From f33f82d3c05a679cfb617cdc5f9dc7659b0c4e47 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 17 Sep 2016 03:51:07 +0100 Subject: updated core linux ports and iptables script --- core/scripts/iptables.sh | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'core/scripts/iptables.sh') diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index 2931c8c..714a18a 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh @@ -147,6 +147,7 @@ IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" #PUB_IP="192.168.1.65" #PRIV_IF="wlp3s0" @@ -217,20 +218,20 @@ $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP ##### Server rules below ###### #echo "Allow ICMP" -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/12 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/12 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/12 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/12 -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT #echo "Allow DNS Server" #$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT #$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT #echo "Allow HTTP and HTTPS server" -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/12 -j ACCEPT -#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/12 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/12 -j ACCEPT -#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/12 -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT #echo "Allow ssh server" #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT @@ -306,7 +307,7 @@ $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state -- # $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT # # echo "Allow warzone2100" -# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/12 -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT @@ -316,6 +317,14 @@ $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state -- # $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT ##### END your rules ############ +# Less log of known traffic + +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP + +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT # log everything else and drop $IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -- cgit 1.4.1-2-gfad0