+++ /dev/null
-#!/bin/sh
-exit 0
-#set -x
-
-
-REAL_PATH=$(realpath $(dirname $0))
-
-################################
-# definitions
-################################
-source $REAL_PATH/definitions
-
-
-################################
-# nat PREROUTING rules
-# dnat openvpn packets
-# from the internet
-# to the internal vpn host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "openvpn -> internal vpn host" \
- --protocol udp \
- --in-interface $EXTERNAL_IF_STATIC \
- --destination $PUBLIC_IP_202 \
- --destination-port 1194 \
- --jump DNAT --to-destination $VPN_INTERNAL_IP
-# dnat smtp packets
-# from the internet
-# to the perimeter svc host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "smtp -> perimeter service host" \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --destination $PUBLIC_IP_202 \
- --destination-port 25 \
- --jump DNAT --to-destination $SVC_PERIMETER_IP
-# dnat dns packets
-# from the internet
-# to the perimeter external name server host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "dns (udp) -> perimeter name server host" \
- --protocol udp \
- --in-interface $EXTERNAL_IF_STATIC \
- --destination $PUBLIC_IP_202 \
- --destination-port 53 \
- --jump DNAT --to-destination $ENS_PERIMETER_IP
-# dnat dns packets
-# from the internet
-# to the perimeter external name server host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "dns (tcp) -> perimeter name server host" \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --destination $PUBLIC_IP_202 \
- --destination-port 53 \
- --jump DNAT --to-destination $ENS_PERIMETER_IP
-# dnat http and https packets
-# from the internet
-# to the perimeter web server host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "http, https -> perimeter www host" \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --destination $PUBLIC_IP_202 \
- --match multiport \
- --destination-ports 80,443 \
- --jump DNAT --to-destination $WS_PERIMETER_IP
-## dnat http and https packets
-## from the internet
-## to the perimeter whmcs host
-#$IPTABLES --table nat --append PREROUTING \
-# --match comment \
-# --comment "http, https -> perimeter whmcs host" \
-# --protocol tcp \
-# --in-interface $EXTERNAL_IF_194 \
-# --destination $PUBLIC_IP \
-# --match multiport \
-# --destination-ports 80,443 \
-# --jump DNAT --to-destination $WHMCS_PERIMETER_IP
-
-################################
-# filter INPUT rules
-# allow dns replies
-# from the perimeter ns host
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "dns replies <- pns.pm" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol udp \
- --in-interface $PERIMETER_IF \
- --source $PNS_PERIMETER_IP \
- --source-port 53 \
- --destination $EFG_PERIMETER_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# allow ssh packets
-# from the usr, sr and in networks
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "ssh from the usr, sr and in networks" \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --source-port 1024:65535 \
- --destination $EFG_PERIMETER_IP \
- --destination-port 22 \
- --jump ACCEPT
-# allow icmp packets
-# from anywhere
-$IPTABLES --table filter --append INPUT \
- --protocol icmp \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append INPUT \
- --in-interface $LOOPBACK_IF \
- --source $LOOPBACK_IP \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-
-################################
-# filter FORWARD rules
-# forward packets
-# of established sessions
-# from the internet
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "established sessions to the usr, sr and in networks" \
- --match conntrack \
- --ctstate ESTABLISHED,RELATED \
- --in-interface ${EXTERNAL_IF_PREFIX}+ \
- --out-interface $PERIMETER_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward packets
-# from the usr, sr and in networks
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "from the usr, sr and in networks" \
- --in-interface $PERIMETER_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface ${EXTERNAL_IF_PREFIX}+ \
- --jump ACCEPT
-# forward openvpn packets
-# from the internet
-# to the internal vpn host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "openvpn -> internal openvpn host" \
- --protocol udp \
- --in-interface $EXTERNAL_IF_STATIC \
- --out-interface $PERIMETER_IF \
- --destination $VPN_INTERNAL_IP \
- --destination-port 1194 \
- --jump ACCEPT
-# forward http and https requests
-# from the internet
-# to the perimeter web server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "http, https -> perimeter web server host" \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --match multiport \
- --destination-ports 80,443 \
- --jump ACCEPT
-# forward http and https replies
-# of established sessions
-# from the perimeter web server host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "perimeter web server host http, https replies" \
- --protocol tcp \
- --match conntrack \
- --ctstate ESTABLISHED \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --match multiport \
- --source-ports 80,443 \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump ACCEPT
-# forward dns requests and notifications
