Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
jeremy
/
HON95-wiki
kopia lustrzana https://github.com/HON95/wiki
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: 1ad5a38e98
Gałęzie Tagi
HON95-wiki
/
config
/
linux-server
/
files
/
iptables
/
iptables-complex.sh

iptables-complex.sh 18 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557 
  1. #!/bin/bash
    2. 

  2. 

  3. # Firewall script for XXX.
    4. 

  4. #
    5. 

  5. # General notes:
    6. 

  6. # - ISC DHCP server uses raw sockets for DHCPv4, which bypasses the firewall.
    7. 

  7. # - DHCP responses from a server counts as established/related,
    8. 

  8. #   so responses from WAN DHCP servers with private addresses are not blocked.
    9. 

  9. # - Linux with bridge-netfilter may filter bridged traffic, meaning bridge-internal
    10. 

  10. #   traffic passes through IPTables, therefore packets forwarded from and to
    11. 

  11. #   the same bridge subnet must be accepted for bridged devices to communicate.
    12. 

  12. #
    13. 

  13. # Notes about this network and script:
    14. 

  14. # - All policies are set to DROP while updating the rules,
    15. 

  15. #   to prevent both unauthorized access (ACCEPT) and disconnects (REJECT).
    16. 

  16. # - External traffic is bogon filtered.
    17. 

  17. # - Internal traffic is source verified.
    18. 

  18. # - Both IPv4 and IPv6 is NATed.
    19. 

  19. # - Automatic rules and chains, e.g. from Docker and Fail2Ban, will be removed when this script is run.
    20. 

  20. 

  21. ################################################################################
    22. 

  22. 

  23. set -eu
    24. 

  24. 

  25. ### Config
    26. 

  26. 

  27. # Network subnets used to verify source
    28. 

  28. NET_LAN_SUPER=(     [4]="10.0.0.0/16"      [6]="fd00:0:0::0/48"      )
    29. 

  29. NET_CORE_MGMT=(     [4]="10.0.10.0/24"     [6]="fd00:0:0:a::0/64"    )
    30. 

  30. NET_PERF_MGMT=(     [4]="10.0.11.0/24"     [6]="fd00:0:0:b::0/64"    )
    31. 

  31. NET_APPS=(          [4]="10.0.30.0/24"     [6]="fd00:0:0:1e::0/64"   )
    32. 

  32. NET_USERS=(         [4]="10.0.100.0/24"    [6]="fd00:0:0:64::0/64"   )
    33. 

  33. NET_GUESTS=(        [4]="10.0.101.0/24"    [6]="fd00:0:0:65::0/64"   )
    34. 

  34. NET_ADMINS=(        [4]="10.0.102.0/24"    [6]="fd00:0:0:66::0/64"   )
    35. 

  35. 

  36. IF_WAN="enp0s0"
    37. 

  37. IF_CORE_MGMT="enp0s0"
    38. 

  38. IF_PERF_MGMT="enp0s0"
    39. 

  39. IF_APPS="enp0s0"
    40. 

  40. IF_USERS="enp0s0"
    41. 

  41. IF_GUESTS="enp0s0"
    42. 

  42. IF_ADMINS="enp0s0"
    43. 

  43. 

  44. HOST_UNIFI=(    [4]="10.0.30.7"    [6]="fd00:0:0:1e::7"   )
    45. 

  45. 

  46. IPT4="iptables"
    47. 

  47. IPT6="ip6tables"
    48. 

  48. IPT_SAVE="netfilter-persistent"
    49. 

  49. 

  50. ################################################################################
    51. 

  51. 

  52. ### Helper structures
    53. 

  53. 

  54. find_cmd() {
    55. 

  55.     set +e
    56. 

  56.     val=$(which $1)
    57. 

  57.     if [ -z "$val" ]; then
    58. 

  58.         echo "Error: $1 missing." 1>&2
    59. 

  59.         return -1
    60. 

  60.     fi
    61. 

  61.     echo "$val"
    62. 

  62. }
    63. 

  63. 

  64. IPT4_CMD="$(find_cmd "$IPT4")"
    65. 

  65. IPT6_CMD="$(find_cmd "$IPT6")"
    66. 

  66. IPT_SAVE_CMD="$(find_cmd "$IPT_SAVE") save"
    67. 

  67. 

  68. ipt4() {
    69. 

  69.     $IPT4_CMD "$@" || return $?
    70. 

  70. }
    71. 

  71. 

  72. ipt6() {
    73. 

