about summary refs log tree commit diff stats
path: root/core
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2018-04-11 17:01:15 +0100
committerSilvino Silva <silvino@bk.ru>2018-04-11 17:01:15 +0100
commit4f0a749494c7d31b8d203490ec008918c8bacc87 (patch)
tree6d690512d0724d8b8386d8ae36715d03fd75fe56 /core
parent50f9d4a5d286fff80b4df38136c45bde5abcd4c4 (diff)
downloaddoc-4f0a749494c7d31b8d203490ec008918c8bacc87.tar.gz
iptables moved to core
Diffstat (limited to 'core')
-rw-r--r--core/conf/iptables/br-lan.v4136
-rw-r--r--core/conf/iptables/net.v4 (renamed from core/conf/iptables/rules.v4)0
-rw-r--r--core/conf/rc.d/iptables17
-rw-r--r--core/network.html42
-rw-r--r--core/scripts/iptables-br.sh (renamed from core/conf/iptables/iptables-lan.sh)214
-rw-r--r--core/scripts/iptables.sh (renamed from core/conf/iptables/iptables.sh)3
6 files changed, 272 insertions, 140 deletions
diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4
new file mode 100644
index 0000000..61da499
--- /dev/null
+++ b/core/conf/iptables/br-lan.v4
@@ -0,0 +1,136 @@
+# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr  3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr  3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr  3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr  3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr  3 02:25:27 2018
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:client_in - [0:0]
+:client_out - [0:0]
+:netconf_in - [0:0]
+:netconf_out - [0:0]
+:server_in - [0:0]
+:server_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
+-A INPUT -d 10.0.0.0/8 -i br0 -j client_in
+-A INPUT -i br0 -j netconf_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j blocker
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
+-A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
+-A OUTPUT -o br0 -j netconf_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
+-A blocker -s 8.8.0.0/24 -j DROP
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -j RETURN
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -j RETURN
+-A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
+-A netconf_in -p icmp -j ACCEPT
+-A netconf_in -j RETURN
+-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
+-A netconf_out -p icmp -j ACCEPT
+-A netconf_out -j RETURN
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -j RETURN
+-A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -j RETURN
+COMMIT
+# Completed on Tue Apr  3 02:25:27 2018
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/net.v4
index 568455a..568455a 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/net.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index bb5cf91..dd17b97 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -3,8 +3,7 @@
 # /etc/rc.d/iptables: load/unload iptable rules
 #
 
-rules=rules.v4
-#rules=vlan.v4
+rules=/etc/iptables/net.v4
 
 iptables_clear () {
     echo "clear all iptables tables"
@@ -22,9 +21,8 @@ iptables_clear () {
 
 case $1 in
     start)
-        iptables_clear
         echo "starting IPv4 firewall filter table..."
-        /usr/sbin/iptables-restore < /etc/iptables/${rules}
+        /usr/sbin/iptables-restore ${rules}
         ;;
     stop)
         iptables_clear
@@ -51,6 +49,12 @@ case $1 in
         /usr/sbin/iptables -P FORWARD DROP
         /usr/sbin/iptables -P OUTPUT ACCEPT
 
+	/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
+	/usr/sbin/iptables -t mangle -P INPUT ACCEPT
+	/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
+	/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
+	/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+
         /usr/sbin/iptables -A OUTPUT -j ACCEPT
 
         # Unlimited on local
@@ -58,8 +62,9 @@ case $1 in
         /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
 
         # Accept passive
-        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-        /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+        /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+        /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 
         # log everything else and drop
         /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
diff --git a/core/network.html b/core/network.html
index 57f877a..9aa5921 100644
--- a/core/network.html
+++ b/core/network.html
@@ -13,10 +13,10 @@
 
         <dl>
             <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt>
-            <dd>Configure iptables, start option loads set of rules from
-            file /etc/iptables/rules_file_name, open option allows everything
-            to outside and blocks everything from outside, stop will block
-            and log everything.</dd>
+            <dd>Configure <a href="#iptables">iptables</a>, start option
+            loads set of rules from file /etc/iptables/name.v4, open option
+            allows everything to outside and blocks everything from outside,
+            stop will block and log everything.</dd>
             <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt>
             <dd>Configure Ethernet interface with static or dynamic (dhcp)
             IP, set default route and add default gateway.</dd>
@@ -116,47 +116,45 @@
 
