User:Djgera/papucho


Software configuration

iptables

/etc/iptables/iptables.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Source NAT for the three client networks (access point 172.16.93.0/28 and the
# two OpenVPN tunnels 10.6.93.0/28 / 10.17.93.0/28) when their traffic leaves
# via net0: it appears on the wired side as this host, 192.168.91.3.
# Destinations inside the wired LAN (192.168.91.0/28) are excluded, so LAN hosts
# see the client's real 172.16.93.x / 10.x.93.x address and must have a return
# route for those prefixes via 192.168.91.3 (presumably static routes on the
# LAN hosts or gateway; not shown on this page -- confirm).
# The commented line is the old variant of the 10.6.93.0/28 rule without the
# LAN exclusion.
-A POSTROUTING -s 172.16.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
#-A POSTROUTING -s 10.6.93.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.6.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3
-A POSTROUTING -s 10.17.93.0/28 ! -d 192.168.91.0/28 -o net0 -j SNAT --to-source 192.168.91.3

COMMIT


*filter
# Default policies: nothing in or through this host unless explicitly allowed;
# locally generated traffic is unrestricted (every OUTPUT rule below is
# commented out).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- INPUT: stateful baseline ---
# Drop what conntrack cannot classify, then accept replies to flows this host
# already has state for so the per-service rules below only see new flows.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -i net0.7 -j ACCEPT
#-A INPUT -i ppp0 -j ACCEPT

# Echo requests are answered on every interface (net0, ap1, tun6, tun17) and
# from any source; no rate limit is applied.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Link-layer multicast on the wired LAN (e.g. service discovery) is accepted
# without a source or port restriction.
-A INPUT -i net0 -m pkttype --pkt-type multicast -j ACCEPT

# --- INPUT from the wired LAN (net0, 192.168.91.0/28) ---
# Services are opened per source host rather than per subnet: .2, .4 and .6 get
# SSH (22) and 445; HTTP (80) only .2 and .4; SNMP (161/udp) and NFS (2049)
# only .2. Adding a host means adding a line to each group.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p udp -m udp --dport 161 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT


# OpenVPN listeners (see the server configs further down: tcp4-server on tun6,
# udp4 on tun17, both on 1194). Only sources OUTSIDE the wired LAN arriving on
# net0 may connect, i.e. connections forwarded in from upstream; LAN hosts are
# excluded by the "! -s" (presumably intentional). The commented LOG lines can
# be re-enabled to audit connection attempts before they are accepted.
#-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -j LOG
-A INPUT ! -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 1194 -j ACCEPT
#-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -j LOG
-A INPUT ! -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 1194 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 2049 -j ACCEPT

# 5901 (conventionally VNC display :1) for .2/.4/.6; 5001 tcp+udp for the whole
# LAN and 9091 for .2/.4/.6 are local services not identified on this page.
-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 192.168.91.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 192.168.91.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 192.168.91.2/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.91.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT

# Port 55555 is marked NOTRACK in the raw table below, so its packets can never
# match RELATED,ESTABLISHED; these explicit accepts (any source, destination
# this host's LAN address) are what lets that untracked traffic in.
-A INPUT -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j ACCEPT
-A INPUT -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j ACCEPT


# --- INPUT from 172.16.92.0/28, also arriving on net0 ---
# A second prefix on the wired segment (its origin is not shown on this page);
# hosts .4 and .6 get the same per-host service set as the LAN hosts above.
-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.92.0/28 -i net0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.92.0/28 -i net0 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.92.4/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.92.6/32 -i net0 -p tcp -m tcp --dport 9091 -j ACCEPT


# --- INPUT from the access point (ap1, 172.16.93.0/28) ---
# Same per-host pattern for .4 and .6. Additionally: multicast, and DHCP
# (client port 68 -> server port 67) from any AP client, so this host can act
# as the DHCP server on ap1.
-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 22 -j ACCEPT


-A INPUT -i ap1 -m pkttype --pkt-type multicast -j ACCEPT

-A INPUT -i ap1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT

-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 172.16.93.0/28 -i ap1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 172.16.93.0/28 -i ap1 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 172.16.93.4/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 172.16.93.6/32 -i ap1 -p tcp -m tcp --dport 9091 -j ACCEPT


