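#!/bin/bash
# Bridge-mode iptables policy.
#
# Loads the shared variables (ipt-conf.sh) and user chains (ipt-firewall.sh),
# then wires traffic classes on the bridge ${BR_IF} into those chains. The
# per-service accept/deny decisions live in the srv_*/cli_*, blocker and
# ipt_log chains, which are defined in ipt-firewall.sh and are not visible
# here; this file only decides which traffic is handed to which chain.
#
# Required from ipt-conf.sh: IPT, BR_IF, BR_NET, PUB_IF, PUB_IP, DNS.
# Optional:
#   SRV_IP        bridged server reachable from ${PUB_IF}   (default 10.0.0.4)
#   SSH_TAP_IF    bridge port allowed to SSH into this host (default tap3)
#   IPT_SAVE_FILE where the resulting ruleset is dumped     (default bridge.v4)
#
# NOTE(review): the -m physdev rules below only see bridged frames when the
# bridge hands IP traffic to iptables (br_netfilter loaded and
# net.bridge.bridge-nf-call-iptables=1). Without that they never match and
# the intended restrictions silently do not apply — confirm on the target host.

# Abort on the first failing rule rather than continue and leave a partial
# policy behind. Whether a partial policy fails closed depends on the default
# chain policies set by ipt_tables (in ipt-firewall.sh, not visible here).
set -euo pipefail

echo "setting bridge network..."

# Resolve the helper scripts relative to this file, not the caller's cwd, so
# an invocation from cron/systemd/another directory cannot skip the config.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=ipt-conf.sh
source "${script_dir}/ipt-conf.sh"
# shellcheck source=ipt-firewall.sh
source "${script_dir}/ipt-firewall.sh"

# Fail fast if the config left a variable unset. An unquoted empty ${BR_NET}
# would make iptables reject the rule ("-s requires an argument") and, without
# the check, that scoped rule would simply be missing from the final policy.
: "${IPT:?ipt-conf.sh must set IPT}" "${BR_IF:?}" "${BR_NET:?}" \
  "${PUB_IF:?}" "${PUB_IP:?}" "${DNS:?}"
SRV_IP=${SRV_IP:-10.0.0.4}
SSH_TAP_IF=${SSH_TAP_IF:-tap3}
IPT_SAVE_FILE=${IPT_SAVE_FILE:-bridge.v4}

ipt_clear
ipt_tables

######## Loopback: unrestricted for 127/8 and for the host's own public IP ######
"$IPT" -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
"$IPT" -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
"$IPT" -A INPUT  -i lo -s "$PUB_IP" -d "$PUB_IP" -j ACCEPT
"$IPT" -A OUTPUT -o lo -s "$PUB_IP" -d "$PUB_IP" -j ACCEPT

######## NAT Prerouting Chain (currently no active rules) ######
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

######## Forward Chain ######
#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

## Bridge-local traffic: allow everything inside BR_NET.
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -s "$BR_NET" -d "$BR_NET" -j ACCEPT

## DHCP discovery/request broadcasts between bridge ports.
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp

## Allow access from bridge to gateway wifi interface (disabled)
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out
##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out

## Outbound: anything sourced from BR_NET may leave the bridge.
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -s "$BR_NET" -j ACCEPT

## Inbound from the public bridge port, scoped by physdev so only frames that
## actually entered via ${PUB_IF} are subject to these rules.
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -s "$DNS" -d "$PUB_IP" -j cli_dns_in
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -d "$SRV_IP" -j srv_http_in
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -d "$SRV_IP" -j srv_https_in
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -d "$SRV_IP" -j srv_ssh_in
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -d "$SRV_IP" -j srv_git_in

## Return traffic for HTTPS connections opened from the bridge. This must be
## tied to connection state: a stateless "--sport 443 --dport 1024:65535 ACCEPT"
## lets any external host reach every port >= 1024 on every bridge host simply
## by choosing source port 443 for its own connection attempts.
"$IPT" -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$PUB_IF" \
  -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

##Less noise
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP

######## Input Chain ######
## Blocklist first so nothing below can accept a blocked source.
"$IPT" -A INPUT -j blocker

##Less noise: drop (unlogged) replies from tcp/3030 before they reach ipt_log.
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -p tcp --sport 3030 --dport 1024:65535 -j DROP
#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT
#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j ACCEPT
#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j ACCEPT

## Services this host offers to the bridge network.
"$IPT" -A INPUT -i "$BR_IF" -j srv_dhcp
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -s "$BR_NET" -j srv_dns_in
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -s "$BR_NET" -j srv_icmp

## Replies to this host's own client traffic.
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -s "$DNS" -j cli_dns_in
# NOTE(review): the three cli_*_in jumps below carry no -s or physdev scope, so
# any bridge port (including ${PUB_IF}) reaches those chains; whether that is
# safe depends on the chains matching only ESTABLISHED traffic — confirm in
# ipt-firewall.sh.
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -j cli_https_in
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -j cli_git_in
"$IPT" -A INPUT -i "$BR_IF" -d "$PUB_IP" -j cli_ssh_in

## SSH into this host is only offered on one bridge port.
"$IPT" -A INPUT -i "$BR_IF" -m physdev --physdev-in "$SSH_TAP_IF" -d "$PUB_IP" -j srv_ssh_in
#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp
#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp
#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in
## PXE server (disabled)
#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT
#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT

######## Output Chain ######
##Less noise: mirror of the INPUT 3030 drop.
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -p tcp --dport 3030 --sport 1024:65535 -j DROP

## Server-side replies toward the bridge network.
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j srv_dhcp
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j srv_dns_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j srv_ssh_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -j srv_git_out
"$IPT" -A OUTPUT -o "$BR_IF" -j srv_icmp
#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp

## This host's own client traffic.
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$DNS" -j cli_dns_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j cli_ssh_out
# The two -d ${BR_NET} jumps below are subsumed by the unscoped cli_git_out /
# cli_http_out jumps that follow; kept only to preserve the original chain
# traversal order.
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j cli_git_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -d "$BR_NET" -j cli_http_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -j cli_https_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -j cli_git_out
"$IPT" -A OUTPUT -o "$BR_IF" -s "$PUB_IP" -j cli_http_out
#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out
#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp
## PXE Server (disabled)
#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT

######## PostRouting Chain (currently no active rules) ######
##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE
##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "

## Log everything that fell through the rules above, then drop it.
ipt_log

## Persist the resulting ruleset (for iptables-restore / review).
iptables-save > "$IPT_SAVE_FILE"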