=^.^=

Enable USB Keyboard for Qubes dom0

Full documentation is available at https://www.qubes-os.org/doc/usb-qubes/. You should read the Security Warning about USB Input Devices before doing this.

To enable a USB keyboard for dom0 (making it available to all VMs) modify /etc/qubes-rpc/policy/qubes.InputKeyboard on dom0 to reflect:
#sys-usb dom0 allow,user=root sys-usb dom0 ask,default_target=dom0 $anyvm $anyvm deny

You will then be prompted to grant USB keyboards access any time they are connected. To also allow USB keyboards to enter the LUKS and login passwords please refer to the official documentation.

Comparing proc and ps Process Counts

Some rootkits and malicious versions of ps will hide processes from stdout but leave /proc alone. You can compare the number of processes ps reports to the number of processes being tracked inside /proc to help determine if your ps is lying to you. Note that a race condition exists here, it is possible on a server with lots of new processes being spawned naturally that the number reported will change between the execution of the two commands so it may be necessary to run this script multiple times to get a clear picture. Since speed is essential it is important to run them together in a script rather than individually.

#!/bin/bash ls /proc | grep "^[0-9]" | wc -l ps aux | wc -l

A New NATO Phonetic Alphabet to Make Voice Calls Fun Again

If you're like me you spend a lot of time on the phone with people who are challenged with aural disabilities (customer service reps, level 1 tech support, etc.). To bring a little joy to the experience I have painstakingly developed a new NATO Phonetic Alphabet you can use to brighten everyone's day.

A as in Asshole
B as in Bitch
C as in Cunt
D as in Dick
E as in Ecstasy
F as in Fuck
G as in Gabapentin
H as in Heroin
I as in Injection
J as in Junk
K as in Ketamine
L as in Lick
M as in Molly
N as in Naloxone
O as in Orgasm
P as in Penis
Q as in Quaalude
R as in Rohypnol
S as in Sex
T as in Tramadol
U as in Urine
V as in Vagina
W as in Watersports
X as in Xanax
Y as in Yiff
Z as in Zoloft

You're welcome.

Disable (Most) Annoying and Useless Emergency Alerts on Android

REMAIN INDOORS! DO NOT THINK OF THE EVENT!

It's a quiet, snowy Sunday morning. Finally slipping off to sleep with the cat curled up on my chest I am treated to the banshee's serenade of an Android emergency alert. Maybe if I ignore it it will go away.... it cries out again. And again. The damn thing will not leave you alone until you physically get up and throw your phone out the window. Or acknowledge receipt of the message. Your call; no judgement.

[attachment-nsEiot]
WARNING EVERYTHING IS FINE!!!

EMERGENCY ALERTS EMERGENCY ALERT / ALERTE D'URGENCE
This is a Province of Ontario emergency bulletin which applies to people within ten (10) kilometres of the Pickering Nuclear Generating Station. An incident was reported at the Pickering Nuclear Generating Station. There has been NO abnormal release of radioactivity from the station and emergency staff are responding to the situation. People near the Pickering Nuclear Generating Station DO NOT need to take any protective actions at this time. Remain tuned to local media for further information and instructions.

Let me get this straight, wise overlords. You just woke and put the fear of god into me - in the most obnoxious and irritating way posible - to tell me that:

  • DON'T PANIC! - Everything is OK.
  • The alert only applies to people within 10 KM of Pickering WHICH IS 100 KM AWAY.
  • This message has no useful details; glue your docile plebeian eyes to local media for further trauma.

I quickly found out people as far as Ottawa received the same message. Evidently in this golden age of geolocation the alerts system is lazily province-wide. Maybe that makes sense in Bumscrew Delaware but you can fit a dozen european countries in a province the size of Ontario.

Which reminds me... didn't I disable this crap after the third missing child alert that happened 100 miles away and was resolved within 10 minutes without the child even having the baseline courtesy to lose a leg (or at least a finger)...

[attachment-ZwxDq5]
Forgive me for taking you seriously...

