From 3ec086df28374f6433c15c060ff608eb2cb19814 Mon Sep 17 00:00:00 2001 From: Silvino Date: Mon, 17 Jun 2019 15:28:45 +0100 Subject: added caching to core apparmor --- core/conf/apparmor/parser.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 core/conf/apparmor/parser.conf (limited to 'core/conf') diff --git a/core/conf/apparmor/parser.conf b/core/conf/apparmor/parser.conf new file mode 100644 index 0000000..673d30a --- /dev/null +++ b/core/conf/apparmor/parser.conf @@ -0,0 +1,2 @@ +## Turn creating/updating of the cache on by default +write-cache -- cgit 1.4.1-2-gfad0 From c89c785b301ea90290190aceeb1da0c9b7d464b3 Mon Sep 17 00:00:00 2001 From: Silvino Date: Tue, 18 Jun 2019 20:38:33 +0100 Subject: added protection against sack in core sysctl --- core/conf/sysctl.conf | 3 +++ core/sysctl.html | 3 +++ 2 files changed, 6 insertions(+) (limited to 'core/conf') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 771112a..d50520e 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -39,6 +39,9 @@ net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 +#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. +net.ipv4.tcp_sack = 0 + # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 diff --git a/core/sysctl.html b/core/sysctl.html index afee463..550ae6d 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -62,6 +62,9 @@ net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 + #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. + net.ipv4.tcp_sack = 0 + # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 -- cgit 1.4.1-2-gfad0 From 89b60df59cfe793452041b5a28e01a7b2c01b60b Mon Sep 17 00:00:00 2001 From: Silvino Date: Wed, 19 Jun 2019 00:54:23 +0100 Subject: fix core conf sysctl.conf --- core/conf/sysctl.conf | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'core/conf') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index d50520e..3cc54d1 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -15,6 +15,9 @@ vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 +#Yama LSM by default +kernel.yama.ptrace_scope = 1 + # # Filesystem Protections # @@ -30,6 +33,8 @@ kernel.kptr_restrict = 2 # Network Protections # +net.core.bpf_jit_enable = 0 + # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths @@ -94,6 +99,7 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 @@ -134,3 +140,4 @@ net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_synack_retries = 3 # End of file + -- cgit 1.4.1-2-gfad0 From eddfa5ed593e67c9b2e6c53382b4fe044663451a Mon Sep 17 00:00:00 2001 From: Silvino Date: Wed, 26 Jun 2019 17:10:12 +0100 Subject: core iptables revision --- core/conf/iptables/bridge.v4 | 220 +++++++++++++++++++++++++++++++++++++++ core/conf/iptables/client.v4 | 211 +++++++++++++++++++++++++++++++++++++ core/conf/iptables/ipt-bridge.sh | 4 +- core/conf/iptables/ipt-client.sh | 48 +++++++++ core/conf/iptables/ipt-conf.sh | 16 +-- core/conf/iptables/ipt-open.sh | 47 --------- core/conf/iptables/ipt-server.sh | 2 +- core/conf/iptables/open.v4 | 210 ------------------------------------- core/conf/rc.d/iptables | 86 ++++++++++----- core/conf/skel/.bashrc | 4 +- 10 files changed, 556 insertions(+), 292 deletions(-) create mode 100644 core/conf/iptables/bridge.v4 create mode 100644 core/conf/iptables/client.v4 create mode 100644 core/conf/iptables/ipt-client.sh delete mode 100644 core/conf/iptables/ipt-open.sh delete mode 100644 core/conf/iptables/open.v4 (limited to 'core/conf') diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4 new file mode 100644 index 0000000..35bfef4 --- /dev/null +++ b/core/conf/iptables/bridge.v4 @@ -0,0 +1,220 @@ +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -d 10.0.0.254/32 -i br0 -p tcp -m tcp --sport 3030 --dport 1024:65535 -j DROP +-A INPUT -i br0 -j srv_dhcp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_dns_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_icmp +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i br0 -j srv_ssh_in +-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -j cli_dns_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_https_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_git_in +-A INPUT -d 10.0.0.254/32 -i br0 -j cli_ssh_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -i br0 -o br0 -j srv_dhcp +-A FORWARD -s 10.0.0.0/8 -i br0 -o br0 -j ACCEPT +-A FORWARD -s 212.55.154.174/32 -d 