path: root/core/network.html
Diffstat (limited to 'core/network.html')
-rw-r--r--core/network.html66
1 files changed, 57 insertions, 9 deletions
diff --git a/core/network.html b/core/network.html
index 3f8a870..657cd31 100644
--- a/core/network.html
+++ b/core/network.html
@@ -138,6 +138,12 @@
         SERVICES=(iptables lo net crond)
         </pre>
 
+        <p>See current rules and packets counts;</p>
+
+        <pre>
+        # iptables -L -n -v | less
+        </pre>
+
         <p>Diagram of a package route throw iptables;</p>
 
         <pre>
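Review bot: The added `iptables -L -n -v | less` only shows the filter table, because `-L` without `-t` defaults to it, so a reader auditing the ruleset that this page's iptables.sh installs will not notice any nat or mangle entries that may also be present. Suggest documenting `iptables-save -c | less` instead, which prints every table with packet and byte counters in the same format the page later saves to /etc/iptables/net.v4, or at least adding a sentence that nat/mangle must be checked with `-t nat` / `-t mangle`. Adding `--line-numbers` to the `-L` form would also help when a rule later has to be inserted or removed by position. The new paragraph reads "packets counts"; "packet counts" is intended.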
@@ -285,25 +291,67 @@
         <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with
         your network configuration then run it;</p>
 
+        <p>Default configuration;</p>
+
         <pre>
-        # bash core/scripts/iptables.sh
+    server)
+
+        echo "Setting server network..."
+        ####### Input Chain ######
+        $IPT -A INPUT -j blocker
+
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+
+        ####### Output Chain ######
+        $IPT -A OUTPUT -j blocker
+
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+
+        ## log everything else and drop
+        iptables_log
+
+        iptables-save > /etc/iptables/net.v4
+        exit 0
+
+        ;;
         </pre>
 
-        <p>
-        <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run
-        to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> 
-        file.</p>
+        <pre>
+        # bash core/scripts/iptables.sh
+        </pre>
 
         <h3 id="ipt_client">2.3.3.2. Client iptables </h3>
 
         <p></p>
         <h3 id="ipt_client">2.3.3.3. Bridge iptables</h3>
 
-        <p>See current rules and packets;</p>
-
         <pre>
-        # iptables -L -n -v | less
-        </pre>
+        $IPT -A FORWARD -j blocker
+        $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+       <pre>
 
         <h2 id="wpa">2.3.4. Wpa and dhcpd</h2>