Oh. Silly me. It seems I left "Emergency Alerts" enabled, on the assumption that it would only give me a fun surprise heart attack for serious issues, like those pertaining to "extreme threats to life and property". Do forgive my stupidity for assuming this classification would not also become abused by the same power-drunk, trigger-happy freakout artists (or whatever title is properly attributed to the officials at the wheel).

The exact location of the Emergency Alert settings differs depending on your version of Android. The simplest route is to use the built-in search function:

  1. Open the Settings app.
  2. Use the Search bar along the top of the screen to search for Emergency Alert.
  3. Tap on the first result, which should simply be titled Emergency Alert.
  4. You should now be presented with the settings page similar to the figure shown above.
  5. Disable each of the alert types you no longer wish to receive. In the United States "Extreme alerts" might be called "Presidential alerts" or an additional option may be present to distinguish an alert type pursuant to legislation recently enacted there.
  6. In case there are additional alert types it may be impossible to disable, you may wish to additionally disable vibration, the text-to-speech option abd disable the Alert reminder. On my Android it is sadly not possible to change the alert tone.

I've heard reports that even with Extreme Alerts disabled this particular type of alert bypasses your settings. However it has been conjectured by some users that having the DnD mode enabled does block the sound.

[attachment-i0JqGj]
Well that's embarrassing...

Yep, not 20 minutes later my screed was rendered impotent by another goddamned alert that gave zero regard to my updated settings.

Sorry folks, at least if you follow these steps you will reduce the number of lower level alerts you receive!