  73.     $IPT6_CMD "$@" || return $?
    74. 

  74. }
    75. 

  75. 

  76. ipt46() {
    77. 

  77.     ipt4 "$@" || return $?
    78. 

  78.     ipt6 "$@" || return $?
    79. 

  79. }
    80. 

  80. 

  81. ipt_save() {
    82. 

  82.   $IPT_SAVE_CMD || return $?
    83. 

  83. }
    84. 

  84. 

  85. ## Add accept rules for specified services the specified chain.
    86. 

  86. # Syntax: add_chain_services <chain> [service]*
    87. 

  87. add_chain_services() {
    88. 

  88.     [[ $# -lt 1 ]] && { echo "In ${FUNCNAME[0]}: Missing argument 1"; return -1; }
    89. 

  89.     chain=$1
    90. 

  90.     shift
    91. 

  91. 

  92.     for srv in "$@"; do
    93. 

  93.         case "$srv" in
    94. 

  94.         # In alphabetic order
    95. 

  95.         dns)
    96. 

  96.             ipt46 -A $chain -p udp --dport 53 -j ACCEPT
    97. 

  97.             ;;
    98. 

  98.         iperf3)
    99. 

  99.             ipt46 -A $chain -p tcp --dport 5201 -j ACCEPT
    100. 

  100.             ;;
    101. 

  101.         ntopng)
    102. 

  102.             ipt46 -A $chain -p tcp --dport 3000 -j ACCEPT
    103. 

  103.             ;;
    104. 

  104.         ntp)
    105. 

  105.             ipt46 -A $chain -p udp --dport 123 -j ACCEPT
    106. 

  106.             ;;
    107. 

  107.         ping)
    108. 

  108.             ipt4 -A $chain -p icmp --icmp-type echo-request -j ACCEPT
    109. 

  109.             ipt6 -A $chain -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    110. 

  110.             ;;
    111. 

  111.         ssh)
    112. 

  112.             ipt46 -A $chain -p tcp --dport 22 -j ACCEPT
    113. 

  113.             ;;
    114. 

  114.         *)
    115. 

  115.             echo "Cannot add unknown service: $srv"
    116. 

  116.             return -1
    117. 

  117.             ;;
    118. 

  118.         esac
    119. 

  119.     done
    120. 

  120. }
    121. 

  121. 

  122. ################################################################################
    123. 

  123. 

  124. echo "Deleting existing rules and chains, then adding new ones ..."
    125. 

  125. 

  126. ################################################################################
    127. 

  127. 

  128. ### Temporary policies
    129. 

  129. ipt46 -P INPUT DROP
    130. 

  130. ipt46 -P OUTPUT DROP
    131. 

  131. ipt46 -P FORWARD DROP
    132. 

  132. 

  133. ################################################################################
    134. 

  134. 

  135. ### Clear all
    136. 

  136. # TODO whitelist to not remove all chains
    137. 

  137. ipt46 -F
    138. 

  138. ipt46 -X
    139. 

  139. ipt46 -t nat -F
    140. 

  140. ipt46 -t nat -X
    141. 

  141. ipt46 -t mangle -F
    142. 

  142. ipt46 -t mangle -X
    143. 

  143. ipt46 -t raw -F
    144. 

  144. ipt46 -t raw -X
    145. 

  145. ipt46 -t security -F
    146. 

  146. ipt46 -t security -X
    147. 

  147. 

  148. ################################################################################
    149. 

  149. 

  150. ### Filter chains
    151. 

  151. 

  152. ## IPv4 source bogon filter
    153. 

  153. chain="bogon-src-filter"
    154. 

  154. ipt4 -N $chain
    155. 

  155. ipt4 -A $chain -s 0.0.0.0/8 -j DROP             # "This" Network
    156. 

  156. ipt4 -A $chain -s 10.0.0.0/8 -j DROP            # Private-Use Networks
    157. 

  157. ipt4 -A $chain -s 100.64.0.0/10 -j DROP         # Shared Address Space
    158. 

  158. ipt4 -A $chain -s 127.0.0.0/8 -j DROP           # Loopback
    159. 

  159. ipt4 -A $chain -s 169.254.0.0/16 -j DROP        # Link local
    160. 

  160. ipt4 -A $chain -s 172.16.0.0/12 -j DROP         # Private-Use Networks
    161. 

  161. ipt4 -A $chain -s 192.0.0.0/24 -j DROP          # IETF Protocol Assignments
    162. 