-# from the internet
-# to the external name server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns requests from internet (udp) -> ens.pm" \
- --protocol udp \
- --in-interface $EXTERNAL_IF_STATIC \
- --source-port 1024:65535 \
- --out-interface $PERIMETER_IF \
- --destination $ENS_PERIMETER_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns replies
-# from the external name server host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns replies from ens.pm (udp) -> internet" \
- --match conntrack \
- --ctstate ESTABLISHED,RELATED \
- --protocol udp \
- --in-interface $PERIMETER_IF \
- --source $ENS_PERIMETER_IP \
- --source-port 53 \
- --out-interface $EXTERNAL_IF_STATIC \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward dns requests
-# from the external and perimeter name server hosts
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns requests from (e|p)ns.pm (udp) -> internet" \
- --protocol udp \
- --in-interface $PERIMETER_IF \
- --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --source-port 1024:65535 \
- --out-interface $EXTERNAL_IF_STATIC \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns replies
-# from the internet
-# to the external and perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns replies (udp) -> (e|p)ns.pm" \
- --match conntrack \
- --ctstate ESTABLISHED,RELATED \
- --protocol udp \
- --in-interface $EXTERNAL_IF_STATIC \
- --source-port 53 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward dns requests
-# from the internet
-# to the external name server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns requests (tcp) -> ens.pm" \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --source-port 1024:65535 \
- --out-interface $PERIMETER_IF \
- --destination $ENS_PERIMETER_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns replies
-# of established sessions
-# from the external name server host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns replies from ens.pm (tcp) -> internet" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $ENS_PERIMETER_IP \
- --source-port 53 \
- --out-interface $EXTERNAL_IF_STATIC \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward dns requests
-# from the external and perimeter name server hosts
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns requests from (e|p)ns.pm -> internet" \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --source-port 1024:65535 \
- --out-interface $EXTERNAL_IF_STATIC \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns replies
-# of established sessions
-# from the internet
-# to the external and perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns replies (tcp) -> (e|p)ns.pm" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --in-interface $EXTERNAL_IF_STATIC \
- --source-port 53 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward smtp, dns, http and https requests
-# from the perimeter svc host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $SVC_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --destination-ports 25,53,80,443 \
- --jump ACCEPT
-# forward smtp, dns, http and https replies
-# of established sessions
-# from the internet
-# to the perimeter svc host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --match conntrack \
- --ctstate ESTABLISHED \
- --in-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --source-ports 25,53,80,443 \
- --out-interface $PERIMETER_IF \
- --destination $SVC_PERIMETER_IP \
- --jump ACCEPT
-# forward smtp, http and https requests
-# from the perimeter web server host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "perimeter ws host smtp, http, https requests (let's encrypt)" \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --destination-ports 25,80,443 \
- --jump ACCEPT
-# forward smtp, http and https replies
-# of established sessions
-# from the internet
-# to the perimeter web server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "perimeter ws host smtp, http, https replies (let's encrypt)" \
- --protocol tcp \
- --match conntrack \
- --ctstate ESTABLISHED \
- --in-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --source-ports 25,80,443 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward http and https requests
-# from the perimeter whmcs host
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "perimeter whmcs host http, https requests (let's encrypt)" \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WHMCS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --destination-ports 80,443 \
- --jump ACCEPT
-# forward http and https replies
-# of established sessions
-# from the internet
-# to the perimeter whmcs host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "perimeter whmcs host http, https replies (let's encrypt)" \
- --protocol tcp \
- --match conntrack \
- --ctstate ESTABLISHED \
- --in-interface $EXTERNAL_IF_STATIC \
- --match multiport \
- --source-ports 80,443 \
- --out-interface $PERIMETER_IF \
- --destination $WHMCS_PERIMETER_IP \
- --jump ACCEPT
-# forward icmp packets
-# from anywhere
-# to anywhere
-$IPTABLES --table filter --append FORWARD \
