From d548aa0cf8497cfd4151768e5d85e1db858ee6d2 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Tue, 12 Jun 2018 20:09:49 +0100
Subject: fix iptables let ssh out if server

---
 core/scripts/iptables.sh | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'core')

diff --git a/core/scripts/iptables.sh b/core/scripts/iptables.sh
index 2b4d68a..1304210 100644
--- a/core/scripts/iptables.sh
+++ b/core/scripts/iptables.sh
@@ -270,7 +270,7 @@ case $TYPE in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
 ####### Forward TAP2 ssh and https ######
- $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in
+ $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
 $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
@@ -296,11 +296,6 @@ case $TYPE in
 #Less noise
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
- $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
-
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap2 -j srv_dns_in
 $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -m physdev --physdev-in tap1 -j srv_dns_in
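Review bot: Dropping `-d ${BR_NET}` from the `srv_ssh_in` FORWARD rule widens it to any destination the bridge happens to send out tap2, and what `srv_ssh_in` itself restricts (port 22 only, or more) is not visible in this hunk, so its scope should be confirmed before relying on `--physdev-out tap2` as the only filter. The `srv_ssh_out` and `srv_https_in` rules next to it never had a destination match, so the new line is at least consistent with them, but neither the hunk nor the subject says why the old match failed; presumably the tap2 guest's address is outside ${BR_NET}. A one-line comment above the rule would spare the next reader the guess, e.g. `# no -d ${BR_NET}: the tap2 server is not addressed inside the bridge net (same as srv_https_in below) -- confirm`. The `case $TYPE in` arm this rule belongs to starts and ends outside the hunk.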
@@ -308,6 +303,11 @@ case $TYPE in
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap1 -j srv_dhcp
 $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_dns_in
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
+ $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
+
 ####### Output Chain ######
 $IPT -A OUTPUT -j blocker
 #Less noise
@@ -324,6 +324,8 @@ case $TYPE in
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
 $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out
+ $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d cli_ssh_out
+
 ####### PostRouting Chain ######
 #Less noise
 #$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-- 
cgit 1.4.1-2-gfad0
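Review bot: The four relocated `cli_*_in` INPUT rules now sit after the `srv_dhcp` rules but, unlike every neighbouring group in the file, carry no section comment, so the reason for their new position is lost; a header in the file's own style above the first of them, such as `####### Client replies: dns/https/git/ssh ######`, would fix that. The reorder also means a packet to ${PUB_IP} is now offered to the server-side chains first, which only matters if any of those chains terminates on a broader match than its own ports, something that cannot be checked from this hunk. The enclosing `case $TYPE in` arm starts and ends outside the hunk.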
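Review bot: The added OUTPUT rule uses `-d cli_ssh_out` where the line above it and the commit subject clearly intend `-j cli_ssh_out`; as written iptables treats `cli_ssh_out` as a destination host, so the command fails with an unresolved host (or, should a host of that name resolve, installs a target-less counting rule), and outbound ssh from the server is still not permitted. The line should read `$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out`. Unless the script aborts on a failing `$IPT` call, which is not visible here, the error only shows in the output while the rest of the ruleset loads, so it is worth a quick check that the rule actually lands. The `cli_https_out` rule just above is appended twice in the context; not introduced by this commit, but the duplicate can be dropped in passing. The enclosing `case` arm continues outside the hunk.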