diff options
author | Silvino <silvino@bk.ru> | 2019-06-26 17:10:12 +0100 |
---|---|---|
committer | Silvino <silvino@bk.ru> | 2019-06-26 17:49:35 +0100 |
commit | eddfa5ed593e67c9b2e6c53382b4fe044663451a (patch) | |
tree | d95e5875c53dc3715c75721c2c749de22d643ca4 /core | |
parent | 2830b5fb96cce787ca8c7562a968effc3e57bdb1 (diff) | |
download | doc-eddfa5ed593e67c9b2e6c53382b4fe044663451a.tar.gz |
core iptables revision
Diffstat (limited to 'core')
-rw-r--r-- | core/conf/iptables/bridge.v4 | 220 | ||||
-rw-r--r-- | core/conf/iptables/client.v4 (renamed from core/conf/iptables/open.v4) | 21 | ||||
-rw-r--r-- | core/conf/iptables/ipt-bridge.sh | 4 | ||||
-rw-r--r-- | core/conf/iptables/ipt-client.sh (renamed from core/conf/iptables/ipt-open.sh) | 5 | ||||
-rw-r--r-- | core/conf/iptables/ipt-conf.sh | 16 | ||||
-rw-r--r-- | core/conf/iptables/ipt-server.sh | 2 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 86 | ||||
-rw-r--r-- | core/conf/skel/.bashrc | 4 |
8 files changed, 311 insertions, 47 deletions
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4 new file mode 100644 index 0000000..35bfef4 --- /dev/null +++ b/core/conf/iptables/bridge.v4 @@ -0,0 +1,220 @@ +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP +-A INPUT -i br0 -j srv_dhcp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in +-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp +-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in +-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out +-A OUTPUT -o br0 -j srv_icmp +-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/client.v4 index 30e476d..91b564d 100644 --- a/core/conf/iptables/open.v4 +++ b/core/conf/iptables/client.v4 @@ -1,25 +1,25 @@ -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] @@ -27,8 +27,8 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] @@ -97,6 +97,7 @@ COMMIT -A OUTPUT -o wlp9s0 -j cli_irc_out -A OUTPUT -o wlp9s0 -j cli_ftp_out -A OUTPUT -o wlp9s0 -j cli_gpg_out +-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP @@ -207,4 +208,4 @@ COMMIT -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A srv_ssh_out -j RETURN COMMIT -# Completed on Sat Jun 8 23:05:15 2019 +# Completed on Thu Jun 20 20:34:21 2019 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index cd93687..6dbeb87 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -67,12 +67,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 - $IPT -A INPUT -i ${BR_IF} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in -$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in @@ -133,4 +133,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out ## log everything else and drop ipt_log -iptables-save > bridge.v4 +iptables-save > /etc/iptables/bridge.v4 diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-client.sh index 3ef1254..65df9e4 100644 --- a/core/conf/iptables/ipt-open.sh +++ b/core/conf/iptables/ipt-client.sh @@ -24,6 +24,7 @@ $IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in $IPT -A INPUT -i ${PUB_IF} -j cli_irc_in $IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in $IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT ####### Output Chain ###### @@ -40,8 +41,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out $IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT ## log everything else and drop ipt_log - -iptables-save > open.v4 +iptables-save > /etc/iptables/client.v4 diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index c3dac16..dcea837 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet +# bridge interface with interface facing gateway BR_IF="br0" +# bridge ip network address BR_NET="10.0.0.0/8" +# network gateway GW="10.0.0.1" -#GW="10.0.0.2" -#DNS="10.0.0.254" +# external dns DNS="212.55.154.174" -#DNS="8.8.8.8" +# static machine ip address PUB_IP="10.0.0.254" + +# public interface facing gateway PUB_IF="enp8s0" -# private interface for virtual/internal +# wifi interface WIFI_IF="wlp7s0" -#WIFI_NET="192.168.1.0/24" + +# static wifi ip network address WIFI_NET="10.0.0.0/8" diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh index 370db60..e557193 100644 --- a/core/conf/iptables/ipt-server.sh +++ b/core/conf/iptables/ipt-server.sh @@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out ## log everything else and drop ipt_log -iptables-save > server.v4 +iptables-save > /etc/iptables/server.v4 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index cc7c765..f8b7881 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,35 +1,31 @@ +#!/bin/bash IPT="/usr/sbin/iptables" -TYPE=bridge +#TYPE=bridge #TYPE=server -#TYPE=open +TYPE=open +#TYPE=client -echo "clear all iptables tables" +clear_ipt() { -${IPT} -F -${IPT} -X -${IPT} -t nat -F -${IPT} -t nat -X -${IPT} -t mangle -F -${IPT} -t mangle -X -${IPT} -t raw -F -${IPT} -t raw -X -${IPT} -t security -F -${IPT} -t security -X + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X -# Set Default Rules -${IPT} -P INPUT DROP -${IPT} -P FORWARD DROP -${IPT} -P OUTPUT DROP - -${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +} case $1 in start) case $TYPE in bridge) - + clear_ipt echo "setting bridge network..." echo 1 > /proc/sys/net/ipv4/ip_forward @@ -38,23 +34,63 @@ case $1 in ;; server) - + clear_ipt echo "setting server network..." ## load server configuration iptables-restore /etc/iptables/server.v4 ;; - open) - + client) + clear_ipt echo "setting client network..." ## load client configuration - iptables-restore /etc/iptables/open.v4 + iptables-restore /etc/iptables/client.v4 + ;; + open) + clear_ipt + echo "setting open network..." + ## load client configuration + + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT ACCEPT + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + ${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + ${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + + ${IPT} -A OUTPUT -j ACCEPT + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + ;; esac ;; stop) + echo "clear all iptables tables" + clear_ipt + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + ${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + + ;; + restart) + clear_ipt + $0 start + ;; + status) + ${IPT} -v ;; *) echo "Usage: $0 [start|stop]" diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 88cf24c..55d1c78 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -22,12 +22,14 @@ HISTSIZE=1000 HISTFILESIZE=2000 +alias diff='diff --color=auto' +alias grep='grep --color=auto' +alias ls='ls -ph --color=auto' alias rm='rm -i' #alias cp='cp -i' alias mv='mv -i' # Prevents accidentally clobbering files. alias mkdir='mkdir -p' - alias h='history' alias hg='history | grep' alias j='jobs -l' |