-			## log everything else and drop
-			ipt_log
+            ## load client configuration
+            iptables-restore /etc/iptables/open.v4
 
-			iptables-save > /etc/iptables/server.v4
 			;;
+
 		esac
 		;;
 	stop)
 
-		ipt_clear
+        echo "clear all iptables tables"
+
+        ${IPT} -F
+        ${IPT} -X
+        ${IPT} -t nat -F
+        ${IPT} -t nat -X
+        ${IPT} -t mangle -F
+        ${IPT} -t mangle -X
+        ${IPT} -t raw -F
+        ${IPT} -t raw -X
+        ${IPT} -t security -F
+        ${IPT} -t security -X
+
+        # Set Default Rules
+        ${IPT} -P INPUT DROP
+        ${IPT} -P FORWARD DROP
+        ${IPT} -P OUTPUT DROP
+
+        ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
 		;;
 	restart)
 		$0 stop