Can't win em all I guess... q.q

Forensic Gateway Firewall

#!/bin/sh IPT="/sbin/iptables" IP6="/sbin/ip6tables" LOGPREFIX="netfilter:" IFext="eth0" IPext="192.168.0.251/32" NEText="192.168.0.0/24" IFint="eth1" IPint="192.168.124.1/32" NETint="192.168.124.0/24" BCASTint="192.168.124.255/32" IFwifi="wlan0" IPwifi="192.168.125.1/32" NETwifi="192.168.125.0/24" BCASTwifi="192.168.125.255/32" BLTIMEOUT=86400 if [ $1 = "stats" ] then watch -n 10 $IPT -v -L -n --line-numbers exit fi echo "###########################################################################################################################" echo "# Forensic Firewall v. 1" echo "# Details/Updates: http://foxpa.ws/forensic-firewall" echo "# -------------------------------------------------------------------------------------------------------------------------" echo "# Configures this host as a NAT gateway for hostile wired and wireless networks to facilitate traffic analysis." echo "# Ideal for a Raspberry Pi with USB Ethernet dongle or similar configuration." echo "# Don't forget to edit this script to reflect your environment and disable sections that are inefficient for your use case." echo "# -------------------------------------------------------------------------------------------------------------------------" echo "# Syslog prefix: $LOGPREFIX" echo "# Upstream config: Interface: $IFext, IP: $IPext, Network: $NEText" echo "# Wired config: Interface: $IFint, IP: $IPint, Network: $NETint, Broadcast: $BCASTint" echo "# Wireless config: Interface: $IFwifi, IP: $IPwifi, Network: $NETwifi, Broadcast: $BCASTwifi" echo "###########################################################################################################################" echo echo "Kill IPv6..." $IP6 -F $IP6 -X $IP6 -P INPUT DROP $IP6 -P OUTPUT DROP $IP6 -P FORWARD DROP echo "Sterilize iptables..." $IPT -F -t nat $IPT -F -t raw $IPT -F $IPT -X echo "Whitelist upstream SSH for testing ruleset changes, comment this..." $IPT -A INPUT -i $IFext -p tcp --dport 22 -j ACCEPT echo "Prepare obsessive-compulsive REJECT chains..." # https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml $IPT -N REJECT_NET $IPT -A REJECT_NET -j REJECT --reject-with icmp-net-unreachable $IPT -N REJECT_HOST $IPT -A REJECT_HOST -j REJECT --reject-with icmp-host-unreachable $IPT -N REJECT_PROHIBIT $IPT -A REJECT_PROHIBIT -j REJECT --reject-with icmp-admin-prohibited $IPT -N REJECT_PROHIBIT_NET $IPT -A REJECT_PROHIBIT_NET -j REJECT --reject-with icmp-net-prohibited $IPT -N REJECT_PROHIBIT_HOST $IPT -A REJECT_PROHIBIT_HOST -j REJECT --reject-with icmp-net-prohibited $IPT -N REJECT_TCP $IPT -A REJECT_TCP -p tcp -j REJECT --reject-with tcp-reset $IPT -N REJECT_UDP $IPT -A REJECT_UDP -p udp -j REJECT --reject-with icmp-port-unreachable $IPT -N REJECT_ICMP $IPT -A REJECT_ICMP -p icmp -j REJECT $IPT -N REJECT_RFC $IPT -A REJECT_RFC -p tcp -j REJECT_TCP $IPT -A REJECT_RFC -p udp -j REJECT_UDP $IPT -A REJECT_RFC -p icmp -j REJECT_ICMP $IPT -A REJECT_RFC -j REJECT echo "Log everything for psad IDS integration (inefficient, disable if not using psad)..." $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -A INPUT -j LOG --log-tcp-options --log-prefix "$LOGPREFIX " $IPT -A FORWARD -j LOG --log-tcp-options --log-prefix "$LOGPREFIX " echo "Initialize INPUT, FORWARD, OUTPUT chains..." $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT ACCEPT $IPT -A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -i lo -j ACCEPT $IPT -A FORWARD -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT $IPT -A FORWARD -i lo -j ACCEPT echo "Initialize general logging chains..." # levels: 7 debug 6 info 5 notice 4 warning 3 err 2 crit 1 alert 0 emerg $IPT -N breakout $IPT -A breakout -j LOG -m limit --limit 3/minute --log-level warning --log-prefix "$LOGPREFIX Breakout Attempt: " $IPT -A breakout -j REJECT_NET $IPT -N spill $IPT -A spill -j LOG -m limit --limit 3/minute --log-level notice --log-prefix "$LOGPREFIX spill Attempt: " $IPT -A spill -j DROP $IPT -N invalid $IPT -A invalid -j LOG -m limit --limit 3/minute --log-level info --log-prefix "$LOGPREFIX Invalid Attempt: " $IPT -A invalid -j DROP $IPT -N attack $IPT -A attack -j LOG -m limit --limit 3/minute --log-level alert --log-prefix "$LOGPREFIX ACTIVE ATTACK: " $IPT -A attack -j DROP $IPT -N brute $IPT -A brute -j LOG -m limit --limit 3/minute --log-level alert --log-prefix "$LOGPREFIX ACTIVE ATTACK: " $IPT -A brute -j REJECT_RFC $IPT -N