From 3a37ebad404fd2febf8af950cb59ca56a63d3b3f Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 8 Jan 2020 01:38:07 +0000
Subject: iptables bridge and server update
---
 core/conf/iptables/bridge.v4 | 38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)
(limited to 'core/conf/iptables/bridge.v4')
diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4
index bea9be0..7048bdb 100644
--- a/core/conf/iptables/bridge.v4
+++ b/core/conf/iptables/bridge.v4
@@ -1,34 +1,34 @@
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *raw
 :PREROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [1:2468]
+:OUTPUT ACCEPT [2:104]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [1:2468]
+:OUTPUT ACCEPT [2:104]
 :POSTROUTING ACCEPT [0:0]
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
-# Generated by iptables-save v1.8.2 on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
+# Generated by iptables-save v1.8.3 on Thu Sep 12 14:45:57 2019
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -66,6 +66,7 @@ COMMIT
 :srv_https_in - [0:0]
 :srv_https_out - [0:0]
 :srv_icmp - [0:0]
+:srv_ntp - [0:0]
 :srv_rip - [0:0]
 :srv_ssh_in - [0:0]
 :srv_ssh_out - [0:0]
@@ -77,21 +78,28 @@ COMMIT
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp
 -A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j cli_http_in
 -A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in
+-A INPUT -i br0 -j cli_http_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in
 -A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in
+-A INPUT -d 10.0.0.254/32 -i br0 -j srv_ntp
+-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7
 -A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
 -A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp
 -A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT
+-A FORWARD -d 10.0.0.5/32 -i br0 -o br0 -j ACCEPT
 -A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in
+-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ntp
 -A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
 -A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
+-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
 -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in
 -A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP
 -A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP
@@ -110,7 +118,9 @@ COMMIT
 -A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out
 -A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out
 -A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out
--A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out
+-A OUTPUT -j cli_http_out
+-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_ntp
+-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
 -A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7
 -A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
@@ -206,6 +216,8 @@ COMMIT
 -A srv_https_out -j RETURN
 -A srv_icmp -p icmp -j ACCEPT
 -A srv_icmp -j RETURN
+-A srv_ntp -p udp -m udp --sport 123 --dport 123 -j ACCEPT
+-A srv_ntp -j RETURN
 -A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT
 -A srv_rip -j RETURN
 -A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
@@ -221,4 +233,4 @@ COMMIT
 -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A srv_ssh_out -j RETURN
 COMMIT
-# Completed on Sun Jul 7 23:48:36 2019
+# Completed on Thu Sep 12 14:45:57 2019
-- 
cgit 1.4.1-2-gfad0
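Review bot: `-A FORWARD -d 10.0.0.5/32 -i br0 -o br0 -j ACCEPT` accepts every protocol and port to 10.0.0.5 from any source, including frames bridged in from enp8s0, while the neighbouring per-host FORWARD rules are scoped with `-m physdev --physdev-in enp8s0` plus a service chain; LAN-origin traffic is already accepted by the `-s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT` line just above it, so what this rule newly grants is unrestricted external access to that host, and it should name the service chain the host actually needs. `-A INPUT -i br0 -j cli_http_in` likewise drops the `-s 10.0.0.0/8 -d 10.0.0.254/32` scoping that the cli_http_in jump added three lines earlier in this hunk still carries, which makes that narrower line's scoping moot. The stateless `-A FORWARD -d 10.0.0.3/32 ... --sport 1024:65535 --dport 1024:65535 -j ACCEPT` admits new connections from enp8s0 to any port above 1023 on 10.0.0.3, unlike its INPUT counterpart in the same hunk which carries `-m state --state RELATED,ESTABLISHED`; the same state match belongs here if the intent is only to pass reply traffic. Finally `-A INPUT -d 10.0.0.254/32 -i br0 -j srv_ntp` omits the `-s 10.0.0.0/8` that the srv_dns_in, srv_icmp and srv_ssh_in jumps above it use, so the NTP service on the bridge host is reachable from any source on the bridge; scope it to the LAN unless serving NTP externally is intended.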
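Review bot: `-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT` has no state match, so it accepts new outbound TCP connections from the bridge host to any port above 1023 on any destination, which sidesteps the per-service cli_*_out chains this OUTPUT chain is otherwise built from; the INPUT rule added in the previous hunk for the same port ranges carries `-m state --state RELATED,ESTABLISHED`, and this line should end `--dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT` if it is only meant to return the reply half of inbound ephemeral-port connections. Replacing `-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out` with `-A OUTPUT -j cli_http_out` also removes the source and interface scoping that the cli_http_out jump three lines above still has; whether cli_http_out itself constrains the destination port is outside this hunk. The OUTPUT chain's policy is not visible here, so how much the stateless rule widens exposure depends on whether that policy is DROP.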
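Review bot: `-A srv_ntp -p udp -m udp --sport 123 --dport 123 -j ACCEPT` is a single stateless chain reused by the INPUT, FORWARD and OUTPUT jumps added in the earlier hunks, so it passes NTP in either direction solely because both ports are 123. A peer that queries from an ephemeral source port (chrony's default client behaviour, for example) will match neither on the query nor on the reply, and the symmetric match loses the in/out split that srv_ssh_in/srv_ssh_out use, where the reply side is gated by `-m state --state ESTABLISHED`; consider splitting into srv_ntp_in and srv_ntp_out along the same lines, with `-A srv_ntp_out -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT` for replies. Which sources may reach the chain is decided by the unscoped INPUT jump in the earlier hunk rather than here, so any source restriction belongs on that jump.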