+++ /dev/null
-#!/bin/sh
-exit 0
-
-REAL_PATH=$(realpath $(dirname $0))
-
-################################
-# definitions
-################################
-source $REAL_PATH/definitions
-
-
-################################
-# delete all user-defined chains of all tables
-$IPTABLES --table filter --delete-chain
-$IPTABLES --table nat --delete-chain
-$IPTABLES --table mangle --delete-chain
-$IPTABLES --table raw --delete-chain
-
-################################
-# flush all chains of all tables
-$IPTABLES --table filter --flush INPUT
-$IPTABLES --table filter --flush FORWARD
-$IPTABLES --table filter --flush OUTPUT
-$IPTABLES --table nat --flush PREROUTING
-$IPTABLES --table nat --flush INPUT
-$IPTABLES --table nat --flush OUTPUT
-$IPTABLES --table nat --flush POSTROUTING
-$IPTABLES --table mangle --flush PREROUTING
-$IPTABLES --table mangle --flush INPUT
-$IPTABLES --table mangle --flush FORWARD
-$IPTABLES --table mangle --flush OUTPUT
-$IPTABLES --table mangle --flush POSTROUTING
-$IPTABLES --table raw --flush PREROUTING
-$IPTABLES --table raw --flush OUTPUT
-
-################################
-# reset counters for all chains of all tables
-$IPTABLES --table filter --zero INPUT
-$IPTABLES --table filter --zero FORWARD
-$IPTABLES --table filter --zero OUTPUT
-$IPTABLES --table nat --zero PREROUTING
-$IPTABLES --table nat --zero INPUT
-$IPTABLES --table nat --zero OUTPUT
-$IPTABLES --table nat --zero POSTROUTING
-$IPTABLES --table mangle --zero PREROUTING
-$IPTABLES --table mangle --zero INPUT
-$IPTABLES --table mangle --zero FORWARD
-$IPTABLES --table mangle --zero OUTPUT
-$IPTABLES --table mangle --zero POSTROUTING
-$IPTABLES --table raw --zero PREROUTING
-$IPTABLES --table raw --zero OUTPUT
-
-################################
-# set the default policy for all chains of all tables
-$IPTABLES --table filter --policy INPUT DROP
-$IPTABLES --table filter --policy FORWARD DROP
-$IPTABLES --table filter --policy OUTPUT DROP
-$IPTABLES --table nat --policy PREROUTING ACCEPT
-$IPTABLES --table nat --policy INPUT ACCEPT
-$IPTABLES --table nat --policy OUTPUT ACCEPT
-$IPTABLES --table nat --policy POSTROUTING ACCEPT
-$IPTABLES --table mangle --policy PREROUTING ACCEPT
-$IPTABLES --table mangle --policy INPUT ACCEPT
-$IPTABLES --table mangle --policy FORWARD ACCEPT
-$IPTABLES --table mangle --policy OUTPUT ACCEPT
-$IPTABLES --table mangle --policy POSTROUTING ACCEPT
-$IPTABLES --table raw --policy PREROUTING ACCEPT
-$IPTABLES --table raw --policy OUTPUT ACCEPT
+++ /dev/null
-#!/bin/sh
-exit 0
-
-REAL_PATH=$(realpath $(dirname $0))
-
-################################
-# definitions
-################################
-source $REAL_PATH/definitions
-
-
-################################
-# nat PREROUTING rules
-# dnat ssh, smtp, imap and rsync packets
-# from the usr, sr and in networks
-# to the perimeter service host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "ssh, smtp, imap, rsync -> svc.pm" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --destination $PUBLIC_IP_202 \
- --match multiport \
- --destination-ports 22,25,143,873 \
- --jump DNAT --to-destination $SVC_PERIMETER_IP
-# dnat http and https packets
-# from the usr, sr and in networks
-# to the perimeter web server host
-$IPTABLES --table nat --append PREROUTING \
- --match comment \
- --comment "http(s) -> ws.pm" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --destination $PUBLIC_IP_202 \
- --match multiport \
- --destination-ports 80,443 \
- --jump DNAT --to-destination $WS_PERIMETER_IP
-
-################################
-# filter INPUT rules
-# allow dns packets
-# from the internal svc host
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "dns replies <- svc" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol udp \
- --in-interface $INTERNAL_IF \
- --source $SVC_INTERNAL_IP \
- --source-port 53 \
- --destination $IFG_USR_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# allow ssh packets
-# from the usr, sr, in and vpn networks
-$IPTABLES --table filter --append INPUT \
- --match comment \
- --comment "ssh <- usr, sr, in, vpn networks" \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
- --source-port 1024:65535 \
