From: Alviro Iskandar Setiawan
To: Ammar Faizi, Michael William Jonathan
Cc: Alviro Iskandar Setiawan, GNU/Weeb Mailing List
Subject: [PATCH server-haj002 v1 1/6] init_net: Allow trusted traffic from/to local addresses
Date: Thu, 13 Jul 2023 17:28:45 +0200
Message-Id: <20230713152850.5565-2-alviro.iskandar@gnuweeb.org>
In-Reply-To: <20230713152850.5565-1-alviro.iskandar@gnuweeb.org>
References: <20230713152850.5565-1-alviro.iskandar@gnuweeb.org>

Simplify iptables rules by allowing INPUT traffic from these CIDR ranges:

ip:
  10.0.0.0/8
  192.168.0.0/16
  172.16.0.0/12

ip6:
  fc00::/7

Also, allow FORWARD from/to them.

Signed-off-by: Alviro Iskandar Setiawan
---
 init_net.sh | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/init_net.sh b/init_net.sh
index 404e79b..7d21069 100755
--- a/init_net.sh
+++ b/init_net.sh
@@ -41,6 +41,8 @@ $EM sysctl -w net.ipv6.conf.eth0.proxy_ndp=1; $EM sysctl -w net.ipv6.conf.eth1p.proxy_ndp=1; $EM sysctl -w net.ipv4.ip_forward=1; +$EM iptables -t nat -F; +$EM iptables -t nat -X; $EM iptables -t nat -I PREROUTING -d $IPV4_PUB -j DNAT --to-destination 10.3.3.2; $EM iptables -t nat -I OUTPUT -d $IPV4_PUB -j DNAT --to-destination 10.3.3.2; $EM iptables -t nat -I POSTROUTING -s 10.3.3.0/24 ! -d 10.3.3.0/24 -j SNAT --to-source $IPV4_PUB; @@ -51,13 +53,28 @@ iptables -t filter -P FORWARD ACCEPT; iptables -t filter -P OUTPUT ACCEPT; iptables -t filter -F; iptables -t filter -X; + +iptables -t filter -N ACCEPT_LOCAL_SRC; +iptables -t filter -A ACCEPT_LOCAL_SRC -s 10.0.0.0/8 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_SRC -s 192.168.0.0/16 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_SRC -s 172.16.0.0/12 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_SRC -j RETURN; + +iptables -t filter -N ACCEPT_LOCAL_DST; +iptables -t filter -A ACCEPT_LOCAL_DST -d 10.0.0.0/8 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_DST -d 192.168.0.0/16 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_DST -d 172.16.0.0/12 -j ACCEPT; +iptables -t filter -A ACCEPT_LOCAL_DST -j RETURN; + iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t filter -A INPUT -p tcp -m multiport --dports 80,443,48588 -j ACCEPT; iptables -t filter -A INPUT -p icmp -j ACCEPT; -iptables -t filter -A INPUT -s 10.3.3.0/24 -j ACCEPT; +iptables -t filter -A INPUT -j ACCEPT_LOCAL_SRC; iptables -t filter -A INPUT -i lo -j ACCEPT; iptables -t filter -P INPUT DROP; +iptables -t filter -A FORWARD -j ACCEPT_LOCAL_SRC; +iptables -t filter -A FORWARD -j ACCEPT_LOCAL_DST; iptables -t filter -P FORWARD DROP; iptables -t filter -P OUTPUT ACCEPT; 
@@ -65,13 +82,20 @@ iptables -t filter -P OUTPUT ACCEPT; ip6tables -t filter -P INPUT ACCEPT; ip6tables -t filter -P FORWARD ACCEPT; ip6tables -t filter -P OUTPUT ACCEPT; + ip6tables -t filter -F; ip6tables -t filter -X; + ip6tables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -t filter -A INPUT -p tcp -m multiport --dports 80,443,48588 -j ACCEPT; ip6tables -t filter -A INPUT -p icmpv6 -j ACCEPT; +ip6tables -t filter -A INPUT -s fc00::/7 -j ACCEPT; ip6tables -t filter -A INPUT -i lo -j ACCEPT; ip6tables -t filter -P INPUT DROP; +ip6tables -t filter -A FORWARD -s fc00::/7 -j ACCEPT; +ip6tables -t filter -A FORWARD -d fc00::/7 -j ACCEPT; ip6tables -t filter -P FORWARD DROP; ip6tables -t filter -P OUTPUT ACCEPT; + +service docker restart; -- Alviro Iskandar Setiawan
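Review bot: the `iptables -t nat -F` / `iptables -t nat -X` pair added in the first hunk (@@ -41,6 +41,8 @@) wipes the entire nat table, not just this script's three DNAT/SNAT rules, so any chains Docker has installed for its containers disappear too; that is presumably why `service docker restart` turns up at the very end of the patch, but neither the commit message nor a comment records the dependency. Either state it next to the flush, or replace the flush with targeted deletes of the script's own rules (`-D` of the PREROUTING/OUTPUT/POSTROUTING lines that follow) so unrelated nat state is left alone.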
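Review bot: in the IPv4 filter hunk (@@ -51,13 +53,28 @@) the new `INPUT -j ACCEPT_LOCAL_SRC` and `FORWARD -j ACCEPT_LOCAL_SRC` rules match on source address alone with no `-i` restriction, so a packet carrying an RFC 1918 source that arrives on the public interface is treated as trusted; the `-s 10.3.3.0/24` rule being replaced had the same shape but covered a far smaller range, and widening it to all three private blocks widens that exposure. Bind the jump to the interface the trusted networks actually sit behind (the script configures eth0 and eth1p; use whichever is internal), for example `iptables -t filter -A INPUT -i <internal-if> -j ACCEPT_LOCAL_SRC`, and consider rp_filter as a backstop. Separately, `FORWARD -j ACCEPT_LOCAL_DST` accepts anything whose destination is private regardless of origin; since the PREROUTING DNAT in the hunk above rewrites traffic for $IPV4_PUB to 10.3.3.2 before FORWARD is consulted, this exposes every port of 10.3.3.2 through the forwarder, not just the 80,443,48588 that INPUT permits on the host itself. Prefer explicit `-d 10.3.3.2 -p tcp -m multiport --dports ...` rules plus a `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` in FORWARD, or make the destination chain also require a local source.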
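Review bot: in the ip6tables hunk (@@ -65,13 +82,20 @@) `INPUT -s fc00::/7 -j ACCEPT` and the two FORWARD rules have the same interface-less matching as the IPv4 side, so the same `-i` restriction applies, and for consistency they could be routed through ACCEPT_LOCAL_SRC/ACCEPT_LOCAL_DST chains as the IPv4 rules now are. The `service docker restart` appended after the ip6tables policy lines has nothing to do with IPv6 and is not mentioned in the commit message; if it is there to let Docker re-create the chains the `-F`/`-X` calls removed, say so in a comment, and note two consequences: Docker re-installs its own FORWARD rules when it starts, so the FORWARD behaviour this script spells out is not the final state, and every run of the script now interrupts running containers.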