{"id":1680,"date":"2019-01-21T12:41:41","date_gmt":"2019-01-21T09:41:41","guid":{"rendered":"http:\/\/surgery.moscow\/smos\/?p=1680"},"modified":"2019-01-21T15:37:02","modified_gmt":"2019-01-21T12:37:02","slug":"ip-tables-%d0%bf%d1%80%d0%b8%d0%bc%d0%b5%d1%80","status":"publish","type":"post","link":"https:\/\/surgery.moscow\/smos\/2019\/01\/21\/ip-tables-%d0%bf%d1%80%d0%b8%d0%bc%d0%b5%d1%80\/","title":{"rendered":"ip tables \u043f\u0440\u0438\u043c\u0435\u0440"},"content":{"rendered":"\n\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u043f\u0440\u0438\u043c\u0435\u0440 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043a IP \u0442\u0430\u0431\u043b\u0438\u0446 \u0434\u043b\u044f \u0440\u0430\u0437\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0432\u0445\u043e\u0434\u044f\u0449\u0435\u0433\u043e \u0438 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0435\u0433\u043e \u0442\u0440\u0430\u0444\u0438\u043a\u0430 \u043d\u0430 \u0434\u0432\u0430 \u043a\u0430\u043d\u0430\u043b\u0430, \u043e\u0434\u0438\u043d \u043a\u0430\u043d\u0430\u043b \u0434\u043b\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432 (8) \u0442\u0435\u043b\u0435\u0444\u043e\u043d\u0438\u0438 (10), \u0442\u0430\u043a-\u0436\u0435 \u0432 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043d\u043e\u0439 \u0441\u0435\u0442\u0438 \u0435\u0441\u0442\u044c \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0438\u043c\u0435\u044e\u0449\u0438\u0445 \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u043d\u044b\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0432 \u0441\u0435\u0440\u0444\u0438\u043d\u0433\u0443 \u043f\u043e \u043f\u0440\u043e\u0441\u0442\u043e\u0440\u0430\u043c \u0438\u043d\u0435\u0442\u0440\u0435\u043d\u0435\u0442\u0430 \n
\n#!\/bin\/sh\n
\nIPTABLES=\/sbin\/iptables\n
MODPROBE=\/sbin\/modprobe\n
INT_NET_WAN=xxx.xxx.xxx.xxx\/24\n
INT_NET_8=xxx.xxx.xxx.xxx\/24\n
INT_NET_10=xxx.xxx.xxx.xxx\/24\n
IP_WAN=xxx.xxx.xxx.xxx\n
IP_LAN_8=xxx.xxx.xxx.xxx\n
IP_LAN_10=xxx.xxx.xxx.xxx\n
PRIVATE_LOCAL_IP=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx# ip adresses for directors\n
\n
INTERFACE_WAN=eth5\n
INTERFACE_LAN_8=eth0\n
INTERFACE_LAN_10=eth1\n
\nUNPRIVPORTS=1024:65535\t #\u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0438\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u043f\u043e\u0440\u0442\u044b\n
\nANYWHERE=any\/0 \t\t #\u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u0430\u0434\u0440\u0435\u0441\n
MSSQL_LOCAL_SERVER=xxx.xxx.xxx.137\n
HTTPD_MS_LOCAL_SERVER=xxx.xxx.xxx.137\n\n
TEL_IP=xxx.xxx.xxx.0\/27,xxx.xxx.xxx.0\/24\n

\n#whatsApp PORTS tcp 5222;443; udp 3478\nWHATSAPP_IP=31.13.81.48,31.13.81.53,157.240.20.51,31.13.84.48\n

\n# viber ports TCP 443 ( ? and UDP: 5242 4244 5243) \nVIBER_IP=178.162.219.152,151.101.112.233,77.88.21.90,35.210.148.251,77.88.21.90,87.250.247.182,18.201.7.5,18.201.5.105,18.201.7.4,74.125.232.246,64.233.162.95,209.85.233.95,\n

