From b6b79e6d960febc3f266735e4a2f807d776b5830 Mon Sep 17 00:00:00 2001
From: Silvino Silva <silvino@bk.ru>
Date: Sat, 8 Dec 2018 02:08:20 +0000
Subject: iptables revision

---
 core/conf/iptables/ipt-bridge.sh | 158 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 158 insertions(+)
 create mode 100644 core/conf/iptables/ipt-bridge.sh

(limited to 'core/conf/iptables/ipt-bridge.sh')

diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
new file mode 100644
index 0000000..6f70e7c
--- /dev/null
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+echo "setting bridge ${BR_IF} network..."
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
+
+####### NAT Prerouting Chain  ######
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
+$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
+#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
+####### Forward Chain  ######
+$IPT -A FORWARD -j blocker
+$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+# Allow access from bridge to gateway wifi interface
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
+
+#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
+$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+#
+#
+# Tap1
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
+#
+#
+## Tap3
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
+#
+#
+######## Forward TAP2 ssh, http and https  ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+#
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+# Tap1, Tap2 and Tap3 can access external https
+
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
+
+#
+#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
+#
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
+#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
+
+#
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+
+####### Input Chain ######
+$IPT -A INPUT -j blocker
+#Less noise
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
+$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
+  
+$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
+
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in
+
+$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
+$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
+
+####### Output Chain ######
+$IPT -A OUTPUT -j blocker
+
+#Less noise
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out
+
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+
+
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
+
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
+$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
+
+#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out
+
+####### PostRouting Chain ######
+#Less noise
+#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
+#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
+
+#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
-- 
cgit 1.4.1-2-gfad0


From 48b937054671a1807a6cb32d77eabf834666d98b Mon Sep 17 00:00:00 2001
From: Silvino Silva <silvino@bk.ru>
Date: Sat, 15 Dec 2018 03:27:38 +0000
Subject: core iptables script revision

---
 core/conf/iptables/ipt-bridge.sh | 44 ++++++++++++++++++++++++++--------------
 core/conf/iptables/ipt-conf.sh   |  1 +
 2 files changed, 30 insertions(+), 15 deletions(-)

(limited to 'core/conf/iptables/ipt-bridge.sh')

diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 6f70e7c..6ad26fa 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -20,6 +20,8 @@ $IPT -A FORWARD -j blocker
 $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
+
 # Allow access from bridge to gateway wifi interface
 $IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
 $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
@@ -33,6 +35,30 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
 $IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
 $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
 
+# allow output from BR_NET to external
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT
+
+# allow input from public bridged interface facing Internet 
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in
+
+######## Forward TAP2 ssh, http and https  ######
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
+#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
+#
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
+
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
+
+
+#Less noise
+$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
+
+
 #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 #
@@ -61,22 +87,11 @@ $IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out
 #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
 #
 #
-######## Forward TAP2 ssh, http and https  ######
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out
-#
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
-#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out
-
 # Tap1, Tap2 and Tap3 can access external https
 
 #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
 #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in
 
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 
 
 #
@@ -86,9 +101,6 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT
 #        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp
 
 #
-#Less noise
-$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP
-
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
 #Less noise
@@ -96,11 +108,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -
 $IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
 $IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP
 
+$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
+
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
 $IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
   
 $IPT -A INPUT -i ${BR_IF} -j srv_dhcp
-
 $IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp
 
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
@@ -125,6 +138,7 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
+$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp
 
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh
index 3874cee..eef0b52 100644
--- a/core/conf/iptables/ipt-conf.sh
+++ b/core/conf/iptables/ipt-conf.sh
@@ -9,6 +9,7 @@ SPAMDROPMSG="BLOCKED IP DROP"
 BR_IF="br0"
 BR_NET="10.0.0.0/8"
 GW="10.0.0.1"
+#GW="10.0.0.2"
 #DNS="10.0.0.254"
 DNS="212.55.154.174"
 
-- 
cgit 1.4.1-2-gfad0