diff --git a/shadow/iptables/rules.v4 b/shadow/iptables/rules.v4 new file mode 100644 index 0000000..562e6c4 --- /dev/null +++ b/shadow/iptables/rules.v4 
@@ -0,0 +1,134 @@ +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*mangle +:PREROUTING ACCEPT [756:126788] +:INPUT ACCEPT [715:122089] +:FORWARD ACCEPT [40:4623] +:OUTPUT ACCEPT [420:58795] +:POSTROUTING ACCEPT [460:63418] +:LIBVIRT_PRT - [0:0] +-A POSTROUTING -j LIBVIRT_PRT +-A LIBVIRT_PRT -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*filter +:INPUT DROP [387:104781] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [42:5859] +:DOCKER - [0:0] +:DOCKER-ISOLATION-STAGE-1 - [0:0] +:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-USER - [0:0] +:LIBVIRT_FWI - [0:0] +:LIBVIRT_FWO - [0:0] +:LIBVIRT_FWX - [0:0] +:LIBVIRT_INP - [0:0] +:LIBVIRT_OUT - [0:0] +:f2b-sshd - [0:0] +-A INPUT -j LIBVIRT_INP +-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd +-A INPUT -p icmp -j ACCEPT +-A INPUT -i virbr100 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 5353 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 5353 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT +-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 1022 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 2022 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT +-A FORWARD 
-i eno1 -p tcp -m tcp --dport 5353 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 5353 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 51820 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 1194 -j ACCEPT +-A FORWARD -j DOCKER-USER +-A FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o docker0 -j DOCKER +-A FORWARD -i docker0 ! -o docker0 -j ACCEPT +-A FORWARD -i docker0 -o docker0 -j ACCEPT +-A FORWARD -j LIBVIRT_FWX +-A FORWARD -j LIBVIRT_FWI +-A FORWARD -j LIBVIRT_FWO +-A FORWARD -o br-8be00fb1442a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o br-8be00fb1442a -j DOCKER +-A FORWARD -i br-8be00fb1442a ! -o br-8be00fb1442a -j ACCEPT +-A FORWARD -i br-8be00fb1442a -o br-8be00fb1442a -j ACCEPT +-A FORWARD -d 192.168.123.141/32 -p tcp -m tcp --dport 80 -j ACCEPT +-A OUTPUT -j LIBVIRT_OUT +-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -o virbr100 -j ACCEPT +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -i br-8be00fb1442a ! 
-o br-8be00fb1442a -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -j RETURN +-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP +-A DOCKER-ISOLATION-STAGE-2 -o br-8be00fb1442a -j DROP +-A DOCKER-ISOLATION-STAGE-2 -j RETURN +-A DOCKER-USER -j RETURN +-A LIBVIRT_FWI -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A LIBVIRT_FWI -o virbr100 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -s 192.168.123.0/24 -i virbr100 -j ACCEPT +-A LIBVIRT_FWO -i virbr100 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT +-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWX -i virbr100 -o virbr100 -j ACCEPT +-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT +-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT +-A LIBVIRT_INP -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -p udp -m udp --dport 5353 -j ACCEPT +-A LIBVIRT_INP -p tcp -m tcp --dport 5353 -j ACCEPT +-A LIBVIRT_INP -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -p tcp -m tcp --dport 67 -j ACCEPT +-A LIBVIRT_OUT -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -p udp -m udp --dport 5353 -j ACCEPT +-A LIBVIRT_OUT -p tcp -m tcp --dport 5353 -j ACCEPT +-A LIBVIRT_OUT -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -p tcp -m tcp --dport 68 -j ACCEPT +-A f2b-sshd -j RETURN +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*nat +:PREROUTING ACCEPT [409:105569] +:INPUT ACCEPT [22:1288] +:OUTPUT ACCEPT 
[1:76] +:POSTROUTING ACCEPT [12:818] +:DOCKER - [0:0] +:LIBVIRT_PRT - [0:0] +-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p tcp -m tcp --dport 5353 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 5353 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.123.101:51820 +-A PREROUTING -i eno1 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.123.101:1194 +-A PREROUTING -i eno1 -p tcp -m tcp --dport 21080 -j DNAT --to-destination 192.168.123.141:80 +-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE +-A POSTROUTING -j LIBVIRT_PRT +-A POSTROUTING -s 172.18.0.0/16 ! -o br-8be00fb1442a -j MASQUERADE +-A DOCKER -i docker0 -j RETURN +-A DOCKER -i br-8be00fb1442a -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 diff --git a/shadow/iptables/rules.v4.backup b/shadow/iptables/rules.v4.backup new file mode 100644 index 0000000..cdd5e34 --- /dev/null +++ b/shadow/iptables/rules.v4.backup 
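Review bot: The eno1 FORWARD accept rules (`-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT` and its tcp/5353/51820/1194 siblings) match on ingress interface and port only, so they admit a forwarded packet to port 53 of any routed destination rather than only the nat target; pinning them to the DNAT destination, e.g. `-A FORWARD -i eno1 -d 192.168.123.101/32 -p udp -m udp --dport 53 -j ACCEPT`, keeps FORWARD as tight as the nat table already is. The two `--dport 5353` FORWARD rules never match the redirected traffic, because nat PREROUTING rewrites 5353 to `192.168.123.101:53` before the filter FORWARD chain sees the packet, so the port-53 rules are what actually admit it. In INPUT, ports 22, 80, 443, 1022 and 2022 are accepted with no `-i` qualifier, so if eno1 is the uplink they are reachable from outside; 1022 and 2022 deserve a `#` line naming the service they front, and the chain mixes `-m state --state` with `-m conntrack --ctstate` for the same check, where `conntrack` is the current form and using it throughout keeps the file consistent. `-A INPUT -i virbr100 -j ACCEPT` also gives every guest on that bridge unrestricted access to host services while virbr0 is limited to DNS/DHCP; if that asymmetry is intended, a comment saying so would help. This appears to be the iptables-persistent ruleset, so the `rules.v4.backup` added in the same commit, a stale iptables-save dump with repeated rules and a fail2ban ban list, probably does not belong in the repository.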
@@ -0,0 +1,248 @@ +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*mangle +:PREROUTING ACCEPT [756:126788] +:INPUT ACCEPT [715:122089] +:FORWARD ACCEPT [40:4623] +:OUTPUT ACCEPT [420:58795] +:POSTROUTING ACCEPT [460:63418] +:LIBVIRT_PRT - [0:0] +-A POSTROUTING -j LIBVIRT_PRT +-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A LIBVIRT_PRT -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*filter +:INPUT DROP [387:104781] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [42:5859] +:DOCKER - [0:0] +:DOCKER-ISOLATION-STAGE-1 - [0:0] +:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-USER - [0:0] +:LIBVIRT_FWI - [0:0] +:LIBVIRT_FWO - [0:0] +:LIBVIRT_FWX - [0:0] +:LIBVIRT_INP - [0:0] +:LIBVIRT_OUT - [0:0] +:f2b-sshd - [0:0] +-A INPUT -j LIBVIRT_INP +-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd +-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd +-A INPUT -p icmp -j ACCEPT +-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd +-A INPUT -i virbr100 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr100 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT 
+-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT +-A INPUT -i virbr100 -j ACCEPT +-A INPUT -i virbr100 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr100 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT +-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd +-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 1022 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --dport 2022 -m state --state NEW,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i virbr100 -j ACCEPT +-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 51820 -j ACCEPT +-A FORWARD -j DOCKER-USER +-A FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o docker0 -j DOCKER +-A FORWARD -i docker0 ! 
-o docker0 -j ACCEPT +-A FORWARD -i docker0 -o docker0 -j ACCEPT +-A FORWARD -j LIBVIRT_FWX +-A FORWARD -j LIBVIRT_FWI +-A FORWARD -j LIBVIRT_FWO +-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT +-A FORWARD -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -s 192.168.123.0/24 -i virbr100 -j ACCEPT +-A FORWARD -i virbr100 -o virbr100 -j ACCEPT +-A FORWARD -o virbr100 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i virbr100 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT +-A FORWARD -i virbr0 -o virbr0 -j ACCEPT +-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i eno1 -p udp -m udp --dport 1194 -j ACCEPT +-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT +-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT +-A FORWARD -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -s 192.168.123.0/24 -i virbr100 -j ACCEPT +-A FORWARD -i virbr100 -o virbr100 -j ACCEPT +-A FORWARD -o virbr100 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i virbr100 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT +-A FORWARD -i virbr0 -o virbr0 -j ACCEPT +-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -o br-8be00fb1442a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o br-8be00fb1442a -j DOCKER +-A FORWARD -i br-8be00fb1442a ! 
-o br-8be00fb1442a -j ACCEPT +-A FORWARD -i br-8be00fb1442a -o br-8be00fb1442a -j ACCEPT +-A FORWARD -d 192.168.123.141/32 -p tcp -m tcp --dport 80 -j ACCEPT +-A OUTPUT -j LIBVIRT_OUT +-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -o virbr100 -j ACCEPT +-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT +-A OUTPUT -o virbr100 -j ACCEPT +-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -i br-8be00fb1442a ! -o br-8be00fb1442a -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -j RETURN +-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP +-A DOCKER-ISOLATION-STAGE-2 -o br-8be00fb1442a -j DROP +-A DOCKER-ISOLATION-STAGE-2 -j RETURN +-A DOCKER-USER -j RETURN +-A LIBVIRT_FWI -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A LIBVIRT_FWI -o virbr100 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -s 192.168.123.0/24 -i virbr100 -j ACCEPT +-A LIBVIRT_FWO -i virbr100 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable +-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT +-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with 
icmp-port-unreachable +-A LIBVIRT_FWX -i virbr100 -o virbr100 -j ACCEPT +-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT +-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT +-A LIBVIRT_INP -i virbr100 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr100 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT +-A LIBVIRT_OUT -o virbr100 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr100 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr100 -p tcp -m tcp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT +-A f2b-sshd -s 222.187.254.41/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 207.46.227.197/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 125.77.23.30/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.175.216/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 94.200.202.26/32 -j 
REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 103.80.36.218/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 62.234.126.132/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 106.52.248.175/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 104.248.5.69/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 129.211.49.227/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 112.85.42.176/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.15.62/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.30.112/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.175.167/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.52.39/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 207.154.215.119/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 36.91.76.171/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 134.175.19.71/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 144.217.243.216/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 210.206.92.137/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.30.76/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 49.51.90.173/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -s 222.186.190.2/32 -j REJECT --reject-with icmp-port-unreachable +-A f2b-sshd -j RETURN +-A f2b-sshd -j RETURN +-A f2b-sshd -j RETURN +-A f2b-sshd -j RETURN +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 +# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024 +*nat +:PREROUTING ACCEPT [409:105569] +:INPUT ACCEPT [22:1288] +:OUTPUT ACCEPT [1:76] +:POSTROUTING ACCEPT [12:818] +:DOCKER - [0:0] +:LIBVIRT_PRT - [0:0] +-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT 
--to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.123.101:51820 +-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.123.101:1194 +-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53 +-A PREROUTING -i eno1 -p tcp -m tcp --dport 21080 -j DNAT --to-destination 192.168.123.141:80 +-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER +-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER +-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE +-A POSTROUTING -j LIBVIRT_PRT +-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +-A POSTROUTING -s 172.18.0.0/16 ! -o br-8be00fb1442a -j MASQUERADE +-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 ! 
-d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +-A DOCKER -i docker0 -j RETURN +-A DOCKER -i br-8be00fb1442a -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +COMMIT +# Completed on Sun Nov 17 01:37:49 2024 \ No newline at end of file diff --git a/shadow/nginx-sites-enabled-default b/shadow/nginx-sites-enabled-default index f9dbf39..20a9f45 100644 --- a/shadow/nginx-sites-enabled-default +++ b/shadow/nginx-sites-enabled-default 
@@ -212,6 +212,88 @@ server {
 return 404; # managed by Certbot
 }
+server {
+ server_name jellyfin.home.hrajfrisbee.cz; # managed by Certbot
+
+
+ # Security headers for media streaming
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ # Increase body size for high-res movie posters
+ client_max_body_size 20M;
+
+ location / {
+ # Proxy to your Synology or VM IP and Jellyfin port (default 8096)
+ proxy_pass https://docker-30:443;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ # Disable buffering for smoother streaming
+ proxy_buffering off;
+ }
+
+ listen 8443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = jellyfin.home.hrajfrisbee.cz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80 ;
+ server_name jellyfin.home.hrajfrisbee.cz;
+ return 404; # managed by Certbot
+
+
+}
+
+
+server {
+
+ root /srv/webs/random-shit;
+ server_name random-shit.hrajfrisbee.cz; # managed by Certbot
+
+ # Enable directory browsing
+ autoindex on;
+
+ # Optional: Show file sizes in MB/GB instead of bytes
+ autoindex_exact_size off;
+
+ # Optional: Show file timestamps in your local server time
+ autoindex_localtime on;
+
+ # Optional: Choose format (html, xml, json, or jsonp)
+ autoindex_format html;
+
+
+ listen 8443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = random-shit.hrajfrisbee.cz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80 ;
+ server_name random-shit.hrajfrisbee.cz;
+ return 404; # managed by Certbot
+}
 server {
@@ -240,8 +322,8 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/vault.hrajfrisbee.cz/privkey.pem; # managed by Certbot
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
+
 server {
 if ($host = vault.hrajfrisbee.cz) {
 return 301 https://$host$request_uri;
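Review bot: `proxy_pass https://docker-30:443;` in the jellyfin block speaks TLS to the backend without `proxy_ssl_verify on`, and nginx does not verify upstream certificates by default, so that hop is encrypted but not authenticated; either add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-backend-ca>;` and `proxy_ssl_server_name on;`, or replace the comment above it, which still talks about "Jellyfin port (default 8096)", with one that records why verification is skipped. If external 443 reaches this listener through the `stream` map's `local_https` loopback to 127.0.0.1:8443 that nginx.conf in this commit shows, then `$remote_addr` here is 127.0.0.1 and `X-Real-IP`/`X-Forwarded-For` give Jellyfin no client address for its logs or its own brute-force limiter; fixing that needs `proxy_protocol` on the stream side together with `listen 8443 ssl proxy_protocol;` and `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` here, which I cannot confirm from this hunk alone. `add_header X-XSS-Protection "1; mode=block";` is a legacy header that most current browsers no longer implement; `0` or omitting it is the usual recommendation today. Jellyfin's reverse-proxy guidance also expects WebSocket upgrade headers, so `location /` will probably need `proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";` to work fully.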
@@ -250,6 +332,32 @@ server {
 listen 80 ;
 server_name vault.hrajfrisbee.cz;
 return 404; # managed by Certbot
+}
+server {
+ server_name maru-hleda-byt.home.hrajfrisbee.cz; # managed by Certbot
+ location / {
+ proxy_pass http://docker-30:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 8443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+ if ($host = maru-hleda-byt.home.hrajfrisbee.cz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80 ;
+ server_name maru-hleda-byt.home.hrajfrisbee.cz;
+ return 404; # managed by Certbot
 }
\ No newline at end of file
diff --git a/shadow/nginx.conf b/shadow/nginx.conf
index 78d1571..7d1fa9c 100644
--- a/shadow/nginx.conf
+++ b/shadow/nginx.conf
@@ -64,7 +64,10 @@ http {
 stream {
 map $ssl_preread_server_name $backend {
 # Passthrough to K8s
+ ghost.lab.home.hrajfrisbee.cz k8s_gatewayapi;
+ ~^.+\.lab\.home\.hrajfrisbee\.cz$ k8s_ingress;
+ lab\.home\.hrajfrisbee\.cz$ k8s_ingress;
 default local_https;
 }
@@ -73,6 +76,10 @@ stream {
 server docker-30:9443;
 }
+ upstream k8s_gatewayapi {
+ server docker-30:9444;
+ }
+
 upstream local_https {
 server 127.0.0.1:8443; # Loop back to http block
 }
diff --git a/vms/utility-101-shadow/named.conf.local b/vms/utility-101-shadow/named.conf.local
new file mode 100644
index 0000000..cc1b7fc
--- /dev/null
+++ b/vms/utility-101-shadow/named.conf.local
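Review bot: The maru-hleda-byt block sets none of the `add_header` security headers that the jellyfin block earlier in this same file applies, and all three new vhosts now repeat the same Certbot `listen`/`ssl_*` lines and the same `proxy_set_header` set; a small snippet pulled in with `include` from each `server {}` (headers) and each `location / {}` (proxy headers) would keep them consistent and make the next vhost a few lines. The same loopback caveat as the jellyfin block applies: if this 8443 listener is reached via the stream map's `local_https` upstream, `X-Real-IP $remote_addr` carries 127.0.0.1 unless proxy protocol is enabled on both sides.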
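Review bot: `lab\.home\.hrajfrisbee\.cz$ k8s_ingress;` has no `~` prefix, so `map` treats it as a literal string and compares the SNI against the bytes `lab\.home\.hrajfrisbee\.cz$`, which no client will ever send; the apex of the lab zone therefore falls through to `local_https` instead of `k8s_ingress`. Use `~^lab\.home\.hrajfrisbee\.cz$ k8s_ingress;` or, simpler, the exact form `lab.home.hrajfrisbee.cz k8s_ingress;` next to the `ghost.lab.home.hrajfrisbee.cz` entry. A one-line comment that `map` tests exact names before regexes regardless of order would also explain why the `ghost.lab...` entry wins over the `~^.+\.lab\...` pattern, and that the routing key is the client-chosen SNI, so each passthrough backend must terminate TLS and authenticate on its own.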
@@ -0,0 +1,54 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+key "acme-update-key" {
+ algorithm hmac-sha512;
+ secret "T6R1TpLGegHwFWO/I1LwtdGePRD+w00Oe4mJECW7qfheKJ/7FxlINH+Yk2vMvJCVNojj8BWoFAyEFCwGBpGROQ==";
+};
+
+zone "czechultimate.cz" {
+ type master;
+ file "/etc/bind/zones/czechultimate.cz.dns";
+ inline-signing yes;
+ auto-dnssec maintain;
+ key-directory "/etc/bind/keys";
+ allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+ also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+
+zone "hrajfrisbee.cz" {
+ type master;
+ file "/etc/bind/zones/hrajfrisbee.cz.dns";
+ allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+ also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+
+ update-policy {
+ // Allow ACME challenges only for lab.home subdomain
+ grant acme-update-key name _acme-challenge.lab.home.hrajfrisbee.cz. TXT;
+
+ // If you need wildcards under lab.home (e.g. _acme-challenge.foo.lab.home.hrajfrisbee.cz):
+ grant acme-update-key subdomain _acme-challenge.lab.home.hrajfrisbee.cz. TXT;
+ };
+};
+
+// points at zlutazimnice nameservers @nic.cz - cannot be working
+zone "fraktalbar.cz" {
+ type master;
+ file "/etc/bind/zones/fraktalbar.cz.dns";
+ allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+ also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+
+// points at zlutazimnice nameservers @nic.cz - cannot be working
+zone "vegtral.cz" {
+ type master;
+ file "/etc/bind/zones/vegtral.cz.dns";
+ allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+ also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+
diff --git a/vms/utility-101-shadow/readme.md b/vms/utility-101-shadow/readme.md
new file mode 100644
index 0000000..1049a9f
--- /dev/null
+++ b/vms/utility-101-shadow/readme.md
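Review bot: `secret "T6R1Tp…"` commits the live TSIG secret for `acme-update-key` to the repository in clear text, and since the nat rules in this commit expose port 53 on eno1, anyone holding that value can write the `_acme-challenge` TXT records the policy grants and thereby pass DNS-01 validation for those names; the key should be regenerated (the readme added in this commit shows `tsig-keygen -a hmac-sha512 acme-update-key`), the new one kept outside version control, and this file reduced to `include "<path-to-key-file-outside-repo>";`, because the old value remains in git history either way. In the `update-policy`, `grant acme-update-key subdomain _acme-challenge.lab.home.hrajfrisbee.cz. TXT;` already matches the name itself, so the `name` grant above it is redundant, and neither rule matches the example in the comment, `_acme-challenge.foo.lab.home.hrajfrisbee.cz`, which sits under `foo.lab.home`, not under `_acme-challenge.lab.home`; either correct the comment or use `grant acme-update-key subdomain lab.home.hrajfrisbee.cz. TXT;` and accept that it permits TXT records on any name below `lab.home`. `auto-dnssec maintain;` with `inline-signing yes;` in the czechultimate.cz zone is the deprecated way to ask for automatic signing in current BIND, where `dnssec-policy` replaces it. The identical `allow-transfer`/`also-notify` lists repeated in four zones would read better as one named `acl` referenced by each zone.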
@@ -0,0 +1,7 @@
+## named tweaks
+
+1. Generate TSIG key
+
+```bash
+tsig-keygen -a hmac-sha512 acme-update-key
+```
\ No newline at end of file