Diffstat (limited to 'core')
-rw-r--r-- | core/conf/rc.d/iptables | 7 | ||||
-rw-r--r-- | core/network.html | 111 |
2 files changed, 93 insertions, 25 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 9471f99..d4f9ebc 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -8,20 +8,25 @@ case $1 in
 ipt_tables
 case $TYPE in
 bridge)
+
+ ## load bridge configuration
 source /etc/iptables/ipt-bridge.sh
 ## log everything else and drop
 ipt_log
 iptables-save > /etc/iptables/bridge.v4
+
 ;;
 server)
+
+ ## load server configuration
 source /etc/iptables/iptables-conf.sh
 ## log everything else and drop
 ipt_log
- iptables-save > /etc/iptables/net.v4
+ iptables-save > /etc/iptables/server.v4
 ;;
 esac
 ;;
diff --git a/core/network.html b/core/network.html
index 5913845..18dd220 100644
--- a/core/network.html
+++ b/core/network.html
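Review bot: The server branch still sources `/etc/iptables/iptables-conf.sh` while the bridge branch sources `ipt-bridge.sh` and the network.html text added in this same commit tells the reader to edit `/etc/iptables/ipt-server.sh`, so the name looks stale; because the script runs without `set -e` and never checks the `source` result, a missing or misnamed file is silently ignored and the host comes up with only `ipt_log`'s log-and-drop rules (fail closed, but it also locks out remote access with no diagnostic). Suggest guarding each load, e.g. `source /etc/iptables/ipt-server.sh || { echo "$0: cannot load ipt-server.sh" >&2; exit 1; }`, and the same for the bridge branch. These files are executed as root, so a comment next to the `source` lines noting they must be root-owned and not group/world-writable would help the next maintainer. Anything that restores the saved ruleset at boot from the old `net.v4` path would also need to follow the rename to `server.v4`, if such a step exists. The enclosing `case $1 in` starts before this hunk and only its `start)` arm is visible here.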
@@ -286,52 +286,115 @@
 -c, --set-counters packets bytes
 </pre>
- <h3 id="ipt_server">2.3.3.1. Server iptables</h3>
- <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with
- your network configuration then run it;</p>
+ <h3 id="ipt_scripts">2.3.3.1. Iptable scripts</h3>
+
+ <p><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> sources
+ host configuration and create tables with rules that later are
+ used to match packages.</p>
+
+ <pre>
+ source /etc/iptables/ipt-conf.sh
+ source /etc/iptables/ipt-firewall.sh
+
+ case $1 in
+ start)
+ ipt_clear
+ ipt_tables
+ case $TYPE in
+ bridge)
+
+ ## load bridge configuration
+ source /etc/iptables/ipt-bridge.sh
+
+ ## log everything else and drop
+ ipt_log
+
+ iptables-save > /etc/iptables/bridge.v4
+ ;;
+ server)
+
+
+ ## load server configuration
+ source /etc/iptables/iptables-conf.sh
+
+ ## log everything else and drop
+ ipt_log
+
+ iptables-save > /etc/iptables/server.v4
+ ;;
+ esac
+ ;;
+ stop)
+
+ ipt_clear
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+ echo "Usage: $0 [start|stop|restart]"
+ ;;
+ esac
+ </pre>
+
+ <h3 id="ipt_server">2.3.3.2. Server iptables</h3>
+
+ <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a>
+ with your network configuration, edit <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a> matching rules with interfaces.</p>
 <p>Default configuration;</p>
 <pre>
- server)
+ echo "setting server network..."
+
+ # Unlimited on loopback
+ $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+ $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+ $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
- echo "Setting server network..."
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
- $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+ #$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+
+
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_https_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_git_in
 ####### Output Chain ######
 $IPT -A OUTPUT -j blocker
- $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
- $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
- $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+ #$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
- ## log everything else and drop
- iptables_log
+ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out
+ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out
- iptables-save > /etc/iptables/net.v4
- exit 0
-
- ;;
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out
 </pre>
+ <pre>
 # bash core/scripts/iptables.sh
 </pre>
- <h3 id="ipt_client">2.3.3.2. Client iptables </h3>
+ <h3 id="ipt_client">2.3.3.3. Client iptables </h3>
 <p></p>
- <h3 id="ipt_client">2.3.3.3. Bridge iptables</h3>
+ <h3 id="ipt_client">2.3.3.4. Bridge iptables</h3>
 <pre>
 $IPT -A FORWARD -j blocker
@@ -351,7 +414,7 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
- <pre>
+ </pre>
 <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> |
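Review bot: The new unrestricted INPUT rules in the server listing — `$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j srv_ssh_in` and the matching `srv_git_in` line in particular — accept SSH and git from any source on the public interface, whereas the lines they replace limited those services to `-s ${BR_NET}`; unless the `srv_ssh_in`/`srv_git_in` chains (not shown here) filter by source themselves, this widens the host's exposed surface, and the documented default should either keep the `${BR_NET}` restriction or state explicitly that SSH and git are now reachable from anywhere. The two OUTPUT rules added at the end, `-d ${BR_NET} -j srv_ssh_out` and `-d ${BR_NET} -j srv_git_out`, only differ from the `-d ${BR_NET} -s ${PUB_IP}` rules a few lines above by matching any source address, so they look like leftovers rather than intended policy. The `# bash core/scripts/iptables.sh` invocation kept below the listing no longer matches the new text, which says the rules live in `/etc/rc.d/iptables` and `/etc/iptables/ipt-server.sh`. In the added prose, `used to match packages` should read `packets`. This is the documentation copy of the rules; the live `ipt-server.sh` is not in this diff, so the same check applies there.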