From c440afaf8f47bc53cc841a1587d1c10b12911e64 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sun, 6 May 2018 13:37:41 +0100 Subject: iptables, failtoban and dnsmasq revision --- core/scripts/iptables-br.sh | 395 ------------------------------------------ core/scripts/iptables-conf.sh | 9 +- core/scripts/iptables.sh | 37 ++-- 3 files changed, 32 insertions(+), 409 deletions(-) delete mode 100644 core/scripts/iptables-br.sh (limited to 'core') diff --git a/core/scripts/iptables-br.sh b/core/scripts/iptables-br.sh deleted file mode 100644 index be1280c..0000000 --- a/core/scripts/iptables-br.sh +++ /dev/null @@ -1,395 +0,0 @@ -#!/bin/sh - -# -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# + -# | -# v -# +-------------+ +------------------+ -# |table: filter| <---+ | table: nat | -# |chain: INPUT | | | chain: PREROUTING| -# +-----+-------+ | +--------+---------+ -# | | | -# v | v -# [local process] | **************** +--------------+ -# | +---------+ Routing decision +------> |table: filter | -# v **************** |chain: FORWARD| -# **************** +------+-------+ -# Routing decision | -# **************** | -# | | -# v **************** | -# +-------------+ +------> Routing decision <---------------+ -# |table: nat | | **************** -# |chain: OUTPUT| | + -# +-----+-------+ | | -# | | v -# v | +-------------------+ -# +--------------+ | | table: nat | -# |table: filter | +----+ | chain: POSTROUTING| -# |chain: OUTPUT | +--------+----------+ -# +--------------+ | -# v -# XXXXXXXXXXXXXXXXX -# XXXX Network XXXX -# XXXXXXXXXXXXXXXXX -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] {-A|-C|-D} chain rule-specification -# -# iptables [-t table] -I chain [rulenum] rule-specification -# -# iptables [-t table] -R chain rulenum rule-specification -# -# iptables [-t table] -D chain rulenum -# -# iptables [-t table] -S [chain [rulenum]] -# -# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] -# -# iptables [-t table] -N chain -# -# iptables [-t table] -X [chain] -# -# iptables [-t table] -P chain target -# -# iptables [-t table] -E old-chain-name new-chain-name -# -# rule-specification = [matches...] [target] -# -# match = -m matchname [per-match-options] -# -# -# Targets -# -# can be a user defined chain -# -# ACCEPT - accepts the packet -# DROP - drop the packet on the floor -# QUEUE - packet will be stent to queue -# RETURN - stop traversing this chain and -# resume ate the next rule in the -# previeus (calling) chain. -# -# if packet reach the end of the chain or -# a target RETURN, default policy for that -# chain is applayed. -# -# Target Extensions -# -# AUDIT -# CHECKSUM -# CLASSIFY -# DNAT -# DSCP -# LOG -# Torn on kernel logging, will print some -# some information on all matching packets. -# Log data can be read with dmesg or syslogd. -# This is a non-terminating target and a rule -# should be created with matching criteria. -# -# --log-level level -# Level of logging (numeric or see sys- -# log.conf(5) -# -# --log-prefix prefix -# Prefix log messages with specified prefix -# up to 29 chars log -# -# --log-uid -# Log the userid of the process with gener- -# ated the packet -# NFLOG -# This target pass the packet to loaded logging -# backend to log the packet. One or more userspace -# processes may subscribe to the group to receive -# the packets. -# -# ULOG -# This target provides userspace logging of maching -# packets. One or more userspace processes may then -# then subscribe to various multicast groups and -# then receive the packets. -# -# -# Commands -# -# -A, --append chain rule-specification -# -C, --check chain rule-specification -# -D, --delete chain rule-specification -# -D, --delete chain rulenum -# -I, --insert chain [rulenum] rule-specification -# -R, --replace chain rulenum rule-specification -# -L, --list [chain] -# -P, --policy chain target -# -# Parameters -# -# -p, --protocol protocol -# tcp, udp, udplite, icmp, esp, ah, sctp, all -# -s, --source address[/mask][,...] -# -d, --destination address[/mask][,...] -# -j, --jump target -# -g, --goto chain -# -i, --in-interface name -# -o, --out-interface name -# -f, --fragment -# -m, --match options module-name -# iptables can use extended packet matching -# modules. -# -c, --set-counters packets bytes - -IPT="/usr/sbin/iptables" -SPAMLIST="blockedip" -SPAMDROPMSG="BLOCKED IP DROP" -# public interface to network/internet -#PUB_IF="wlp7s0" -PUB_IF="enp8s0" -BR_IF="br0" -PUB_IP="10.0.0.254" -NET_ADDR="10.0.0.0/8" -GW="10.0.0.1" -# private interface for virtual/internal -PRIV_IF="wlp7s0" -PRIV_IP="192.168.1.33" - -echo "Stopping ipv4 firewall and deny everyone..." - -iptables -F -iptables -X -iptables -t nat -F -iptables -t nat -X -iptables -t mangle -F -iptables -t mangle -X -iptables -t raw -F -iptables -t raw -X -iptables -t security -F -iptables -t security -X -iptables -N blocker - -iptables -N netconf_in -iptables -N netconf_out -iptables -N server_in -iptables -N server_out -iptables -N client_in -iptables -N client_out - -# Set Default Rules -iptables -P INPUT DROP -iptables -P FORWARD DROP -iptables -P OUTPUT DROP - -echo "Starting ipv4 firewall tables..." -# Unlimited on loopback -$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - -#modprobe ip_conntrack -#modprobe ip_conntrack_ftp -#echo 1 > /proc/sys/net/ipv4/ip_forward - -####### blocker Chain ###### -## Block google dns -$IPT -A blocker -s 8.8.0.0/24 -j LOG --log-level 7 --log-prefix "iptables: blocker google: " -$IPT -A blocker -s 8.8.0.0/24 -j DROP -## Block sync -$IPT -A blocker -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " -$IPT -A blocker -p tcp ! --syn -m state --state NEW -j DROP -## Block Fragments -$IPT -A blocker -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " -$IPT -A blocker -f -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPT -A blocker -p tcp --tcp-flags ALL ALL -j DROP - -$IPT -A blocker -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " -$IPT -A blocker -p tcp --tcp-flags ALL NONE -j DROP # NULL packets - -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " -$IPT -A blocker -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " -$IPT -A blocker -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " -$IPT -A blocker -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans - -$IPT -A blocker -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP -## Return to caller -$IPT -A blocker -j RETURN - -####### server input Chain ###### -#echo "server_in chain: Allow to VNC Server" -#$IPT -A server_in -p tcp --dport 5900 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow to DataBase Server" -#$IPT -A server_in -p tcp --dport 5432 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow to SSH server" -#$IPT -A server_in -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to HTTPS Server" -#$IPT -A server_in -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to HTTP Server" -#$IPT -A server_in -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "server_in chain: Allow input to DNS Server" -$IPT -A server_in -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A server_in -p tcp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#echo "server_in chain: Allow input to GIT server" -#$IPT -A server_in -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_in -j RETURN - -####### server output Chain ###### -echo "server_out chain: Allow output from DNS server" -$IPT -A server_out -p udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -$IPT -A server_out -p tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from GIT server" -#$IPT -A server_out -p tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from https server" -#$IPT -A server_out -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from http server" -#$IPT -A server_out -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from SSH server" -#$IPT -A server_out -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from Data Base server" -#$IPT -A server_out -p tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#echo "server_out chain: Allow output from VNC server" -#$IPT -A server_out -p tcp --sport 5900 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A server_out -j RETURN - -####### client input Chain ###### -echo "client_in chain: Allow input from IRC server" -$IPT -A client_in -p tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from FTP server" -$IPT -A client_in -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GIT server" -$IPT -A client_in -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from POP3S server" -$IPT -A client_in -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SMTPS server" -$IPT -A client_in -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTP Server" -$IPT -A client_in -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from HTTPS server" -$IPT -A client_in -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -#$IPT -A client_in -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from DNS Server" -$IPT -A client_in -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from SSH Server" -$IPT -A client_in -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -$IPT -A client_in -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -echo "client_in chain: Allow input from GPG key Server" -$IPT -A client_in -p tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A client_in -j RETURN - -####### client output Chain ###### -echo "client_out chain: Allow output to IRC server" -$IPT -A client_out -p tcp --dport 6667 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to FTP server" -$IPT -A client_out -p tcp --dport 21 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GIT server" -$IPT -A client_out -p tcp --dport 9418 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to POP3S server" -$IPT -A client_out -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SMTPS server" -$IPT -A client_out -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to HTTPS server" -$IPT -A client_out -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p udp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "Allow to HTTP server" -$IPT -A client_out -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to DNS server" -$IPT -A client_out -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to SSH server" -$IPT -A client_out -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPT -A client_out -p tcp --dport 22 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -echo "client_out chain: Allow output to GPG key Server" -$IPT -A client_out -p tcp --dport 11371 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT - -## Return to caller -$IPT -A client_out -j RETURN - -####### netconf input Chain ###### -echo "netconf_in chain: Allow DHCP protocol" -$IPT -A netconf_in -p udp --sport 68 --dport 67 -j ACCEPT -echo "netconf_in chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_in -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP from ${NET_ADDR}" -#$IPT -A netconf_in -p icmp -s ${NET_ADDR} -j ACCEPT -echo "netconf_in chain: Allow ICMP from all" -$IPT -A netconf_in -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_in