author | Silvino Silva <silvino@bk.ru> | 2018-05-06 14:06:13 +0100 |
committer | Silvino Silva <silvino@bk.ru> | 2018-05-06 14:06:13 +0100 |
commit | 1bfea776374a665e4e2fd70aa74a145976c4034e (patch) | |
tree | fd15fbb07aa7fbea39b0c37a05434bc2e0a1b532 /core | |
parent | c440afaf8f47bc53cc841a1587d1c10b12911e64 (diff) | |
download | doc-1bfea776374a665e4e2fd70aa74a145976c4034e.tar.gz |
iptables server revision
Diffstat (limited to 'core')
-rw-r--r-- | core/scripts/iptables-conf.sh | 2 | ||||
-rw-r--r-- | core/scripts/iptables.sh | 25 |
2 files changed, 21 insertions, 6 deletions
diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh
index 04e804b..726539e 100644
--- a/core/scripts/iptables-conf.sh
+++ b/core/scripts/iptables-conf.sh
@@ -66,8 +66,6 @@ iptables_log () {
     $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
     $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
     $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-    $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-    $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 }
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index 6efdcc6..3824dab 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 TYPE=bridge
+#TYPE=server
 IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
@@ -10,13 +11,14 @@ SPAMDROPMSG="BLOCKED IP DROP"
 BR_IF="br0"
 BR_NET="10.0.0.0/8"
 GW="10.0.0.1"
+DNS="10.0.0.254"
 PUB_IP="10.0.0.254"
 PUB_IF="enp8s0"
 # private interface for virtual/internal
-PRIV_IF="wlp7s0"
-PRIV_NET="192.168.1.0/24"
+#PRIV_IF="wlp7s0"
+#PRIV_NET="192.168.1.0/24"
 #$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT
@@ -63,6 +65,8 @@ case $TYPE in
     $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
     $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+    $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+    $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in
     $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
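Review bot: The new `cli_git_in` INPUT rule in the `@@ -63,6 +65,8 @@` hunk accepts replies from any source, while the `cli_ssh_in` rule added right below it and the `cli_git_out` rule in the following hunk are both bounded to `${BR_NET}`. If git clients on this host only talk to hosts inside the bridge network, the inbound side can be narrowed the same way, `$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_git_in`; if they are meant to reach repositories outside it, then the `-d ${BR_NET}` on `cli_git_out` is the restriction that is wrong, and outgoing git traffic will fall through to the log-and-drop tail. Which of the two is intended cannot be settled from the hunk, because the `cli_git_*` chains themselves are defined outside it. The enclosing `case $TYPE in` block starts and ends outside this hunk.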
@@ -76,11 +80,11 @@ case $TYPE in
     $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out
     $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
     $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+    $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+    $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
     ####### PostRouting Chain ######
-    #May 6 11:31:45 c9 kernel: iptables: POSTROUTING: IN= OUT=br0 PHYSIN=tap2 PHYSOUT=enp8s0 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357
-
     $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
@@ -89,6 +93,9 @@ case $TYPE in
     ## log everything else and drop
     iptables_log
+    $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+    $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
     iptables-save > /etc/iptables/net.v4
     exit 0
     ;;
@@ -98,9 +105,19 @@ case $TYPE in
     ####### Input Chain ######
     $IPT -A INPUT -j blocker
+    $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+    $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+    $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+    $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+
     ####### Output Chain ######
     $IPT -A OUTPUT -j blocker
+    $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+    $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+    $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+    $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
     ## log everything else and drop
     iptables_log
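Review bot: The new OUTPUT rule `-s ${PUB_IP} -d ${BR_NET} -j srv_dhcp` in the `@@ -76,11 +80,11 @@` hunk will not match a DHCP server reply sent to the limited broadcast address, and the log line the same hunk removes shows exactly that kind of traffic (`DST=255.255.255.255 ... SPT=68 DPT=67`) on this bridge. If the host's DHCP server answers clients that do not yet have an address by broadcasting, as is common, those offers fall through to the log-and-drop tail; either drop the `-d ${BR_NET}` qualifier on that line or add a second rule for `-d 255.255.255.255`. The same `srv_dhcp` chain is also jumped to from INPUT via `--physdev-in tap2` in the previous hunk, and since its rules are defined outside this hunk it is worth confirming it matches both the client-to-server (dport 67) and server-to-client (dport 68) direction. The enclosing `case $TYPE in` block starts and ends outside this hunk.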
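Review bot: The two nat-table LOG rules added after `iptables_log` in the `@@ -89,6 +93,9 @@` hunk are unconditional, so every new connection reaching PREROUTING and every packet leaving POSTROUTING that was not accepted earlier is written to the kernel log at level 7 with no ceiling; a burst of unwanted traffic can fill the ring buffer and push out the entries a responder would want. The filter-table lines in `iptables_log` already have the same shape, but these two are the new code, and they can carry a limit, `$IPT -t nat -A PREROUTING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "`, with the POSTROUTING line changed the same way. Note also that the "log everything else and drop" comment above them describes the filter table; nothing in the nat table drops, so these rules only log. The enclosing `case $TYPE in` block starts and ends outside this hunk.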
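Review bot: In the server branch (`@@ -98,9 +105,19 @@`) the new `cli_dns_in` rule is `-i ${PUB_IF} -d ${PUB_IP} -s ${DNS}`, but the `DNS="10.0.0.254"` introduced in the `@@ -10,13 +11,14 @@` hunk is the same address as `PUB_IP="10.0.0.254"`, so the rule only matches packets from the host to itself, which never arrive on enp8s0; real resolver replies will instead hit the log-and-drop tail, and the matching `cli_dns_out` rule has the same problem. This looks like a placeholder that was never filled in, so either point `DNS` at the actual resolver or add a `# TODO: set to the upstream resolver` comment next to the variable. Separately, the `srv_https_in`, `srv_ssh_in` and `srv_git_in` rules trust every source in `${BR_NET}`, a /8, on the public interface; if enp8s0 faces something wider than the bridge network in server mode, a narrower source range on those three lines is the cheaper fix than relying on the chains themselves. The enclosing `case $TYPE in` block starts and ends outside this hunk.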