         <p>For more information about iptables read
         <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
-        Iptables can be setup at startup with
-        <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> script, change
-        <a href="conf/iptables/iptables.sh">/etc/iptables/iptables.sh</a>
-        with your needs and run to apply, after iptables-save can be used
-        to create /etc/iptables/rules.v4 file that is used by init script.</p>
+        Iptables can be setup at boot with
+        <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> init script, change
+        <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run
+        to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> 
+        file.</p>
 
         <p>Init script "start" option loads set of rules from file
         /etc/iptables/rules.v4, "open" option allows everything to outside
         and blocks everything from outside, "stop" will block and log
         everything.</p>
 
+        <p>Setup init script and rules ;</p>
+
         <pre>
         # mkdir /etc/iptables
-        # cp c9-doc/core/conf/iptables/rules.v4 /etc/iptables/
-        # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/
+        # cp core/conf/iptables/net.v4 /etc/iptables/
+        # cp core/conf/rc.d/iptables /etc/rc.d/
         # chmod +x /etc/rc.d/iptables
         </pre>
 
-        <p>Adjust rules.v4 to your needs, then;</p>
+        <p>Change /etc/rc.conf and add iptables;</p>
 
         <pre>
-        # sh /etc/rc.d/iptables start
+        SERVICES=(iptables lo net crond)
         </pre>
 
-        <p>See current rules and packets;</p>
+        <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with
+        your network configuration then run it;</p>
 
         <pre>
-        # iptables -L -n -v | less
+        # bash core/scripts/iptables.sh
         </pre>
 
-        <p>Copy init script, edit if you dont like to
-        let drop when you call stop.</p>
-
-        <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p>
+        <p>See current rules and packets;</p>
 
         <pre>
-        SERVICES=(lo iptables net crond)
+        # iptables -L -n -v | less
         </pre>
 
-        <p>
-
         <h2 id="wpa">2.3.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
diff --git a/core/conf/iptables/iptables-lan.sh b/core/scripts/iptables-br.sh
index 32a6ef5..be1280c 100644
--- a/core/conf/iptables/iptables-lan.sh
+++ b/core/scripts/iptables-br.sh
@@ -147,15 +147,15 @@ IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
 # public interface to network/internet
+#PUB_IF="wlp7s0"
+PUB_IF="enp8s0"
 BR_IF="br0"
-BR_IP="10.0.0.254"
-BR_NET="10.0.0.0/8"
+PUB_IP="10.0.0.254"
+NET_ADDR="10.0.0.0/8"
 GW="10.0.0.1"
-
 # private interface for virtual/internal
-WIFI_IF="wlp7s0"
-WIFI_NET="192.168.1.0/24"
-#PRI_IP="192.168.1.33"
+PRIV_IF="wlp7s0"
+PRIV_IP="192.168.1.33"
 
 echo "Stopping ipv4 firewall and deny everyone..."
 
@@ -178,18 +178,22 @@ iptables -N server_out
 iptables -N client_in
 iptables -N client_out
 
-iptables -N srv_dns_in
-iptables -N srv_dns_out
-iptables -N cli_dns_in
-iptables -N cli_dns_out
-iptables -N cli_http_in
-iptables -N cli_http_out
-
 # Set Default Rules
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
+echo "Starting ipv4 firewall tables..."
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+#modprobe ip_conntrack
+#modprobe ip_conntrack_ftp
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+
 ####### blocker Chain  ######
 ## Block google dns
 $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
@@ -200,75 +204,62 @@ $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
 ## Block Fragments
 $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
 $IPT -A blocker -f -j DROP
+
 $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+
 $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
 $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
 $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
 $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
 $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
 $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
 $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
 $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
 $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 ## Return to caller
 $IPT -A blocker -j RETURN
 
