authorSilvino <silvino@bk.ru>2019-06-28 03:54:24 +0100
committerSilvino <silvino@bk.ru>2019-06-28 03:54:24 +0100
commitb0c241f112e1e50a2910249cfe66c1648ba2f3fa (patch)
treeb3e2ece9fb9e741607102b3344a5bd768944d68f
parent8527dd081b4cdcca07e1477b742eaa2e1218f62f (diff)
downloaddoc-b0c241f112e1e50a2910249cfe66c1648ba2f3fa.tar.gz
core iptables bridge revision
-rw-r--r--core/conf/iptables/bridge.v435
-rw-r--r--core/conf/iptables/ipt-bridge.sh4
2 files changed, 22 insertions, 17 deletions
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4
index 35bfef4..4930262 100644
--- a/core/conf/iptables/bridge.v4
+++ b/core/conf/iptables/bridge.v4
@@ -1,34 +1,34 @@
-# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Wed Jun 26 15:44:59 2019
-# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
 *raw
-:PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [2:80]
+:OUTPUT ACCEPT [3:4544]
 COMMIT
-# Completed on Wed Jun 26 15:44:59 2019
-# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Wed Jun 26 15:44:59 2019
-# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
 *mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
+:PREROUTING ACCEPT [2:80]
+:INPUT ACCEPT [2:80]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [3:4544]
+:POSTROUTING ACCEPT [2:2292]
 COMMIT
-# Completed on Wed Jun 26 15:44:59 2019
-# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019
+# Completed on Fri Jun 28 01:22:10 2019
+# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -91,6 +91,9 @@ COMMIT
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in
 -A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
+-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
+-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP
+-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP
 -A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7
 -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
 -A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT
@@ -217,4 +220,4 @@ COMMIT
 -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A srv_ssh_out -j RETURN
 COMMIT
-# Completed on Wed Jun 26 15:44:59 2019
+# Completed on Fri Jun 28 01:22:10 2019
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 6dbeb87..694c22f 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -50,8 +50,10 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in
 ##Less noise
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 520 --sport 520 -j DROP
 
 ######## Input Chain ######
 $IPT -A INPUT -j blocker
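Review bot: The two UDP DROP rules added at the end of this hunk (`--dport 519 --sport 520` and `--dport 520 --sport 520`) carry no `-m physdev --physdev-in ${PUB_IF}` match, unlike every other FORWARD rule in the hunk, so they also drop that traffic when it enters on an internal bridge port; if only external chatter is meant to be silenced, add the physdev match, and if the wider scope is intended, record it in the comment. `##Less noise` does not say what the noise is; the generated bridge.v4 in this same commit shows these rules placed directly before the `-A FORWARD -j LOG` rule, so a comment such as `## Drop UDP 520 (RIP) chatter on the bridge ahead of the FORWARD LOG rule so it stops filling the log` would preserve the intent for the next reader. The new `-d 10.0.0.3 -j cli_http_in` rule presumes the `cli_http_in` chain has already been created with `-N` earlier in the script; that definition is outside this hunk, so confirm it precedes this `-A` or the append would fail at load time. The script's FORWARD section continues beyond the end of the hunk.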