diff options
| author | Silvino Silva <silvino@bk.ru> | 2018-06-12 00:09:06 +0100 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2018-06-12 00:09:06 +0100 |
| commit | f5a5ccbf1af61c4a70695b01187c32fd5ead2e76 (patch) | |
| tree | 2b73a732dc3f199009e6626e2b599175b7fb16a1 /core/scripts | |
| parent | 39b2bc2174a6a25a0e727ecc12bb0edadaac689f (diff) | |
| download | doc-f5a5ccbf1af61c4a70695b01187c32fd5ead2e76.tar.gz | |
network, iptables, sshd config fix's
Diffstat (limited to 'core/scripts')
| -rw-r--r-- | core/scripts/iptables-conf.sh | 247 | ||||
| -rw-r--r-- | core/scripts/iptables.sh | 364 |
2 files changed, 331 insertions, 280 deletions
diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh index 726539e..478ce08 100644 --- a/core/scripts/iptables-conf.sh +++ b/core/scripts/iptables-conf.sh @@ -1,228 +1,21 @@ #!/bin/bash - - - -iptables_clear () { - echo "clear all iptables tables" - - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X - iptables -N blocker - - iptables -N srv_dhcp - iptables -N srv_rip - iptables -N srv_icmp - iptables -N srv_dns_in - iptables -N srv_dns_out - iptables -N srv_http_in - iptables -N srv_http_out - iptables -N srv_https_in - iptables -N srv_https_out - iptables -N srv_ssh_in - iptables -N srv_ssh_out - iptables -N srv_git_in - iptables -N srv_git_out - iptables -N srv_db_in - iptables -N srv_db_out - - - iptables -N cli_dns_in - iptables -N cli_dns_out - iptables -N cli_http_in - iptables -N cli_http_out - iptables -N cli_https_in - iptables -N cli_https_out - iptables -N cli_ssh_in - iptables -N cli_ssh_out - iptables -N cli_pops_in - iptables -N cli_pops_out - iptables -N cli_smtps_in - iptables -N cli_smtps_out - iptables -N cli_irc_in - iptables -N cli_irc_out - iptables -N cli_ftp_in - iptables -N cli_ftp_out - iptables -N cli_git_in - iptables -N cli_git_out - iptables -N cli_gpg_in - iptables -N cli_gpg_out - - # Set Default Rules - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP -} - -iptables_log () { - ## log everything else and drop - $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -} - - -iptables_tables () { - echo "start adding tables..." - - ####### blocker Chain ###### - ## Block google dns - $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " - $IPT -A blocker -s 8.8.0.0/24 -j DROP - ## Block sync - $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " - $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP - ## Block Fragments - $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " - $IPT -A blocker -f -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " - $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " - $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " - $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " - $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## Return to caller - $IPT -A blocker -j RETURN - - ######## DNS Server - #echo "server_in chain: Allow input to DNS Server" - $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_in -j RETURN - #echo "srv_dns_out chain: Allow output from DNS server" - $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_dns_out -j RETURN - - ####### Database Server - $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_db_in -j RETURN - $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_db_out -j RETURN - - ####### SSH Server - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" - - $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP - - $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - - $IPT -A srv_ssh_in -j RETURN - $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A srv_ssh_out -j RETURN - - ####### HTTP Server - $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_http_in -j RETURN - $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_http_out -j RETURN - - ####### HTTPS Server - $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_https_in -j RETURN - $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_https_out -j RETURN - - ###### GIT server - $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A srv_git_in -j RETURN - $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - $IPT -A srv_git_out -j RETURN - - ######## DNS Client - $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_dns_out -j RETURN - $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_dns_in -j RETURN - - ######## HTTP Client - $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_http_in -j RETURN - $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_http_out -j RETURN - - - ######## IRC client - $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_irc_in -j RETURN - $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_irc_out -j RETURN - - ######## FTP client - - $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_in -j RETURN - $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ftp_out -j RETURN - ######## GIT client - $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_git_in -j RETURN - $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_git_out -j RETURN - - ######## POP3S client - $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_pops_in -j RETURN - $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_pops_out -j RETURN - - ######## SMTPS client - $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_in -j RETURN - $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_smtps_out -j RETURN - - ######## HTTPS client - $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_https_in -j RETURN - $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_https_out -j RETURN - - ######## SSH client - $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_in -j RETURN - $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_ssh_out -j RETURN - - ######## GPG key client - $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_in -j RETURN - $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - $IPT -A cli_gpg_out -j RETURN - - ######## DHCP Server - $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT - $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT - $IPT -A srv_dhcp -j RETURN - - ####### RIP Server - $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT - $IPT -A srv_rip -j RETURN - - ####### ICMP Server - $IPT -A srv_icmp -p icmp -j ACCEPT - $IPT -A srv_icmp -j RETURN -} +TYPE=bridge +#TYPE=server + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" + +# public interface to network/internet +BR_IF="br0" +BR_NET="10.0.0.0/8" +GW="10.0.0.1" +#DNS="10.0.0.254" +DNS="212.55.154.174" + +PUB_IP="10.0.0.254" +PUB_IF="enp8s0" + +# private interface for virtual/internal +#PRIV_IF="wlp7s0" +#PRIV_NET="192.168.1.0/24" diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index 0f05b1f..2b4d68a 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh @@ -1,66 +1,296 @@ #!