Reorganize ports for services, rename 'default_ports.conf' to 'ports.conf'.
This commit is contained in:
parent
4967e6549d
commit
c6de143b1e
@ -1,40 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Define Ports for Services
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
# - Web Server Ports
|
|
||||||
# -
|
|
||||||
http_ports="80,443"
|
|
||||||
|
|
||||||
# - FTP Servers Passive Portrange
|
|
||||||
# -
|
|
||||||
ftp_passive_port_range="50000:50400"
|
|
||||||
|
|
||||||
# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
|
|
||||||
# -
|
|
||||||
mail_user_ports="587,465,110,995,143,993"
|
|
||||||
|
|
||||||
# - SSH Ports
|
|
||||||
# -
|
|
||||||
# - comma separated list
|
|
||||||
ssh_ports="22"
|
|
||||||
|
|
||||||
# - VPN Service
|
|
||||||
vpn_ports="1194 1195"
|
|
||||||
|
|
||||||
# - Mumble Server
|
|
||||||
# -
|
|
||||||
mumble_ports="64738"
|
|
||||||
|
|
||||||
# - XyMon Service (usually TCP port 1984)
|
|
||||||
# -
|
|
||||||
# - NOT YET IMPLEMENTED
|
|
||||||
# -
|
|
||||||
xymon_port=1984
|
|
||||||
|
|
||||||
# - Munin Server Port (usually TCP port 4949)
|
|
||||||
# -
|
|
||||||
munin_remote_port="4949"
|
|
@ -6,45 +6,6 @@
|
|||||||
## ----------------------------------------------------------------
|
## ----------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Define Ports for Services
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
# - Web Server Ports
|
|
||||||
# -
|
|
||||||
http_ports="80,443"
|
|
||||||
|
|
||||||
# - FTP Servers Passive Portrange
|
|
||||||
# -
|
|
||||||
ftp_passive_port_range="50000:50400"
|
|
||||||
|
|
||||||
# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
|
|
||||||
# -
|
|
||||||
mail_user_ports="587,465,110,995,143,993"
|
|
||||||
|
|
||||||
# - SSH Ports
|
|
||||||
# -
|
|
||||||
# - comma separated list
|
|
||||||
ssh_ports="22"
|
|
||||||
|
|
||||||
# - VPN Service
|
|
||||||
vpn_ports="1194 1195"
|
|
||||||
|
|
||||||
# - Mumble Server
|
|
||||||
# -
|
|
||||||
mumble_ports="64738"
|
|
||||||
|
|
||||||
# - XyMon Service (usually TCP port 1984)
|
|
||||||
# -
|
|
||||||
# - NOT YET IMPLEMENTED
|
|
||||||
# -
|
|
||||||
xymon_port=1984
|
|
||||||
|
|
||||||
# - Munin Server Port (usually TCP port 4949)
|
|
||||||
# -
|
|
||||||
munin_remote_port="4949"
|
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# --- Prevent bridged traffic getting pushed through the host's iptables rules
|
# --- Prevent bridged traffic getting pushed through the host's iptables rules
|
||||||
# -------------
|
# -------------
|
||||||
@ -456,26 +417,3 @@ kernel_activate_rp_filter=true
|
|||||||
# -
|
# -
|
||||||
kernel_log_martians=false
|
kernel_log_martians=false
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Some further Ports/IP-Address Configuration
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
# - unpriviligierte Ports
|
|
||||||
# -
|
|
||||||
unprivports="1024:65535"
|
|
||||||
|
|
||||||
# - Loopback
|
|
||||||
loopback="127.0.0.0/8"
|
|
||||||
|
|
||||||
# - Private Networks
|
|
||||||
priv_class_a="10.0.0.0/8"
|
|
||||||
priv_class_b="172.16.0.0/12"
|
|
||||||
priv_class_c="192.168.0.0/16"
|
|
||||||
|
|
||||||
# - Multicast Addresse
|
|
||||||
class_d_multicast="224.0.0.0/4"
|
|
||||||
|
|
||||||
# Reserved Addresse
|
|
||||||
class_e_reserved="240.0.0.0/5"
|
|
||||||
|
|
||||||
|
@ -6,21 +6,6 @@
|
|||||||
## ----------------------------------------------------------------
|
## ----------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Some Ports/IP-Address Configuration
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
# - unpriviligierte Ports
|
|
||||||
# -
|
|
||||||
unprivports="1024:65535"
|
|
||||||
|
|
||||||
# unique local address (ULA) - private address block
|
|
||||||
ula_block="fc00::/7"
|
|
||||||
|
|
||||||
# - Loopback
|
|
||||||
loopback="::1/128"
|
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# --- Prevent bridged traffic getting pushed through the host's iptables rules
|
# --- Prevent bridged traffic getting pushed through the host's iptables rules
|
||||||
# -------------
|
# -------------
|
||||||
|
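--- /dev/null
+++ b/conf/ports.conf
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Predefined Ports
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback_ipv6="::1/128"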
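Review bot: `class_e_reserved="240.0.0.0/5"` covers only 240.0.0.0–247.255.255.255, while the reserved Class E block is 240.0.0.0/4 (240.0.0.0–255.255.255.255); because this variable feeds the `-s $class_e_reserved -j DROP` anti-spoof rules in the ipv4 script, packets claiming a source in 248.0.0.0/5 — including 255.255.255.255 — slip past that check. Unless the /5 was chosen deliberately, change it to `class_e_reserved="240.0.0.0/4"` and say so in the comment above it. Separately, `vpn_ports="1194 1195"` is the only space-separated list in this file while `ssh_ports` is documented as comma separated; if these values are presumably handed to `--dports`, the unquoted expansion splits into two arguments, so either use `vpn_ports="1194,1195"` or document why the VPN list has a different format. The comment `# - unpriviligierte Ports` is the one German remnant here and could read `# - unprivileged ports (ephemeral range)`.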
@ -22,7 +22,7 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf"
|
|||||||
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
|
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
|
||||||
|
|
||||||
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
|
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
|
||||||
conf_default_ports=${ipt_conf_dir}/default_ports.conf
|
conf_ports=${ipt_conf_dir}/ports.conf
|
||||||
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
|
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
|
||||||
conf_main=${ipt_conf_dir}/main_ipv6.conf
|
conf_main=${ipt_conf_dir}/main_ipv6.conf
|
||||||
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
|
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
|
||||||
@ -111,10 +111,10 @@ else
|
|||||||
source $conf_logging
|
source $conf_logging
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f "$conf_default_ports" ]]; then
|
if [[ ! -f "$conf_ports" ]]; then
|
||||||
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
|
fatal "Missing configuration for default_ports - file '$conf_ports'"
|
||||||
else
|
else
|
||||||
source $conf_default_ports
|
source $conf_ports
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f "$conf_interfaces" ]]; then
|
if [[ ! -f "$conf_interfaces" ]]; then
|
||||||
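Review bot: The `fatal` message still names the file that this commit removes: it should read `fatal "Missing configuration for ports - file '$conf_ports'"` so an operator is not sent looking for a default_ports.conf that no longer exists. While touching the line, `source "$conf_ports"` should be quoted like the `[[ ! -f "$conf_ports" ]]` test above it; `ipt_conf_dir` is assigned outside this hunk, and an unquoted expansion would word-split a path containing spaces. The surrounding if/else chain continues past the end of the hunk.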
@ -619,25 +619,25 @@ done
|
|||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
if $log_spoofed || $log_all ; then
|
if $log_spoofed || $log_all ; then
|
||||||
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||||
$ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||||
$ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||||||
$ip6t -A INPUT -i $_dev -s $loopback -j DROP
|
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
||||||
$ip6t -A FORWARD -i $_dev -s $loopback -j DROP
|
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Don't allow spoofing from that server
|
# Don't allow spoofing from that server
|
||||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||||||
$ip6t -A OUTPUT -o $_dev -s $loopback -j DROP
|
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||||||
$ip6t -A FORWARD -o $_dev -s $loopback -j DROP
|
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
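Review bot: The rename of `$loopback` to `$loopback_ipv6` in these rules is only safe if no reference to the old name survives elsewhere in the script, which this hunk cannot show; since ports.conf now defines `loopback_ipv4` and `loopback_ipv6` but no `loopback`, a leftover `-s $loopback` would expand to `-s -j DROP` and ip6tables would almost certainly reject that rule instead of installing the intended anti-spoof drop. A cheap guard is to assert the new names right after the config is sourced, e.g. `: "${loopback_ipv6:?loopback_ipv6 not set in ports.conf}"` and `: "${ula_block:?ula_block not set in ports.conf}"`, so a missing or stale definition aborts the script rather than silently weakening the ruleset. The same check belongs in the ipv4 script for `loopback_ipv4`.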
@ -22,7 +22,7 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf"
|
|||||||
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
|
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
|
||||||
|
|
||||||
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
|
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
|
||||||
conf_default_ports=${ipt_conf_dir}/default_ports.conf
|
conf_ports=${ipt_conf_dir}/ports.conf
|
||||||
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
|
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
|
||||||
conf_main=${ipt_conf_dir}/main_ipv4.conf
|
conf_main=${ipt_conf_dir}/main_ipv4.conf
|
||||||
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
|
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
|
||||||
@ -111,10 +111,10 @@ else
|
|||||||
source $conf_logging
|
source $conf_logging
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f "$conf_default_ports" ]]; then
|
if [[ ! -f "$conf_ports" ]]; then
|
||||||
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
|
fatal "Missing configuration for default_ports - file '$conf_ports'"
|
||||||
else
|
else
|
||||||
source $conf_default_ports
|
source $conf_ports
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f "$conf_interfaces" ]]; then
|
if [[ ! -f "$conf_interfaces" ]]; then
|
||||||
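Review bot: The `fatal` message on the changed line still refers to `default_ports`, the file this commit deletes; it should read `fatal "Missing configuration for ports - file '$conf_ports'"` so the error points at the file that actually has to exist. Also quote the source line as `source "$conf_ports"` to match the quoted `-f` test two lines up, since `ipt_conf_dir` is set outside this hunk and is not guaranteed to be free of spaces. The if/else chain this hunk sits in continues beyond the hunk boundary.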
@ -779,7 +779,7 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
||||||
$ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
||||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
||||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
||||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
||||||
@ -788,7 +788,7 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
|
||||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
|
||||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
|
||||||
$ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
|
||||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
|
||||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
|
||||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
|
||||||
@ -801,7 +801,7 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
# Retfuse packets claiming to be from a Class C private network.
|
# Retfuse packets claiming to be from a Class C private network.
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
|
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
|
||||||
# Refuse packets claiming to be from loopback interface.
|
# Refuse packets claiming to be from loopback interface.
|
||||||
$ipt -A INPUT -i $_dev -s $loopback -j DROP
|
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
|
||||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
|
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
|
||||||
# Refuse Class E reserved IP addresses.
|
# Refuse Class E reserved IP addresses.
|
||||||
@ -816,7 +816,7 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
# Refuse packets claiming to be from a Class C private network.
|
# Refuse packets claiming to be from a Class C private network.
|
||||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
|
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
|
||||||
# Refuse packets claiming to be from loopback interface.
|
# Refuse packets claiming to be from loopback interface.
|
||||||
$ipt -A FORWARD -i $_dev -s $loopback -j DROP
|
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
|
||||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
|
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
|
||||||
# Refuse Class E reserved IP addresses.
|
# Refuse Class E reserved IP addresses.
|
||||||
@ -836,14 +836,14 @@ done
|
|||||||
# quench to the loopback.
|
# quench to the loopback.
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
if $log_to_lo || $log_all ; then
|
if $log_to_lo || $log_all ; then
|
||||||
$ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
$ipt -A INPUT -i $_dev -d $loopback -j DROP
|
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -d $loopback -j DROP
|
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -857,23 +857,23 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
||||||
$ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
$ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
$ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
$ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
|
||||||
$ipt -A FORWARD -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $loopback -j DROP
|
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
|
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
|
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
|
||||||
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
|
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
|
||||||
$ipt -A FORWARD -o $_dev -s $loopback -j DROP
|
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|