# firewall.conf.new.9
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# Debug tap, disabled by the #D# prefix: would log every INPUT packet (with uid)
# as it leaves the mangle table.
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
# LIBVIRT_PRT is declared but has no rules in this table, so the jump is a no-op
# that only keeps the libvirt chain layout in place.
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo - -o wlan6
# let resolve.conf redirect to lo - this rule cannot be removed
# NOTE(review): despite the comment above, both DNS DNAT rules are commented out,
# so port-53 traffic on wlan6 is not redirected by this table at all and is only
# governed by the filter table's OUTPUT rules - confirm that this is intended.
#-A OUTPUT -o wlan6 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
#-A OUTPUT -o wlan6 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53

# .onion mapped addresses redirection to Tor.
# (disabled - ### prefix)
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040

-A POSTROUTING -j LIBVIRT_PRT
# Source NAT for the 10.0.2.0/24 guest network: local multicast and limited
# broadcast are left untouched (RETURN); everything else leaving the subnet is
# masqueraded, with tcp/udp restricted to unprivileged source ports.
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
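*filter
# Default-deny on all three built-in chains; rules below are matched top-down,
# first match wins. Interfaces seen in this table: wlan6 (uplink), virbr1 /
# virbr2 (libvirt bridges, guest network 10.0.2.0/24).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]

#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid

# blocks wlan
# Static per-host blocklist (TCP only - other protocols from these hosts fall
# through to the rules below). The identical list is repeated for LIBVIRT_FWI
# further down; keeping a single copy in a dedicated chain (or an ipset) would
# stop the two lists drifting apart.
-A INPUT -s 217.182.196.70 -p tcp -j DROP
-A INPUT -s 185.213.20.105 -p tcp -j DROP
-A INPUT -s 185.32.222.237 -p tcp -j DROP
-A INPUT -s 92.223.105.174 -p tcp -j DROP
-A INPUT -s 195.201.168.111 -p tcp -j DROP
-A INPUT -s 51.15.115.217 -p tcp -j DROP
-A INPUT -s 89.163.224.33 -p tcp -j DROP
-A INPUT -s 130.193.15.49 -p tcp -j DROP
-A INPUT -s 95.216.19.207 -p tcp -j DROP
-A INPUT -s 176.158.122.84 -p tcp -j DROP
-A INPUT -s 80.66.135.13 -p tcp -j DROP
-A INPUT -s 176.9.118.73 -p tcp -j DROP
-A INPUT -s 109.236.90.209 -p tcp -j DROP
-A INPUT -s 51.79.22.224 -m tcp -p tcp -j DROP
-A INPUT -s 37.191.192.147 -m tcp -p tcp -j DROP
-A INPUT -s 5.1.56.52 -m tcp -p tcp -j DROP
-A INPUT -s 5.39.72.2 -m tcp -p tcp -j DROP
-A INPUT -s 51.38.81.39 -m tcp -p tcp -j DROP
-A INPUT -s 136.243.4.139 -m tcp -p tcp -j DROP
-A INPUT -s 95.211.136.23 -m tcp -p tcp -j DROP

## DROP INVALID
# NOTE(review): the second rule is redundant with the first - anything the
# state match would drop as INVALID the conntrack match has already dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP

## DROP INVALID SYN PACKETS
# Impossible / scan-style TCP flag combinations; kept as explicit rules on top
# of the INVALID drop above.
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

-A INPUT -i lo -j ACCEPT
# NOTE(review): only ESTABLISHED is accepted here, not RELATED; ICMP errors for
# host-initiated connections are presumably meant to come in through the
# explicit icmp ACCEPT rules below - confirm.
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT

# Disabled (#! / #!!) inbound allowances for NTP replies and for whole groups;
# left in place as history.
#!-A INPUT -i wlan6 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -m udp -p udp --sport 123 -m owner --gid-owner 226 -j ACCEPT
#!-A INPUT -i wlan6 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 216 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 1 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 115 -j ACCEPT

### let dhcp through?
#?-A INPUT -p udp --sport 68 -j ACCEPT
#?-A INPUT -p udp --sport 67 -j ACCEPT
# NetBIOS noise from the uplink is dropped explicitly so it never reaches the
# (disabled) catch-all LOG at the end of the chain.
-A INPUT -i wlan6 -p udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp --sport 139 -j DROP
### this is required for outgoing pings
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i virbr1 -p icmp -j ACCEPT
# NOTE(review): the rules below match on the guest's *source* port only. Replies
# to host-initiated connections are already accepted by the ESTABLISHED rule
# above, so what these actually admit is new traffic from the guest that merely
# uses 22/9128/9040/9050/9053/7001 as its source port - any process in the guest
# can choose that. If the intent is to let the guest reach host services,
# matching --dport together with -m conntrack --ctstate NEW is the tighter form;
# confirm the intended direction before changing. Also note 7001 is udp here but
# tcp in the OUTPUT rules further down - one of the two looks like a typo.
-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9040 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 7001 -j ACCEPT

#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
#D#-A INPUT -j DROP
##-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
##-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
# LIBVIRT_INP is empty (all of its rules are commented out below), so anything
# not accepted above falls through to the INPUT policy DROP - unlogged as long
# as the #D# LOG line above stays disabled.
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
#? WHY?!
##-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
##-A OUTPUT -d 10.16.238.0/24 -j ACCEPT
##-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
##-A OUTPUT -d 10.0.2.0/24 -j ACCEPT

# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
# Outbound ssh on the uplink is refused for everyone; it sits above the group
# allow-lists on purpose so that it wins.
-A OUTPUT -o wlan6 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o wlan6 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
# Whole-group allow-lists: any process running under gid 216, 115 or 1 may open
# any outbound connection on wlan6 (all protocols, all ports).
-A OUTPUT -o wlan6 -m owner --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 115 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
# Host -> guest services on virbr1, matched on destination port.
-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT

# blocks virbr1
# Same blocklist as in INPUT, applied to traffic forwarded towards the guests.
-A LIBVIRT_FWI -s 217.182.196.70 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.213.20.105 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.32.222.237 -p tcp -j DROP
-A LIBVIRT_FWI -s 92.223.105.174 -p tcp -j DROP
-A LIBVIRT_FWI -s 195.201.168.111 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.15.115.217 -p tcp -j DROP
-A LIBVIRT_FWI -s 89.163.224.33 -p tcp -j DROP
-A LIBVIRT_FWI -s 130.193.15.49 -p tcp -j DROP
-A LIBVIRT_FWI -s 95.216.19.207 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.158.122.84 -p tcp -j DROP
-A LIBVIRT_FWI -s 80.66.135.13 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.9.118.73 -p tcp -j DROP
-A LIBVIRT_FWI -s 109.236.90.209 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.79.22.224 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 37.191.192.147 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.1.56.52 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.39.72.2 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 51.38.81.39 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 136.243.4.139 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 95.211.136.23 -m tcp -p tcp -j DROP

# Drop any TCP Acknowledgements they are not needed and they trigger the logs
# https://serverfault.com/questions/578735/for-what-is-a-general-allow-ack-rule-in-iptables-good-for
# This creates a hole in the firewall big enough to portscan through;
# nmap even has a flag to do an ACK scan which this rule will permit. Michael Hampton
# -A LIBVIRT_FWI -i wlan6 -m tcp -p tcp --tcp-flags ACK ACK -j DROP

# LOG/REJECT pairs per bridge, mirroring LIBVIRT_FWO below.
# was: -A LIBVIRT_FWI -o virbr1 -j LOG ...  That logged every packet forwarded
# to virbr1 under a REJECT prefix - including the RELATED,ESTABLISHED traffic
# the next rule accepts - while the virbr2 REJECT right after it was never
# logged. The LOG now matches the interface it is paired with.
-A LIBVIRT_FWI -o virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
# Final explicit log-and-drop for OUTPUT (the chain policy would drop anyway,
# but silently).
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
-A OUTPUT -j DROP
COMMIT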
# Completed on Wed Nov 4 01:14:37 2020
# Whonix firewall for wlan6 10.16.238.64 10.16.238.64/24 LIBVIRT_FW=1
# WORKS with Gateway tor - ssh