From 3a37ebad404fd2febf8af950cb59ca56a63d3b3f Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 8 Jan 2020 01:38:07 +0000
Subject: iptables bridge and server update
---
 core/conf/iptables/bridge.v4 | 38 +++++++++++++++++++++++++-------------
 core/conf/iptables/ipt-bridge.sh | 10 +++++++++-
 core/conf/iptables/ipt-server.sh | 2 ++
 3 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4
index bea9be0..7048bdb 100644
--- a/core/conf/iptables/bridge.v4
+++ b/core/conf/iptables/bridge.v4
@@ -1,34 +1,34 @@
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *raw
 :PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [1:2468]
+:OUTPUT ACCEPT [2:104]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [1:2468]
+:OUTPUT ACCEPT [2:104]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -66,6 +66,7 @@ COMMIT
 :srv_https_in - [0:0]
 :srv_https_out - [0:0]
 :srv_icmp - [0:0]
+:srv_ntp - [0:0]
 :srv_rip - [0:0]
 :srv_ssh_in - [0:0]
 :srv_ssh_out - [0:0]
@@ -77,21 +78,28 @@ COMMIT
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j cli_http_in
 -A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in
+-A INPUT -i br0 -j cli_http_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j srv_ntp
+-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
 -A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
 -A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp
 -A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -d 10.0.0.5/32 -i br0 -o br0 -j ACCEPT
 -A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ntp
 -A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
 -A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
+-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
 -A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP
 -A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP
@@ -110,7 +118,9 @@ COMMIT
 -A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out
 -A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out
 -A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out
--A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out
+-A OUTPUT -j cli_http_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_ntp
+-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
@@ -206,6 +216,8 @@ COMMIT
 -A srv_https_out -j RETURN
 -A srv_icmp -p icmp -j ACCEPT
 -A srv_icmp -j RETURN
+-A srv_ntp -p udp -m udp --sport 123 --dport 123 -j ACCEPT
+-A srv_ntp -j RETURN
 -A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
 -A srv_rip -j RETURN
 -A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
@@ -221,4 +233,4 @@ COMMIT
 -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A srv_ssh_out -j RETURN
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 67b5053..961f05a 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
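Review bot: The new `-A FORWARD -d 10.0.0.5/32 -i br0 -o br0 -j ACCEPT` carries no `--physdev-in enp8s0`, protocol or port match, and because the `-s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT` line directly above it already accepts every internal source, the only traffic this rule newly admits is from non-10/8 sources, i.e. the public side, to every port of 10.0.0.5. The 10.0.0.4 rules in this hunk each go through a per-service chain behind a physdev match; 10.0.0.5 should do the same, or if it only needs replies to its own outbound connections, `-A FORWARD -d 10.0.0.5/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -m state --state RELATED,ESTABLISHED -j ACCEPT`. The added `-A INPUT -i br0 -j cli_http_in` likewise drops the `-d 10.0.0.254/32` qualifier every sibling jump carries and makes the `-s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j cli_http_in` line added a few lines earlier redundant. The new 10.0.0.3 rule accepting `--sport 1024:65535 --dport 1024:65535` from enp8s0 has no state match, so unsolicited connections from outside to any unprivileged port on 10.0.0.3 get through; the INPUT counterpart in this same hunk uses `-m state --state RELATED,ESTABLISHED` and this FORWARD rule should too.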
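Review bot: `-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT` has no `-m state` and no destination, so the host can now initiate a TCP connection to any address on any port above 1023, which bypasses the per-service `cli_*_out` chains this table is built around; the INPUT half of the same feature restricts itself to `RELATED,ESTABLISHED`, so the outbound half should at least pin the stream host, e.g. `-d <radio host>/32 -m state --state NEW,ESTABLISHED`. Replacing the `-s 10.0.0.254/32 -o br0` jump with a bare `-A OUTPUT -j cli_http_out` also widens that chain to every interface and source address on the box; unless that is intended, restore the qualifiers. The file header says this is an iptables-save snapshot, so whatever is decided in ipt-bridge.sh should be re-saved here rather than edited by hand.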
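Review bot: `-A srv_ntp -p udp -m udp --sport 123 --dport 123 -j ACCEPT` only matches NTP exchanges that use port 123 at both ends, so clients that send from an ephemeral source port (chrony's default, as far as I recall) fall through to the LOG rule and the DROP policy, and because the chain carries no state match and is jumped to unqualified from INPUT, FORWARD and OUTPUT earlier in this diff, it also accepts NTP to 10.0.0.254 and 10.0.0.4 from any source on br0. Follow the `srv_ssh_in`/`srv_ssh_out` split visible at the end of this hunk and in the next one: an `srv_ntp_in` matching `--dport 123`, jumped to with an `-s` restriction, and an `srv_ntp_out` matching `--sport 123 -m state --state ESTABLISHED`.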
@@ -43,6 +43,7 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhc
 ## allow output from BR_NET to external
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.5 -j ACCEPT
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in
@@ -77,10 +78,14 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -j cli_http_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j srv_ntp
+# let radio get in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --dport 1024:65535 --sport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
 #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
 #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
 #$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
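Review bot: `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d 10.0.0.5 -j ACCEPT` sits under `## allow output from BR_NET to external` but is an inbound rule: the `-s ${BR_NET}` line just above already accepts every internal source, so the only traffic this line newly admits is from outside BR_NET to any port of 10.0.0.5, and unlike the 10.0.0.4 rules below it has neither `-m physdev --physdev-in ${PUB_IF}` nor a per-service chain. Either send it through a service chain like its neighbours (`$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.5 -j srv_<service>_in`) or, if 10.0.0.5 only needs replies, `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.5 -m state --state RELATED,ESTABLISHED -j ACCEPT`. Give it its own comment naming the host's role, e.g. `## 10.0.0.5 (<role>): replies to its outbound connections only`, so the rule is not read as part of the outbound block.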
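Review bot: `$IPT -A INPUT -i ${BR_IF} -j cli_http_in` is the only INPUT jump in this block without `-d ${PUB_IP}`, and it also makes the `-s ${BR_NET}` cli_http_in rule shown in the hunk header redundant; unless the omission is deliberate it should read `$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in`, and if it is deliberate a comment should say why. The `# let radio get in` rule is acceptable as a reply rule because of `--state RELATED,ESTABLISHED`, but the comment should name the stream or host it serves so the matching OUTPUT rule can be tightened to that destination later, e.g. `# replies for the internet-radio client; see the OUTPUT rule further down`.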
@@ -114,9 +119,12 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
-$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -j cli_http_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_ntp
+# let radio and other stuff out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 1024:65535 --sport 1024:65535 -j ACCEPT
+
 #$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
 #$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
 #$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 6a0a9c5..784f044 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -18,6 +18,7 @@ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
 $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
 $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
 $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_http_in
+$IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in
 $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in
 $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_http_in
@@ -32,6 +33,7 @@ $IPT -A OUTPUT -j blocker
 $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j cli_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
 $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
-- cgit 1.4.1-2-gfad0
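Review bot: `$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 1024:65535 --sport 1024:65535 -j ACCEPT` under `# let radio and other stuff out` has no destination and no state match, so the host can initiate TCP to any address on any port above 1023, which undoes the per-service `cli_*_out` scheme the rest of this block follows; the INPUT side of the same feature is limited to `RELATED,ESTABLISHED`. Pin at least the destination, e.g. `-d ${RADIO_HOST} -m state --state NEW,ESTABLISHED`, with `RADIO_HOST` defined next to the other variables (presumably at the top of the script, outside this hunk), and drop "and other stuff" from the comment once the rule says exactly what it is for. `$IPT -A OUTPUT -j cli_http_out` likewise lost the `-o ${BR_IF} -s ${PUB_IP}` qualifiers every neighbouring jump keeps; if that is intentional a comment should say why, otherwise restore them.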
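Review bot: The new `cli_ssh_in` jump here and the `cli_ssh_out` jump in the `-32,6` hunk turn the server into an SSH client towards BR_NET, but nothing in the script says which host or job needs that, and the `cli_ssh_in` chain itself is outside this diff, so whether it carries a state match cannot be checked from here. Add a one-line comment above the INPUT rule, e.g. `# replies for outbound ssh from this host into BR_NET (see cli_ssh_out below)`, and confirm `cli_ssh_in` is restricted to `-m state --state ESTABLISHED` the way `srv_ssh_out` in bridge.v4 is.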