From eddfa5ed593e67c9b2e6c53382b4fe044663451a Mon Sep 17 00:00:00 2001 From: Silvino Date: Wed, 26 Jun 2019 17:10:12 +0100 Subject: core iptables revision --- core/conf/iptables/bridge.v4 | 220 +++++++++++++++++++++++++++++++++++++++ core/conf/iptables/client.v4 | 211 +++++++++++++++++++++++++++++++++++++ core/conf/iptables/ipt-bridge.sh | 4 +- core/conf/iptables/ipt-client.sh | 48 +++++++++ core/conf/iptables/ipt-conf.sh | 16 +-- core/conf/iptables/ipt-open.sh | 47 --------- core/conf/iptables/ipt-server.sh | 2 +- core/conf/iptables/open.v4 | 210 ------------------------------------- core/conf/rc.d/iptables | 86 ++++++++++----- core/conf/skel/.bashrc | 4 +- 10 files changed, 556 insertions(+), 292 deletions(-) create mode 100644 core/conf/iptables/bridge.v4 create mode 100644 core/conf/iptables/client.v4 create mode 100644 core/conf/iptables/ipt-client.sh delete mode 100644 core/conf/iptables/ipt-open.sh delete mode 100644 core/conf/iptables/open.v4 diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4 new file mode 100644 index 0000000..35bfef4 --- /dev/null +++ b/core/conf/iptables/bridge.v4 @@ -0,0 +1,220 @@ +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP +-A INPUT -i br0 -j srv_dhcp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in +-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp +-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in +-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out +-A OUTPUT -o br0 -j srv_icmp +-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 diff --git a/core/conf/iptables/client.v4 b/core/conf/iptables/client.v4 new file mode 100644 index 0000000..91b564d --- /dev/null +++ b/core/conf/iptables/client.v4 @@ -0,0 +1,211 @@ +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -i wlp9s0 -j cli_dns_in +-A INPUT -i wlp9s0 -j cli_http_in +-A INPUT -i wlp9s0 -j cli_https_in +-A INPUT -i wlp9s0 -j cli_git_in +-A INPUT -i wlp9s0 -j cli_ssh_in +-A INPUT -i wlp9s0 -j srv_icmp +-A INPUT -i wlp9s0 -j cli_pops_in +-A INPUT -i wlp9s0 -j cli_smtps_in +-A INPUT -i wlp9s0 -j cli_irc_in +-A INPUT -i wlp9s0 -j cli_ftp_in +-A INPUT -i wlp9s0 -j cli_gpg_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -j blocker +-A OUTPUT -o wlp9s0 -j cli_dns_out +-A OUTPUT -o wlp9s0 -j cli_https_out +-A OUTPUT -o wlp9s0 -j cli_ssh_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j srv_icmp +-A OUTPUT -o wlp9s0 -j cli_pops_out +-A OUTPUT -o wlp9s0 -j cli_smtps_out +-A OUTPUT -o wlp9s0 -j cli_irc_out +-A OUTPUT -o wlp9s0 -j cli_ftp_out +-A OUTPUT -o wlp9s0 -j cli_gpg_out +-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index cd93687..6dbeb87 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -67,12 +67,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 - $IPT -A INPUT -i ${BR_IF} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in -$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in @@ -133,4 +133,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out ## log everything else and drop ipt_log -iptables-save > bridge.v4 +iptables-save > /etc/iptables/bridge.v4 diff --git a/core/conf/iptables/ipt-client.sh b/core/conf/iptables/ipt-client.sh new file mode 100644 index 0000000..65df9e4 --- /dev/null +++ b/core/conf/iptables/ipt-client.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +echo "setting client network..." +source ipt-conf.sh +source ipt-firewall.sh +ipt_clear +ipt_tables + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +####### Input Chain ###### +$IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in +$IPT -A INPUT -i ${PUB_IF} -j cli_http_in +$IPT -A INPUT -i ${PUB_IF} -j cli_https_in +$IPT -A INPUT -i ${PUB_IF} -j cli_git_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in +$IPT -A INPUT -i ${PUB_IF} -j srv_icmp +$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in +$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in +$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in +$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT + + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp +$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT + +## log everything else and drop +ipt_log +iptables-save > /etc/iptables/client.v4 diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index c3dac16..dcea837 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet +# bridge interface with interface facing gateway BR_IF="br0" +# bridge ip network address BR_NET="10.0.0.0/8" +# network gateway GW="10.0.0.1" -#GW="10.0.0.2" -#DNS="10.0.0.254" +# external dns DNS="212.55.154.174" -#DNS="8.8.8.8" +# static machine ip address PUB_IP="10.0.0.254" + +# public interface facing gateway PUB_IF="enp8s0" -# private interface for virtual/internal +# wifi interface WIFI_IF="wlp7s0" -#WIFI_NET="192.168.1.0/24" + +# static wifi ip network address WIFI_NET="10.0.0.0/8" diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh deleted file mode 100644 index 3ef1254..0000000 --- a/core/conf/iptables/ipt-open.