From 1bfea776374a665e4e2fd70aa74a145976c4034e Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 6 May 2018 14:06:13 +0100
Subject: iptables server revision
---
 core/scripts/iptables.sh | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
(limited to 'core/scripts/iptables.sh')
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index 6efdcc6..3824dab 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 TYPE=bridge
+#TYPE=server
 IPT="/usr/sbin/iptables"
 SPAMLIST="blockedip"
@@ -10,13 +11,14 @@ SPAMDROPMSG="BLOCKED IP DROP"
 BR_IF="br0"
 BR_NET="10.0.0.0/8"
 GW="10.0.0.1"
+DNS="10.0.0.254"
 PUB_IP="10.0.0.254"
 PUB_IF="enp8s0"
 # private interface for virtual/internal
-PRIV_IF="wlp7s0"
-PRIV_NET="192.168.1.0/24"
+#PRIV_IF="wlp7s0"
+#PRIV_NET="192.168.1.0/24"
 #$IPT -A netconf_in -p icmp -s ${BR_NET} -j ACCEPT
@@ -63,6 +65,8 @@ case $TYPE in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp
@@ -76,11 +80,11 @@ case $TYPE in
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
+ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
+ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
 ####### PostRouting Chain ######
- #May 6 11:31:45 c9 kernel: iptables: POSTROUTING: IN= OUT=br0 PHYSIN=tap2 PHYSOUT=enp8s0 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357
- $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
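Review bot: `DNS="10.0.0.254"` in the variable hunk is the same address as `PUB_IP="10.0.0.254"` two lines below it, so the server-mode rules added later in this patch (hunk `@@ -98`) that match `-s ${DNS} -d ${PUB_IP}` and `-d ${DNS} -s ${PUB_IP}` only ever see packets the host addresses to itself; if a separate resolver is intended, DNS needs that resolver's address, otherwise the DNS rules should be written against the local interface instead. Commenting out `PRIV_IF` and `PRIV_NET` also means any remaining `${PRIV_IF}` or `${PRIV_NET}` reference elsewhere in the script now expands to an empty string, which either makes iptables reject the command or silently drops the `-i`/`-s` restriction from that rule; grep the rest of the file before retiring them, or guard remaining uses with `${PRIV_IF:?}` so an unset value aborts instead of widening a rule. The variable block continues outside this hunk, so I cannot see whether such references remain.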
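Review bot: In hunk `@@ -63` the new `cli_git_in` rule accepts git traffic from any source arriving on `${BR_IF}`, while the `cli_ssh_in` rule added on the very next line is restricted with `-s ${BR_NET}`; since br0 appears to bridge the tap and the physical interface (the removed log line further down shows PHYSIN=tap2/PHYSOUT=enp8s0), this makes the git service reachable from beyond the bridge network unless the `cli_git_in` chain filters sources itself. If only internal clients should reach it, add the same restriction: `$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_git_in`. The `cli_git_in` chain is defined outside this hunk, so I cannot confirm what it accepts, and the enclosing `case` arm continues past the hunk.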
@@ -89,6 +93,9 @@ case $TYPE in
 ## log everything else and drop
 iptables_log
+ $IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
+ $IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "
+
 iptables-save > /etc/iptables/net.v4
 exit 0
 ;;
@@ -98,9 +105,19 @@ case $TYPE in
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in
+ $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in
+
 ####### Output Chain ######
 $IPT -A OUTPUT -j blocker
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out
+ $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out
+
 ## log everything else and drop
 iptables_log
-- 
cgit 1.4.1-2-gfad0
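Review bot: The two `-j LOG` rules appended to nat POSTROUTING and PREROUTING in hunk `@@ -89` carry no `-m limit`, so every packet that traverses those nat chains is written to the kernel log at level 7; a burst of new connections can flood the ring buffer and syslog, and because `iptables-save` runs right after, this debug logging becomes part of the persistent ruleset. Rate-limit them, e.g. `$IPT -t nat -A POSTROUTING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "` with the same for PREROUTING, or gate both behind a DEBUG variable so they are not saved by default. The rules are only added in the bridge arm; the server arm in the next hunk gets none, which may be intended.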
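Review bot: The server arm in hunk `@@ -98` now jumps to `srv_https_in`, `srv_ssh_in`, `srv_git_in` and their `_out` counterparts, but none of these chains is created or referenced anywhere visible in the patch (the bridge arm uses `cli_*` chains only); if they are not defined earlier in the script, each `$IPT -A` fails with "No chain/target/match by that name", and since no `set -e` is visible in the header hunk the run continues into `iptables_log` and, if this arm ends like the bridge arm, `iptables-save`, persisting a ruleset with those accepts silently missing. Verify the chain definitions above the `case`, and consider `set -e` or `|| exit 1` on the rule commands so a rejected rule aborts before the save. The `cli_dns_in`/`cli_dns_out` rules here depend on `${DNS}`, which the variable hunk sets to the same address as `${PUB_IP}`. The `case` arm continues outside the hunk.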