# --- INPUT from the TCP OpenVPN tunnel (tun6, 10.6.93.0/28) ---
# .4 and .6 match the ccd-tcp entries below (netbook / android). 10.6.93.8 has
# SSH access here but no ccd file on this page -- presumably a third client
# whose entry is not shown; verify it is still needed.
-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.6.93.8/32 -i tun6 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.6.93.0/28 -i tun6 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.6.93.0/28 -i tun6 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.6.93.4/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.6.93.6/32 -i tun6 -p tcp -m tcp --dport 9091 -j ACCEPT

# --- INPUT from the UDP OpenVPN tunnel (tun17, 10.17.93.0/28) ---
# .4 and .6 match the ccd-udp entries below.
-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 10.17.93.0/28 -i tun17 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 10.17.93.0/28 -i tun17 -p udp -m udp --dport 5001 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 5901 -j ACCEPT

-A INPUT -s 10.17.93.4/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 10.17.93.6/32 -i tun17 -p tcp -m tcp --dport 9091 -j ACCEPT

# Everything else is actively refused rather than silently dropped: TCP gets a
# RST, UDP an ICMP port-unreachable, anything else protocol-unreachable. The
# final unconditional REJECT means the INPUT DROP policy is never reached.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Disabled: per-weekday morning blackout for a single AP client (172.16.93.8).
# NOTE(review): if these are ever re-enabled, "Wen" is not a weekday name the
# time match accepts -- the abbreviation is "Wed".
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 05:00:00 --timestop 12:00:00 --weekdays Mon -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Tue -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 05:20:00 --timestop 12:00:00 --weekdays Wen -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Thu -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 05:40:00 --timestop 12:00:00 --weekdays Fri -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Sat -j DROP
#-A FORWARD -s 172.16.93.8/32 -i ap1 -o net0 -m time --timestart 06:30:00 --timestop 12:00:00 --weekdays Sun -j DROP

# --- FORWARD: routing between segments ---
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# The wired LAN may initiate connections into both tunnels and the AP network
# (any port); the SNAT exclusion in the nat table keeps their addresses intact.
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun6 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o tun17 -j ACCEPT
-A FORWARD -s 192.168.91.0/28 -i net0 -o ap1 -j ACCEPT

# AP clients and VPN clients may reach net0 (the LAN and, via the LAN gateway,
# beyond). There is no rule for ap1<->tun or tun6<->tun17, so clients on
# different segments cannot initiate connections to each other through this
# host; such traffic falls through to the REJECTs below.
-A FORWARD -s 172.16.93.0/28 -i ap1 -o net0 -j ACCEPT

-A FORWARD -s 10.6.93.0/28 -i tun6 -o net0 -j ACCEPT
-A FORWARD -s 10.17.93.0/28 -i tun17 -o net0 -j ACCEPT

-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-proto-unreachable

# Disabled: the same weekday blackout applied to locally generated traffic of
# uid 1001 (owner match). Same "Wen" vs "Wed" caveat as above.
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 05:00:00 --timestop 12:00:00 --weekdays Mon -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Tue -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 05:20:00 --timestop 12:00:00 --weekdays Wen -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Thu -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 05:40:00 --timestop 12:00:00 --weekdays Fri -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 06:00:00 --timestop 12:00:00 --weekdays Sat -j DROP
#-A OUTPUT -o net0 -m owner --uid-owner 1001 -m time --timestart 06:30:00 --timestop 12:00:00 --weekdays Sun -j DROP


COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exempt port 55555 (both directions, wired interface only) from connection
# tracking. These flows never consume conntrack table entries, but they also
# never become ESTABLISHED -- the filter table therefore carries explicit
# INPUT accepts for 55555 instead of relying on its RELATED,ESTABLISHED rule.
-A PREROUTING -d 192.168.91.3/32 -i net0 -p tcp -m tcp --dport 55555 -j CT --notrack
-A PREROUTING -d 192.168.91.3/32 -i net0 -p udp -m udp --dport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p tcp -m tcp --sport 55555 -j CT --notrack
-A OUTPUT -s 192.168.91.3/32 -o net0 -p udp -m udp --sport 55555 -j CT --notrack
COMMIT

openvpn-udp (SERVER)

/etc/openvpn/server/djgera-udp.conf
# OpenVPN server instance over UDP. Matches the firewall above: udp/1194
# accepted on net0, tunnel interface tun17, client subnet 10.17.93.0/28.
port 1194
proto udp4
dev tun17