  162. ipt4 -A $chain -s 192.0.2.0/24 -j DROP          # TEST-NET-1
    163. 

  163. ipt4 -A $chain -s 192.168.0.0/16 -j DROP        # Private-Use Networks
    164. 

  164. ipt4 -A $chain -s 198.18.0.0/15 -j DROP         # Network Interconnect Device Benchmark Testing
    165. 

  165. ipt4 -A $chain -s 198.51.100.0/24 -j DROP       # TEST-NET-2
    166. 

  166. ipt4 -A $chain -s 203.0.113.0/24 -j DROP        # TEST-NET-3
    167. 

  167. ipt4 -A $chain -s 224.0.0.0/4 -j DROP           # Multicast
    168. 

  168. ipt4 -A $chain -s 240.0.0.0/4 -j DROP           # Reserved for Future Use
    169. 

  169. ipt4 -A $chain -s 255.255.255.255/32 -j DROP    # Limited Broadcast
    170. 

  170. 

  171. ## IPv4 destination bogon filter
    172. 

  172. # Duplicate of source filter
    173. 

  173. chain="bogon-dst-filter"
    174. 

  174. ipt4 -N $chain
    175. 

  175. ipt4 -A $chain -d 0.0.0.0/8 -j DROP
    176. 

  176. ipt4 -A $chain -d 10.0.0.0/8 -j DROP
    177. 

  177. ipt4 -A $chain -d 100.64.0.0/10 -j DROP
    178. 

  178. ipt4 -A $chain -d 127.0.0.0/8 -j DROP
    179. 

  179. ipt4 -A $chain -d 169.254.0.0/16 -j DROP
    180. 

  180. ipt4 -A $chain -d 172.16.0.0/12 -j DROP
    181. 

  181. ipt4 -A $chain -d 192.0.0.0/24 -j DROP
    182. 

  182. ipt4 -A $chain -d 192.0.2.0/24 -j DROP
    183. 

  183. ipt4 -A $chain -d 192.168.0.0/16 -j DROP
    184. 

  184. ipt4 -A $chain -d 198.18.0.0/15 -j DROP
    185. 

  185. ipt4 -A $chain -d 198.51.100.0/24 -j DROP
    186. 

  186. ipt4 -A $chain -d 203.0.113.0/24 -j DROP
    187. 

  187. ipt4 -A $chain -d 224.0.0.0/4 -j DROP
    188. 

  188. ipt4 -A $chain -d 240.0.0.0/4 -j DROP
    189. 

  189. ipt4 -A $chain -d 255.255.255.255/32 -j DROP
    190. 

  190. 

  191. ## IPv6 source bogon filter
    192. 

  192. chain="bogon-src-filter"
    193. 

  193. ipt6 -N $chain
    194. 

  194. ipt6 -A $chain -s ::/8 -j DROP                  # Unspecified, loopback and compatible and mapped IPv4
    195. 

  195. # Covered
    196. 

  196. #ipt6 -A $chain -s ::/128 -j DROP               # Unspecified
    197. 

  197. #ipt6 -A $chain -s ::1/128 -j DROP              # Loopback
    198. 

  198. #ipt6 -A $chain -s ::/96 -j DROP                # IPv4-compatible
    199. 

  199. #ipt6 -A $chain -s ::ffff:0:0/96 -j DROP        # IPv4-mapped
    200. 

  200. ipt6 -A $chain -s 64:ff9b::/96 -j DROP          # IPv4-IPv6 Translation
    201. 

  201. ipt6 -A $chain -s 100::/64 -j DROP              # Discard-Only
    202. 

  202. ipt6 -A $chain -s 200::/7 -j DROP               # OSI NSAP-mapped prefix set (deprecated)
    203. 

  203. ipt6 -A $chain -s 2001::/23 -j DROP             # IETF Protocol Assignments
    204. 

  204. # Covered
    205. 

  205. #ipt6 -A $chain -s 2001::/32 -j DROP            # TEREDO
    206. 

  206. ipt6 -A $chain -s 2001:2::/48 -j DROP           # Benchmarking
    207. 

  207. ipt6 -A $chain -s 2001:db8::/32 -j DROP         # Documentation
    208. 

  208. ipt6 -A $chain -s 2001:10::/28 -j DROP          # ORCHID
    209. 

  209. ipt6 -A $chain -s 2002::/16 -j DROP             # All 6to4
    210. 

  210. ipt6 -A $chain -s 3ffe::/16 -j DROP             # 6bone (decommissioned)
    211. 

