about summary refs log tree commit diff stats
path: root/core/conf/iptables/ipt-bridge.sh
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf/iptables/ipt-bridge.sh')
-rw-r--r--core/conf/iptables/ipt-bridge.sh178
1 files changed, 64 insertions, 114 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 67b5053..b0f7daa 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,142 +1,92 @@
 #!/bin/bash
-echo "setting bridge network..."
-source ipt-conf.sh
-source ipt-firewall.sh
-ipt_clear
-ipt_tables
 
 # Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-######## NAT Prerouting Chain  ######
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
-#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
-##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+#########################################################################
+#         FORWARD
+#########################################################################
 
-######## Forward Chain  ######
-#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#
-## Allow all for BR_NET
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -j blockip_in
+$IPT -A FORWARD -j blockip_out
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
-
-## DHCP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 520 --sport 520 -j DROP
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp
-
-## Allow access from bridge to gateway wifi interface
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
-
-##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
-##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
-#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
-
-## allow output from BR_NET to external
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
-
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 212.55.154.174 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 204.140.20.21 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 50.23.197.95 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 50.23.197.94 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 212.55.154.174 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 204.140.20.21 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 10.0.0.4 -d 50.23.197.94 -j ACCEPT
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 212.55.154.174 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 204.140.20.21 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 50.23.197.95 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 50.23.197.94 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 212.55.154.174 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 204.140.20.21 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.4 -s 50.23.197.94 -j ACCEPT
+
+
+$IPT -A FORWARD -i ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -s 10.0.0.3 -j cli_https_out
+$IPT -A FORWARD -i ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -s 10.0.0.3 -j cli_http_out
+$IPT -A FORWARD -i ${BR_IF} -m physdev --physdev-out tap1 --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -m physdev --physdev-out tap1 --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in
+#####Server
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 -s 10.0.0.4 -j srv_ssh_out
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ntp
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 -s 10.0.0.4 -j srv_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ntp
 
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -p tcp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j cli_http_in
-##Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 520 --sport 520 -j DROP
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 -s 10.0.0.4 -j cli_http_out
+#####HTTP Server
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 -s 10.0.0.4 -j srv_http_out
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 -s 10.0.0.4 -j srv_https_out
 
-######## Input Chain ######
+#########################################################################
+#         INPUT
+#########################################################################
 $IPT -A INPUT -j blocker
-
-##Less noise
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
-#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
-#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp  --sport 137 --dport 137 -j ACCEPT
-#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
-#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j ACCEPT
-#$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j ACCEPT
-
-$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+$IPT -A INPUT -j blockip_in
+$IPT -A INPUT -i ${BR_IF} -p udp --dport 520 --sport 520 -j DROP
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 -j DROP
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j srv_ntp
-
-#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
-#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
-#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
-#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
-#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
-#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
-#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
-#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
-#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -s ${BR_NET} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s 10.0.0.4 -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -j srv_dhcp
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${BR_NET} -j srv_dhcp
 
-## PXE server
-#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
-#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+#$IPT -A INPUT -j LOG
 
-######## Output Chain ######
+$IPT -A OUTPUT -o ${BR_IF} -p udp --dport 520 --sport 520 -j DROP
 
-##Less noise
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 -j DROP
+$IPT -A OUTPUT -o blockip_out
 
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out
-$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp
-#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp
-
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
-
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${GW} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_ntp
-
-#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
-
-#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
-#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
-
-## PXE Server
-#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
-
-######## PostRouting Chain ######
-##Less noise
-##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
-#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
-##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -d ${BR_NET} -j srv_icmp
 
 ## log everything else and drop
 ipt_log
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-17 21:45:51 +0000