\n# 185.170.204.91 — platforma.ofd , ports 21101\nPLATFORMAOFD_IP=185.170.204.91\n

\n# 194.186.207.162 sberbank pinpad ports 670 (650 , 666, 670)\nSBER_PINPAD_IP=194.186.207.162,194.54.14.89,194.54.14.62\n

\n# \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u043d\u044b\u0435 \u0433\u0440\u0443\u043f\u043f\u044b \u0434\u043e\u043c\u0435\u043d\u043d\u044b\u0445 \u0438\u043c\u0435\u043d\nHTTPS_allow_sites=surgstore.ru, surgery.moscow\n

\nHTTPS_allow_sites_yandex=yandex.ru,yandex.net\n

\nHTTPS_allow_sites_google=www.google.com,google.com,maps.google.com,maps.gstatic.com,ssl.gstatic.com,fonts.gstatic.com,www.gstatic.com,clients1.google.com,tools.google.com,google.ru,csi.gstatic.com,google-analytics.com,tools.google.com\n

\nHTTPS_allow_sites_wiki=upload.wikimedia.org,wikimedia.org,ru.wikipedia.org,meta.wikimedia.org,login.wikimedia.org,www.wikidata.org,wikipedia.org,ru.wikipedia.org,wikimedia.org,ru.wikimedia.org,wikibooks.org,ru.wikibooks.org,wikidata.org\n

\nHTTPS_allow_sites_sber=online.sberbank.ru,stat.online.sberbank.ru,sberbank.ru\n

\n## existing rules and set chain policy setting to DROP\n
echo «[+] Flushing existing iptables rules…»\n
$IPTABLES -F\n
$IPTABLES -F -t nat\n
$IPTABLES -X\n
$IPTABLES -P INPUT DROP\n
$IPTABLES -P OUTPUT DROP\n
$IPTABLES -P FORWARD DROP\n
### load connection-tracking modules\n
$MODPROBE ip_conntrack\n
$MODPROBE iptable_nat\n
$MODPROBE ip_conntrack_ftp\n
$MODPROBE ip_nat_ftp\n\n

\n
###### INPUT chain ######\n
echo «[+] Setting up INPUT chain…»\n
#### interface lo accept\n
$IPTABLES -A INPUT -i lo -j ACCEPT\n\n

\n
### local dns rules \n
\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $IP_LAN_8 —dport 53 -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $IP_LAN_8 —dport 53 -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 -d $IP_LAN_10 —dport 53 -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 -d $IP_LAN_10 —dport 53 -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -d $IP_WAN —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN —dport 53 -m state —state NEW -j ACCEPT\n\n\n##################\n

\n### for HTTP from Internet to local server i think is nesesery \n$IPTABLES -A INPUT -i $INTERFACE_WAN -p tcp -d $IP_WAN —dport 80 -j ACCEPT\n\n

\necho «[+] Setting up INPUT SAMBA chain…»\n### samba rules \n

\n$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 -d $INT_NET_8 —dport 137:138 -j ACCEPT\n
\n$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 —dport 445 -j ACCEPT\n
\n$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 —dport 139 -j ACCEPT\n

\n##### SQL rules\n# for local users from INT_NET_8\n
\n$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 —dport 3389 -j ACCEPT # RDP\n
\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 -m state —state ESTABLISHED,RELATED —dport 3306 -j ACCEPT # MySql\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 —dport 80 -j ACCEPT #http yum\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 -d $INT_NET_8 —dport 21 -j ACCEPT # yum ftp\n

\n##### http rules\n# for local users from INT_NET_8\n\n### local dhcpd rules\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -d $IP_LAN_8 —dport 67:69 -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -d $IP_LAN_10 —dport 67:69 -j ACCEPT\n
#dhcp for wan \n
$IPTABLES -A INPUT -i $INTERFACE_WAN -p udp -s $INT_NET_WAN -d $IP_WAN —dport 67:69 -j ACCEPT\n
#$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp -s $INT_NET_8 —sport 137:139 —dport 137:139 -j ACCEPT\n\n
$IPTABLES -A INPUT -p udp —dport 67:69 -m state —state NEW -j ACCEPT\n\n