  211. ipt6 -A $chain -s fc00::/7 -j DROP              # Unique-Local
    212. 

  212. ipt6 -A $chain -s fe80::/10 -j DROP             # Linked-Scoped Unicast
    213. 

  213. ipt6 -A $chain -s fec0::/10 -j DROP             # Site-local unicast (deprecated)
    214. 

  214. ipt6 -A $chain -s ff00::/8 -j DROP              # Multicast (includes solicited-node)
    215. 

  215. 

  216. ## IPv6 destination bogon filter
    217. 

  217. # Duplicate of source filter
    218. 

  218. chain="bogon-dst-filter"
    219. 

  219. ipt6 -N $chain
    220. 

  220. ipt6 -A $chain -d ::/8 -j DROP
    221. 

  221. ipt6 -A $chain -d 64:ff9b::/96 -j DROP
    222. 

  222. ipt6 -A $chain -d 100::/64 -j DROP
    223. 

  223. ipt6 -A $chain -d 200::/7 -j DROP
    224. 

  224. ipt6 -A $chain -d 2001::/23 -j DROP
    225. 

  225. ipt6 -A $chain -d 2001:2::/48 -j DROP
    226. 

  226. ipt6 -A $chain -d 2001:db8::/32 -j DROP
    227. 

  227. ipt6 -A $chain -d 2001:10::/28 -j DROP
    228. 

  228. ipt6 -A $chain -d 2002::/16 -j DROP
    229. 

  229. ipt6 -A $chain -d 3ffe::/16 -j DROP
    230. 

  230. ipt6 -A $chain -d fc00::/7 -j DROP
    231. 

  231. ipt6 -A $chain -d fe80::/10 -j DROP
    232. 

  232. ipt6 -A $chain -d fec0::/10 -j DROP
    233. 

  233. ipt6 -A $chain -d ff00::/8 -j DROP
    234. 

  234. 

  235. ################################################################################
    236. 

  236. 

  237. ### Input
    238. 

  238. 

  239. ## Input basic
    240. 

  240. ipt46 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    241. 

  241. ipt46 -A INPUT -m conntrack --ctstate INVALID -j DROP
    242. 

  242. # IPv6 NDP
    243. 

  243. ipt6 -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
    244. 

  244. ipt6 -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
    245. 

  245. ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
    246. 

  246. ipt6 -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
    247. 

  247. # DHCPv6 client+server (v6 doesn't use raw sockets)
    248. 

  248. ipt6 -A INPUT -p udp --dport 546 -j ACCEPT
    249. 

  249. ipt6 -A INPUT -p udp --dport 547 -j ACCEPT
    250. 

  250. 

  251. ## Input from localhost
    252. 

  252. ipt46 -A INPUT -i lo -j ACCEPT
    253. 

  253. 

  254. ## Input from wan
    255. 

  255. chain="in-from-wan"
    256. 

  256. echo $chain
    257. 

  257. ipt46 -N $chain
    258. 

  258. ipt46 -A INPUT -i $IF_WAN -j $chain
    259. 

  259. # Bogon filter src
    260. 

  260. ipt46 -A $chain -j bogon-src-filter
    261. 

  261. # Drop external traffic from internal addresses
    262. 

  262. ipt4 -A $chain -s ${NET_LAN_SUPER[4]} -j DROP # IPv4
    263. 

  263. ipt6 -A $chain -s ${NET_LAN_SUPER[6]} -j DROP # IPv6
    264. 

  264. # Services
    265. 

  265. add_chain_services $chain ping
    266. 

  266. # Default action
    267. 

  267. ipt46 -A $chain -j DROP
    268. 

  268. 

  269. ## Input from core-mgmt
    270. 

  270. chain="in-from-core-mgmt"
    271. 

  271. echo $chain
    272. 

  272. ipt46 -N $chain
    273. 

  273. ipt46 -A INPUT -i $IF_CORE_MGMT -j $chain
    274. 

  274. ipt4 -A $chain ! -s ${NET_CORE_MGMT[4]} -j DROP # IPv4
    275. 

  275. ipt6 -A $chain ! -s ${NET_CORE_MGMT[6]} -j DROP # IPv6
    276. 

  276. add_chain_services $chain ping dns ntp iperf3 ssh ntopng
    277. 

  277. ipt46 -A $chain -j REJECT
    278. 

  278. 

  279. ## Input from perf-mgmt
    280. 

  280. chain="in-from-perf-mgmt"
    281. 

  281. echo $chain
    282. 