# Server identity; paths are relative to the daemon's working directory
# (presumably /etc/openvpn/server -- confirm against the service unit).
ca ca.crt
cert djgera.crt
key djgera.key

# No finite-field DH parameters: key exchange is ECDHE only, which is all the
# single pinned cipher suite below can use.
dh none

# Control channel: TLS 1.2 minimum, one ECDHE-ECDSA suite -- so every peer
# certificate (server and clients) must be ECDSA-signed for the handshake to
# succeed.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# Data channel: cipher negotiation off, AES-256-GCM pinned on both ends.
# NOTE(review): ncp-disable is deprecated in newer OpenVPN releases in favour
# of data-ciphers; check the installed version before relying on it.
ncp-disable
cipher AES-256-GCM

# Peers must present a certificate marked for client use; a leaked server
# certificate cannot be used to connect as a client.
remote-cert-tls client

# Hand-written equivalent of the usual server setup: this host is 10.17.93.3,
# clients use the same /28 (topology subnet) and are told to route via .3.
# There is no ifconfig-pool, so a client without a client-config-dir entry
# presumably cannot be assigned an address -- every client needs a ccd file.
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.17.93.3 255.255.255.240
route-gateway 10.17.93.3
push "route-gateway 10.17.93.3"

# Ping the peer every 10 s; restart the tunnel after 120 s without traffic.
keepalive 10 120

# Pre-shared key that encrypts and authenticates the control channel: the TLS
# handshake is hidden from passive observers and unauthenticated packets are
# discarded before any TLS processing.
tls-crypt tc.key

# NOTE(review): compressing tunnel traffic exposes it to compression-oracle
# attacks; current OpenVPN guidance is to leave compression off. Both server
# and client configs on this page enable it, so they must be changed together.
compress lzo

# Keep key material and the tun device across restarts, which matters if the
# daemon later runs with reduced privileges. NOTE(review): no user/group
# directives appear here, so unless the service unit drops privileges the
# daemon keeps running as root after startup -- confirm.
persist-key
persist-tun

verb 3

# Give clients a route to the wired LAN; per-client settings (fixed addresses)
# live in the ccd-udp directory, see the two files below.
push "route 192.168.91.0 255.255.255.240"
client-config-dir ccd-udp
/etc/openvpn/server/ccd-udp/djgera-android
# Fixed tunnel address for the "djgera-android" client certificate on the UDP
# instance; this is the 10.17.93.6 host the firewall opens services for on tun17.
ifconfig-push 10.17.93.6 255.255.255.240
/etc/openvpn/server/ccd-udp/djgera-netbook
# Fixed tunnel address for the "djgera-netbook" client certificate on the UDP
# instance; this is the 10.17.93.4 host the firewall opens services for on tun17.
ifconfig-push 10.17.93.4 255.255.255.240

openvpn-tcp (SERVER)

/etc/openvpn/server/djgera-tcp.conf
# OpenVPN server instance over TCP (for clients that must go through an HTTP
# proxy, see djgera-netbook-tcp.conf). Matches the firewall above: tcp/1194
# accepted on net0, tunnel interface tun6, client subnet 10.6.93.0/28.
port 1194
proto tcp4-server
dev tun6

# Server identity; same certificate files as the UDP instance. Paths are
# relative to the daemon's working directory (presumably /etc/openvpn/server
# -- confirm against the service unit).
ca ca.crt
cert djgera.crt
key djgera.key

# No finite-field DH parameters: key exchange is ECDHE only, which is all the
# single pinned cipher suite below can use.
dh none

# Control channel: TLS 1.2 minimum, one ECDHE-ECDSA suite -- so every peer
# certificate (server and clients) must be ECDSA-signed.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# Data channel: cipher negotiation off, AES-256-GCM pinned on both ends.
# NOTE(review): ncp-disable is deprecated in newer OpenVPN releases in favour
# of data-ciphers; check the installed version before relying on it.
ncp-disable
cipher AES-256-GCM

