libvirt_cloud/roles/ansible-gentoo_install/files/firewall.conf

172 lines
7.1 KiB
Plaintext
Raw Permalink Normal View History

2024-01-05 11:12:55 +00:00
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo
-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Generated by iptables-save v1.8.5 on Wed Nov 4 01:14:37 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted. RELATED?
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
# let dhcp through? - YES
-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
-A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
# -A INPUT -i wlan6 -p udp -j DROP
-A INPUT -i wlan6 -j DROP
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o: --log-uid
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
# st-routers.mcast.net.
-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# gateway
#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Nov 4 01:14:37 2020