about summary refs log tree commit diff stats
path: root/core/conf/iptables/ipt-firewall.sh
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf/iptables/ipt-firewall.sh')
-rw-r--r--core/conf/iptables/ipt-firewall.sh50
1 files changed, 40 insertions, 10 deletions
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index 086b864..0a947e6 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -14,6 +14,8 @@ ipt_clear () {
     iptables -t security -F
     iptables -t security -X
     iptables -N blocker
+    iptables -N blockip_in
+    iptables -N blockip_out
 
     iptables -N srv_dhcp
     iptables -N srv_rip
@@ -25,6 +27,8 @@ ipt_clear () {
     iptables -N srv_http_out
     iptables -N srv_https_in
     iptables -N srv_https_out
+    iptables -N srv_smtp_in
+    iptables -N srv_smtp_out
     iptables -N srv_ssh_in
     iptables -N srv_ssh_out
     iptables -N srv_git_in
@@ -70,6 +74,19 @@ ipt_log () {
 
 ipt_tables () {
     echo "start adding tables..."
+    # Filter out comments and blank lines
+    # store each ip or subnet in $ip
+    egrep -v "^#|^$" x | while IFS= read -r ip
+    do
+      # Append everything to droplist
+      echo "adding ${ip} to blockip"
+      $IPT -A blockip_in -s $ip -j LOG --log-prefix "${SPAMDROPMSG}"
+      $IPT -A blockip_in -s $ip -j DROP
+      $IPT -A blockip_out -d $ip -j LOG --log-prefix "${SPAMDROPMSG}"
+      $IPT -A blockip_out -d $ip -j DROP
+    done <"${SPAMLIST}"
+    
+    echo "blockip_in and blockip_out added"
 
     ####### blocker Chain  ######
     ## Block google dns
@@ -103,6 +120,7 @@ ipt_tables () {
     #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
     #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
     #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
     ## Return to caller
     $IPT -A blocker -j RETURN
 
@@ -123,6 +141,9 @@ ipt_tables () {
     $IPT -A srv_db_out -j RETURN
 
     ####### SSH Server
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -s ${BR_NET} -m state --state NEW -j ACCEPT
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -j LOG --log-prefix "iptables: SSH NEW":
     $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
 
     $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
@@ -134,22 +155,30 @@ ipt_tables () {
 
     $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 
-    $IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+    #$IPT -A srv_ssh_in -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
 
-    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
-        --update --seconds 60 --hitcount 4 --rttl \
-        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+    #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent \
+    #    --update --seconds 60 --hitcount 4 --rttl \
+    #    --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
 
-    $IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
-        --hitcount 4 --rttl --name SSH -j DROP
+    #$IPT -A srv_ssh_in -p tcp --dport 22 -m recent --update --seconds 60 \
+    #    --hitcount 4 --rttl --name SSH -j DROP
 
-    $IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    #$IPT -A srv_ssh_in -p tcp --dport 22 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A srv_ssh_in -j RETURN
 
+    $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -d ${BR_NET} -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 2222 -j LOG --log-prefix "iptables: SSH OUT":
     $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-    $IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    #$IPT -A srv_ssh_out -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A srv_ssh_out -j RETURN
 
+    ####### smtp Server
+    $IPT -A srv_smtp_in -p tcp --dport 25 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_smtp_in -j RETURN
+    $IPT -A srv_smtp_out -p tcp --sport 25 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_smtp_out -j RETURN
+
     ####### HTTP Server
     $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
     $IPT -A srv_http_in -j RETURN
@@ -229,6 +258,9 @@ ipt_tables () {
     $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
     $IPT -A cli_ssh_in -j RETURN
+
+    $IPT -A cli_ssh_out -p tcp -d ${BR_NET} --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_out -p tcp --tcp-flags SYN,ACK SYN,ACK --dport 2222 -j LOG --log-prefix "iptables: SSH OUT":
     $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
     $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
     $IPT -A cli_ssh_out -j RETURN
@@ -258,5 +290,3 @@ ipt_tables () {
     $IPT -A srv_ntp -j RETURN
 
 }
-
-
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-18 08:25:58 +0000