From c440afaf8f47bc53cc841a1587d1c10b12911e64 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Sun, 6 May 2018 13:37:41 +0100
Subject: iptables, failtoban and dnsmasq revision
---
core/scripts/iptables.sh | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
(limited to 'core/scripts/iptables.sh')
diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index 9c6cb87..6efdcc6 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -31,43 +31,60 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - iptables_tables case $TYPE in bridge) echo "Setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward + + ####### NAT Prerouting Chain ###### + #PREROUTING: IN=br0 OUT= PHYSIN=tap2 MAC=ff:ff:ff:ff:ff:ff:54:60:be:ef:5c:14:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357 + ####### Forward Chain ###### $IPT -A FORWARD -j blocker - #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT - #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap0 --physdev-out ${PUB_IF} -j srv_ssh_out + $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in $IPT -A FORWARD -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + #$IPT -A FORWARD -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + ####### Input Chain ###### $IPT -A INPUT -j blocker + #Less noise + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP + $IPT -A INPUT -i ${BR_IF} -m physdev 
--physdev-in tap2 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp ####### Output Chain ###### $IPT -A OUTPUT -j blocker + #Less noise + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp ####### PostRouting Chain ###### - $IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE + #May 6 11:31:45 c9 kernel: iptables: POSTROUTING: IN= OUT=br0 PHYSIN=tap2 PHYSOUT=enp8s0 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357 + + $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + + #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE ## log everything else and drop iptables_log -- cgit 1.4.1-2-gfad0
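Review bot: The two new `$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT` / `-o lo ...` rules in the FORWARD chain can never match, because loopback traffic is delivered locally and is not forwarded, so they only add two rules that every transit packet walks through. The new `$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in` has a similar problem: the host's own SSH traffic traverses OUTPUT rather than FORWARD, so the only frames that could hit this rule are transit frames on a bridge port carrying the host's own address; unless cli_ssh_in (defined outside the hunk) is meant as an anti-spoofing sink, this looks like it should be a DROP or be removed. The pasted kernel log lines used as comments (`#PREROUTING: IN=br0 ...` and `#May 6 11:31:45 c9 kernel: ...`) would serve the next reader better as a one-line statement of intent, e.g. `# guest DHCP discover (0.0.0.0:68 -> 255.255.255.255:67) crosses the bridge from tap2`. The removal of `echo 1 > /proc/sys/net/ipv4/ip_forward` together with commenting out the MASQUERADE rule is not explained; if guests are now purely bridged and no longer routed/NATed via ${PRIV_IF}, a comment saying so next to the commented rule would keep someone from re-enabling it by habit. Hardcoding `tap2` in the new srv_rip/srv_dhcp rules, while the other interfaces are variables, is the same fragility the removed lines had with tap0/tap2 and is worth lifting into a variable alongside ${PUB_IF} and ${BR_IF}.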