asdf

2026-02-13 22:34:54 -06:00
parent c23940fc6f
commit e306c81c12
2 changed files with 0 additions and 0 deletions
--- a/seedbox/old/iptables-seedbox.sh
+++ b/seedbox/old/iptables-seedbox.sh
@@ -0,0 +1,67 @@
+#!/bin/sh -ex
+#
+# this is a "kill switch" for wireguard
+# block all traffic outside of the tunnel
+# --------------------------------------------------------------------
+
+# flush
+iptables -F
+
+# refuse all default
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+# permit samba / NFS to truenas (192.168.100.143)
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111
+iptables -A INPUT -s 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 137 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p udp -m udp --dport 138 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 139 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 111 -m state --state NEW,ESTABLISHED,RELATED
+iptables -A OUTPUT -d 192.168.100.143/24 -j ACCEPT -p tcp -m tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED
+
+# permit qbittorrent-nox access on LAN subnet
+iptables -A INPUT -j ACCEPT -s 192.168.100.0/24 -p tcp --dport 8080 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d 192.168.100.0/24 -p tcp --sport 8080 -m state --state ESTABLISHED
+
+# permit ssh on LAN subnet
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state NEW
+iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state NEW
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --sport ssh -m state --state ESTABLISHED
+iptables -A OUTPUT -d 192.168.100.0/24 -j ACCEPT -p tcp --dport ssh -m state --state ESTABLISHED
+
+# allow dns to pihole
+PIHOLE_IP=192.168.100.200
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p tcp --dport 53 -m state --state NEW
+iptables -A OUTPUT -j ACCEPT -d $PIHOLE_IP/24 -p udp --dport 53 -m state --state NEW
+
+# -/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
+
+# permit outgoing wireguard traffic on 51820 to the mullvad server
+WIREGUARD_SERVER=38.240.225.36
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -d $WIREGUARD_SERVER/32 -p udp --dport 51820 -j ACCEPT
+
+# permit any local traffic
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# ========== dont think we need tun on wireguard ===================
+#iptables -A INPUT -i tun+ -j ACCEPT
+#iptables -A OUTPUT -o tun+ -j ACCEPT
+# ========== dont think we need tun on wireguard ===================
+
+# permit replies to traffic sent out
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# save
+/etc/init.d/iptables save
+