authorRobert Gerus <arachnist@i.am-a.cat>2013-11-24 17:19:33 +0100
committerRobert Gerus <arachnist@i.am-a.cat>2013-11-24 17:19:33 +0100
commit4bae2cb246e58e6ca757f170b937da2eefc4ece5 (patch)
tree51b05cd641c8755b578877d477b93a7540a57032
parentb8df2c5b47c4afe325d5ac4a294544bd106be136 (diff)
cleanup and fixup
-rw-r--r--fw.globals5
-rw-r--r--rules/01-output-snat3
-rw-r--r--rules/02-kasha-services6
-rw-r--r--rules/03-kasha-outbound-connections17
-rw-r--r--rules/04-kasha-local-connections10
-rw-r--r--rules/10-ar-amanojaku16
-rw-r--r--rules/11-pht-forwards9
7 files changed, 1 insertions, 65 deletions
diff --git a/fw.globals b/fw.globals
index 27bedc8..183dba9 100644
--- a/fw.globals
+++ b/fw.globals
@@ -8,13 +8,8 @@ IF_LAN="lanbr"
NET_LAN="10.24.0.0/16"
NET_WAN="192.168.0.0/24"
NET_AR="10.24.20.0/24"
-NET_Q3K="10.24.16.0/24"
-
-NET_AR_DESKTOP="10.30.24.0/24"
# hosts:
-#NAS
-HOST_AMANOJAKU="10.24.20.250"
#ROUTER
HOST_KASHA="10.24.0.1"
HOST_KASHA_WAN="192.168.0.11"
diff --git a/rules/01-output-snat b/rules/01-output-snat
index 6186ff8..4259fb5 100644
--- a/rules/01-output-snat
+++ b/rules/01-output-snat
@@ -1,8 +1,7 @@
#!/bin/bash
rules() {
iptables --table filter $flag FORWARD -i ${IF_WAN} -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables --table filter $flag FORWARD -i ${IF_LAN} -o ${IF_WAN} -j ACCEPT
- iptables --table nat $flag POSTROUTING -s 10.24.20.0/24 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
+ iptables --table nat $flag POSTROUTING -s ${NET_LAN} -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN}
if ${HAVE_WAN2}; then
iptables --table nat $flag POSTROUTING -s 10.24.20.10 -o ${IF_WAN} -j SNAT --to-source ${HOST_KASHA_WAN2}
fi
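Review bot: The widened SNAT source `${NET_LAN}` (10.24.0.0/16 in fw.globals) also covers 10.24.20.10, so if `$flag` is `-A` the broad rule is appended before the WAN2-specific rule inside `if ${HAVE_WAN2}` and, SNAT being a terminating target, that inner rule can never match; the old 10.24.20.0/24 source had the same ordering problem, but the /16 makes it worth fixing here by moving the `if ${HAVE_WAN2}` block above the general POSTROUTING rule. The 10.24.20.10 literal on that inner line is also the only address left hard-coded after this commit moved the other one into fw.globals; a `HOST_*` variable there would keep the two rules in step. Expansions such as `-s "${NET_LAN}"` and `-o "${IF_WAN}"` should be quoted so ShellCheck passes clean. The closing brace of `rules()` lies outside the hunk.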
diff --git a/rules/02-kasha-services b/rules/02-kasha-services
index d21ae8a..da0ced0 100644
--- a/rules/02-kasha-services
+++ b/rules/02-kasha-services
@@ -1,11 +1,5 @@
#!/bin/bash
rules() {
-# ssh from lan
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 22 -j ACCEPT
-# dns
- iptables -t filter $flag INPUT -i ${IF_LAN} -p udp -d ${HOST_KASHA} --dport 53 -j ACCEPT
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -d ${HOST_KASHA} --dport 53 -j ACCEPT
-
# avoid having multiple OUTPUT rules
iptables -t filter $flag OUTPUT -o ${IF_LAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}
diff --git a/rules/03-kasha-outbound-connections b/rules/03-kasha-outbound-connections
deleted file mode 100644
index d4d7f6d..0000000
--- a/rules/03-kasha-outbound-connections
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-rules() {
- ntp_ips=( 212.244.36.227 212.244.36.228 )
-# fwtest: 01-ssh_test_via_NAS.sh
- iptables -t filter $flag OUTPUT -o ${IF_LAN} -p tcp -d ${HOST_AMANOJAKU} --dport 22 -j ACCEPT
- iptables -t filter $flag INPUT -i ${IF_LAN} -p tcp -s ${HOST_AMANOJAKU} --sport 22 -j ACCEPT
-# outbound DNS
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p tcp --dport 53 -j ACCEPT
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp --dport 53 -j ACCEPT
-# outbound NTP
- for ntp_server in ${ntp_ips[@]}; do
- iptables -t filter $flag OUTPUT -o ${IF_WAN} -p udp -d ${ntp_server} --dport 123 -j ACCEPT
- done
-
-# i hate having a multitude of stateless INPUT rules
- iptables -t filter $flag INPUT -i ${IF_WAN} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-}
diff --git a/rules/04-kasha-local-connections b/rules/04-kasha-local-connections
deleted file mode 100644
index 118d9d3..0000000
--- a/rules/04-kasha-local-connections
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bah
-rules() {
- for chain in OUTPUT INPUT; do
- for proto in tcp udp; do
- for type in s d; do
- iptables -t filter $flag ${chain} -s 127.0.0.0/8 -d 127.0.0.0/8 -p ${proto} -m ${proto} --${type}port 53 -j ACCEPT;
- done
- done
- done
-}
diff --git a/rules/10-ar-amanojaku b/rules/10-ar-amanojaku
deleted file mode 100644
index e8a3030..0000000
--- a/rules/10-ar-amanojaku
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-rules() {
- :
- # nope, the host is not here.
-# # tcp
-# for port in 22 80 443 14528:14530 20000; do
-# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -p tcp --dport ${port} -j ACCEPT
-# done
-#
-# # udp
-# for port in 60000:60100; do
-# iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -m udp -p udp --dport ${port} -j DNAT --to-destination ${HOST_AMANOJAKU}
-# iptables -t filter $flag FORWARD -i ${IF_WAN} -d ${HOST_AMANOJAKU} -m udp -p udp --dport ${port} -j ACCEPT
-# done
-}
diff --git a/rules/11-pht-forwards b/rules/11-pht-forwards
deleted file mode 100644
index d4b723f..0000000
--- a/rules/11-pht-forwards
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-rules() {
- if ${HAVE_WAN2}; then
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN2} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
- iptables -t nat $flag POSTROUTING -o ${IF_WAN} -d 178.217.184.63 -j SNAT --to-source ${HOST_KASHA_WAN2}
- fi
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 666 -j DNAT --to-destination 10.24.40.1:22
- iptables -t nat $flag PREROUTING -i ${IF_WAN} -d ${HOST_KASHA_WAN} -p tcp --dport 777 -j DNAT --to-destination 10.24.40.1:80
-}