10.0.0.254/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_dns_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_http_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_https_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in +-A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in +-A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT +-A OUTPUT -s 10.0.0.254/32 -o br0 -p tcp -m tcp --sport 1024:65535 --dport 3030 -j DROP +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dhcp +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j srv_ssh_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j srv_git_out +-A OUTPUT -o br0 -j srv_icmp +-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o br0 -j cli_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_ssh_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o br0 -j cli_http_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_https_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_git_out +-A OUTPUT -s 10.0.0.254/32 -o br0 -j cli_http_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Wed Jun 26 15:44:59 2019 diff --git a/core/conf/iptables/client.v4 b/core/conf/iptables/client.v4 new file mode 100644 index 0000000..91b564d --- /dev/null +++ b/core/conf/iptables/client.v4 @@ -0,0 +1,211 @@ +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 +# Generated by iptables-save v1.8.3 on Thu Jun 20 20:34:21 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -i wlp9s0 -j cli_dns_in +-A INPUT -i wlp9s0 -j cli_http_in +-A INPUT -i wlp9s0 -j cli_https_in +-A INPUT -i wlp9s0 -j cli_git_in +-A INPUT -i wlp9s0 -j cli_ssh_in +-A INPUT -i wlp9s0 -j srv_icmp +-A INPUT -i wlp9s0 -j cli_pops_in +-A INPUT -i wlp9s0 -j cli_smtps_in +-A INPUT -i wlp9s0 -j cli_irc_in +-A INPUT -i wlp9s0 -j cli_ftp_in +-A INPUT -i wlp9s0 -j cli_gpg_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -j blocker +-A OUTPUT -o wlp9s0 -j cli_dns_out +-A OUTPUT -o wlp9s0 -j cli_https_out +-A OUTPUT -o wlp9s0 -j cli_ssh_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j srv_icmp +-A OUTPUT -o wlp9s0 -j cli_pops_out +-A OUTPUT -o wlp9s0 -j cli_smtps_out +-A OUTPUT -o wlp9s0 -j cli_irc_out +-A OUTPUT -o wlp9s0 -j cli_ftp_out +-A OUTPUT -o wlp9s0 -j cli_gpg_out +-A OUTPUT -o wlp9s0 -p udp -m udp --sport 1024:65511 --dport 1024:65535 -j ACCEPT +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Thu Jun 20 20:34:21 2019 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index cd93687..6dbeb87 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -67,12 +67,12 @@ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 - $IPT -A INPUT -i ${BR_IF} -j srv_dhcp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in -$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in #$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp #$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in @@ -133,4 +133,4 @@ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out ## log everything else and drop ipt_log -iptables-save > bridge.v4 +iptables-save > /etc/iptables/bridge.v4 diff --git a/core/conf/iptables/ipt-client.sh b/core/conf/iptables/ipt-client.sh new file mode 100644 index 0000000..65df9e4 --- /dev/null +++ b/core/conf/iptables/ipt-client.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +echo "setting client network..." +source ipt-conf.sh +source ipt-firewall.sh +ipt_clear +ipt_tables + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +####### Input Chain ###### +$IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in +$IPT -A INPUT -i ${PUB_IF} -j cli_http_in +$IPT -A INPUT -i ${PUB_IF} -j cli_https_in +$IPT -A INPUT -i ${PUB_IF} -j cli_git_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in +$IPT -A INPUT -i ${PUB_IF} -j srv_icmp +$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in +$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in +$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in +$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -j ACCEPT + + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp +$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:655335 --dport 1024:65535 -j ACCEPT + +## log everything else and drop +ipt_log +iptables-save > /etc/iptables/client.v4 diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index c3dac16..dcea837 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -5,19 +5,23 