  282. ipt46 -N $chain
    283. 

  283. ipt46 -A INPUT -i $IF_PERF_MGMT -j $chain
    284. 

  284. ipt4 -A $chain ! -s ${NET_PERF_MGMT[4]} -j DROP # IPv4
    285. 

  285. ipt6 -A $chain ! -s ${NET_PERF_MGMT[6]} -j DROP # IPv6
    286. 

  286. add_chain_services $chain ping dns ntp iperf3
    287. 

  287. ipt46 -A $chain -j REJECT
    288. 

  288. 

  289. ## Input from apps
    290. 

  290. chain="in-from-apps"
    291. 

  291. echo $chain
    292. 

  292. ipt46 -N $chain
    293. 

  293. ipt46 -A INPUT -i $IF_APPS -j $chain
    294. 

  294. ipt4 -A $chain ! -s ${NET_APPS[4]} -j DROP # IPv4
    295. 

  295. ipt6 -A $chain ! -s ${NET_APPS[6]} -j DROP # IPv6
    296. 

  296. add_chain_services $chain ping dns ntp
    297. 

  297. ipt46 -A $chain -j REJECT
    298. 

  298. 

  299. ## Input from users
    300. 

  300. chain="in-from-users"
    301. 

  301. echo $chain
    302. 

  302. ipt46 -N $chain
    303. 

  303. ipt46 -A INPUT -i $IF_USERS -j $chain
    304. 

  304. ipt4 -A $chain ! -s ${NET_USERS[4]} -j DROP # IPv4
    305. 

  305. ipt6 -A $chain ! -s ${NET_USERS[6]} -j DROP # IPv6
    306. 

  306. add_chain_services $chain ping dns ntp iperf3
    307. 

  307. ipt46 -A $chain -j REJECT
    308. 

  308. 

  309. ## Input from guest
    310. 

  310. chain="in-from-guests"
    311. 

  311. echo $chain
    312. 

  312. ipt46 -N $chain
    313. 

  313. ipt46 -A INPUT -i $IF_GUESTS -j $chain
    314. 

  314. ipt4 -A $chain ! -s ${NET_GUESTS[4]} -j DROP # IPv4
    315. 

  315. ipt6 -A $chain ! -s ${NET_GUESTS[6]} -j DROP # IPv6
    316. 

  316. add_chain_services $chain ping dns ntp
    317. 

  317. ipt46 -A $chain -j REJECT
    318. 

  318. 

  319. ## Input from admins
    320. 

  320. chain="in-from-admins"
    321. 

  321. echo $chain
    322. 

  322. ipt46 -N $chain
    323. 

  323. ipt46 -A INPUT -i $IF_ADMINS -j $chain
    324. 

  324. ipt4 -A $chain ! -s ${NET_ADMINS[4]} -j DROP # IPv4
    325. 

  325. ipt6 -A $chain ! -s ${NET_ADMINS[6]} -j DROP # IPv6
    326. 

  326. add_chain_services $chain ping dns ntp iperf3 ssh ntopng
    327. 

  327. ipt46 -A $chain -j REJECT
    328. 

  328. 

  329. ################################################################################
    330. 

  330. 

  331. ### Output
    332. 

  332. 

  333. ## Output basic
    334. 

  334. ipt46 -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    335. 

  335. ipt46 -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    336. 

  336. # IPv6 NDP
    337. 

  337. ipt6 -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
    338. 

  338. ipt6 -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
    339. 

  339. 

  340. ## Output to localhost
    341. 

  341. ipt46 -A OUTPUT -o lo -j ACCEPT
    342. 

  342. 

  343. ## Output to WAN
    344. 

  344. chain="out-to-wan"
    345. 

  345. echo $chain
    346. 

  346. ipt46 -N $chain
    347. 

  347. ipt46 -A OUTPUT -o $IF_WAN -j $chain
    348. 

  348. # Block LAN leakage
    349. 

  349. ipt4 -A $chain -d ${NET_LAN_SUPER[4]} -j DROP # IPv4
    350. 

  350. ipt6 -A $chain -d ${NET_LAN_SUPER[6]} -j DROP # IPv6
    351. 

  351. # Default action
    352. 

  352. ipt46 -A $chain -j ACCEPT
    353. 

  353. 

  354. ## Output to LAN
    355. 

  355. chain="out-to-lan"
    356. 

  356. echo $chain
    357. 

  357. ipt46 -N $chain
    358. 

  358. ipt46 -A OUTPUT -o $IF_CORE_MGMT -j $chain
    359. 