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -echo "setting client network..." -source ipt-conf.sh -source ipt-firewall.sh -ipt_clear -ipt_tables - -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - -####### Input Chain ###### -$IPT -A INPUT -j blocker - -$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in -$IPT -A INPUT -i ${PUB_IF} -j cli_http_in -$IPT -A INPUT -i ${PUB_IF} -j cli_https_in -$IPT -A INPUT -i ${PUB_IF} -j cli_git_in -$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in -$IPT -A INPUT -i ${PUB_IF} -j srv_icmp -$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in -$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in -$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in -$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in -$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in - - -####### Output Chain ###### -$IPT -A OUTPUT -j blocker - -$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out -$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp -$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out - -## log everything else and drop -ipt_log - -iptables-save > open.v4 diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh index 370db60..e557193 100644 --- a/core/conf/iptables/ipt-server.sh +++ b/core/conf/iptables/ipt-server.sh @@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out ## log everything else and drop ipt_log -iptables-save > server.v4 +iptables-save > /etc/iptables/server.v4 diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/open.v4 deleted file mode 100644 index 30e476d..0000000 --- a/core/conf/iptables/open.v4 +++ /dev/null @@ -1,210 +0,0 @@ -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:cli_dns_in - [0:0] -:cli_dns_out - [0:0] -:cli_ftp_in - [0:0] -:cli_ftp_out - [0:0] -:cli_git_in - [0:0] -:cli_git_out - [0:0] -:cli_gpg_in - [0:0] -:cli_gpg_out - [0:0] -:cli_http_in - [0:0] -:cli_http_out - [0:0] -:cli_https_in - [0:0] -:cli_https_out - [0:0] -:cli_irc_in - [0:0] -:cli_irc_out - [0:0] -:cli_pops_in - [0:0] -:cli_pops_out - [0:0] -:cli_smtps_in - [0:0] -:cli_smtps_out - [0:0] -:cli_ssh_in - [0:0] -:cli_ssh_out - [0:0] -:srv_db_in - [0:0] -:srv_db_out - [0:0] -:srv_dhcp - [0:0] -:srv_dns_in - [0:0] -:srv_dns_out - [0:0] -:srv_git_in - [0:0] -:srv_git_out - [0:0] -:srv_http_in - [0:0] -:srv_http_out - [0:0] -:srv_https_in - [0:0] -:srv_https_out - [0:0] -:srv_icmp - [0:0] -:srv_rip - [0:0] -:srv_ssh_in - [0:0] -:srv_ssh_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -i wlp9s0 -j cli_dns_in --A INPUT -i wlp9s0 -j cli_http_in --A INPUT -i wlp9s0 -j cli_https_in --A INPUT -i wlp9s0 -j cli_git_in --A INPUT -i wlp9s0 -j cli_ssh_in --A INPUT -i wlp9s0 -j srv_icmp --A INPUT -i wlp9s0 -j cli_pops_in --A INPUT -i wlp9s0 -j cli_smtps_in --A INPUT -i wlp9s0 -j cli_irc_in --A INPUT -i wlp9s0 -j cli_ftp_in --A INPUT -i wlp9s0 -j cli_gpg_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -o wlp9s0 -j cli_dns_out --A OUTPUT -o wlp9s0 -j cli_https_out --A OUTPUT -o wlp9s0 -j cli_ssh_out --A OUTPUT -o wlp9s0 -j cli_git_out --A OUTPUT -o wlp9s0 -j cli_git_out --A OUTPUT -o wlp9s0 -j srv_icmp --A OUTPUT -o wlp9s0 -j cli_pops_out --A OUTPUT -o wlp9s0 -j cli_smtps_out --A OUTPUT -o wlp9s0 -j cli_irc_out --A OUTPUT -o wlp9s0 -j cli_ftp_out --A OUTPUT -o wlp9s0 -j cli_gpg_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT --A cli_dns_in -j RETURN --A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT --A cli_dns_out -j RETURN --A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_in -j RETURN --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A cli_ftp_out -j RETURN --A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_git_in -j RETURN --A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_git_out -j RETURN --A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_gpg_in -j RETURN --A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_gpg_out -j RETURN --A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_http_in -j RETURN --A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_http_out -j RETURN --A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_https_in -j RETURN --A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_https_out -j RETURN --A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_irc_in -j RETURN --A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_irc_out -j RETURN --A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_pops_in -j RETURN --A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_pops_out -j RETURN --A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_smtps_in -j RETURN --A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_smtps_out -j RETURN --A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ssh_in -j RETURN --A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ssh_out -j RETURN --A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_db_in -j RETURN --A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_db_out -j RETURN --A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT --A srv_dhcp -j RETURN --A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_dns_in -j RETURN --A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_dns_out -j RETURN --A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_git_in -j RETURN --A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_git_out -j RETURN --A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_http_in -j RETURN --A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_http_out -j RETURN --A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_https_in -j RETURN --A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_https_out -j RETURN --A srv_icmp -p icmp -j ACCEPT --A srv_icmp -j RETURN --A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A srv_rip -j RETURN --A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" --A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP --A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" --A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP --A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_in -j RETURN --A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_out -j RETURN -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index cc7c765..f8b7881 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,35 +1,31 @@ +#!/bin/bash IPT="/usr/sbin/iptables" -TYPE=bridge +#TYPE=bridge #TYPE=server -#TYPE=open +TYPE=open +#TYPE=client -echo "clear all iptables tables" +clear_ipt() { -${IPT} -F -${IPT} -X -${IPT} -t nat -F -${IPT} -t nat -X -${IPT} -t mangle -F -${IPT} -t mangle -X -${IPT} -t raw -F -${IPT} -t raw -X -${IPT} -t security -F -${IPT} -t security -X + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X -# Set Default Rules -${IPT} -P INPUT DROP -${IPT} -P FORWARD DROP -${IPT} -P OUTPUT DROP - -${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +} case $1 in start) case $TYPE in bridge) - + clear_ipt echo "setting bridge network..." echo 1 > /proc/sys/net/ipv4/ip_forward @@ -38,23 +34,63 @@ case $1 in ;; server) - + clear_ipt echo "setting server network..." ## load server configuration iptables-restore /etc/iptables/server.v4 ;; - open) - + client) + clear_ipt echo "setting client network..." ## load client configuration - iptables-restore /etc/iptables/open.v4 + iptables-restore /etc/iptables/client.v4 + ;; + open) + clear_ipt + echo "setting open network..." + ## load client configuration + + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT ACCEPT + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + ${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + ${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + + ${IPT} -A OUTPUT -j ACCEPT + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + ;; esac ;; stop) + echo "clear all iptables tables" + clear_ipt + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + ${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + + ;; + restart) + clear_ipt + $0 start + ;; + status) + ${IPT} -v ;; *) echo "Usage: $0 [start|stop]" diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 88cf24c..55d1c78 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -22,12 +22,14 @@ HISTSIZE=1000 HISTFILESIZE=2000 +alias diff='diff --color=auto' +alias grep='grep --color=auto' +alias ls='ls -ph --color=auto' alias rm='rm -i' #alias cp='cp -i' alias mv='mv -i' # Prevents accidentally clobbering files. alias mkdir='mkdir -p' - alias h='history' alias hg='history | grep' alias j='jobs -l' -- cgit 1.4.1-2-gfad0