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet +# bridge interface with interface facing gateway BR_IF="br0" +# bridge ip network address BR_NET="10.0.0.0/8" +# network gateway GW="10.0.0.1" -#GW="10.0.0.2" -#DNS="10.0.0.254" +# external dns DNS="212.55.154.174" -#DNS="8.8.8.8" +# static machine ip address PUB_IP="10.0.0.254" + +# public interface facing gateway PUB_IF="enp8s0" -# private interface for virtual/internal +# wifi interface WIFI_IF="wlp7s0" -#WIFI_NET="192.168.1.0/24" + +# static wifi ip network address WIFI_NET="10.0.0.0/8" diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh deleted file mode 100644 index 3ef1254..0000000 --- a/core/conf/iptables/ipt-open.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -echo "setting client network..." -source ipt-conf.sh -source ipt-firewall.sh -ipt_clear -ipt_tables - -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - -####### Input Chain ###### -$IPT -A INPUT -j blocker - -$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in -$IPT -A INPUT -i ${PUB_IF} -j cli_http_in -$IPT -A INPUT -i ${PUB_IF} -j cli_https_in -$IPT -A INPUT -i ${PUB_IF} -j cli_git_in -$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in -$IPT -A INPUT -i ${PUB_IF} -j srv_icmp -$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in -$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in -$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in -$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in -$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in - - -####### Output Chain ###### -$IPT -A OUTPUT -j blocker - -$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out -$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp -$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out -$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out - -## log everything else and drop -ipt_log - -iptables-save > open.v4 diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh index 370db60..e557193 100644 --- a/core/conf/iptables/ipt-server.sh +++ b/core/conf/iptables/ipt-server.sh @@ -43,4 +43,4 @@ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out ## log everything else and drop ipt_log -iptables-save > server.v4 +iptables-save > /etc/iptables/server.v4 diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/open.v4 deleted file mode 100644 index 30e476d..0000000 --- a/core/conf/iptables/open.v4 +++ /dev/null @@ -1,210 +0,0 @@ -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 -# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT DROP [0:0] -:blocker - [0:0] -:cli_dns_in - [0:0] -:cli_dns_out - [0:0] -:cli_ftp_in - [0:0] -:cli_ftp_out - [0:0] -:cli_git_in - [0:0] -:cli_git_out - [0:0] -:cli_gpg_in - [0:0] -:cli_gpg_out - [0:0] -:cli_http_in - [0:0] -:cli_http_out - [0:0] -:cli_https_in - [0:0] -:cli_https_out - [0:0] -:cli_irc_in - [0:0] -:cli_irc_out - [0:0] -:cli_pops_in - [0:0] -:cli_pops_out - [0:0] -:cli_smtps_in - [0:0] -:cli_smtps_out - [0:0] -:cli_ssh_in - [0:0] -:cli_ssh_out - [0:0] -:srv_db_in - [0:0] -:srv_db_out - [0:0] -:srv_dhcp - [0:0] -:srv_dns_in - [0:0] -:srv_dns_out - [0:0] -:srv_git_in - [0:0] -:srv_git_out - [0:0] -:srv_http_in - [0:0] -:srv_http_out - [0:0] -:srv_https_in - [0:0] -:srv_https_out - [0:0] -:srv_icmp - [0:0] -:srv_rip - [0:0] -:srv_ssh_in - [0:0] -:srv_ssh_out - [0:0] --A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT --A INPUT -j blocker --A INPUT -i wlp9s0 -j cli_dns_in --A INPUT -i wlp9s0 -j cli_http_in --A INPUT -i wlp9s0 -j cli_https_in --A INPUT -i wlp9s0 -j cli_git_in --A INPUT -i wlp9s0 -j cli_ssh_in --A INPUT -i wlp9s0 -j srv_icmp --A INPUT -i wlp9s0 -j cli_pops_in --A INPUT -i wlp9s0 -j cli_smtps_in --A INPUT -i wlp9s0 -j cli_irc_in --A INPUT -i wlp9s0 -j cli_ftp_in --A INPUT -i wlp9s0 -j cli_gpg_in --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 --A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT --A OUTPUT -j blocker --A OUTPUT -o wlp9s0 -j cli_dns_out --A OUTPUT -o wlp9s0 -j cli_https_out --A OUTPUT -o wlp9s0 -j cli_ssh_out --A OUTPUT -o wlp9s0 -j cli_git_out --A OUTPUT -o wlp9s0 -j cli_git_out --A OUTPUT -o wlp9s0 -j srv_icmp --A OUTPUT -o wlp9s0 -j cli_pops_out --A OUTPUT -o wlp9s0 -j cli_smtps_out --A OUTPUT -o wlp9s0 -j cli_irc_out --A OUTPUT -o wlp9s0 -j cli_ftp_out --A OUTPUT -o wlp9s0 -j cli_gpg_out --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A blocker -f -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" --A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " --A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP --A blocker -j RETURN --A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT --A cli_dns_in -j RETURN --A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT --A cli_dns_out -j RETURN --A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_in -j RETURN --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT --A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A cli_ftp_out -j RETURN --A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_git_in -j RETURN --A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_git_out -j RETURN --A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_gpg_in -j RETURN --A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_gpg_out -j RETURN --A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_http_in -j RETURN --A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_http_out -j RETURN --A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_https_in -j RETURN --A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_https_out -j RETURN --A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_irc_in -j RETURN --A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_irc_out -j RETURN --A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_pops_in -j RETURN --A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_pops_out -j RETURN --A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_smtps_in -j RETURN --A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_smtps_out -j RETURN --A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A cli_ssh_in -j RETURN --A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT --A cli_ssh_out -j RETURN --A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_db_in -j RETURN --A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_db_out -j RETURN --A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT --A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT --A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT --A srv_dhcp -j RETURN --A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_dns_in -j RETURN --A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_dns_out -j RETURN --A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_git_in -j RETURN --A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_git_out -j RETURN --A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_http_in -j RETURN --A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_http_out -j RETURN --A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT --A srv_https_in -j RETURN --A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT --A srv_https_out -j RETURN --A srv_icmp -p icmp -j ACCEPT --A srv_icmp -j RETURN --A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT --A srv_rip -j RETURN --A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" --A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP --A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT --A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" --A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP --A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_in -j RETURN --A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A srv_ssh_out -j RETURN -COMMIT -# Completed on Sat Jun 8 23:05:15 2019 diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index cc7c765..f8b7881 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,35 +1,31 @@ +#!/bin/bash IPT="/usr/sbin/iptables" -TYPE=bridge +#TYPE=bridge #TYPE=server -#TYPE=open +TYPE=open +#TYPE=client -echo "clear all iptables tables" +clear_ipt() { -${IPT} -F -${IPT} -X -${IPT} -t nat -F -${IPT} -t nat -X -${IPT} -t mangle -F -${IPT} -t mangle -X -${IPT} -t raw -F -${IPT} -t raw -X -${IPT} -t security -F -${IPT} -t security -X + ${IPT} -F + ${IPT} -X + ${IPT} -t nat -F + ${IPT} -t nat -X + ${IPT} -t mangle -F + ${IPT} -t mangle -X + ${IPT} -t raw -F + ${IPT} -t raw -X + ${IPT} -t security -F + ${IPT} -t security -X -# Set Default Rules -${IPT} -P INPUT DROP -${IPT} -P FORWARD DROP -${IPT} -P OUTPUT DROP - -${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +} case $1 in start) case $TYPE in bridge) - + clear_ipt echo "setting bridge network..." echo 1 > /proc/sys/net/ipv4/ip_forward @@ -38,23 +34,63 @@ case $1 in ;; server) - + clear_ipt