- --protocol icmp \
- --jump ACCEPT
-
-################################
-# filter OUTPUT rules
-# allow dns requests
-# to the perimeter name server host
-$IPTABLES --table filter --append OUTPUT \
- --match comment \
- --comment "dns requests -> pns.pm" \
- --match conntrack \
- --ctstate NEW \
- --protocol udp \
- --source $EFG_PERIMETER_IP \
- --source-port 1024:65535 \
- --out-interface $PERIMETER_IF \
- --destination $PNS_PERIMETER_IP \
- --destination-port 53 \
- --jump ACCEPT
-# allow ssh packets
-# of established sessions
-# to the usr, sr and in networks
-$IPTABLES --table filter --append OUTPUT \
- --protocol tcp \
- --match conntrack \
- --ctstate ESTABLISHED \
- --source $EFG_PERIMETER_IP \
- --source-port 22 \
- --out-interface $PERIMETER_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# allow icmp packets
-# to anywhere
-$IPTABLES --table filter --append OUTPUT \
- --protocol icmp \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append OUTPUT \
- --source $LOOPBACK_IP \
- --out-interface $LOOPBACK_IF \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-
-################################
-# nat POSTROUTING rules
-# snat packets
-# from the usr, sr and in networks
-$IPTABLES --table nat --append POSTROUTING \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $EXTERNAL_IF_DYNAMIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the usr, sr and in networks
-$IPTABLES --table nat --append POSTROUTING \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the perimeter svc host
-$IPTABLES --table nat --append POSTROUTING \
- --source $SVC_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the perimeter web server host
-$IPTABLES --table nat --append POSTROUTING \
- --source $WS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the perimeter whmcs host
-$IPTABLES --table nat --append POSTROUTING \
- --source $WHMCS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the perimeter name server host (perimeter network)
-$IPTABLES --table nat --append POSTROUTING \
- --source $PNS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
-# snat packets
-# from the external name server host (perimeter network)
-$IPTABLES --table nat --append POSTROUTING \
- --source $ENS_PERIMETER_IP \
- --out-interface $EXTERNAL_IF_STATIC \
- --jump SNAT --to-source $PUBLIC_IP_202
+++ /dev/null
-################################
-# iptables command
-################################
-IPTABLES=/sbin/iptables
-
-################################
-# interfaces
-################################
-
-# external interfaces
-EXTERNAL_IF_PREFIX=efg
-EXTERNAL_IF_DYNAMIC=${EXTERNAL_IF_PREFIX}d
-EXTERNAL_IF_STATIC=${EXTERNAL_IF_PREFIX}s
-
-# loopback interface
-LOOPBACK_IF=lo
-
-# perimeter interface
-PERIMETER_IF=eth0
-
-################################
-# addresses
-################################
-
-# loopback address
-LOOPBACK_IP=127.0.0.1
-
-# public address
-PUBLIC_IP_194=84.2.25.194
-PUBLIC_IP_195=84.2.25.195
-PUBLIC_IP_196=84.2.25.196
-PUBLIC_IP_197=84.2.25.197
-PUBLIC_IP_198=84.2.25.198
-PUBLIC_IP_199=84.2.25.199
-PUBLIC_IP_200=84.2.25.200
-PUBLIC_IP_201=84.2.25.201
-PUBLIC_IP_202=84.2.25.202
-PUBLIC_IP_203=84.2.25.203
-PUBLIC_IP_204=84.2.25.204
-PUBLIC_IP_205=84.2.25.205
-PUBLIC_IP_206=84.2.25.206
-
-PUBLIC_IP_146=194.149.40.146
-PUBLIC_IP_147=194.149.40.147
-PUBLIC_IP_148=194.149.40.148
-PUBLIC_IP_149=194.149.40.149
-PUBLIC_IP_150=194.149.40.150
-PUBLIC_IP_151=194.149.40.151
-PUBLIC_IP_152=194.149.40.152
-PUBLIC_IP_153=194.149.40.153
-PUBLIC_IP_154=194.149.40.154
-PUBLIC_IP_155=194.149.40.155
-PUBLIC_IP_156=194.149.40.156
-PUBLIC_IP_157=194.149.40.157
-PUBLIC_IP_158=194.149.40.158
-
-# modem management addresses
-DYNAMIC_MANAGEMENT_IP=192.168.65.1
-STATIC_MANAGEMENT_IP=192.168.210.1
-
-# modem/gateway addresses
-DYNAMIC_GATEWAY_IP=192.168.65.254
-STATIC_GATEWAY_IP=84.2.25.193
-
-# efg address (perimeter network)
-EFG_PERIMETER_IP=192.168.173.254
-
-# service address (perimeter network)
-SVC_PERIMETER_IP=192.168.173.253
-
-# transfer server address (perimeter network)
-XFR_PERIMETER_IP=192.168.173.251
-
-# whmcs server address (perimeter network)
-WHMCS_PERIMETER_IP=192.168.173.250
-
-# web server address (perimeter network)
-WS_PERIMETER_IP=192.168.173.249
-
-# subversion address (perimeter network)
-SVN_PERIMETER_IP=192.168.173.249
-
-# perimeter name server address (perimeter network)
-PNS_PERIMETER_IP=192.168.173.174
-
-# external name server address (perimeter network)
-ENS_PERIMETER_IP=192.168.173.64
-
-# ifg address (perimeter network)
-IFG_PERIMETER_IP=192.168.173.1
-
-# ipg addresses (internal network)
-IFG_USR_IP=10.228.109.254
-IFG_SR_IP=192.168.42.254
-IFG_IN_IP=192.168.43.254
-
-# service address (internal network)
-SVC_INTERNAL_IP=10.228.109.253
-
-# vpn address (internal network)
-VPN_INTERNAL_IP=10.228.109.236
-
-################################
-# networks
-################################
-
-# internal networks
-USR_NET=10.228.0.0/16
-SR_NET=192.168.42.0/24
-IN_NET=192.168.43.0/24
-
-# perimeter network
-PERIMETER_NET=192.168.173.0/24
-
-# vpn client network
-VPN_NET=172.16.223.0/24
https://git.useribm.hu / user-lxc.git / commitdiff