### proxy enable \n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 —dport 3128 -j ACCEPT \n\n
### gpg port\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 —dport 11371 -j ACCEPT #gpg port\n\n
### ACCEPT rules\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 —dport 22 —syn -m state —state NEW -j ACCEPT\n\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p tcp -s $INT_NET_10 —dport 22 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A INPUT -p icmp —icmp-type echo-request -j ACCEPT\n\n\n

### Accept rules for bank\n\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 —dport 443 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p tcp -s $INT_NET_8 —dport 9443:9452 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 -p udp —dport 123 -m state —state NEW -j ACCEPT\n$IPTABLES -A INPUT -i $INTERFACE_LAN_10 -p udp -s $INT_NET_10 —dport 123 -m state —state NEW -j ACCEPT\n#######################\n\n

### state tracking rules\n
#$IPTABLES -A INPUT -m state —state INVALID -j LOG —log-prefix «DROP INVALID » —log-ip-options —log-tcp-options\n
#$IPTABLES -A INPUT -m state —state INVALID -j DROP\n
$IPTABLES -A INPUT -i $INTERFACE_WAN -m state —state ESTABLISHED,RELATED -j ACCEPT\n\n
$IPTABLES -A INPUT -p tcp —dport 53 -j ACCEPT\n
$IPTABLES -A INPUT -p udp —dport 53 -j ACCEPT\n### anti-spoofing rules\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG —log-prefix «SPOOFED PKT »\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG —log-prefix «SPOOFED PKT »\n
$IPTABLES -A INPUT -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP\n\n\n

### default INPUT LOG rule\n
$IPTABLES -A INPUT ! -i lo -j LOG —log-prefix «DROP-I » —log-ip-options —log-tcp-options\n
$IPTABLES -A INPUT ! -i lo -j DROP\n\n
###### OUTPUT chain ######\n
echo «[+] Setting up OUTPUT chain…»\n
### state tracking rules\n
$IPTABLES -A OUTPUT -o lo -j ACCEPT\n\n
### rules for OUTPUT packets\n
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp —dport 80 -j ACCEPT # out packet to wan\n
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -s $IP_WAN -p tcp —dport 443 -j ACCEPT # out packet to wan\n\n
###############\n\n
$IPTABLES -A OUTPUT -m state —state INVALID -j LOG —log-prefix «DROP INVALID » —log-ip-options —log-tcp-options\n
$IPTABLES -A OUTPUT -m state —state INVALID -j DROP\n\n
#$IPTABLES -A OUTPUT -m state —state ESTABLISHED,RELATED -j LOG —log-prefix «out_est » —log-ip-options —log-tcp-options\n
$IPTABLES -A OUTPUT -m state —state ESTABLISHED,RELATED -j ACCEPT\n\n\n

### ACCEPT rules for allowing connections out\n\n
$IPTABLES -A OUTPUT -p tcp —dport 21 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -p tcp —dport 22 -s $INT_NET_8 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -p tcp —dport 25 —syn -m state —state NEW -j ACCEPT\n$IPTABLES -A OUTPUT -p tcp —dport 43 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN —dport 123 -m state —state NEW -j LOG —log-prefix «port_123 »\n
$IPTABLES -A OUTPUT -p udp -o $INTERFACE_WAN -s $INT_NET_WAN —dport 123 -m state —state NEW -j ACCEPT\n\n

## this is rules for output packet from Wan inrerface to inretnet\n\n
$IPTABLES -A OUTPUT -p tcp -o $INTERFACE_LAN_10 -s $INT_NET_10 —dport 80 —sport 80 -j DROP\n\n

### local dhcpd rules\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -s $IP_LAN_8 —dport 67:69 -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -s $IP_LAN_10 —dport 67:69 -j ACCEPT\n
$IPTABLES -A OUTPUT -p udp —dport 67:69 -m state —state NEW -j ACCEPT\n\n