echo "setting server network..." ## load server configuration iptables-restore /etc/iptables/server.v4 ;; - open) - + client) + clear_ipt echo "setting client network..." ## load client configuration - iptables-restore /etc/iptables/open.v4 + iptables-restore /etc/iptables/client.v4 + ;; + open) + clear_ipt + echo "setting open network..." + ## load client configuration + + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT ACCEPT + + ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + ${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + ${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT + + ${IPT} -A OUTPUT -j ACCEPT + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + ;; esac ;; stop) + echo "clear all iptables tables" + clear_ipt + # Set Default Rules + ${IPT} -P INPUT DROP + ${IPT} -P FORWARD DROP + ${IPT} -P OUTPUT DROP + + ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + ${IPT} -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + + ;; + restart) + clear_ipt + $0 start + ;; + status) + ${IPT} -v ;; *) echo "Usage: $0 [start|stop]" diff --git a/core/conf/skel/.bashrc b/core/conf/skel/.bashrc index 88cf24c..55d1c78 100644 --- a/core/conf/skel/.bashrc +++ b/core/conf/skel/.bashrc @@ -22,12 +22,14 @@ HISTSIZE=1000 HISTFILESIZE=2000 +alias diff='diff --color=auto' +alias grep='grep --color=auto' +alias ls='ls -ph --color=auto' alias rm='rm -i' #alias cp='cp -i' alias mv='mv -i' # Prevents accidentally clobbering files. alias mkdir='mkdir -p' - alias h='history' alias hg='history | grep' alias j='jobs -l' -- cgit 1.4.1-2-gfad0 From b0c241f112e1e50a2910249cfe66c1648ba2f3fa Mon Sep 17 00:00:00 2001 From: Silvino Date: Fri, 28 Jun 2019 03:54:24 +0100 Subject: core iptables bridge revision --- core/conf/iptables/bridge.v4 | 35 +++++++++++++++++++---------------- core/conf/iptables/ipt-bridge.sh | 4 +++- 2 files changed, 22 insertions(+), 17 deletions(-) (limited to 'core/conf') diff --git a/core/conf/iptables/bridge.v4 b/core/conf/iptables/bridge.v4 index 35bfef4..4930262 100644 --- a/core/conf/iptables/bridge.v4 +++ b/core/conf/iptables/bridge.v4 @@ -1,34 +1,34 @@ -# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 *security :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT -# Completed on Wed Jun 26 15:44:59 2019 -# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 *raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] +:PREROUTING ACCEPT [2:80] +:OUTPUT ACCEPT [3:4544] COMMIT -# Completed on Wed Jun 26 15:44:59 2019 -# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Wed Jun 26 15:44:59 2019 -# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 *mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] +:PREROUTING ACCEPT [2:80] +:INPUT ACCEPT [2:80] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [3:4544] +:POSTROUTING ACCEPT [2:2292] COMMIT -# Completed on Wed Jun 26 15:44:59 2019 -# Generated by iptables-save v1.8.2 on Wed Jun 26 15:44:59 2019 +# Completed on Fri Jun 28 01:22:10 2019 +# Generated by iptables-save v1.8.2 on Fri Jun 28 01:22:10 2019 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] @@ -91,6 +91,9 @@ COMMIT -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_ssh_in -A FORWARD -d 10.0.0.4/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j srv_git_in -A FORWARD -i br0 -o br0 -p tcp -m physdev --physdev-in enp8s0 -m tcp --sport 443 --dport 1024:65535 -j ACCEPT +-A FORWARD -d 10.0.0.3/32 -i br0 -o br0 -m physdev --physdev-in enp8s0 -j cli_http_in +-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 519 -j DROP +-A FORWARD -i br0 -o br0 -p udp -m udp --sport 520 --dport 520 -j DROP -A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT -A OUTPUT -s 10.0.0.254/32 -d 10.0.0.254/32 -o lo -j ACCEPT @@ -217,4 +220,4 @@ COMMIT -A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -A srv_ssh_out -j RETURN COMMIT -# Completed on Wed Jun 26 15:44:59 2019 +# Completed on Fri Jun 28 01:22:10 2019 diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index 6dbeb87..694c22f 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -50,8 +50,10 @@ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10. $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.3 -j cli_http_in ##Less noise -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 520 --sport 520 -j DROP ######## Input Chain ###### $IPT -A INPUT -j blocker -- cgit 1.4.1-2-gfad0