# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
# firewall.bash.libvirt.9
#
# iptables-restore ruleset (mangle, nat, filter) for a host whose uplink is
# wlan4 (wlan6 also appears) and which carries the libvirt bridges
# virbr1/virbr2.  The filter table is default-DROP on INPUT, FORWARD and
# OUTPUT, so anything not explicitly ACCEPTed below is dropped.
#
# Rule order inside a chain is the order of appearance in this file; the first
# terminating target wins.  Do not reorder lines without re-checking this.
#
# Author's comment markers: "#D#" / "#D" = disabled LOG/DROP debugging rules,
# "#!" = disabled as not needed, "#?" / "#??" = undecided, "#no" = libvirt
# defaults deliberately switched off, "###" = disabled Tor redirect.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
# Only libvirt's POSTROUTING hook is kept in mangle; LIBVIRT_PRT has no rules
# in this table, so the jump is a no-op.
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo - -o wlan4
# let resolve.conf redirect to lo - this rule cannot be removed
# NOTE(review): the two DNS DNAT rules are commented out although the line
# above says the redirect "cannot be removed".  As written, port-53 traffic
# leaving wlan4 is NOT rewritten to the local resolver; it is only passed if a
# filter OUTPUT rule below ACCEPTs it (OUTPUT policy is DROP).  Confirm which
# state is intended.
#-A OUTPUT -o wlan4 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
#-A OUTPUT -o wlan4 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
## Log.
#D-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
# libvirt-style NAT for the 10.0.2.0/24 guest network: multicast and limited
# broadcast are left alone, everything else leaving the subnet is masqueraded
# (TCP/UDP with a restricted source-port range, other protocols unrestricted).
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new-9" --log-uid
# blocks
# Hand-maintained per-source TCP drops.  They sit first so they win even over
# the ESTABLISHED accept further down.
-A INPUT -i wlan6 -s 5.1.56.52 -p tcp -j DROP
-A INPUT -i wlan6 -s 5.39.72.2 -p tcp -j DROP
-A INPUT -i wlan4 -s 37.191.192.147 -p tcp -j DROP
-A INPUT -i wlan4 -s 51.79.22.224 -p tcp -j DROP
# "-m state" is the legacy alias of "-m conntrack"; these two INVALID drops
# are equivalent and the second never matches anything the first did not.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
# Malformed TCP flag combinations (scan / fingerprint probes) dropped early.
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drops non-first fragments.  NOTE(review): conntrack normally reassembles
# before this chain is reached, so this is expected to match rarely; it is
# harmless but likely redundant with the INVALID drops above.
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
# Only ESTABLISHED is accepted here, not RELATED; every other inbound packet
# must be matched by an explicit rule below.
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
# NOTE(review): this accepts every inbound ICMP type on wlan4, not only echo
# replies; if pings are the only requirement, restrict with --icmp-type.
-A INPUT -i wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan4 -p icmp -j ACCEPT
# these are NOT needed
# (the owner match is only valid in OUTPUT/POSTROUTING, so these INPUT rules
# could not be loaded as written anyway)
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j ACCEPT
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j ACCEPT
# these are NOT needed
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 1 -j ACCEPT
# these are NOT needed
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 216 -j ACCEPT
#?# let dhcp through?
#?-A INPUT -p udp --sport 68 -j ACCEPT
#?-A INPUT -p udp --sport 67 -j ACCEPT
# NetBIOS noise from the wlan, matched by source port.  The chain policy would
# drop these anyway; explicit rules keep them visible in the counters.
-A INPUT -i wlan4 -p udp --sport 137 -j DROP
-A INPUT -i wlan4 -p udp --sport 138 -j DROP
-A INPUT -i wlan4 -p udp --sport 139 -j DROP
### this is required for outgoing pings
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i virbr1 -p icmp -j ACCEPT
# NOTE(review): the five virbr1 accepts below match on *source* port only, so
# any packet from the virbr1 side with sport 22/9128/9050/7001/9053 is
# accepted to any local port in any connection state.  Replies to connections
# this host opens (the matching OUTPUT --dport rules further down) are already
# covered by the ESTABLISHED accept; consider whether these are still needed,
# or add --ctstate / --dport restrictions.  9050/9053 are presumably the Tor
# SOCKS/DNS ports of the gateway VM - confirm.
#D#-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
#D#-A INPUT -i virbr1 -p tcp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 7001 -j ACCEPT
#D#-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
# NOTE(review): the terminal LOG/DROP pair for INPUT is disabled.  Unmatched
# inbound packets fall through LIBVIRT_INP (empty, see below) to the chain
# policy DROP, so inbound drops are NOT logged - unlike OUTPUT, which keeps its
# final LOG.  Re-enable the LOG line if inbound visibility is wanted.
#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
#D#-A INPUT -j DROP
-A INPUT -j LIBVIRT_INP
# FORWARD: intra-bridge first, then inbound-to-bridge, then outbound-from-bridge.
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#D#-A OUTPUT -o wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan4 -p icmp -j ACCEPT
#?-A OUTPUT -d 10.16.238.81/24 -j ACCEPT
#?-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
#?-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
#D#-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
#D#-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
# ssh - specifically forbid ssh out the wlan
# This REJECT is deliberately placed before the gid-owner 1/216 ACCEPTs, so
# those groups still cannot reach TCP/22 over wlan4.
-A OUTPUT -o wlan4 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o wlan4 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
# gid 1 and gid 216 get unrestricted egress on wlan4 (any protocol, any port).
# The numeric gids are not explained in this file - confirm which groups they
# are before widening or removing these.
-A OUTPUT -o wlan4 -m owner --gid-owner 1 -j ACCEPT
# necessary and sufficient
-A OUTPUT -o wlan4 -m owner --gid-owner 216 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
# Services this host is allowed to open towards the virbr1 VM (paired with the
# --sport accepts in INPUT above).
#D#-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
#D#-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
# NOTE(review): DHCP client egress (68 -> 67) is disabled; with OUTPUT policy
# DROP it would only pass via one of the owner ACCEPTs above.  Confirm the
# uplink is static (the footer records IP=10.16.238.81) or that the client
# works some other way.
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
# NOTE(review): this first LIBVIRT_FWI LOG matches "-o virbr1" but sits in
# front of the virbr2 REJECT, so it fires for every forwarded packet bound for
# virbr1 - including the RELATED,ESTABLISHED ones the next-but-one rule
# ACCEPTs - with a misleading "REJECT" prefix.  The other LOG/REJECT pairs in
# FWI/FWO are interface-matched, so this looks like it was meant to be
# "-o virbr2"; LOG is non-terminating, so the fix changes only logging.
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
# Outbound from the bridges: virbr2 is rejected outright, virbr1 may originate
# traffic only from 10.0.2.0/24.
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
# Traffic staying on the same bridge is allowed (checked before FWI/FWO).
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed or wanted
# Every LIBVIRT_INP / LIBVIRT_OUT rule is disabled, so both chains are empty
# and the jumps from INPUT and OUTPUT fall straight through to what follows
# them.  In effect the host offers no DNS/DHCP to the bridges via these chains.
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
#no
#no # FixMe:sic this is what libvirt did -i --dport
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
# Terminal log for OUTPUT.  The explicit DROP after it is disabled, but the
# chain policy is DROP, so the net effect is still log-then-drop.
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
#D#-A OUTPUT -j DROP
COMMIT
# Generated Mon 23 Nov 2020 10:02:17 PM UTC
# Whonix firewall for wlan=wlan4 IP=10.16.238.81 NET=10.16.238.81/24 LIBVIRT_FW=1