  359. ipt46 -A OUTPUT -o $IF_PERF_MGMT -j $chain
    360. 

  360. ipt46 -A OUTPUT -o $IF_APPS -j $chain
    361. 

  361. ipt46 -A OUTPUT -o $IF_USERS -j $chain
    362. 

  362. ipt46 -A OUTPUT -o $IF_GUESTS -j $chain
    363. 

  363. ipt46 -A OUTPUT -o $IF_ADMINS -j $chain
    364. 

  364. ipt46 -A $chain -j ACCEPT
    365. 

  365. 

  366. ################################################################################
    367. 

  367. 

  368. ### Forward
    369. 

  369. 

  370. ## Forward basic
    371. 

  371. ipt46 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    372. 

  372. ipt46 -A FORWARD -m conntrack --ctstate INVALID -j DROP
    373. 

  373. 

  374. ## Verify source for stub LANs
    375. 

  375. ipt4 -A FORWARD -i $IF_CORE_MGMT ! -s ${NET_CORE_MGMT[4]} -j DROP
    376. 

  376. ipt6 -A FORWARD -i $IF_CORE_MGMT ! -s ${NET_CORE_MGMT[6]} -j DROP
    377. 

  377. ipt4 -A FORWARD -i $IF_PERF_MGMT ! -s ${NET_PERF_MGMT[4]} -j DROP
    378. 

  378. ipt6 -A FORWARD -i $IF_PERF_MGMT ! -s ${NET_PERF_MGMT[6]} -j DROP
    379. 

  379. ipt4 -A FORWARD -i $IF_APPS ! -s ${NET_APPS[4]} -j DROP
    380. 

  380. ipt6 -A FORWARD -i $IF_APPS ! -s ${NET_APPS[6]} -j DROP
    381. 

  381. ipt4 -A FORWARD -i $IF_USERS ! -s ${NET_USERS[4]} -j DROP
    382. 

  382. ipt6 -A FORWARD -i $IF_USERS ! -s ${NET_USERS[6]} -j DROP
    383. 

  383. ipt4 -A FORWARD -i $IF_GUESTS ! -s ${NET_GUESTS[4]} -j DROP
    384. 

  384. ipt6 -A FORWARD -i $IF_GUESTS ! -s ${NET_GUESTS[6]} -j DROP
    385. 

  385. ipt4 -A FORWARD -i $IF_ADMINS ! -s ${NET_ADMINS[4]} -j DROP
    386. 

  386. ipt6 -A FORWARD -i $IF_ADMINS ! -s ${NET_ADMINS[6]} -j DROP
    387. 

  387. 

  388. ## Forward from wan
    389. 

  389. chain="fwd-from-wan"
    390. 

  390. echo $chain
    391. 

  391. ipt46 -N $chain
    392. 

  392. ipt46 -A FORWARD -i $IF_WAN -j $chain
    393. 

  393. # Bogon filter src and dst addresses
    394. 

  394. ipt46 -A $chain -j bogon-src-filter
    395. 

  395. ipt46 -A $chain -j bogon-dst-filter
    396. 

  396. # Drop external traffic from internal addresses
    397. 

  397. ipt4 -A $chain -s ${NET_LAN_SUPER[4]} -j DROP # IPv4
    398. 

  398. ipt6 -A $chain -s ${NET_LAN_SUPER[6]} -j DROP # IPv6
    399. 

  399. # Drop external traffic to internal addresses (because NAT44 + NAT66)
    400. 

  400. ipt4 -A $chain -d ${NET_LAN_SUPER[4]} -j DROP # IPv4
    401. 

  401. ipt6 -A $chain -d ${NET_LAN_SUPER[6]} -j DROP # IPv6
    402. 

  402. # Return
    403. 

  403. 

  404. ## Forward to wan
    405. 

  405. chain="fwd-to-wan"
    406. 

  406. echo $chain
    407. 

  407. ipt46 -N $chain
    408. 

  408. ipt46 -A FORWARD -o $IF_WAN -j $chain
    409. 

  409. # Block LAN leakage
    410. 

  410. ipt4 -A $chain -d ${NET_LAN_SUPER[4]} -j DROP # IPv4
    411. 

  411. ipt6 -A $chain -d ${NET_LAN_SUPER[6]} -j DROP # IPv6
    412. 

  412. # LANs
    413. 

  413. ipt46 -A $chain -i $IF_CORE_MGMT        -j ACCEPT
    414. 

  414. ipt46 -A $chain -i $IF_PERF_MGMT        -j ACCEPT
    415. 

  415. ipt46 -A $chain -i $IF_APPS             -j ACCEPT
    416. 

  416. ipt46 -A $chain -i $IF_USERS            -j ACCEPT
    417. 

  417. ipt46 -A $chain -i $IF_GUESTS           -j ACCEPT
    418. 

  418. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT
    419. 

  419. # Default action
    420. 

  420. ipt46 -A $chain -j DROP
    421. 

  421. 

  422. ## Forward to core-mgmt
    423. 

  423. chain="fwd-to-core-mgmt"
    424. 

  424. echo $chain
    425. 

  425. ipt46 -N $chain
    426. 

  426. ipt46 -A FORWARD -o $IF_CORE_MGMT -j $chain
    427. 

  427. # LANs
    428. 

  428. ipt46 -A $chain -i $IF_CORE_MGMT        -j ACCEPT # Self
    429. 

  429. ipt46 -A $chain -i $IF_PERF_MGMT        -j REJECT
    430. 

  430. ipt46 -A $chain -i $IF_APPS             -j REJECT
    431. 

  431. ipt46 -A $chain -i $IF_USERS            -j REJECT
    432. 

  432. ipt46 -A $chain -i $IF_GUESTS           -j REJECT
    433. 

  433. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Admin
    434. 

  434. # Default action
    435. 

  435. ipt46 -A $chain -j DROP
    436. 

  436. 

  437. ## Forward to perf-mgmt
    438. 

  438. chain="fwd-to-perf-mgmt"
    439. 

  439. echo $chain
    440. 

  440. ipt46 -N $chain
    441. 

  441. ipt46 -A FORWARD -o $IF_PERF_MGMT -j $chain
    442. 

  442. # LANs
    443. 

  443. ipt46 -A $chain -i $IF_CORE_MGMT        -j REJECT
    444. 

  444. ipt46 -A $chain -i $IF_PERF_MGMT        -j ACCEPT # Self
    445. 

  445. ipt46 -A $chain -i $IF_APPS             -j REJECT
    446. 

  446. ipt46 -A $chain -i $IF_USERS            -j REJECT
    447. 

  447. ipt46 -A $chain -i $IF_GUESTS           -j REJECT
    448. 

  448. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Admin
    449. 

  449. # Default action
    450. 

  450. ipt46 -A $chain -j DROP
    451. 

  451. 

  452. ## Forward to apps
    453. 

  453. chain="fwd-to-apps"
    454. 

  454. echo $chain
    455. 

  455. ipt46 -N $chain
    456. 

  456. ipt46 -A FORWARD -o $IF_APPS -j $chain
    457. 

  457. # UniFi: From APs to controller
    458. 

  458. ipt4 -A $chain -i $IF_PERF_MGMT -d ${HOST_UNIFI[4]} -p tcp --dport=8080 -j ACCEPT # IPv4
    459. 

  459. ipt6 -A $chain -i $IF_PERF_MGMT -d ${HOST_UNIFI[6]} -p tcp --dport=8080 -j ACCEPT # IPv6
    460. 

  460. ipt4 -A $chain -i $IF_PERF_MGMT -d ${HOST_UNIFI[4]} -p udp --dport=3478 -j ACCEPT # IPv4
    461. 

  461. ipt6 -A $chain -i $IF_PERF_MGMT -d ${HOST_UNIFI[6]} -p udp --dport=3478 -j ACCEPT # IPv6
    462. 

  462. # LANs
    463. 

  463. ipt46 -A $chain -i $IF_CORE_MGMT        -j REJECT
    464. 

  464. ipt46 -A $chain -i $IF_PERF_MGMT        -j REJECT
    465. 

  465. ipt46 -A $chain -i $IF_APPS             -j ACCEPT # Self
    466. 

  466. ipt46 -A $chain -i $IF_USERS            -j REJECT
    467. 

  467. ipt46 -A $chain -i $IF_GUESTS           -j REJECT
    468. 

  468. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Admin
    469. 

  469. # Default action
    470. 

  470. ipt46 -A $chain -j DROP
    471. 

  471. 

  472. ## Forward to users
    473. 

  473. chain="fwd-to-users"
    474. 

  474. echo $chain
    475. 

  475. ipt46 -N $chain
    476. 

  476. ipt46 -A FORWARD -o $IF_USERS -j $chain
    477. 

  477. # LANs
    478. 