# Peers must present a certificate marked for client use.
remote-cert-tls client

# Hand-written equivalent of the usual server setup: this host is 10.6.93.3,
# clients use the same /28 (topology subnet) and are told to route via .3.
# No ifconfig-pool, so every client presumably needs a ccd entry to get an
# address.
mode server
tls-server
topology subnet
push "topology subnet"
ifconfig 10.6.93.3 255.255.255.240
route-gateway 10.6.93.3
push "route-gateway 10.6.93.3"

# Ping the peer every 10 s; restart the tunnel after 120 s without traffic.
keepalive 10 120

# Pre-shared key that encrypts and authenticates the control channel; the
# same tc.key is referenced by the client configs on this page.
tls-crypt tc.key

# NOTE(review): compressing tunnel traffic exposes it to compression-oracle
# attacks; current OpenVPN guidance is to leave compression off. Server and
# client configs must be changed together.
compress lzo

# Keep key material and the tun device across restarts. NOTE(review): no
# user/group directives here, so unless the service unit drops privileges the
# daemon keeps running as root -- confirm.
persist-key
persist-tun

verb 3

# Give clients a route to the wired LAN; fixed client addresses live in the
# ccd-tcp directory, see the two files below.
push "route 192.168.91.0 255.255.255.240"
client-config-dir ccd-tcp
/etc/openvpn/server/ccd-tcp/djgera-android
# Fixed tunnel address for the "djgera-android" client certificate on the TCP
# instance; this is the 10.6.93.6 host the firewall opens services for on tun6.
ifconfig-push 10.6.93.6 255.255.255.240
/etc/openvpn/server/ccd-tcp/djgera-netbook
# Fixed tunnel address for the "djgera-netbook" client certificate on the TCP
# instance; this is the 10.6.93.4 host the firewall opens services for on tun6.
ifconfig-push 10.6.93.4 255.255.255.240

openvpn-udp (CLIENT)

djgera-android-udp.conf
# Client side of the UDP instance (djgera-udp.conf). Server address is a
# placeholder; the server itself listens on 1194, so port 8080 implies a
# port forward or translation upstream of the server -- confirm.
client

dev tun

proto udp4
remote <HOST>
port 8080

# Do not bind a fixed local port.
nobind

# Keep key material and the tun device across restarts/reconnects.
persist-key
persist-tun

# Must mirror the server exactly: TLS 1.2 minimum, the single ECDHE-ECDSA
# suite (ECDSA certificates required on both sides), negotiation off,
# AES-256-GCM pinned. NOTE(review): ncp-disable is deprecated in newer
# OpenVPN releases in favour of data-ciphers.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ncp-disable
cipher AES-256-GCM

# Only accept a peer certificate marked for server use, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server

# NOTE(review): compression is a compression-oracle risk; current OpenVPN
# guidance is to disable it. Must be changed together with the server config.
compress lzo

# Same pre-shared control-channel key as the server.
tls-crypt tc.key

# This client's identity (djgera-android); the server pins 10.17.93.6 to it.
ca ca.crt
cert djgera-android.crt
key djgera-android.key

openvpn-tcp (CLIENT)

djgera-netbook-tcp.conf
# Client side of the TCP instance (djgera-tcp.conf), reached through an HTTP
# proxy. TCP is required here: http-proxy only works with a TCP transport.
# Server address and proxy are placeholders; the server listens on 1194, so
# port 8080 implies a port forward or translation upstream -- confirm.
client

dev tun

proto tcp4-client
remote <HOST>
port 8080
http-proxy <PROXY> 80

# Do not bind a fixed local port.
nobind

# Keep key material and the tun device across restarts/reconnects.
persist-key
persist-tun

# Must mirror the server exactly: TLS 1.2 minimum, the single ECDHE-ECDSA
# suite (ECDSA certificates required on both sides), negotiation off,
# AES-256-GCM pinned. NOTE(review): ncp-disable is deprecated in newer
# OpenVPN releases in favour of data-ciphers.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ncp-disable
cipher AES-256-GCM

# Only accept a peer certificate marked for server use, so another client's
# certificate cannot be used to impersonate the server.
remote-cert-tls server

# NOTE(review): compression is a compression-oracle risk; current OpenVPN
# guidance is to disable it. Must be changed together with the server config.
compress lzo

# Same pre-shared control-channel key as the server.
tls-crypt tc.key

# This client's identity (djgera-netbook); the server pins 10.6.93.4 to it.
ca ca.crt
cert djgera-netbook.crt
key djgera-netbook.key