Initial commit.

2021-05-24 22:18:33 +03:00
commit e2954d55f4
3701 changed files with 330017 additions and 0 deletions
--- a/csf/disabled/csfpost.sh
+++ b/csf/disabled/csfpost.sh
@@ -0,0 +1,32 @@
+# enable kernel ppp modules
+service pptpd stop
+modprobe ppp_generic
+modprobe ppp_deflate
+modprobe ppp_async
+modprobe ppp_mppe
+modprobe ppp_synctty
+service pptpd start
+
+# iptables rules for redirect to external ip from localnet when request sent to external ip
+/sbin/iptables -t nat -A PREROUTING -p tcp -d 89.121.131.74 --dport 80 -j DNAT --to 192.168.1.2:80
+/sbin/iptables -t nat -A PREROUTING -p tcp -d 89.121.131.74 --dport 443 -j DNAT --to 192.168.1.2:443
+
+# NAT reflection
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.1.2
+/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 89.121.131.74/32 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.1.2
+
+# drop SMTP connections based on connection rate
+#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
+#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
+
+# ipset
+#ipset flush
+#ipset -X smtpdrop
+#ipset -N smtpdrop hash:net
+#for i in `cat /etc/csf/ipuri-blocate.txt `; do ipset -A smtpdrop $i; done
+#iptables -A INPUT -p all -m set --match-set smtpdrop src -j DROP
--- a/csf/disabled/csfpre.sh
+++ b/csf/disabled/csfpre.sh
@@ -0,0 +1,25 @@
+# accept pptp traffic
+iptables -A INPUT -i eth0 -p gre -j ACCEPT
+iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+iptables -A INPUT -i eth0 -p 51 -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+iptables -A INPUT -p udp --dport 1701 -j DROP
+
+#iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
+iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
+iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -I FORWARD 5 -i eth+ -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 6 -s 192.168.43.0/24 -o eth+ -j ACCEPT
+
+# Uncomment to DROP traffic between VPN clients themselves
+# iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
+# iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
+iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source 192.168.1.2
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source 192.168.1.2
+
+###
+iptables -A OUTPUT -p gre -j ACCEPT
+iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
+iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE