cleanup and fixup
parent
b8df2c5b47
commit
4bae2cb246
|
@ -8,13 +8,8 @@ IF_LAN="lanbr"
|
|||
NET_LAN="10.24.0.0/16"
|
||||
NET_WAN="192.168.0.0/24"
|
||||
NET_AR="10.24.20.0/24"
|
||||
NET_Q3K="10.24.16.0/24"
|
||||
|
||||
NET_AR_DESKTOP="10.30.24.0/24"
|
||||
|
||||
# hosts:
|
||||
#NAS
|
||||
HOST_AMANOJAKU="10.24.20.250"
|
||||
#ROUTER
|
||||
HOST_KASHA="10.24.0.1"
|
||||
HOST_KASHA_WAN="192.168.0.11"
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
#!/bin/bash
|
||||
rules() {
|
||||
iptables --table filter $flag FORWARD -i ${IF_WAN} -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables --table filter $flag FORWARD -i ${IF_LAN} -o ${IF_WAN} -j ACCEPT
|
||||
iptables --table nat $flag POSTROUTING -s 10.24.20.0/24 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
|
||||
iptables --table nat $flag POSTROUTING -s ${NET_LAN} -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
|
||||
if ${HAVE_WAN2}; then
|
||||
iptables --table nat $flag POSTROUTING -s 10.24.20.10 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN2}
|
||||
fi
|
||||
|
|
|
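Review bot: With `$flag` expanding to `-A`, the WAN2 SNAT for 10.24.20.10 inside the `if ${HAVE_WAN2}` block is appended after the catch-all `-s ${NET_LAN}` SNAT; since 10.24.0.0/16 (NET_LAN in the config hunk) contains that address and nat POSTROUTING stops at the first matching rule, the host-specific rule would never be reached, and the preceding `-s 10.24.20.0/24` rule is likewise fully covered by the NET_LAN rule while hard-coding the subnet the config already names `NET_AR`. Moving the WAN2 block above the NET_LAN rule (and writing the per-subnet rule as `-s ${NET_AR}` if it is kept) fixes the order under `-A`; under `-I` the order is reversed, so the `$flag` values this function is meant to run with should be documented in a header comment. `if ${HAVE_WAN2}; then` executes the variable's value as a command and is a syntax error when it is unset; `if [[ "${HAVE_WAN2}" == true ]]; then` is safer if the config sets it to the literal strings true/false — confirm against the config file, which is not in this hunk. rules() continues past the end of the hunk.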
@ -1,11 +1,5 @@
|
|||
#!/bin/bash
|
||||
rules() {
|
||||
# ssh from lan
|
||||
iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 22 -j ACCEPT
|
||||
# dns
|
||||
iptables -t filter $flag INPUT -i ${IF_LAN} -p udp -d ${HOST_KASHA} --dport 53 -j ACCEPT
|
||||
iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 53 -j ACCEPT
|
||||
|
||||
# avoid having multiple OUTPUT rules
|
||||
iptables -t filter $flag OUTPUT -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
}
|
||||
|
|
|
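Review bot: The function runs iptables with an unquoted `$flag` and interface/host globals that nothing in this file declares, so the contract with the caller is undocumented; a header such as `# rules: expects flag (-A/-D/-I) plus IF_LAN and HOST_KASHA from the sourcing script` above `rules() {` would make it explicit, and `"$flag"` should be quoted like the other expansions. Style-wise this file uses `-t filter` while the FORWARD/NAT hunk above uses `--table filter`; pick one spelling across the rule files. Also, the OUTPUT conntrack rule on the last line has no INPUT counterpart for `${IF_LAN}`, so replies to connections the router itself opens toward the LAN depend on the INPUT chain's default policy, which is not visible here — worth a comment confirming that is intended.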
@ -1,17 +0,0 @@
|
|||
#!/bin/bash
|
||||
rules() {
|
||||
ntp_ips=( 212.244.36.227 212.244.36.228 )
|
||||
# fwtest: 01-ssh_test_via_NAS.sh
|
||||
iptables -t filter $flag OUTPUT -o ${IF_LAN} -p tcp -d ${HOST_AMANOJAKU} --dport 22 -j ACCEPT
|
||||
iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -s ${HOST_AMANOJAKU} --sport 22 -j ACCEPT
|
||||
# outbound DNS
|
||||
iptables -t filter $flag OUTPUT -o ${IF_WAN} -p tcp --dport 53 -j ACCEPT
|
||||
iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp --dport 53 -j ACCEPT
|
||||
# outbound NTP
|
||||
for ntp_server in ${ntp_ips[@]}; do
|
||||
iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp -d ${ntp_server} --dport 123 -j ACCEPT
|
||||
done
|
||||
|
||||
# i hate having a multitude of stateless INPUT rules
|
||||
iptables -t filter $flag INPUT -i ${IF_WAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
#!/bin/bah
|
||||
rules() {
|
||||
for chain in OUTPUT INPUT; do
|
||||
for proto in tcp udp; do
|
||||
for type in s d; do
|
||||
iptables -t filter $flag ${chain} -s 127.0.0.0/8 -d 127.0.0.0/8 -p ${proto} -m ${proto} --${type}port 53 -j ACCEPT;
|
||||
done
|
||||
done
|
||||
done
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
#!/bin/bash
|
||||
rules() {
|
||||
:
|
||||
# nope, the host is not here.
|
||||
# # tcp
|
||||
# for port in 22 80 443 14528:14530 20000; do
|
||||
# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
|
||||
# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -p tcp --dport ${port} -j ACCEPT
|
||||
# done
|
||||
#
|
||||
# # udp
|
||||
# for port in 60000:60100; do
|
||||
# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -m udp -p udp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
|
||||
# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -m udp -p udp --dport ${port} -j ACCEPT
|
||||
# done
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
#!/bin/bash
|
||||
rules() {
|
||||
if ${HAVE_WAN2}; then
|
||||
iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN2} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
|
||||
iptables -t nat $flag POSTROUTING -o ${IF_WAN} -d 178.217.184.63 -j SNAT --to-source ${HOST_KASHA_WAN2}
|
||||
fi
|
||||
iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
|
||||
iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 777 -j DNAT --to-destination 10.24.40.1:80
|
||||
}
|