- --destination $IFG_USR_IP \
- --destination-port 22 \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append INPUT \
- --in-interface $LOOPBACK_IF \
- --source $LOOPBACK_IP \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-# allow icmp packets
-# from anywhere
-$IPTABLES --table filter --append INPUT \
- --protocol icmp \
- --jump ACCEPT
-
-################################
-# filter FORWARD rules
-# forward packets
-# of established sessions
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "established sessions -> internal networks" \
- --match conntrack \
- --ctstate ESTABLISHED,RELATED \
- --in-interface $PERIMETER_IF \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward packets
-# from the usr, sr and in networks
-# to the internet
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "usr network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $USR_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "sr network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $SR_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "in network -> internet" \
- --in-interface $INTERNAL_IF \
- --source $IN_NET \
- --out-interface $PERIMETER_IF \
- ! --destination $PERIMETER_NET \
- --jump ACCEPT
-# forward ssh, smtp, imap and rsync requests
-# from the usr, sr and in networks
-# to the perimeter service host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $SVC_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,25,143,873 \
- --jump ACCEPT
-# forward ssh, http and https requests
-# from the usr, sr and in networks
-# to the perimeter web server host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,80,443 \
- --jump ACCEPT
-# forward ssh, http, https and rsync requests
-# from the usr, sr and in networks
-# to the perimeter subversion host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $SVN_PERIMETER_IP \
- --match multiport \
- --destination-ports 22,80,443,873 \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server host
-# to the internal store host
-#$IPTABLES --table filter --append FORWARD \
-# --protocol tcp \
-# --in-interface $PERIMETER_IF \
-# --source $WS_PERIMETER_IP \
-# --source-port 1024:65535 \
-# --out-interface $INTERNAL_IF \
-# --destination $STORE_INTERNAL_IP \
-# --destination-port 80 \
-# --jump ACCEPT
-# forward http replies
-# from the internal store host
-# to the perimeter web server host
-#$IPTABLES --table filter --append FORWARD \
-# --match conntrack \
-# --ctstate ESTABLISHED \
-# --protocol tcp \
-# --in-interface $INTERNAL_IF \
-# --source $STORE_INTERNAL_IP \
-# --source-port 80 \
-# --out-interface $PERIMETER_IF \
-# --destination $WS_PERIMETER_IP \
-# --destination-port 1024:65535 \
-# --jump ACCEPT
-# forward dns zone notify messages
-# from the internal primary name server host
-# to the perimeter external/perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns notify -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate NEW \
- --protocol udp \
- --in-interface $INTERNAL_IF \
- --source $PNS_INTERNAL_IP \
- --source-port 1024:65535 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns zone transfer requests
-# from the perimeter external/perimeter name server hosts
-# to the internal primary name server host
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns xfr -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate NEW \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --source-port 1024:65535 \
- --out-interface $INTERNAL_IF \
- --destination $PNS_INTERNAL_IP \
- --destination-port 53 \
- --jump ACCEPT
-# forward dns zone transfer replies
-# from the internal primary name server host
-# to the perimeter external/perimeter name server hosts
-$IPTABLES --table filter --append FORWARD \
- --match comment \
- --comment "dns xfr -> ens.pm, pns.pm" \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $PNS_INTERNAL_IP \
- --source-port 53 \
- --out-interface $PERIMETER_IF \
- --destination ${ENS_PERIMETER_IP},$PNS_PERIMETER_IP \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# forward openvpn packets
-# from the internet
-# to the internal vpn host
-$IPTABLES --table filter --append FORWARD \
- --protocol udp \
- --in-interface $PERIMETER_IF \