ICMP: " -$IPT -A netconf_in -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_in -j RETURN - - -####### netconf output Chain ###### -echo "netconf_out chain: Allow output from DHCP server" -$IPT -A netconf_out -p udp --sport 67 --dport 68 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -echo "netconf_out chain: Allow RIP protocol for ${NET_ADDR}" -$IPT -A netconf_out -p udp --sport 520 --dport 520 -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -#echo "netconf chain: Allow ICMP output to ${NET_ADDR}" -#$IPT -A netconf_out -p icmp -d ${NET_ADDR} -j ACCEPT -echo "netconf chain: Allow ICMP output to all" -$IPT -A netconf_out -p icmp -j LOG --log-level 7 --log-prefix "iptables: netconf_out ICMP: " -$IPT -A netconf_out -p icmp -j ACCEPT - -## Return to caller -$IPT -A netconf_out -j RETURN - -####### AP rules ###### -#$IPT -t nat -A PREROUTING -i ${BR_IF} -p tcp --dport 80 -j DNAT --to 10.0.0.4:80 - -$IPT -A FORWARD -j blocker -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -d ${NET_ADDR} -j ACCEPT -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -j netconf_out -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j client_out -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -j server_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${NET_ADDR} -j server_out - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j ACCEPT - -#$IPT -A FORWARD -j server_in - -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -j SNAT --to ${PUB_IP} - -####### Input Chain ###### -$IPT -A INPUT -j blocker - -$IPT -A INPUT -i ${BR_IF} -s ${NET_ADDR} -d ${PUB_IP} -j server_in -$IPT -A INPUT -i ${BR_IF} -d ${NET_ADDR} -j client_in -$IPT -A INPUT -i ${BR_IF} -j netconf_in - -#$IPT -A INPUT -i ${PUB_IF} -d ${NET_ADDR} -j client_in - -####### Output Chain ###### -$IPT -A OUTPUT -j blocker - -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${NET_ADDR} -j server_out -$IPT -A OUTPUT -o ${BR_IF} -s ${NET_ADDR} -j client_out -$IPT -A OUTPUT -o ${BR_IF} -j netconf_out - - -#$IPT -A OUTPUT -o ${PUB_IF} -s ${NET_ADDR} -j client_out - -## log everything else and drop -$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " -$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " -$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - -iptables-save > /etc/iptables/br-lan.v4 -exit 0 diff --git a/core/scripts/iptables-conf.sh b/core/scripts/iptables-conf.sh index cd3185b..04e804b 100644 --- a/core/scripts/iptables-conf.sh +++ b/core/scripts/iptables-conf.sh @@ -59,7 +59,6 @@ iptables_clear () { iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP - } iptables_log () { @@ -120,11 +119,11 @@ iptables_tables () { $IPT -A srv_ssh_in -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH -j ACCEPT $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent \ - --update --seconds 60 --hitcount 4 --rttl \ - --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" + --update --seconds 60 --hitcount 4 --rttl \ + --name SSH -j LOG --log-prefix "${SPAMDROPMSG} SSH" $IPT -A srv_ssh_in -p tcp --dport 2222 -m recent --update --seconds 60 \ - --hitcount 4 --rttl --name SSH -j DROP + --hitcount 4 --rttl --name SSH -j DROP $IPT -A srv_ssh_in -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT @@ -217,6 +216,8 @@ iptables_tables () { ######## DHCP Server $IPT -A srv_dhcp -p udp --sport 68 --dport 67 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 68 -j ACCEPT + $IPT -A srv_dhcp -p udp --sport 67 --dport 67 -j ACCEPT $IPT -A srv_dhcp -j RETURN ####### RIP Server diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh index 9c6cb87..6efdcc6 100644 --- a/core/scripts/iptables.sh +++ b/core/scripts/iptables.sh @@ -31,43 +31,60 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT - iptables_tables case $TYPE in bridge) echo "Setting bridge network..." - echo 1 > /proc/sys/net/ipv4/ip_forward + + ####### NAT Prerouting Chain ###### + #PREROUTING: IN=br0 OUT= PHYSIN=tap2 MAC=ff:ff:ff:ff:ff:ff:54:60:be:ef:5c:14:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357 + ####### Forward Chain ###### $IPT -A FORWARD -j blocker - #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -d ${NET_ADDR} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j ACCEPT - #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap0 --physdev-out ${PUB_IF} -j srv_ssh_out + $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_in $IPT -A FORWARD -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + #$IPT -A FORWARD -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + ####### Input Chain ###### $IPT -A INPUT -j blocker + #Less noise + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP + $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j cli_ssh_in - $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -j srv_dhcp + $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp ####### Output Chain ###### $IPT -A OUTPUT -j blocker + #Less noise + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out - - #Less noise - $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP + $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp ####### PostRouting Chain ###### - $IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE + #May 6 11:31:45 c9 kernel: iptables: POSTROUTING: IN= OUT=br0 PHYSIN=tap2 PHYSOUT=enp8s0 SRC=0.0.0.0 DST=255.255.255.255 LEN=377 TOS=0x00 PREC=0x00 TTL=64 ID=37544 PROTO=UDP SPT=68 DPT=67 LEN=357 + + $IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + + #$IPT -t nat -A POSTROUTING -o ${PRIV_IF} -j MASQUERADE ## log everything else and drop iptables_log -- cgit 1.4.1-2-gfad0