  478. ipt46 -A $chain -i $IF_CORE_MGMT        -j REJECT
    479. 

  479. ipt46 -A $chain -i $IF_PERF_MGMT        -j REJECT
    480. 

  480. ipt46 -A $chain -i $IF_APPS             -j REJECT
    481. 

  481. ipt46 -A $chain -i $IF_USERS            -j ACCEPT # Self
    482. 

  482. ipt46 -A $chain -i $IF_GUESTS           -j REJECT
    483. 

  483. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Admin
    484. 

  484. 

  485. ## Forward to guests
    486. 

  486. chain="fwd-to-guests"
    487. 

  487. echo $chain
    488. 

  488. ipt46 -N $chain
    489. 

  489. ipt46 -A FORWARD -o $IF_GUESTS -j $chain
    490. 

  490. # LANs
    491. 

  491. ipt46 -A $chain -i $IF_CORE_MGMT        -j REJECT
    492. 

  492. ipt46 -A $chain -i $IF_PERF_MGMT        -j REJECT
    493. 

  493. ipt46 -A $chain -i $IF_APPS             -j REJECT
    494. 

  494. ipt46 -A $chain -i $IF_USERS            -j ACCEPT # Allow
    495. 

  495. ipt46 -A $chain -i $IF_GUESTS           -j REJECT # Self, client isolation
    496. 

  496. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Admin
    497. 

  497. 

  498. ## Forward to admins
    499. 

  499. chain="fwd-to-admins"
    500. 

  500. echo $chain
    501. 

  501. ipt46 -N $chain
    502. 

  502. ipt46 -A FORWARD -o $IF_ADMINS -j $chain
    503. 

  503. # LANs
    504. 

  504. ipt46 -A $chain -i $IF_CORE_MGMT        -j REJECT
    505. 

  505. ipt46 -A $chain -i $IF_PERF_MGMT        -j REJECT
    506. 

  506. ipt46 -A $chain -i $IF_APPS             -j REJECT
    507. 

  507. ipt46 -A $chain -i $IF_USERS            -j REJECT
    508. 

  508. ipt46 -A $chain -i $IF_GUESTS           -j REJECT
    509. 

  509. ipt46 -A $chain -i $IF_ADMINS           -j ACCEPT # Self, admin
    510. 

  510. 

  511. ################################################################################
    512. 

  512. 

  513. ### NAT
    514. 

  514. 

  515. ## SNAT + masquerade
    516. 

  516. ipt4 -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE # IPv4
    517. 

  517. ipt6 -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE # IPv6
    518. 

  518. 

  519. ## DNAT + port Forward
    520. 

  520. # Port range for direct-wan: 50000-50999
    521. 

  521. # Forward HTTP+HTTPS to Nginx container
    522. 

  522. #ipt4 -t nat -A PREROUTING -i $IF_PUBLIC_WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${HOST_NGINX_MASTER[4]}
    523. 

  523. #ipt6 -t nat -A PREROUTING -i $IF_PUBLIC_WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${HOST_NGINX_MASTER[6]}
    524. 

  524. 

  525. ################################################################################
    526. 

  526. 

  527. ### Final policies
    528. 

  528. ipt46 -P INPUT DROP
    529. 

  529. ipt46 -P OUTPUT DROP
    530. 

  530. ipt46 -P FORWARD DROP
    531. 

  531. 

  532. ################################################################################
    533. 

  533. 

  534. ### Finish
    535. 

  535. num_rules=$(iptables -n --list --line-numbers | sed '/^num\|^$\|^Chain/d' | wc -l)
    536. 

  536. echo
    537. 

  537. # TODO chain count
    538. 

  538. echo "Rule count: $num_rules"
    539. 

  539. echo
    540. 

  540. echo "Please verify that you have not locked yourself out!"
    541. 

  541. echo "Try opening another SSH session."
    542. 

  542. echo "This can not easily be undone!"
    543. 

  543. echo
    544. 

  544. 

  545. finished=false
    546. 

  546. while [[ $finished != true ]]; do
    547. 

  547.     echo "Save running config to startup config?"
    548. 

  548.     read -p "Type \"YES\" to continue or CTRL+C to abort: " input
    549. 

  549.     if [[ $input == "YES" ]]; then
    550. 

  550.         finished=true
    551. 

  551.     else
    552. 

  552.         echo "Invalid input, try again."
    553. 

  553.     fi
    554. 

  554. done
    555. 

  555. 

  556. ipt_save
    557. 

  557. echo "Updated iptables startup config"
    558.