-######## DNS Server
-#echo "server_in chain: Allow input to DNS Server"
-$IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A srv_dns_in -j RETURN
-#echo "srv_dns_out chain: Allow output from DNS server"
-$IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-$IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-$IPT -A srv_dns_out -j RETURN
-
-######## DNS Client
-echo "cli_dns_out chain: Allow output to DNS server"
-$IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A cli_dns_out -j RETURN
-echo "cli_dns_in chain: Allow input from DNS Server"
-$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A cli_dns_in -j RETURN
-
-######## HTTP Client
-$IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A cli_http_in -j RETURN
-#echo "Allow to HTTP server"
-$IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPT -A cli_http_out -j RETURN
-
 ####### server input Chain  ######
 #echo "server_in chain: Allow to VNC Server"
-#$IPT -A server_in -p tcp --dport 5900:5910 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-echo "server_in chain: Allow to DataBase Server"
-$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-echo "server_in chain: Allow to SSH server"
-$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-echo "server_in chain: Allow input to HTTPS Server"
-$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-echo "server_in chain: Allow input to HTTP Server"
-$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-echo "server_in chain: Allow output from GIT server"
-$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -A server_in -p tcp --dport 5900 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#echo "server_in chain: Allow to DataBase Server"
+#$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#echo "server_in chain: Allow to SSH server"
+#$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#echo "server_in chain: Allow input to HTTPS Server"
+#$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#echo "server_in chain: Allow input to HTTP Server"
+#$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "server_in chain: Allow input to DNS Server"
+$IPT -A server_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A server_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
+#echo "server_in chain: Allow input to GIT server"
+#$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 
 ## Return to caller
 $IPT -A server_in -j RETURN
 
 ####### server output Chain  ######
-echo "server_out chain: Allow output from GIT server"
-$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-echo "server_out chain: Allow output from https server"
-$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-echo "server_out chain: Allow output from http server"
-$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-echo "server_out chain: Allow output from SSH server"
-$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-echo "server_out chain: Allow output from Data Base server"
-$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "server_out chain: Allow output from DNS server"
+$IPT -A server_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPT -A server_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from GIT server"
+#$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from https server"
+#$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from http server"
+#$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from SSH server"
+#$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+#echo "server_out chain: Allow output from Data Base server"
+#$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 #echo "server_out chain: Allow output from VNC server"
-#$IPT -A server_out -p tcp --sport 5900:5910 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#$IPT -A server_out -p tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 ## Return to caller
 $IPT -A server_out -j RETURN
@@ -284,14 +275,20 @@ echo "client_in chain: Allow input from POP3S server"
 $IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 echo "client_in chain: Allow input from SMTPS server"
 $IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from HTTP Server"
+$IPT -A client_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 echo "client_in chain: Allow input from HTTPS server"
 $IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "client_in chain: Allow input from DNS Server"
+$IPT -A client_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 echo "client_in chain: Allow input from SSH Server"
 $IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 $IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 echo "client_in chain: Allow input from GPG key Server"
 $IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+## Return to caller
 $IPT -A client_in -j RETURN
 
 ####### client output Chain  ######
@@ -308,21 +305,28 @@ $IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ES
 echo "client_out chain: Allow output to HTTPS server"
 $IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "Allow to HTTP server"
+$IPT -A client_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+echo "client_out chain: Allow output to DNS server"
+$IPT -A client_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 echo "client_out chain: Allow output to SSH server"
 $IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 echo "client_out chain: Allow output to GPG key Server"
 $IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+## Return to caller
 $IPT -A client_out -j RETURN
 
 ####### netconf input Chain  ######
 echo "netconf_in chain: Allow DHCP protocol"
 $IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT
-echo "netconf_in chain: Allow RIP protocol for ${BR_NET}"
-$IPT -A netconf_in -p udp --sport 520 --dport 520 -j ACCEPT
-#echo "netconf chain: Allow ICMP from ${BR_NET}"
-#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT
+echo "netconf_in chain: Allow RIP protocol for ${NET_ADDR}"
+$IPT -A netconf_in -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT
+#echo "netconf chain: Allow ICMP from ${NET_ADDR}"
+#$IPT -A netconf_in -p icmp -s ${NET_ADDR} -j ACCEPT
 echo "netconf_in chain: Allow ICMP from all"
+$IPT -A netconf_in -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_in ICMP: "
 $IPT -A netconf_in -p icmp -j ACCEPT
 