#dhcp for wan \n
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -d $INT_NET_WAN -s $IP_WAN —dport 67:69 -j ACCEPT\n

\n### local output dns rules \n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p udp -d $INT_NET_8 -s $IP_LAN_8 —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -p tcp -d $INT_NET_8 -s $IP_LAN_8 —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p udp -d $INT_NET_10 -s $IP_LAN_10 —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -p tcp -d $INT_NET_10 -s $IP_LAN_10 —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p udp -s $IP_WAN —dport 53 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_WAN -p tcp -s $IP_WAN —dport 53 -m state —state NEW -j ACCEPT\n\n
$IPTABLES -A OUTPUT -p tcp —dport 9443:9452 —syn -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -p tcp —dport 11371 —syn -m state —state NEW -j ACCEPT # gpg port\n\n
$IPTABLES -A OUTPUT -p icmp —icmp-type echo-request -j ACCEPT\n

\n#additonall rules for sip-10-8 \n\n
$IPTABLES -A OUTPUT -p tcp —dport 8080 -m state —state NEW -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_8 -d $INT_NET_10 -p tcp —dport 8080 -j ACCEPT\n
$IPTABLES -A OUTPUT -o $INTERFACE_LAN_10 -d $INT_NET_8 -p tcp —dport 8080 -j ACCEPT\n\n\n

### default OUTPUT LOG rule- super rules for monitoring\n
$IPTABLES -A OUTPUT ! -o lo -j LOG —log-prefix «DROP-O » —log-ip-options —log-tcp-options\n\n\n

###### FORWARD chain ######\n
echo «[+] Setting up FORWARD chain…»\n\n\n
# log rules\n\n
### state tracking rules\n
$IPTABLES -A FORWARD -m state —state INVALID -j LOG —log-prefix «DROP INVALID » —log-ip-options —log-tcp-options\n
$IPTABLES -A FORWARD -m state —state INVALID -j DROP\n\n
####\n\n
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp -m state —state ESTABLISHED,RELATED -j ACCEPT\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp —dport 80 -j ACCEPT\n\n
###########################\n\n
# FTP forward\n
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp —dport 21 -j ACCEPT\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $PRIVATE_LOCAL_IP -p tcp —dport 21 -j ACCEPT\n\n\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -p tcp -m state —state ESTABLISHED,RELATED -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_8 -p tcp —dport 80 -m state —state NEW -j ACCEPT\n\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 22 -j ACCEPT #ssh \n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 1433 -j ACCEPT #MSSQL \n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 3306 -j ACCEPT #MSSQL \n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 2222 -j ACCEPT #ssh \n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 3389 -j ACCEPT #rdp \n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 443 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $PRIVATE_LOCAL_IP -p tcp —dport 9443 -j ACCEPT\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_8 -s $INT_NET_8 -p udp —dport 123 -j ACCEPT\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -i $INTERFACE_LAN_10 -s $INT_NET_10 -p udp —dport 123 -j ACCEPT\n\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp —dport 443 -d $HTTPS_allow_sites -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp —dport 443 -d $HTTPS_allow_sites_yandex -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp —dport 443 -d $HTTPS_allow_sites_google -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp —dport 443 -d $HTTPS_allow_sites_wiki -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -s $INT_NET_8 -p tcp —dport 443 -d $HTTPS_allow_sites_sber -j ACCEPT\n\n\n
#$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state —state ESTABLISHED,RELATED -s $TEL_IP -p udp —sport 5060:5062 —dport 5060:5062 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state —state ESTABLISHED,RELATED -s $TEL_IP -p udp —sport 10000:20000 —dport 10000:20000 -j ACCEPT\n
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp —sport 5060:5062 —dport 5060:5062 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p udp —sport 10000:20000 —dport 10000:20000 -j ACCEPT\n\n
$IPTABLES -A FORWARD -i $INTERFACE_WAN -o $INTERFACE_LAN_10 -m state —state ESTABLISHED,RELATED -s $TEL_IP -p tcp —sport 5060:5070 —dport 5060:5070 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 -o $INTERFACE_WAN -d $TEL_IP -p tcp —sport 5060:5070 —dport 5060:5070 -j ACCEPT\n\n\n\n\n\n

