cleanup and fixup

fw.globals

@@ -8,13 +8,8 @@ IF_LAN="lanbr"
 NET_LAN="10.24.0.0/16"
 NET_WAN="192.168.0.0/24"
 NET_AR="10.24.20.0/24"
-NET_Q3K="10.24.16.0/24"
-
-NET_AR_DESKTOP="10.30.24.0/24"
 
 # hosts:
-#NAS
-HOST_AMANOJAKU="10.24.20.250"
 #ROUTER
 HOST_KASHA="10.24.0.1"
 HOST_KASHA_WAN="192.168.0.11"

rules/01-output-snat

@@ -1,8 +1,7 @@
 #!/bin/bash
 rules() {
     iptables --table filter $flag FORWARD -i ${IF_WAN} -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables --table filter $flag FORWARD -i ${IF_LAN} -o ${IF_WAN} -j ACCEPT
-    iptables --table nat $flag POSTROUTING -s 10.24.20.0/24 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
+    iptables --table nat $flag POSTROUTING -s ${NET_LAN} -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
     if ${HAVE_WAN2}; then
         iptables --table nat $flag POSTROUTING -s 10.24.20.10 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN2}
     fi

rules/02-kasha-services

@@ -1,11 +1,5 @@
 #!/bin/bash
 rules() {
-# ssh from lan
-    iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 22 -j ACCEPT
-# dns
-    iptables -t filter $flag INPUT -i ${IF_LAN} -p udp -d ${HOST_KASHA} --dport 53 -j ACCEPT
-    iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 53 -j ACCEPT
-
 # avoid having multiple OUTPUT rules
     iptables -t filter $flag OUTPUT -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 }

rules/03-kasha-outbound-connections

@@ -1,17 +0,0 @@
-#!/bin/bash
-rules() {
-    ntp_ips=( 212.244.36.227 212.244.36.228 )
-# fwtest: 01-ssh_test_via_NAS.sh 
-    iptables -t filter $flag OUTPUT -o ${IF_LAN} -p tcp -d ${HOST_AMANOJAKU} --dport 22 -j ACCEPT
-    iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -s ${HOST_AMANOJAKU} --sport 22 -j ACCEPT
-# outbound DNS
-    iptables -t filter $flag OUTPUT -o ${IF_WAN} -p tcp --dport 53 -j ACCEPT
-    iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp --dport 53 -j ACCEPT
-# outbound NTP
-    for ntp_server in ${ntp_ips[@]}; do
-        iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp -d ${ntp_server} --dport 123 -j ACCEPT
-    done
-
-# i hate having a multitude of stateless INPUT rules
-    iptables -t filter $flag INPUT -i ${IF_WAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-}

rules/04-kasha-local-connections

@@ -1,10 +0,0 @@
-#!/bin/bah
-rules() {
-    for chain in OUTPUT INPUT; do
-        for proto in tcp udp; do
-            for type in s d; do
-                iptables -t filter $flag ${chain} -s 127.0.0.0/8 -d 127.0.0.0/8 -p ${proto} -m ${proto} --${type}port 53 -j ACCEPT;
-            done
-        done
-    done
-}

rules/10-ar-amanojaku

@@ -1,16 +0,0 @@
-#!/bin/bash
-rules() {
-    :
-    # nope, the host is not here.
-#    # tcp
-#    for port in 22 80 443 14528:14530 20000; do
-#        iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-#        iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -p tcp --dport ${port} -j ACCEPT
-#    done
-#
-#    # udp
-#    for port in 60000:60100; do
-#        iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -m udp -p udp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-#        iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -m udp -p udp --dport ${port} -j ACCEPT
-#    done
-}

rules/11-pht-forwards

@@ -1,9 +0,0 @@
-#!/bin/bash
-rules() {
-    if ${HAVE_WAN2}; then
-        iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN2} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
-        iptables -t nat $flag POSTROUTING -o ${IF_WAN} -d 178.217.184.63 -j SNAT --to-source ${HOST_KASHA_WAN2}
-    fi
-    iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
-    iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 777 -j DNAT --to-destination 10.24.40.1:80
-}