 ## Return to caller
@@ -331,75 +335,61 @@ $IPT -A netconf_in -j RETURN
 
 ####### netconf output Chain  ######
 echo "netconf_out chain: Allow output from DHCP server"
-$IPT -A netconf_out -p udp --sport 67 --dport 68 -j ACCEPT
-echo "netconf_out chain: Allow RIP protocol for ${BR_NET}"
-$IPT -A netconf_out -p udp --sport 520 --dport 520 -j ACCEPT
-#echo "netconf chain: Allow ICMP output to ${BR_NET}"
-#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT
+$IPT -A netconf_out -p udp --sport 67 --dport 68 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT
+echo "netconf_out chain: Allow RIP protocol for ${NET_ADDR}"
+$IPT -A netconf_out -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT
+#echo "netconf chain: Allow ICMP output to ${NET_ADDR}"
+#$IPT -A netconf_out -p icmp -d ${NET_ADDR} -j ACCEPT
 echo "netconf chain: Allow ICMP output to all"
+$IPT -A netconf_out -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_out ICMP: "
 $IPT -A netconf_out -p icmp -j ACCEPT
 
 ## Return to caller
 $IPT -A netconf_out -j RETURN
 
-############################################################
-#
-# Start adding rules tables
-#
+####### AP rules  ######
+#$IPT -t nat -A PREROUTING -i ${BR_IF} -p tcp --dport 80 -j DNAT --to 10.0.0.4:80
 
-echo "Starting ipv4 firewall tables..."
+$IPT -A FORWARD -j blocker
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -d ${NET_ADDR}  -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_out
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j client_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j client_out
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j server_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j server_out
 
-# Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A INPUT -i lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT
-$IPT -A OUTPUT -o lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT
 
-#modprobe ip_conntrack
-#modprobe ip_conntrack_ftp
-echo 1 > /proc/sys/net/ipv4/ip_forward
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j ACCEPT
 
-####### Forward Chain  ######
-$IPT -A FORWARD -j blocker
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-$IPT -A FORWARD -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j ACCEPT
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j ACCEPT
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j ACCEPT
+#$IPT -A FORWARD -j server_in
+
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j SNAT --to ${PUB_IP}
 
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
+
+$IPT -A INPUT -i ${BR_IF} -s ${NET_ADDR} -d ${PUB_IP} -j server_in
+$IPT -A INPUT -i ${BR_IF} -d ${NET_ADDR} -j client_in
 $IPT -A INPUT -i ${BR_IF} -j netconf_in
-$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j srv_dns_in
-$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d ${BR_IP} -j server_in
-#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j client_in
-#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j cli_dns_in
-#$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j client_in
-#
-##$IPT -A INPUT -i ${WIFI_IF} -j server_in
-#$IPT -A INPUT -i ${WIFI_IF} -j netconf_in
+
+#$IPT -A INPUT -i ${PUB_IF} -d ${NET_ADDR} -j client_in
 
 ####### Output Chain ######
 $IPT -A OUTPUT -j blocker
-$IPT -A OUTPUT -o ${BR_IF}  -j netconf_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j srv_dns_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j server_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j client_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j client_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j cli_dns_out
 
-#$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -j client_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${NET_ADDR} -j server_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${NET_ADDR} -j client_out
+$IPT -A OUTPUT -o ${BR_IF} -j netconf_out
 
-#$IPT -A OUTPUT -o ${WIFI_IF} -j server_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j netconf_out
 
-####### PostRouting Chain ######
-$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
-#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j MASQUERADE
+#$IPT -A OUTPUT -o ${PUB_IF} -s ${NET_ADDR} -j client_out
 
 ## log everything else and drop
-$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
 $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
 $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
-$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+iptables-save > /etc/iptables/br-lan.v4
 exit 0
diff --git a/core/conf/iptables/iptables.sh b/core/scripts/iptables.sh
index 32a6ef5..b887204 100644
--- a/core/conf/iptables/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -402,4 +402,7 @@ $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
 $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
 $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
 $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+
+iptables-save > /etc/iptables/net.rules
 exit 0