about summary refs log tree commit diff stats
path: root/core/scripts/iptables.sh
diff options
context:
space:
mode:
Diffstat (limited to 'core/scripts/iptables.sh')
-rw-r--r--core/scripts/iptables.sh364
1 files changed, 311 insertions, 53 deletions
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index 0f05b1f..2b4d68a 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -1,66 +1,296 @@
 #!/bin/bash
 
-TYPE=bridge
-#TYPE=server
-
-IPT="/usr/sbin/iptables"
-SPAMLIST="blockedip"
-SPAMDROPMSG="BLOCKED IP DROP"
-
-# public interface to network/internet
-BR_IF="br0"
-BR_NET="10.0.0.0/8"
-GW="10.0.0.1"
-DNS="10.0.0.254"
-
-PUB_IP="10.0.0.254"
-PUB_IF="enp8s0"
-
-# private interface for virtual/internal
-#PRIV_IF="wlp7s0"
-#PRIV_NET="192.168.1.0/24"
-
-#$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT
-
-#$IPT -A netconf_out -p icmp -d ${BR_NET} -j ACCEPT
-
-source iptables-conf.sh
-
-iptables_clear
-# Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
-iptables_tables
+source /etc/iptables/iptables-conf.sh
+
+iptables_clear () {
+    echo "clear all iptables tables"
+
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+    iptables -t raw -F
+    iptables -t raw -X
+    iptables -t security -F
+    iptables -t security -X
+    iptables -N blocker
+
+    iptables -N srv_dhcp
+    iptables -N srv_rip
+    iptables -N srv_icmp
+    iptables -N srv_dns_in
+    iptables -N srv_dns_out
+    iptables -N srv_http_in
+    iptables -N srv_http_out
+    iptables -N srv_https_in
+    iptables -N srv_https_out
+    iptables -N srv_ssh_in
+    iptables -N srv_ssh_out
+    iptables -N srv_git_in
+    iptables -N srv_git_out
+    iptables -N srv_db_in
+    iptables -N srv_db_out
+
+
+    iptables -N cli_dns_in
+    iptables -N cli_dns_out
+    iptables -N cli_http_in
+    iptables -N cli_http_out
+    iptables -N cli_https_in
+    iptables -N cli_https_out
+    iptables -N cli_ssh_in
+    iptables -N cli_ssh_out
+    iptables -N cli_pops_in
+    iptables -N cli_pops_out
+    iptables -N cli_smtps_in
+    iptables -N cli_smtps_out
+    iptables -N cli_irc_in
+    iptables -N cli_irc_out
+    iptables -N cli_ftp_in
+    iptables -N cli_ftp_out
+    iptables -N cli_git_in
+    iptables -N cli_git_out
+    iptables -N cli_gpg_in
+    iptables -N cli_gpg_out
+
+    # Set Default Rules
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+}
+
+iptables_log () {
+    ## log everything else and drop
+    $IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+    $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+    $IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+}
+
+
+iptables_tables () {
+    echo "start adding tables..."
+
+    ####### blocker Chain  ######
+    ## Block google dns
+    $IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: "
+    $IPT -A blocker -s 8.8.0.0/24 -j DROP
+    ## Block sync
+    $IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+    $IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP
+    ## Block Fragments
+    $IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+    $IPT -A blocker -f -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+    $IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+    $IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+    $IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+    $IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+    $IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+    $IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,FIN FIN -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,PSH PSH -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ACK,URG URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+    #$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+    ## Return to caller
+    $IPT -A blocker -j RETURN
+
+    ######## DNS Server
+    #echo "server_in chain: Allow input to DNS Server"
+    $IPT -A srv_dns_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_in -p tcp --dport 53 --sport 1024:65535  -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_in -j RETURN
+    #echo "srv_dns_out chain: Allow output from DNS server"
+    $IPT -A srv_dns_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_dns_out -j RETURN