/bin/bash -TYPE=bridge -#TYPE=server - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" - -# public interface to network/internet -BR_IF="br0" -BR_NET="10.0.0.0/8" -GW="10.0.0.1" -DNS="10.0.0.254" - -PUB_IP="10.0.0.254" -PUB_IF="enp8s0" - -# private interface for virtual/internal -#PRIV_IF="wlp7s0" -#PRIV_NET="192.168.1.0/24" - -#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT - -#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT - -source iptables-conf.sh - -iptables_clear -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - -iptables_tables +source /etc/iptables/iptables-conf.sh + +iptables_clear () { + echo "clear all iptables tables" + + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + iptables -N blocker + + iptables -N srv_dhcp + iptables -N srv_rip + iptables -N srv_icmp + iptables -N srv_dns_in + iptables -N srv_dns_out + iptables -N srv_http_in + iptables -N srv_http_out + iptables -N srv_https_in + iptables -N srv_https_out + iptables -N srv_ssh_in + iptables -N srv_ssh_out + iptables -N srv_git_in + iptables -N srv_git_out + iptables -N srv_db_in + iptables -N srv_db_out + + + iptables -N cli_dns_in + iptables -N cli_dns_out + iptables -N cli_http_in + iptables -N cli_http_out + iptables -N cli_https_in + iptables -N cli_https_out + iptables -N cli_ssh_in + iptables -N cli_ssh_out + iptables -N cli_pops_in + iptables -N cli_pops_out + iptables -N cli_smtps_in + iptables -N cli_smtps_out + iptables -N cli_irc_in + iptables -N cli_irc_out + iptables -N cli_ftp_in + iptables -N cli_ftp_out + iptables -N cli_git_in + iptables -N cli_git_out + iptables -N cli_gpg_in + iptables -N cli_gpg_out + + # Set Default Rules + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP +} + +iptables_log () { + ## log everything else and drop + $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +} + + +iptables_tables () { + echo "start adding tables..." + + ####### blocker Chain ###### + ## Block google dns + $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " + $IPT -A blocker -s 8.8.0.0/24 -j DROP + ## Block sync + $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " + $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP + ## Block Fragments + $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " + $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " + $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP + #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP + #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + ## Return to caller + $IPT -A blocker -j RETURN + + ######## DNS Server + #echo "server_in chain: Allow input to DNS Server" + $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_in -j RETURN + #echo "srv_dns_out chain: Allow output from DNS server" + $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_dns_out -j RETURN + + ####### Database Server + $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_db_in -j RETURN + $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_db_out -j RETURN + + ####### SSH Server + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + + $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ + --hitcount 4 --rttl --name SSH -j DROP + + $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + + $IPT -A srv_ssh_in -j RETURN + $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A srv_ssh_out -j RETURN + + ####### HTTP Server + $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_http_in -j RETURN + $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_http_out -j RETURN + + ####### HTTPS Server + $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_https_in -j RETURN + $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_https_out -j RETURN + + ###### GIT server + $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A srv_git_in -j RETURN + $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + $IPT -A srv_git_out -j RETURN + + ######## DNS Client + $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_dns_out -j RETURN + $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_dns_in -j RETURN + + ######## HTTP Client + #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP + + $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_http_in -j RETURN + $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_http_out -j RETURN + + ######## IRC client + $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_irc_in -j RETURN + $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_irc_out -j RETURN + + ######## FTP client + + $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_in -j RETURN + $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ftp_out -j RETURN + ######## GIT client + $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_git_in -j RETURN + $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_git_out -j RETURN + + ######## POP3S client + $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_pops_in -j RETURN + $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_pops_out -j RETURN + + ######## SMTPS client + $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_in -j RETURN + $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_smtps_out -j RETURN + + ######## HTTPS client + $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_https_in -j RETURN + $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_https_out -j RETURN + + ######## SSH client + $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_in -j RETURN + $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_ssh_out -j RETURN + + ######## GPG key client + $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_in -j RETURN + $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + $IPT -A cli_gpg_out -j RETURN + + ######## DHCP Server + $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -j RETURN + + ####### RIP Server + $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT + $IPT -A srv_rip -j RETURN + + ####### ICMP Server + $IPT -A srv_icmp -p icmp -j ACCEPT + $IPT -A srv_icmp -j RETURN +} case $TYPE in bridge) + iptables_clear + iptables_tables - echo "Setting bridge network..." + echo "setting bridge network..." echo 1 > /proc/sys/net/ipv4/ip_forward - + # Unlimited on loopback + $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + ####### NAT Prerouting Chain ###### - #PREROUTING: IN=br0 OUT= PHYSIN=tap2 MAC=ff:ff:ff:ff:ff:ff:54:60:be:ef:5c:14:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357 ####### Forward Chain ###### $IPT -A FORWARD -j blocker $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in - $IPT -A FORWARD -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT + + # Tap1 can access external http + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + ####### Forward TAP2 ssh and https ###### + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + # + # #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + # + # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp + # $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + # Tap1 and Tap2 can access external https $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in + + #Less noise + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP + ####### Input Chain ###### $IPT -A INPUT -j blocker #Less noise @@ -69,45 +299,61 @@ case $TYPE in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in - - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp ####### Output Chain ###### $IPT -A OUTPUT -j blocker #Less noise $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 80 --sport 1024:65535 -j DROP - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.3 -j srv_dns_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp - $IPT -A OUTPUT -o ${BR_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_dns_out - + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out ####### PostRouting Chain ###### - $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + #Less noise + #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE ## log everything else and drop iptables_log - $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " - $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + #$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " + # $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " iptables-save > /etc/iptables/net.v4 exit 0 ;; + server) + iptables_clear + iptables_tables + + echo "setting server network..." + + # Unlimited on loopback + $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - echo "Setting server network..." ####### Input Chain ###### $IPT -A INPUT -j blocker @@ -115,16 +361,28 @@ case $TYPE in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in + + + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in ####### Output Chain ###### $IPT -A OUTPUT -j blocker $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out + $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out + $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out + + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out ## log everything else and drop iptables_log |