author | Silvino Silva <silvino@bk.ru> | 2016-09-25 01:03:53 +0100 |
committer | Silvino Silva <silvino@bk.ru> | 2016-09-28 06:41:08 +0100 |
commit | 2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e (patch) | |
tree | 2f454fdd29b725cb0b1c7912e3be962afa2de6fc /tools/scripts | |
parent | c0251af1c2c9a35fc395a8e911aa345519f6b878 (diff) | |
download | doc-2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e.tar.gz |
Diffstat (limited to 'tools/scripts')
-rw-r--r-- | tools/scripts/system-iptables.sh (renamed from tools/scripts/iptables.sh) | 48 | ||||
-rw-r--r-- | tools/scripts/system-qemu.sh | 15 |
2 files changed, 51 insertions, 12 deletions
diff --git a/tools/scripts/iptables.sh b/tools/scripts/system-iptables.sh
index 3215633..4ec3b79 100644
--- a/tools/scripts/iptables.sh
+++ b/tools/scripts/system-iptables.sh
@@ -146,11 +146,17 @@ IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
 SPAMDROPMSG="BLOCKED IP DROP"
+
 PUB_IF="wlp7s0"
-DHCP_SERV="192.168.1.254"
-#PUB_IP="192.168.1.65"
 #PRIV_IF="wlp3s0"
+BRIDGE="br0"
+BNET=10.0.0.0
+BMSK=24
+
+DHCP_IP="192.168.1.254"
+PUB_IP=$(ip addr show dev ${PUB_IF} | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
+
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp
@@ -175,10 +181,14 @@ iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
+
 # Unlimited on local
 $IPT -A INPUT -i lo -j ACCEPT
 $IPT -A OUTPUT -o lo -j ACCEPT
+$IPT -A INPUT -i $BRIDGE -j ACCEPT
+$IPT -A OUTPUT -o $BRIDGE -j ACCEPT
+
 # Block sync
 $IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
 $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
@@ -205,6 +215,17 @@ $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
 # FIN packet scans
 $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+##### Add your virtual rules below ######
+
+#echo 1 > /proc/sys/net/ipv4/ip_forward
+#$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+##$IPT -t nat -A POSTROUTING -s 10.0.2.0/24 -o ${PUB_IF} -j MASQUERADE
+#$IPT -A FORWARD -i ${TAP_IF} -o ${PUB_IF} -j ACCEPT
+#$IPT -A FORWARD -i ${PUB_IF} -o ${TAP_IF} -j ACCEPT
+#
+#$IPT -A INPUT -i ${TAP_IF} -j ACCEPT
+#$IPT -A OUTPUT -o ${TAP_IF} -j ACCEPT
+
 ##### Add your AP rules below ######
 #echo 1 > /proc/sys/net/ipv4/ip_forward
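Review bot: The new `PUB_IP=$(ip addr show dev ${PUB_IF} | grep 'state UP' -A2 | tail -n1 | ...)` line scrapes positional output and is never validated, so when `wlp7s0` is down, has no IPv4 lease yet, or prints an `inet6` line in that position, `PUB_IP` ends up empty or holding an IPv6 address, and any later rule that expands `${PUB_IP}` (the SNAT template further down in this file) either fails to load or binds the wrong address. Ask the tool for exactly what is needed and abort on an empty result: `PUB_IP=$(ip -4 -o addr show dev "${PUB_IF}" | awk '{print $4}' | cut -d/ -f1 | head -n1)` followed by `[ -n "$PUB_IP" ] || { echo "no IPv4 address on ${PUB_IF}" >&2; exit 1; }`. `BNET` and `BMSK` are introduced here but no rule in this diff reads them; a one-line comment stating their intended use, or actually using them in the bridge rules, would keep them from becoming dead configuration.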
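Review bot: The two added bridge rules, `$IPT -A INPUT -i $BRIDGE -j ACCEPT` and `$IPT -A OUTPUT -o $BRIDGE -j ACCEPT`, accept every packet on `br0` in both directions with no address restriction, so anything a guest places on the bridge reaches the host's INPUT chain, while the `BNET`/`BMSK` variables that appear to be meant for this stay unused. Scoping them to the bridge network is a one-word change per rule: `$IPT -A INPUT -i "$BRIDGE" -s "${BNET}/${BMSK}" -j ACCEPT` and `$IPT -A OUTPUT -o "$BRIDGE" -d "${BNET}/${BMSK}" -j ACCEPT`. Note that the FORWARD policy stays DROP, so guest-to-uplink traffic still depends on the forward rules that this commit leaves commented out.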
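Review bot: The "virtual rules" template references `${TAP_IF}` in five places, but nothing in this diff assigns `TAP_IF` (the variable this commit adds is `BRIDGE`), so uncommenting the block as-is expands `-i ${TAP_IF}` to an empty argument and iptables rejects those rules. Either add `TAP_IF=` next to `BRIDGE="br0"` or point the template at the bridge, e.g. `#$IPT -A FORWARD -i ${BRIDGE} -o ${PUB_IF} -j ACCEPT`. The `#echo 1 > /proc/sys/net/ipv4/ip_forward` line is now duplicated under both the virtual and AP sections; a short comment saying forwarding must be enabled once, before either block, would avoid the reader enabling it twice.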
@@ -242,10 +263,14 @@ $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 echo "Allow DNS Client"
-#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS TCP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 echo "Allow Whois Client"
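Review bot: The UDP logging rule carries two targets, `... --state NEW -j ACCEPT -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "`, which iptables rejects ("multiple -j flags not allowed"); since the script does not run under `set -e`, the error scrolls past and new UDP DNS queries are simply never logged, unlike the TCP pair just above it. Drop the stray target so the line mirrors the TCP one: `$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j LOG --log-level 7 --log-prefix "iptables: DNS UDP: "`. Because every rule in this file is loaded independently, consider checking the exit status of at least the ACCEPT rules (`|| echo "rule failed: $LINENO" >&2`) so a silently rejected rule does not leave a gap that only shows up as dropped traffic.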
@@ -300,21 +325,20 @@ $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j AC
 $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-
 # echo "Allow FairCoin"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
-# 
+#
 # echo "Allow Dashcoin"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
-# 
+#
 # echo "Allow warzone2100"
 # $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
-# 
+#
 # echo "Allow wesnoth"
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
 # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
@@ -326,8 +350,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --
 $IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
 # DHCP
-$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_SERV -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_IP -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 68 --dport 67 -s $DHCP_IP -j ACCEPT
 # log everything else and drop
 $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
diff --git a/tools/scripts/system-qemu.sh b/tools/scripts/system-qemu.sh
new file mode 100644
index 0000000..8c68e70
--- /dev/null
+++ b/tools/scripts/system-qemu.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+ISO=~/crux-3.2.iso
+IMG=~/crux-img.qcow2
+
+TAP=$1
+
+echo "TAP: $TAP"
+
+qemu-system-x86_64 \
+ -enable-kvm \
+ -m 1024 \
+ -boot d \
+ -cdrom ${ISO} \
+ -hda ${IMG} \
+ -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no
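Review bot: `TAP=$1` is consumed unchecked, so invoking the script without an argument produces `ifname=` in the `-net tap,...` option and qemu either picks an arbitrary tap device or fails only after the ISO and disk image have been opened; add `: "${TAP:?usage: ${0##*/} <tap-interface>}"` right after the assignment. `${ISO}`, `${IMG}` and `${TAP}` are expanded unquoted, which breaks on paths with spaces and lets an odd argument split into extra words, so write `-cdrom "${ISO}"`, `-hda "${IMG}"` and `ifname="${TAP}"`. With `script=no,downscript=no` the tap device must already exist and, presumably, be enslaved to the `br0` the firewall script now accepts unconditionally; a header comment stating that precondition and who is expected to create the tap would make the coupling between the two scripts explicit.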