+
+    ####### Database Server
+    $IPT -A srv_db_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_db_in -j RETURN
+    $IPT -A srv_db_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_db_out -j RETURN
+
+    ####### SSH Server
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \
+        --update --seconds 60 --hitcount 4 --rttl \
+        --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH"
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \
+        --hitcount 4 --rttl --name SSH -j DROP
+
+    $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+    $IPT -A srv_ssh_in -j RETURN
+    $IPT -A srv_ssh_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A srv_ssh_out -j RETURN
+
+    ####### HTTP Server
+    $IPT -A srv_http_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_http_in -j RETURN
+    $IPT -A srv_http_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_http_out -j RETURN
+
+    ####### HTTPS Server
+    $IPT -A srv_https_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_https_in -j RETURN
+    $IPT -A srv_https_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_https_out -j RETURN
+
+    ###### GIT server
+    $IPT -A srv_git_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A srv_git_in -j RETURN
+    $IPT -A srv_git_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    $IPT -A srv_git_out -j RETURN
+
+    ######## DNS Client
+    $IPT -A cli_dns_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_dns_out -j RETURN
+    $IPT -A cli_dns_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_dns_in -j RETURN
+
+    ######## HTTP Client
+    #$IPT -A cli_http_in -p tcp -m tcp --tcp-flags ACK --sport 80 --dport 1024:65535 -j DROP
+
+    $IPT -A cli_http_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_in -p udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_in -j RETURN
+    $IPT -A cli_http_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_out -p udp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_http_out -j RETURN
+
+    ######## IRC client
+    $IPT -A cli_irc_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_irc_in -j RETURN
+    $IPT -A cli_irc_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_irc_out -j RETURN
+
+    ######## FTP client
+
+    $IPT -A cli_ftp_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_in -j RETURN
+    $IPT -A cli_ftp_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ftp_out -j RETURN
+    ######## GIT client
+    $IPT -A cli_git_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_git_in -j RETURN
+    $IPT -A cli_git_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_git_out -j RETURN
+
+    ######## POP3S client
+    $IPT -A cli_pops_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_pops_in -j RETURN
+    $IPT -A cli_pops_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_pops_out -j RETURN
+
+    ######## SMTPS client
+    $IPT -A cli_smtps_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_smtps_in -j RETURN
+    $IPT -A cli_smtps_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_smtps_out -j RETURN
+
+    ######## HTTPS client
+    $IPT -A cli_https_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_in -j RETURN
+    $IPT -A cli_https_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_https_out -j RETURN
+
+    ######## SSH client
+    $IPT -A cli_ssh_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_in -j RETURN
+    $IPT -A cli_ssh_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_ssh_out -j RETURN
+
+    ######## GPG key client
+    $IPT -A cli_gpg_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+    $IPT -A cli_gpg_in -j RETURN
+    $IPT -A cli_gpg_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+    $IPT -A cli_gpg_out -j RETURN
+
+    ######## DHCP Server
+    $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT
+    $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT
+    $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT
+    $IPT -A srv_dhcp -j RETURN
+
+    ####### RIP Server
+    $IPT -A srv_rip -p udp --sport 520 --dport 520 -j ACCEPT
+    $IPT -A srv_rip -j RETURN
+
+    ####### ICMP Server
+    $IPT -A srv_icmp -p icmp -j ACCEPT
+    $IPT -A srv_icmp -j RETURN
+}
 
