about summary refs log tree commit diff stats
path: root/core/conf/iptables/ipt-bridge.sh
blob: 6ad26fa5731ae27ee85b081fbbae59f5fb3d8ca6 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

#!/bin/bash

echo "setting bridge ${BR_IF} network..."
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited on loopback
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT

####### NAT Prerouting Chain  ######
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53
$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443
#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: "

####### Forward Chain  ######
$IPT -A FORWARD -j blocker
$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT

# Allow access from bridge to gateway wifi interface
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out

#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in
#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out
$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out

# allow output from BR_NET to external
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT

# allow input from public bridged interface facing Internet 
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in

######## Forward TAP2 ssh, http and https  ######
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out
#
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out

$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out


#Less noise
$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF}  -p udp --dport 519 --sport 520 -j DROP


#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT
#
#
# Tap1
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out
#
#
## Tap3
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in
#
#
# Tap1, Tap2 and Tap3 can access external https

#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out
#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in



#
#        #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip
#
#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp
#        $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp

#
####### Input Chain ######
$IPT -A INPUT -j blocker
#Less noise
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp  --sport 3030 --dport 1024:65535 -j DROP
$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 137 --dport 137 -j DROP
$IPT -A INPUT -i ${WIFI_IF} -p udp  --sport 138 --dport 138 -j DROP

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in
$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in
  
$IPT -A INPUT -i ${BR_IF} -j srv_dhcp
$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP}  -j srv_dhcp

$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in
$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in
$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in

$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in
$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in

####### Output Chain ######
$IPT -A OUTPUT -j blocker

#Less noise
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out

$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out
$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out


$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out
$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out
$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out

$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out
$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out

#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_ssh_out

####### PostRouting Chain ######
#Less noise
#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT

$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE

#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: "
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-05 22:36:54 +0000