author | Silvino Silva <silvino@bk.ru> | 2018-04-11 17:01:15 +0100 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-04-11 17:01:15 +0100 |
commit | 4f0a749494c7d31b8d203490ec008918c8bacc87 (patch) | |
tree | 6d690512d0724d8b8386d8ae36715d03fd75fe56 /core | |
parent | 50f9d4a5d286fff80b4df38136c45bde5abcd4c4 (diff) | |
download | doc-4f0a749494c7d31b8d203490ec008918c8bacc87.tar.gz |
iptables moved to core
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/iptables/br-lan.v4 | 136 | ||||
-rw-r--r-- | core/conf/iptables/net.v4 (renamed from core/conf/iptables/rules.v4) | 0 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 17 | ||||
-rw-r--r-- | core/network.html | 42 | ||||
-rw-r--r-- | core/scripts/iptables-br.sh (renamed from core/conf/iptables/iptables-lan.sh) | 214 | ||||
-rw-r--r-- | core/scripts/iptables.sh (renamed from core/conf/iptables/iptables.sh) | 3 |
6 files changed, 272 insertions, 140 deletions
diff --git a/core/conf/iptables/br-lan.v4 b/core/conf/iptables/br-lan.v4
new file mode 100644
index 0000000..61da499
--- /dev/null
+++ b/core/conf/iptables/br-lan.v4
@@ -0,0 +1,136 @@
+# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr 3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr 3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr 3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Apr 3 02:25:27 2018
+# Generated by iptables-save v1.6.2 on Tue Apr 3 02:25:27 2018
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:blocker - [0:0]
+:client_in - [0:0]
+:client_out - [0:0]
+:netconf_in - [0:0]
+:netconf_out - [0:0]
+:server_in - [0:0]
+:server_out - [0:0]
+-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT
+-A INPUT -j blocker
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j server_in
+-A INPUT -d 10.0.0.0/8 -i br0 -j client_in
+-A INPUT -i br0 -j netconf_in
+-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
+-A FORWARD -j blocker
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_in
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j netconf_out
+-A FORWARD -d 10.0.0.0/8 -i br0 -o br0 -j client_in
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j client_out
+-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j server_out
+-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
+-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
+-A OUTPUT -j blocker
+-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j server_out
+-A OUTPUT -s 10.0.0.0/8 -o br0 -j client_out
+-A OUTPUT -o br0 -j netconf_out
+-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
+-A blocker -s 8.8.0.0/24 -j LOG --log-prefix "iptables: blocker google: " --log-level 7
+-A blocker -s 8.8.0.0/24 -j DROP
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
+-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
+-A blocker -f -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs"
+-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: "
+-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A blocker -j RETURN
+-A client_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A client_in -j RETURN
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A client_out -j RETURN
+-A netconf_in -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A netconf_in -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A netconf_in -p icmp -j LOG --log-prefix "iptables: netconf_in ICMP: " --log-level 7
+-A netconf_in -p icmp -j ACCEPT
+-A netconf_in -j RETURN
+-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+-A netconf_out -s 10.0.0.0/8 -d 10.0.0.0/8 -p udp -m udp --sport 520 --dport 520 -j ACCEPT
+-A netconf_out -p icmp -j LOG --log-prefix "iptables: netconf_out ICMP: " --log-level 7
+-A netconf_out -p icmp -j ACCEPT
+-A netconf_out -j RETURN
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A server_in -j RETURN
+-A server_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+-A server_out -p tcp -m tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A server_out -j RETURN
+COMMIT
+# Completed on Tue Apr 3 02:25:27 2018
diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/net.v4
index 568455a..568455a 100644
--- a/core/conf/iptables/rules.v4
+++ b/core/conf/iptables/net.v4
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index bb5cf91..dd17b97 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -3,8 +3,7 @@ # /etc/rc.d/iptables: load/unload iptable rules # -rules=rules.v4 -#rules=vlan.v4 +rules=/etc/iptables/net.v4 iptables_clear () { echo "clear all iptables tables"
@@ -22,9 +21,8 @@ iptables_clear () { case $1 in start) - iptables_clear echo "starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/${rules} + /usr/sbin/iptables-restore ${rules} ;; stop) iptables_clear
@@ -51,6 +49,12 @@ case $1 in /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT ACCEPT + /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT + /usr/sbin/iptables -t mangle -P INPUT ACCEPT + /usr/sbin/iptables -t mangle -P FORWARD ACCEPT + /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT + /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT + /usr/sbin/iptables -A OUTPUT -j ACCEPT # Unlimited on local
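Review bot: This saved ruleset disagrees with the script that is meant to produce it: `server_in` here accepts NEW connections from 10.0.0.0/8 to 5900, 5432, 2222, 443, 80 and 9418, while core/scripts/iptables-br.sh in the same commit has all of those `server_in` lines commented out and keeps only DNS. Since that script ends with `iptables-save > /etc/iptables/br-lan.v4`, this file looks like a snapshot taken before the script was trimmed, and anyone loading it with iptables-restore gets the wider exposure; regenerate it from the current script before committing. A leading comment such as `# Generated by core/scripts/iptables-br.sh - do not edit, re-run the script` (iptables-restore ignores `#` lines) would make the provenance clear. The truncated `--log-prefix "iptables: drop syn rst syn rs"` also shows that the script's prefix exceeds the 29-character limit and is silently cut.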
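Review bot: `rules=/etc/iptables/net.v4` changes the file the init script loads, but the unchanged paragraph in core/network.html in this same commit still tells the reader that "start" loads `/etc/iptables/rules.v4`, so the docs and the script now disagree on the filename. Update that sentence alongside this hunk so a user who follows the documentation copies the file the script actually opens.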
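Review bot: Removing `iptables_clear` before `/usr/sbin/iptables-restore ${rules}` means only the tables listed in the rules file are flushed; iptables-restore (without --noflush) replaces each table it finds in its input and leaves any other table untouched, so chains left over from the "open" arm or from a hand-run script can survive a `start`. Whether net.v4 lists all five tables is not visible here; if it does not, keep the `iptables_clear` call before the restore line or make sure the file is always a full `iptables-save` dump. The expansion should also be quoted, `/usr/sbin/iptables-restore "${rules}"`. The `case` statement containing this arm starts outside the hunk.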
@@ -58,8 +62,9 @@ case $1 in /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT # Accept passive - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT # log everything else and drop /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " diff --git a/core/network.html b/core/network.html index 57f877a..9aa5921 100644 --- a/core/network.html +++ b/core/network.html @@ -13,10 +13,10 @@ <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> - <dd>Configure iptables, start option loads set of rules from - file /etc/iptables/rules_file_name, open option allows everything - to outside and blocks everything from outside, stop will block - and log everything.</dd> + <dd>Configure <a href="#iptables">iptables</a>, start option + loads set of rules from file /etc/iptables/name.v4, open option + allows everything to outside and blocks everything from outside, + stop will block and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> <dd>Configure Ethernet interface with static or dynamic (dhcp) IP, set default route and add default gateway.</dd> 
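Review bot: Adding `NEW` to the `INPUT -p tcp --dport 1024:` and `-p udp --dport 1024:` accept rules turns the "Accept passive" lines into an open door: every service listening on an unprivileged port (this commit's own rule files list 2222, 5432, 5900 and 9418) becomes reachable from any interface, which contradicts core/network.html's description that this option "blocks everything from outside". The tcp line is also added twice. Replies to outbound connections are already covered by `ESTABLISHED,RELATED`, so keep the two original lines and drop the duplicate: `/usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT` and the udp equivalent. The `case` arm this belongs to starts outside the hunk (the header only shows `case $1 in`), so which option it is has been inferred from the preceding `-P OUTPUT ACCEPT` hunk.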
@@ -116,47 +116,45 @@ <p>For more information about iptables read <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. - Iptables can be setup at startup with - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> script, change - <a href="conf/iptables/iptables.sh">/etc/iptables/iptables.sh</a> - with your needs and run to apply, after iptables-save can be used - to create /etc/iptables/rules.v4 file that is used by init script.</p> + Iptables can be setup at boot with + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> init script, change + <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run + to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> + file.</p> <p>Init script "start" option loads set of rules from file /etc/iptables/rules.v4, "open" option allows everything to outside and blocks everything from outside, "stop" will block and log everything.</p> + <p>Setup init script and rules ;</p> + <pre> # mkdir /etc/iptables - # cp c9-doc/core/conf/iptables/rules.v4 /etc/iptables/ - # cp c9-doc/core/conf/rc.d/iptables /etc/rc.d/ + # cp core/conf/iptables/net.v4 /etc/iptables/ + # cp core/conf/rc.d/iptables /etc/rc.d/ # chmod +x /etc/rc.d/iptables </pre> - <p>Adjust rules.v4 to your needs, then;</p> + <p>Change /etc/rc.conf and add iptables;</p> <pre> - # sh /etc/rc.d/iptables start + SERVICES=(iptables lo net crond) </pre> - <p>See current rules and packets;</p> + <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with + your network configuration then run it;</p> <pre> - # iptables -L -n -v | less + # bash core/scripts/iptables.sh </pre> - <p>Copy init script, edit if you dont like to - let drop when you call stop.</p> - - <p>Re-configure your rc.conf and add iptables before (w)lan is up;</p> + <p>See current rules and packets;</p> <pre> - SERVICES=(lo iptables net crond) + # iptables -L -n -v | less </pre> - <p> - <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> <p>There is more information on 
diff --git a/core/conf/iptables/iptables-lan.sh b/core/scripts/iptables-br.sh index 32a6ef5..be1280c 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/scripts/iptables-br.sh @@ -147,15 +147,15 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" # public interface to network/internet +#PUB_IF="wlp7s0" +PUB_IF="enp8s0" BR_IF="br0" -BR_IP="10.0.0.254" -BR_NET="10.0.0.0/8" +PUB_IP="10.0.0.254" +NET_ADDR="10.0.0.0/8" GW="10.0.0.1" - # private interface for virtual/internal -WIFI_IF="wlp7s0" -WIFI_NET="192.168.1.0/24" -#PRI_IP="192.168.1.33" +PRIV_IF="wlp7s0" +PRIV_IP="192.168.1.33" echo "Stopping ipv4 firewall and deny everyone..." @@ -178,18 +178,22 @@ iptables -N server_out iptables -N client_in iptables -N client_out -iptables -N srv_dns_in -iptables -N srv_dns_out -iptables -N cli_dns_in -iptables -N cli_dns_out -iptables -N cli_http_in -iptables -N cli_http_out - # Set Default Rules iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP +echo "Starting ipv4 firewall tables..." +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT + +#modprobe ip_conntrack +#modprobe ip_conntrack_ftp +#echo 1 > /proc/sys/net/ipv4/ip_forward + ####### blocker Chain ###### ## Block google dns $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " 
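Review bot: `GW`, `PRIV_IF` and `PRIV_IP` are assigned here but, as far as the hunks in this commit show, no rule reads them; the new INPUT/OUTPUT/FORWARD rules use only `BR_IF`, `PUB_IF`, `PUB_IP` and `NET_ADDR`, and `SPAMLIST`/`SPAMDROPMSG` in the context are in the same position. If they are unused elsewhere in the file they should go, since stale address variables in a firewall script are exactly what gets picked by mistake later. Renaming `BR_IP` to `PUB_IP` also reads oddly given the value is still the host's own bridge address (`-i lo -s ${PUB_IP}` later in the file); a comment such as `# address of this host on ${BR_IF}` above it would settle what it means. The rest of the variable block lies outside the hunk.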
@@ -200,75 +204,62 @@ $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP ## Block Fragments $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " $IPT -A blocker -f -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP + $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP ## Return to caller $IPT -A blocker -j RETURN -######## DNS Server -#echo "server_in chain: Allow input to DNS Server" -$IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_in -j RETURN -#echo "srv_dns_out chain: Allow output from DNS server" -$IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A srv_dns_out -j RETURN - -######## DNS Client -echo "cli_dns_out chain: Allow output to DNS 
server" -$IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_dns_out -j RETURN -echo "cli_dns_in chain: Allow input from DNS Server" -$IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_dns_in -j RETURN - -######## HTTP Client -$IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A cli_http_in -j RETURN -#echo "Allow to HTTP server" -$IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A cli_http_out -j RETURN - ####### server input Chain ###### #echo "server_in chain: Allow to VNC Server" -#$IPT -A server_in -p tcp --dport 5900:5910 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to DataBase Server" -$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow to SSH server" -$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTPS Server" -$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to HTTP Server" -$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow output from GIT server" -$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#$IPT -A server_in -p tcp --dport 5900 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#echo "server_in chain: Allow to DataBase Server" +#$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#echo "server_in chain: Allow to SSH server" +#$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#echo 
"server_in chain: Allow input to HTTPS Server" +#$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#echo "server_in chain: Allow input to HTTP Server" +#$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +echo "server_in chain: Allow input to DNS Server" +$IPT -A server_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A server_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +#echo "server_in chain: Allow input to GIT server" +#$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT ## Return to caller $IPT -A server_in -j RETURN ####### server output Chain ###### -echo "server_out chain: Allow output from GIT server" -$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from https server" -$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from http server" -$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from SSH server" -$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "server_out chain: Allow output from Data Base server" -$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +echo "server_out chain: Allow output from DNS server" +$IPT -A server_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +$IPT -A server_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +#echo "server_out chain: Allow output from GIT server" +#$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED 
-j ACCEPT +#echo "server_out chain: Allow output from https server" +#$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +#echo "server_out chain: Allow output from http server" +#$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +#echo "server_out chain: Allow output from SSH server" +#$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +#echo "server_out chain: Allow output from Data Base server" +#$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT #echo "server_out chain: Allow output from VNC server" -#$IPT -A server_out -p tcp --sport 5900:5910 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +#$IPT -A server_out -p tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT ## Return to caller $IPT -A server_out -j RETURN 
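Review bot: `server_in` now accepts DNS only with `--sport 1024:65535`, so a query from a peer resolver or forwarder that sends from port 53, or from any client using a privileged source port, falls through to the final INPUT LOG rule and is dropped instead of answered; if that is intended it deserves a comment, otherwise drop the `--sport` match on the two port-53 lines. Style: enabling or disabling a service by commenting out echo/rule pairs leaves eight dead lines in this hunk alone and makes the live set hard to read; a variable such as `SERVER_TCP_PORTS="53"` iterated in a loop would show the enabled services at a glance and keep `server_in` and `server_out` symmetric by construction.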
@@ -284,14 +275,20 @@ echo "client_in chain: Allow input from POP3S server" $IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT echo "client_in chain: Allow input from SMTPS server" $IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +echo "client_in chain: Allow input from HTTP Server" +$IPT -A client_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT echo "client_in chain: Allow input from HTTPS server" $IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +echo "client_in chain: Allow input from DNS Server" +$IPT -A client_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT echo "client_in chain: Allow input from SSH Server" $IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT $IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT echo "client_in chain: Allow input from GPG key Server" $IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +## Return to caller $IPT -A client_in -j RETURN ####### client output Chain ###### 
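Review bot: Commenting out `client_in -p udp --sport 443` while `client_out` still accepts `-p udp --dport 443 ... NEW,ESTABLISHED` (context in the next hunk) leaves outbound QUIC half-open: the request is let out, every reply is dropped and logged by the INPUT LOG rule, and browsers only fall back to TCP after a timeout. Either restore the reply rule or comment out the matching `client_out` line so the pair stays symmetric like every other service in these chains.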
@@ -308,21 +305,28 @@ $IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ES echo "client_out chain: Allow output to HTTPS server" $IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +echo "Allow to HTTP server" +$IPT -A client_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +echo "client_out chain: Allow output to DNS server" +$IPT -A client_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT echo "client_out chain: Allow output to SSH server" $IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT echo "client_out chain: Allow output to GPG key Server" $IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +## Return to caller $IPT -A client_out -j RETURN ####### netconf input Chain ###### echo "netconf_in chain: Allow DHCP protocol" $IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP from ${BR_NET}" -#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT +echo "netconf_in chain: Allow RIP protocol for ${NET_ADDR}" +$IPT -A netconf_in -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT +#echo "netconf chain: Allow ICMP from ${NET_ADDR}" +#$IPT -A netconf_in -p icmp -s ${NET_ADDR} -j ACCEPT echo "netconf_in chain: Allow ICMP from all" +$IPT -A netconf_in -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_in ICMP: " $IPT -A netconf_in -p icmp -j ACCEPT ## Return to caller 
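Review bot: The new `netconf_in -p icmp -j LOG` line has no rate limit, unlike the blocker LOG rules in this file that use `-m limit --limit 5/m --limit-burst 7`; because ICMP is accepted from any host on the bridge, a ping flood becomes a syslog flood. `$IPT -A netconf_in -p icmp -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: netconf_in ICMP: "` keeps the visibility without the amplification; the same applies to the `netconf_out` LOG line added in the next hunk.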
@@ -331,75 +335,61 @@ $IPT -A netconf_in -j RETURN ####### netconf output Chain ###### echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${BR_NET}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${BR_NET}" -#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT +$IPT -A netconf_out -p udp --sport 67 --dport 68 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT +echo "netconf_out chain: Allow RIP protocol for ${NET_ADDR}" +$IPT -A netconf_out -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT +#echo "netconf chain: Allow ICMP output to ${NET_ADDR}" +#$IPT -A netconf_out -p icmp -d ${NET_ADDR} -j ACCEPT echo "netconf chain: Allow ICMP output to all" +$IPT -A netconf_out -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_out ICMP: " $IPT -A netconf_out -p icmp -j ACCEPT ## Return to caller $IPT -A netconf_out -j RETURN -############################################################ -# -# Start adding rules tables -# +####### AP rules ###### +#$IPT -t nat -A PREROUTING -i ${BR_IF} -p tcp --dport 80 -j DNAT --to 10.0.0.4:80 -echo "Starting ipv4 firewall tables..." 
+$IPT -A FORWARD -j blocker +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_out +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j client_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j client_out +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j server_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j server_out -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${BR_IP} -d ${BR_IP} -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -echo 1 > /proc/sys/net/ipv4/ip_forward +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j ACCEPT -####### Forward Chain ###### -$IPT -A FORWARD -j blocker -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT -$IPT -A FORWARD -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j ACCEPT -#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j ACCEPT +#$IPT -A FORWARD -j server_in + +#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j SNAT --to ${PUB_IP} ####### Input Chain ###### $IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${BR_IF} -s ${NET_ADDR} -d ${PUB_IP} -j server_in +$IPT -A INPUT -i ${BR_IF} -d ${NET_ADDR} -j client_in $IPT -A INPUT -i ${BR_IF} -j netconf_in -$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j srv_dns_in -$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d ${BR_IP} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j client_in -#$IPT -A INPUT -i ${WIFI_IF} -d ${WIFI_NET} -j cli_dns_in -#$IPT -A INPUT -i ${BR_IF} -d ${BR_IP} -j client_in -# -##$IPT -A 
INPUT -i ${WIFI_IF} -j server_in -#$IPT -A INPUT -i ${WIFI_IF} -j netconf_in + +#$IPT -A INPUT -i ${PUB_IF} -d ${NET_ADDR} -j client_in ####### Output Chain ###### $IPT -A OUTPUT -j blocker -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j srv_dns_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -d ${BR_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j client_out -#$IPT -A OUTPUT -o ${WIFI_IF} -s ${WIFI_NET} -j cli_dns_out -#$IPT -A OUTPUT -o ${BR_IF} -s ${BR_IP} -j client_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${NET_ADDR} -j server_out +$IPT -A OUTPUT -o ${BR_IF} -s ${NET_ADDR} -j client_out +$IPT -A OUTPUT -o ${BR_IF} -j netconf_out -#$IPT -A OUTPUT -o ${WIFI_IF} -j server_out -#$IPT -A OUTPUT -o ${WIFI_IF} -j netconf_out -####### PostRouting Chain ###### -$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j MASQUERADE +#$IPT -A OUTPUT -o ${PUB_IF} -s ${NET_ADDR} -j client_out ## log everything else and drop -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " -$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + +iptables-save > /etc/iptables/br-lan.v4 exit 0 diff --git a/core/conf/iptables/iptables.sh b/core/scripts/iptables.sh index 32a6ef5..b887204 100644 --- a/core/conf/iptables/iptables.sh +++ b/core/scripts/iptables.sh 
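Review bot: `iptables-save > /etc/iptables/br-lan.v4` at the end runs unconditionally; the script has no `set -e` and never checks an `$IPT` exit status, so a typo or a missing match module (`-m physdev` needs xt_physdev) yields a partial ruleset that is then persisted and restored at boot. Wrap `$IPT` in a small function that records any failure and skip the save when one occurred, or at least check the last command's status before saving. The two `-m physdev` ACCEPT rules hard-code `tap2` while every other interface is a variable, and the `-i ${BR_IF} -o ${BR_IF}` FORWARD rules only see bridged frames when br_netfilter is loaded with bridge-nf-call-iptables enabled, which the script neither loads nor documents now that the `ip_forward` line is gone. The removed nat `MASQUERADE` and LOG rules are not paired with a `-t nat` flush in what is shown, so confirm the stop/clear path covers that table.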
@@ -402,4 +402,7 @@ $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " + + +iptables-save > /etc/iptables/net.rules exit 0 |
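Review bot: `iptables-save > /etc/iptables/net.rules` writes to a filename nothing else in this commit reads: the init script sets `rules=/etc/iptables/net.v4` and core/network.html tells the user this script saves to /etc/iptables/net.v4, so running it as documented leaves the boot ruleset unchanged. Change it to `iptables-save > /etc/iptables/net.v4`, and as with iptables-br.sh, save only when the preceding rules applied cleanly, since whatever is written here is what iptables-restore loads at boot.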