### anti-spoofing rules\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j LOG —log-prefix «SPOOFED PKT »\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_10 ! -s $INT_NET_10 -j DROP\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j LOG —log-prefix «SPOOFED PKT »\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 ! -s $INT_NET_8 -j DROP\n\n

### PLATFORMA_OFD Rules\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $PLATFORMAOFD_IP -p tcp —dport 21101 -j ACCEPT\n\n

## SBER PINPAD \u043f\u0440\u0430\u0432\u0438\u043b\u043e \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b pinPad \u043e\u0442 \u0441\u0431\u0435\u0440\u0431\u0430\u043d\u043a\u0430\n

$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp —dport 650 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $SBER_PINPAD_IP -p tcp —dport 670 -j ACCEPT\n\n

## WhatsApp\n\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp —dport 5222 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p tcp —dport 443 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $WHATSAPP_IP -p udp —dport 3478 -j ACCEPT\n\n

## viber 5242 4244 5243\n\n
#$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp —dport 443 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp —dport 1443 -j ACCEPT\n
$IPTABLES -A FORWARD -i $INTERFACE_LAN_8 -o $INTERFACE_WAN -d $VIBER_IP -p tcp —dport 4244 -j ACCEPT\n\n

### ACCEPT rules\n
# ping rules\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp —icmp-type echo-request -j ACCEPT\n
$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp —icmp-type port-unreachable -j ACCEPT\n
#$IPTABLES -A FORWARD -o $INTERFACE_WAN -p icmp -j ACCEPT\n\n
#super log\n
$IPTABLES -A FORWARD ! -i lo -j LOG —log-prefix «DROP-F » —log-ip-options —log-tcp-options\n\n

###### NAT rules ######\n\n

echo «[+] Setting up NAT rules…»\n\n
# clear proxy enable \n\n
###$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp —dport 80 -j LOG —log-prefix «pre_eht0_to_proxy » \n
$IPTABLES -t nat -A PREROUTING -i $INTERFACE_LAN_8 -s $INT_NET_8 -p tcp —dport 80 -j DNAT —to $IP_LAN_8:3128 \n\n\n\n
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_8 -o $INTERFACE_WAN -j MASQUERADE \n
$IPTABLES -t nat -A POSTROUTING -s $INT_NET_10 -o $INTERFACE_WAN -j MASQUERADE \n\n\n

echo «[+] Enabling IP forwarding…»\n
echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward\n","protected":false},"excerpt":{"rendered":"

\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u043f\u0440\u0438\u043c\u0435\u0440 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043a IP \u0442\u0430\u0431\u043b\u0438\u0446 \u0434\u043b\u044f \u0440\u0430\u0437\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0432\u0445\u043e\u0434\u044f\u0449\u0435\u0433\u043e \u0438 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0435\u0433\u043e \u0442\u0440\u0430\u0444\u0438\u043a\u0430 \u043d\u0430 \u0434\u0432\u0430 \u043a\u0430\u043d\u0430\u043b\u0430, \u043e\u0434\u0438\u043d \u043a\u0430\u043d\u0430\u043b \u0434\u043b\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u043e\u0432 (8) \u0442\u0435\u043b\u0435\u0444\u043e\u043d\u0438\u0438<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,22],"tags":[],"class_list":["post-1680","post","type-post","status-publish","format-standard","hentry","category-internet","category-technology"],"_links":{"self":[{"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/posts\/1680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/comments?post=1680"}],"version-history":[{"count":4,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/posts\/1680\/revisions"}],"predecessor-version":[{"id":1687,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/posts\/1680\/revisions\/1687"}],"wp:attachment":[{"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/media?parent=1680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/categories?post=1680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/surgery.moscow\/smos\/wp-json\/wp\/v2\/tags?post=1680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}