ipt-nat_core.v4 +9 −20 @@ -6,6 +6,10 @@ # Purpose: To bring up a robust firewall at bootup. int_if="enp0s9" ext_if="enp0s8" # 'Cleanup and reset' /sbin/iptables -F /sbin/iptables -X @@ -34,10 +38,6 @@ /sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP #/sbin/iptables -I INPUT -m set --match-set block src -j DROP #/sbin/iptables -I INPUT -m set --match-set ipdeny src -j DROP #/sbin/iptables -I INPUT -m set --match-set fullbogons-ipv4 src -j DROP # -- NEW -- /sbin/iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j DROP @@ -59,10 +59,9 @@ # -- ! NEW -- /sbin/iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #/sbin/iptables -A INPUT -i enp0s9 -p udp --dport 67 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT /sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT
@@ -72,26 +71,16 @@ /sbin/iptables -A OUTPUT -p icmp -j ACCEPT #/sbin/iptables -A OUTPUT -p udp -o enp0s9 --sport 67 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 22 -j ACCEPT #/sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT /sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT # 'FORWARD' #/sbin/iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT #/sbin/iptables -A FORWARD -j fw-interfaces #/sbin/iptables -A FORWARD -j fw-open #/sbin/iptables -A FORWARD -j DROP #/sbin/iptables -A fw-interfaces -i enp0s9 -j ACCEPT #/sbin/iptables -t nat -A POSTROUTING -s 192.168.232.0/24 -o enp0s8 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE /sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT /sbin/iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT # 'PREROUTING' /sbin/iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
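Review bot: The new MASQUERADE rule `/sbin/iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE` in the last hunk keeps the unscoped form and drops the source-network match that the commented-out predecessor carried (`-s 192.168.232.0/24`), so anything forwarded out `$ext_if` is NATed regardless of origin; consider reinstating `-s <internal-subnet>` (or an `int_net` variable beside `int_if`/`ext_if` in the first hunk) so the FORWARD accept and the NAT rule agree on what is being routed. The two expansions should also be quoted, `-o "$ext_if"` and `-i "$int_if" -o "$ext_if"`, and guarded with `: "${int_if:?}" "${ext_if:?}"` right after the assignments, so an unset or empty interface name aborts the script instead of reaching an iptables invocation with a missing argument. With the +/- markers lost in this rendering, the swap between `--sport 22` and `--dport 22` in the INPUT and OUTPUT SSH rules cannot be read reliably as old versus new; a one-line comment above those rules stating the intended role, e.g. `# SSH: this host is the server (accept inbound 22, reply from sport 22)`, would make the intent checkable. The same file section is rendered twice on this page; this note covers both copies.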
ipt-nat_core.v4 +9 −20 @@ -6,6 +6,10 @@ # Purpose: To bring up a robust firewall at bootup. int_if="enp0s9" ext_if="enp0s8" # 'Cleanup and reset' /sbin/iptables -F /sbin/iptables -X @@ -34,10 +38,6 @@ /sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP #/sbin/iptables -I INPUT -m set --match-set block src -j DROP #/sbin/iptables -I INPUT -m set --match-set ipdeny src -j DROP #/sbin/iptables -I INPUT -m set --match-set fullbogons-ipv4 src -j DROP # -- NEW -- /sbin/iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j DROP @@ -59,10 +59,9 @@ # -- ! NEW -- /sbin/iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT #/sbin/iptables -A INPUT -i enp0s9 -p udp --dport 67 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT /sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT
@@ -72,26 +71,16 @@ /sbin/iptables -A OUTPUT -p icmp -j ACCEPT #/sbin/iptables -A OUTPUT -p udp -o enp0s9 --sport 67 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 22 -j ACCEPT #/sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT /sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT # 'FORWARD' #/sbin/iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT #/sbin/iptables -A FORWARD -j fw-interfaces #/sbin/iptables -A FORWARD -j fw-open #/sbin/iptables -A FORWARD -j DROP #/sbin/iptables -A fw-interfaces -i enp0s9 -j ACCEPT #/sbin/iptables -t nat -A POSTROUTING -s 192.168.232.0/24 -o enp0s8 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE /sbin/iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE /sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT /sbin/iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT # 'PREROUTING' /sbin/iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP