From 4bae2cb246e58e6ca757f170b937da2eefc4ece5 Mon Sep 17 00:00:00 2001
From: Robert Gerus
Date: Sun, 24 Nov 2013 17:19:33 +0100
Subject: [PATCH] cleanup and fixup
---
 fw.globals | 5 -----
 rules/01-output-snat | 3 +--
 rules/02-kasha-services | 6 ------
 rules/03-kasha-outbound-connections | 17 -----------------
 rules/04-kasha-local-connections | 10 ----------
 rules/10-ar-amanojaku | 16 ----------------
 rules/11-pht-forwards | 9 ---------
 7 files changed, 1 insertion(+), 65 deletions(-)
 delete mode 100644 rules/03-kasha-outbound-connections
 delete mode 100644 rules/04-kasha-local-connections
 delete mode 100644 rules/10-ar-amanojaku
 delete mode 100644 rules/11-pht-forwards
diff --git a/fw.globals b/fw.globals
index 27bedc8..183dba9 100644
--- a/fw.globals
+++ b/fw.globals
@@ -8,13 +8,8 @@ IF_LAN="lanbr"
 NET_LAN="10.24.0.0/16"
 NET_WAN="192.168.0.0/24"
 NET_AR="10.24.20.0/24"
-NET_Q3K="10.24.16.0/24"
-
-NET_AR_DESKTOP="10.30.24.0/24"
 
 # hosts:
-#NAS
-HOST_AMANOJAKU="10.24.20.250"
 #ROUTER
 HOST_KASHA="10.24.0.1"
 HOST_KASHA_WAN="192.168.0.11"
diff --git a/rules/01-output-snat b/rules/01-output-snat
index 6186ff8..4259fb5 100644
--- a/rules/01-output-snat
+++ b/rules/01-output-snat
@@ -1,8 +1,7 @@
 #!/bin/bash
 rules() {
 iptables --table filter $flag FORWARD -i ${IF_WAN} -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables --table filter $flag FORWARD -i ${IF_LAN} -o ${IF_WAN} -j ACCEPT
- iptables --table nat $flag POSTROUTING -s 10.24.20.0/24 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
+ iptables --table nat $flag POSTROUTING -s ${NET_LAN} -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
 if ${HAVE_WAN2}; then
 iptables --table nat $flag POSTROUTING -s 10.24.20.10 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN2}
 fi
diff --git a/rules/02-kasha-services b/rules/02-kasha-services
index d21ae8a..da0ced0 100644
--- a/rules/02-kasha-services
+++ b/rules/02-kasha-services
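Review bot: The new `-s ${NET_LAN}` SNAT rule in rules/01-output-snat also matches 10.24.20.10, so if `$flag` appends (presumably `-A`, its value is not visible here) the `HAVE_WAN2` rule three lines below it is shadowed: SNAT is a terminating target in nat POSTROUTING, the first match wins, and that host is never sourced from `${HOST_KASHA_WAN2}`. The old `-s 10.24.20.0/24` rule had the same ordering problem, but widening the match to the whole /16 is the moment to fix it, e.g. by moving the `if ${HAVE_WAN2}; then … fi` block above the `${NET_LAN}` line, or by excluding that host with `! -s 10.24.20.10` on the general rule. Separately, dropping the `FORWARD -i ${IF_LAN} -o ${IF_WAN} -j ACCEPT` line means LAN-to-WAN forwarding now depends entirely on the FORWARD chain's default policy, which this hunk does not show; if that policy is DROP the new SNAT rule never sees traffic, and if it is ACCEPT the router forwards everything from the /16 without a rule saying so, which deserves a comment such as `# LAN->WAN forwarding is governed by the FORWARD default policy`. The rules() function continues past the end of the hunk.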
@@ -1,11 +1,5 @@
 #!/bin/bash
 rules() {
-# ssh from lan
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 22 -j ACCEPT
-# dns
- iptables -t filter $flag INPUT -i ${IF_LAN} -p udp -d ${HOST_KASHA} --dport 53 -j ACCEPT
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 53 -j ACCEPT
-
 # avoid having multiple OUTPUT rules
 iptables -t filter $flag OUTPUT -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 }
diff --git a/rules/03-kasha-outbound-connections b/rules/03-kasha-outbound-connections
deleted file mode 100644
index d4d7f6d..0000000
--- a/rules/03-kasha-outbound-connections
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-rules() {
- ntp_ips=( 212.244.36.227 212.244.36.228 )
-# fwtest: 01-ssh_test_via_NAS.sh
- iptables -t filter $flag OUTPUT -o ${IF_LAN} -p tcp -d ${HOST_AMANOJAKU} --dport 22 -j ACCEPT
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -s ${HOST_AMANOJAKU} --sport 22 -j ACCEPT
-# outbound DNS
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p tcp --dport 53 -j ACCEPT
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp --dport 53 -j ACCEPT
-# outbound NTP
- for ntp_server in ${ntp_ips[@]}; do
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp -d ${ntp_server} --dport 123 -j ACCEPT
- done
-
-# i hate having a multitude of stateless INPUT rules
- iptables -t filter $flag INPUT -i ${IF_WAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-}
diff --git a/rules/04-kasha-local-connections b/rules/04-kasha-local-connections
deleted file mode 100644
index 118d9d3..0000000
--- a/rules/04-kasha-local-connections
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bah
-rules() {
- for chain in OUTPUT INPUT; do
- for proto in tcp udp; do
- for type in s d; do
- iptables -t filter $flag ${chain} -s 127.0.0.0/8 -d 127.0.0.0/8 -p ${proto} -m ${proto} --${type}port 53 -j ACCEPT;
- done
- done
- done
-}
diff --git a/rules/10-ar-amanojaku b/rules/10-ar-amanojaku
deleted file mode 100644
index e8a3030..0000000
--- a/rules/10-ar-amanojaku
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-rules() {
- :
- # nope, the host is not here.
-# # tcp
-# for port in 22 80 443 14528:14530 20000; do
-# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -p tcp --dport ${port} -j ACCEPT
-# done
-#
-# # udp
-# for port in 60000:60100; do
-# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -m udp -p udp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -m udp -p udp --dport ${port} -j ACCEPT
-# done
-}
diff --git a/rules/11-pht-forwards b/rules/11-pht-forwards
deleted file mode 100644
index d4b723f..0000000
--- a/rules/11-pht-forwards
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-rules() {
- if ${HAVE_WAN2}; then
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN2} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
- iptables -t nat $flag POSTROUTING -o ${IF_WAN} -d 178.217.184.63 -j SNAT --to-source ${HOST_KASHA_WAN2}
- fi
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 777 -j DNAT --to-destination 10.24.40.1:80
-}