 case $TYPE in
     bridge)
+        iptables_clear
+        iptables_tables
 
-        echo "Setting bridge network..."
+        echo "setting bridge network..."
         echo 1 > /proc/sys/net/ipv4/ip_forward
 
-        
+        # Unlimited on loopback
+        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
         ####### NAT Prerouting Chain  ######
-        #PREROUTING: IN=br0 OUT= PHYSIN=tap2 MAC=ff:ff:ff:ff:ff:ff:54:60:be:ef:5c:14:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357
 
         ####### Forward Chain  ######
         $IPT -A FORWARD -j blocker
         $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
         $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in
-        $IPT -A FORWARD -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+        # Tap1 can access external http
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
 
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+        ####### Forward TAP2 ssh and https  ######
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
 
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
-        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+        #
+        #        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+        #
+        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+        #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
 
+        # Tap1 and Tap2 can access external https
         $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
         $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
 
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+
+        #Less noise
+        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p udp --dport 519 --sport 520 -j DROP
+
         ####### Input Chain ######
         $IPT -A INPUT -j blocker
         #Less noise
@@ -69,45 +299,61 @@ case $TYPE in
         $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
         $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
         $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
-
-        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in
+        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 
         $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
+        $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
 
         $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
+        $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
         $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
 
         ####### Output Chain ######
         $IPT -A OUTPUT -j blocker
         #Less noise
         $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 80 --sport 1024:65535 -j DROP
 
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out
-        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_dns_out
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.3 -j srv_dns_out
+
         $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
         $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
 
         $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
-        $IPT -A OUTPUT -o ${BR_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_dns_out
-
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+        $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
         ####### PostRouting Chain ######
-        $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        #Less noise
+        #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+        #$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
 
         #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE
 
         ## log everything else and drop
         iptables_log
 
-	$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-	$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+	#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+	# $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
 
         iptables-save > /etc/iptables/net.v4
         exit 0
         ;;
+
     server)
+        iptables_clear
+        iptables_tables
+
+        echo "setting server network..."
+
+        # Unlimited on loopback
+        $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+        $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+        $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 
-        echo "Setting server network..."
         ####### Input Chain ######
         $IPT -A INPUT -j blocker
 
@@ -115,16 +361,28 @@ case $TYPE in
 	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
 	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
 	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+        $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
 	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+	$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
 
         ####### Output Chain ######
         $IPT -A OUTPUT -j blocker
 
 	$IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
 	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
 	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
 	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
 	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+	$IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
+
+        $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+	$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
 
         ## log everything else and drop
         iptables_log
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-02 21:15:30 +0000
' href='/akkartik/mu/commit/014literal_string.cc?h=main&id=9c30b38376e66442e6fde85ef54b959dc548bfe3'>9c30b383 ^ 
343bc535 ^

1f59be84 ^


7a9b05fa ^

7bba6e7b ^


ea542d0a ^

9f95c745 ^

78c50205 ^

9f95c745 ^

7cc045d9 ^


78c50205 ^

65c905fe ^

48e40252 ^


7cc045d9 ^




acc4792d ^

7cc045d9 ^









a796831f ^




3369875c ^






















88be3dbc ^

1ead3562 ^

e3fa6cc7 ^

3d6c13dc ^

acc4792d ^

c51043ab ^

23fd54f1 ^

1ead3562 ^

23fd54f1 ^


acc4792d ^

23fd54f1 ^

3369875c ^

1ead3562 ^

fc52705f ^

3369875c ^

fc52705f ^

acc4792d ^

fc52705f ^

c51043ab ^

1ead3562 ^

c51043ab ^


4f10b93a ^

35457609 ^

5683823a ^

acc4792d ^


2f677225 ^


1ead3562 ^

2f677225 ^



acc4792d ^

7fb3fccb ^


1ead3562 ^

7fb3fccb ^





acc4792d ^

7fb3fccb ^


1ead3562 ^

7fb3fccb ^


acc4792d ^

2589de99 ^



d63cddea ^


2589de99 ^

1
2

3
4

5
6
7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26
27

28

29
30

31
32
33

34

35

36

37
38
39
40
41
42

43
44

45

46

47
48
49

50
51
52
53

54
55
56
57
58
59
60
61

62

63

64

65

66

67

68
69

70

71
72
73

74

75

76

77
78
79
80
81

82

83
84

85

86

87
88

89
90

91

92
93
94
95
96
97
98
99
100

101

102

103

104

105

106

107

108

109

110

111
112
113

114

115
116

117

118
119

120

121

122

123

124
125

126

127

128
129

130
131
132
133

134

135
136
137
138
139
140
141
142
143

144
145
146
147

148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

170

171

172

173

174

175

176

177

178
179

180

181

182

183

184

185

186

187

188

189

190

191
192

193

194

195

196
197

198
199

200

201
202
203

204

205
206

207

208
209
210
211
212

213

214
215

216

217
218

219

220
221
222

223
224

225