GNU/Weeb Mailing List <[email protected]>
From: Alviro Iskandar Setiawan <[email protected]>
To: Ammar Faizi <[email protected]>,
	Michael William Jonathan <[email protected]>
Cc: Alviro Iskandar Setiawan <[email protected]>,
	GNU/Weeb Mailing List <[email protected]>
Subject: [PATCH server-haj002 v1 1/6] init_net: Allow trusted traffic from/to local addresses
Date: Thu, 13 Jul 2023 17:28:45 +0200
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>

Simplify iptables rules by allowing INPUT traffic from these CIDR
ranges:

ip:
  10.0.0.0/8
  192.168.0.0/16
  172.16.0.0/12

ip6:
  fc00::/7

Also, allow FORWARD from/to them.

Signed-off-by: Alviro Iskandar Setiawan <[email protected]>
---
 init_net.sh | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/init_net.sh b/init_net.sh
index 404e79b..7d21069 100755
--- a/init_net.sh
+++ b/init_net.sh
@@ -41,6 +41,8 @@ $EM sysctl -w net.ipv6.conf.eth0.proxy_ndp=1;
 $EM sysctl -w net.ipv6.conf.eth1p.proxy_ndp=1;
 $EM sysctl -w net.ipv4.ip_forward=1;
 
+$EM iptables -t nat -F;
+$EM iptables -t nat -X;
 $EM iptables -t nat -I PREROUTING -d $IPV4_PUB -j DNAT --to-destination 10.3.3.2;
 $EM iptables -t nat -I OUTPUT -d $IPV4_PUB -j DNAT --to-destination 10.3.3.2;
 $EM iptables -t nat -I POSTROUTING -s 10.3.3.0/24 ! -d 10.3.3.0/24 -j SNAT --to-source $IPV4_PUB;
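Review bot: the new `$EM iptables -t nat -F;` / `$EM iptables -t nat -X;` pair is a behaviour change the commit message does not mention: besides the script's own DNAT/SNAT rules it also wipes the nat chains Docker maintains for published ports and container masquerading, which is presumably why the same patch ends with `service docker restart;`. Please state that dependency in the commit message, and consider restarting docker right after the rules are rebuilt rather than at the very end of the script, since between this flush and the restart the containers have no NAT at all. The flush does fix a real pre-existing problem: with `-I PREROUTING ...` and no flush, every re-run of the script prepended another copy of the DNAT/SNAT rules.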
@@ -51,13 +53,28 @@ iptables -t filter -P FORWARD ACCEPT;
 iptables -t filter -P OUTPUT ACCEPT;
 iptables -t filter -F;
 iptables -t filter -X;
+
+iptables -t filter -N ACCEPT_LOCAL_SRC;
+iptables -t filter -A ACCEPT_LOCAL_SRC -s 10.0.0.0/8 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_SRC -s 192.168.0.0/16 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_SRC -s 172.16.0.0/12 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_SRC -j RETURN;
+
+iptables -t filter -N ACCEPT_LOCAL_DST;
+iptables -t filter -A ACCEPT_LOCAL_DST -d 10.0.0.0/8 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_DST -d 192.168.0.0/16 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_DST -d 172.16.0.0/12 -j ACCEPT;
+iptables -t filter -A ACCEPT_LOCAL_DST -j RETURN;
+
 iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
 iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443,48588 -j ACCEPT;
 iptables -t filter -A INPUT -p icmp -j ACCEPT;
-iptables -t filter -A INPUT -s 10.3.3.0/24 -j ACCEPT;
+iptables -t filter -A INPUT -j ACCEPT_LOCAL_SRC;
 iptables -t filter -A INPUT -i lo -j ACCEPT;
 iptables -t filter -P INPUT DROP;
 
+iptables -t filter -A FORWARD -j ACCEPT_LOCAL_SRC;
+iptables -t filter -A FORWARD -j ACCEPT_LOCAL_DST;
 iptables -t filter -P FORWARD DROP;
 iptables -t filter -P OUTPUT ACCEPT;
 
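Review bot: `iptables -t filter -A FORWARD -j ACCEPT_LOCAL_DST;` accepts any forwarded packet whose destination falls in 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12 regardless of ingress interface, and the first hunk's `PREROUTING -d $IPV4_PUB -j DNAT --to-destination 10.3.3.2` rewrites Internet traffic for the public address into exactly that range before FORWARD is evaluated. Unless a Docker-installed rule ahead of it drops the packet, every port on 10.3.3.2 is therefore reachable from the public IP; if that is the intent, say so in the commit message, otherwise qualify the jump with the internal interface (`-A FORWARD -i <internal-if> -j ACCEPT_LOCAL_DST`) and add an `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` to FORWARD so reply traffic still passes. The INPUT side has the same gap: the old `-s 10.3.3.0/24` rule is replaced by the much wider `ACCEPT_LOCAL_SRC` chain with no `-i` match, so a packet arriving on the public interface with a forged private source address is accepted unless rp_filter or upstream ingress filtering catches it; `-A INPUT -i <internal-if> -j ACCEPT_LOCAL_SRC` closes that. Minor: the trailing `-j RETURN` in both new chains is redundant, because a user-defined chain returns to its caller when it runs out of rules.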
@@ -65,13 +82,20 @@ iptables -t filter -P OUTPUT ACCEPT;
 ip6tables -t filter -P INPUT ACCEPT;
 ip6tables -t filter -P FORWARD ACCEPT;
 ip6tables -t filter -P OUTPUT ACCEPT;
+
 ip6tables -t filter -F;
 ip6tables -t filter -X;
+
 ip6tables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
 ip6tables -t filter -A INPUT -p tcp -m multiport --dports 80,443,48588 -j ACCEPT;
 ip6tables -t filter -A INPUT -p icmpv6 -j ACCEPT;
+ip6tables -t filter -A INPUT -s fc00::/7 -j ACCEPT;
 ip6tables -t filter -A INPUT -i lo -j ACCEPT;
 ip6tables -t filter -P INPUT DROP;
 
+ip6tables -t filter -A FORWARD -s fc00::/7 -j ACCEPT;
+ip6tables -t filter -A FORWARD -d fc00::/7 -j ACCEPT;
 ip6tables -t filter -P FORWARD DROP;
 ip6tables -t filter -P OUTPUT ACCEPT;
+
+service docker restart;
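Review bot: `service docker restart;` is needed because the `-F`/`-X` calls on the nat and filter tables remove Docker's own chains, but nothing in the script or the commit message says so; a one-line comment above it and a sentence in the commit message would spare the next editor from rediscovering that. The IPv6 rules `-A INPUT -s fc00::/7 -j ACCEPT;`, `-A FORWARD -s fc00::/7 -j ACCEPT;` and `-A FORWARD -d fc00::/7 -j ACCEPT;` carry no interface match, so a ULA-sourced packet arriving on the public interface is accepted as if it were internal; adding `-i <internal-if>` to each keeps the trust boundary on the interface rather than on an address the sender chooses. For consistency with the IPv4 half of this patch, which got dedicated `ACCEPT_LOCAL_SRC`/`ACCEPT_LOCAL_DST` chains, the same chain structure would be nicer here. The added blank lines after `-P OUTPUT ACCEPT;` and `-X;` are whitespace-only changes mixed into a functional patch; splitting them out keeps the diff focused.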
-- 
Alviro Iskandar Setiawan

Thread overview: 12+ messages
2023-07-13 15:28 [PATCH server-haj002 v1 0/6] Server update and new service elk.gnuweeb.org Alviro Iskandar Setiawan
2023-07-13 15:28 ` Alviro Iskandar Setiawan [this message]
2023-07-13 15:28 ` [PATCH server-haj002 v1 2/6] mastodon: Enable IPv6 for the masto-net network Alviro Iskandar Setiawan
2023-07-13 15:28 ` [PATCH server-haj002 v1 3/6] mastodon: Fix DNS resolution error Alviro Iskandar Setiawan
2023-07-13 15:28 ` [PATCH server-haj002 v1 4/6] mastodon: Move data directory inside the git project Alviro Iskandar Setiawan
2023-07-13 15:28 ` [PATCH server-haj002 v1 5/6] Add elk server using docker Alviro Iskandar Setiawan
2023-07-13 15:28 ` [PATCH server-haj002 v1 6/6] setup.txt: Add elk setup instructions Alviro Iskandar Setiawan
2023-07-13 15:42 ` [PATCH server-haj002 v1 0/6] Server update and new service elk.gnuweeb.org Ammar Faizi
2023-07-13 16:47   ` Alviro Iskandar Setiawan
2023-07-13 16:54     ` Ammar Faizi
2023-07-14  2:25       ` Michael William Jonathan
2023-07-14 10:32         ` Alviro Iskandar Setiawan