- ! --source $PERIMETER_NET \
- --out-interface $INTERNAL_IF \
- --destination $VPN_INTERNAL_IP \
- --destination-port 1194 \
- --jump ACCEPT
-# forward packets
-# from the usr network
-# to the sr, in, vpn and peep-bo networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $USR_NET \
- --out-interface $INTERNAL_IF \
- --destination ${SR_NET},${IN_NET},${VPN_NET},$PEEP_BO_NET \
- --jump ACCEPT
-# forward packets
-# from the sr network
-# to the usr, in and vpn networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $SR_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${IN_NET},$VPN_NET \
- --jump ACCEPT
-# forward packets
-# from the in network
-# to the usr, sr and vpn networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $IN_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$VPN_NET \
- --jump ACCEPT
-# forward packets
-# from the vpn network
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $VPN_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward packets
-# from the peep-bo network
-# to the usr, sr and in networks
-$IPTABLES --table filter --append FORWARD \
- --in-interface $INTERNAL_IF \
- --source $PEEP_BO_NET \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},$IN_NET \
- --jump ACCEPT
-# forward ssh packets
-# from the usr, sr and in networks
-# to the external firewall/gateway host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source ${USR_NET},${SR_NET},$IN_NET \
- --out-interface $PERIMETER_IF \
- --destination $EFG_PERIMETER_IP \
- --destination-port 22 \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the dvredmine host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $DVREDMINE_INTERNAL_IP \
- --destination-port 80 \
- --jump ACCEPT
-# forward http replies
-# from the dvredmine host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $DVREDMINE_INTERNAL_IP \
- --source-port 80 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the minicrm host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $MINICRM_INTERNAL_IP \
- --destination-port 8080 \
- --jump ACCEPT
-# forward http replies
-# from the minicrm host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $MINICRM_INTERNAL_IP \
- --source-port 8080 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward http requests
-# from the perimeter web server
-# to the workstation host
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $PERIMETER_IF \
- --source $WS_PERIMETER_IP \
- --out-interface $INTERNAL_IF \
- --destination $WORKSHEET_SR_IP \
- --destination-port 8079 \
- --jump ACCEPT
-# forward http replies
-# from the workstation host
-# to the perimeter web server
-$IPTABLES --table filter --append FORWARD \
- --protocol tcp \
- --in-interface $INTERNAL_IF \
- --source $WORKSHEET_SR_IP \
- --source-port 8079 \
- --out-interface $PERIMETER_IF \
- --destination $WS_PERIMETER_IP \
- --jump ACCEPT
-# forward icmp packets
-# from anywhere
-# to anywhere
-$IPTABLES --table filter --append FORWARD \
- --protocol icmp \
- --jump ACCEPT
-
-################################
-# filter OUTPUT rules
-# allow dns requests
-# to the internal svc host
-$IPTABLES --table filter --append OUTPUT \
- --match comment \
- --comment "dns requests -> svc" \
- --match conntrack \
- --ctstate NEW \
- --protocol udp \
- --source $IFG_USR_IP \
- --out-interface $INTERNAL_IF \
- --destination $SVC_INTERNAL_IP \
- --destination-port 53 \
- --jump ACCEPT
-# allow ssh packets
-# of established sessions
-# to the usr, sr, in and vpn networks
-$IPTABLES --table filter --append OUTPUT \
- --match conntrack \
- --ctstate ESTABLISHED \
- --protocol tcp \
- --source $IFG_USR_IP \
- --source-port 22 \
- --out-interface $INTERNAL_IF \
- --destination ${USR_NET},${SR_NET},${IN_NET},$VPN_NET \
- --destination-port 1024:65535 \
- --jump ACCEPT
-# allow packets
-# from the loopback address
-# to the loopback address
-$IPTABLES --table filter --append OUTPUT \
- --source $LOOPBACK_IP \
- --out-interface $LOOPBACK_IF \
- --destination $LOOPBACK_IP \
- --jump ACCEPT
-# allow icmp packets
-# to anywhere
-$IPTABLES --table filter --append OUTPUT \
- --protocol icmp \
- --jump ACCEPT
https://git.useribm.hu / user-lxc.git / commitdiff