dos $IPT -A dos -j LOG -m limit --limit 3/minute --log-level emerg --log-prefix "$LOGPREFIX ACTIVE DoS: " $IPT -A dos -j DROP $IPT -N whoops $IPT -A whoops -j LOG -m limit --limit 3/minute --log-level warning --log-prefix "$LOGPREFIX BLOCKED spill: " $IPT -A whoops -j DROP echo "Prepare blacklists..." $IPT -A INPUT -p tcp -m recent --rcheck --seconds $BLTIMEOUT --name TCP-PORTSCAN -j REJECT_TCP $IPT -A FORWARD -p udp -m recent --rcheck --seconds $BLTIMEOUT --name UDP-PORTSCAN -j REJECT_UDP $IPT -A INPUT -p tcp -m recent --rcheck --seconds $BLTIMEOUT --name TCP-FLOOD -j REJECT_TCP $IPT -A FORWARD -p udp -m recent --rcheck --seconds $BLTIMEOUT --name UDP-FLOOD -j REJECT_UDP $IPT -A INPUT -p tcp -m recent --name TCP-PORTSCAN --remove $IPT -A INPUT -p udp -m recent --name UDP-PORTSCAN --remove $IPT -A INPUT -p tcp -m recent --name TCP-FLOOD --remove $IPT -A INPUT -p udp -m recent --name UDP-FLOOD --remove $IPT -N scan $IPT -A scan -j LOG -m limit --limit 3/minute --log-level alert --log-prefix "$LOGPREFIX SCANNER BLACKLIST: " $IPT -A scan -p tcp -m tcp -m recent --set --name TCP-PORTSCAN -j REJECT_TCP $IPT -A scan -p udp -m recent --set --name UDP-PORTSCAN -j REJECT_UDP $IPT -N flood $IPT -A flood -j LOG -m limit --limit 3/minute --log-level alert --log-prefix "$LOGPREFIX FLOODER BLACKLIST: " $IPT -A flood -p tcp -m recent --set --name TCP-FLOOD -j DROP $IPT -A flood -p udp -m recent --set --name UDP-FLOOD -j DROP echo "Block broadcasts..." $IPT -A INPUT -d 255.255.255.255/32 -j DROP $IPT -A INPUT -d $BCASTint -j DROP $IPT -A INPUT -d $BCASTwifi -j DROP echo "Disable multicast..." $IPT -A INPUT -m pkttype --pkt-type multicast -j spill $IPT -A FORWARD -m pkttype --pkt-type multicast -j spill $IPT -A OUTPUT -m pkttype --pkt-type multicast -j spill $IPT -A INPUT -p igmp -j spill $IPT -A FORWARD -p igmp -j spill $IPT -A OUTPUT -p igmp -j spill $IPT -A INPUT -s 224.0.0.0/3 -j spill $IPT -A FORWARD -s 224.0.0.0/3 -j spill $IPT -A OUTPUT -s 224.0.0.0/3 -j spill echo "Ignore invalid..." $IPT -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID -j invalid $IPT -A FORWARD -p tcp -m tcp -m conntrack --ctstate INVALID -j invalid $IPT -A OUTPUT -p tcp -m tcp -m conntrack --ctstate INVALID -j invalid echo "Neutralize IP spoofing..." $IPT -t raw -I PREROUTING -m rpfilter --invert -j DROP $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j invalid $IPT -A INPUT -s 0.0.0.0/8 -j invalid $IPT -A INPUT -s 10.0.0.0/8 -j invalid $IPT -A INPUT -s 100.64.0.0/10 -j invalid $IPT -A INPUT -s 169.254.0.0/16 -j invalid $IPT -A INPUT -s 172.16.0.0/12 -j invalid $IPT -A INPUT -s 192.0.0.0/24 -j invalid $IPT -A INPUT -s 192.0.2.0/24 -j invalid $IPT -A INPUT -s 198.18.0.0/15 -j invalid $IPT -A INPUT -s 198.51.100.0/24 -j invalid $IPT -A INPUT -s 203.0.113.0/24 -j invalid $IPT -A INPUT -i $IFint -s $NEText -j invalid $IPT -A INPUT -i $IFwifi -s $NEText -j invalid $IPT -A FORWARD -s 192.168.0.0/16 -i $IFext -j invalid echo "Drop floods..." $IPT -A INPUT -p icmp -m icmp --icmp-type address-mask-request -m comment --comment "SMURF ICMP address-mask-request" -j dos $IPT -A INPUT -p icmp -m icmp --icmp-type timestamp-request -m comment --comment "SMURF ICMP timestamp-request" -j dos $IPT -A FORWARD -p icmp -m icmp --icmp-type address-mask-request -m comment --comment "SMURF ICMP address-mask-request" -j dos $IPT -A FORWARD -p icmp -m icmp --icmp-type timestamp-request -m comment --comment "SMURF ICMP timestamp-request" -j dos $IPT -A INPUT -f -m comment --comment "Fragmentation Attack" -j dos $IPT -A FORWARD -f -m comment --comment "Fragmentation Attack" -j dos echo "Mitigate floods..." $IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -m comment --comment "Mitigate SMURF" -j ACCEPT $IPT -A FORWARD -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -m comment --comment "Mitigate SMURF" -j ACCEPT $IPT -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -m comment --comment "Mitigate Ping of Death/SMURF" -j ACCEPT $IPT -A FORWARD -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second -m comment --comment "Mitigate Ping of Death/SMURF" -j ACCEPT $IPT -A INPUT -m limit --limit 20/second --limit-burst 40 -m comment --comment "Limit UDP rate" -j flood $IPT -A FORWARD -m limit --limit 20/second --limit-burst 40 -m comment --comment "Limit UDP rate" -j flood $IPT -N SYN_FLOOD $IPT -A SYN_FLOOD -m limit --limit 1/second --limit-burst 4 -j LOG --log-prefix "$LOGPREFIX SYN Flood" $IPT -A SYN_FLOOD -j flood $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN NONE -m conntrack --ctstate NEW -m comment --comment "Fork possible SYN flood" -j SYN_FLOOD $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN NONE -m conntrack --ctstate NEW -m comment --comment "Fork possible SYN flood" -j SYN_FLOOD echo "Detect scans (inefficient, useful for syslog monitoring - should probably be disabled if using psad)..." # Requires psd match extension #$IPT -A INPUT -m psd -m limit --limit 5/minute -m comment --comment "iptables portscan match module" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST RST -m comment --comment "Furtive Scanner" -m limit --limit 1/second -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST RST -m comment --comment "Furtive Scanner" -m limit --limit 1/second -j scan $IPT -A INPUT -p tcp -m multiport --dports 10,11 --tcp-flags ALL SYN -m limit --limit 3/minute --limit-burst 5 -m comment --comment "Probable SYN Scan" -j scan $IPT -A FORWARD -p tcp -m multiport --dports 10,11 --tcp-flags ALL SYN -m limit --limit 3/minute --limit-burst 5 -m comment --comment "Probable SYN Scan" -j scan $IPT -A INPUT -p tcp -m tcp --dport telnet -m comment --comment "Telnet (IoT) Probe Input Trigger" -j scan $IPT -A FORWARD -p tcp -m tcp --dport telnet -m comment --comment "Telnet (IoT) Probe Forward Trigger" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -m comment --comment "FIN" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,PSH PSH -m comment --comment "PSH" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -m comment --comment "URG" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL ALL -m comment --comment "XMAS scan" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -m comment --comment "NULL scan" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m comment --comment "pscan" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "pscan 2" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m comment --comment "pscan 2" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL SYN,FIN -m comment --comment "SYNFIN-SCAN" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -m comment --comment "NMAP-XMAS-SCAN" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL FIN -m comment --comment "FIN-SCAN" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,SYN,FIN -m comment --comment "NMAP-ID" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "SYN-RST" -j scan $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN NONE -m conntrack --ctstate NEW -m comment --comment "ACK Scan" -j scan $IPT -A INPUT -p udp -m length --length 0:28 -m comment --comment "UDP Scan (high chance of false positive)" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ACK,FIN FIN -m comment --comment "FIN" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ACK,PSH PSH -m comment --comment "PSH" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ACK,URG URG -m comment --comment "URG" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL ALL -m comment --comment "XMAS scan" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL NONE -m comment --comment "NULL scan" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m comment --comment "pscan" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -m comment --comment "pscan 2" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m comment --comment "pscan 2" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL SYN,FIN -m comment --comment "SYNFIN-SCAN" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -m comment --comment "NMAP-XMAS-SCAN" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL FIN -m comment --comment "FIN-SCAN" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags ALL URG,PSH,SYN,FIN -m comment --comment "NMAP-ID" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "SYN-RST" -j scan $IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN NONE -m conntrack --ctstate NEW -m comment --comment "ACK Scan" -j scan $IPT -A FORWARD -p udp -m length --length 0:28 -m comment --comment "UDP Scan (high chance of false positive)" -j scan # Kill any surviving invalid new TCP connections that were not initiated with a SYN packet. # Use -I in production to skip wasteful scan detection chains above. $IPT -A INPUT -p tcp -m tcp --tcp-flags SYN NONE -m conntrack --ctstate NEW -m comment --comment "Drop TCP connection not started with SYN" -j DROP echo "Configure services available to the upstream interface..." $IPT -A INPUT -i $IFext -p tcp --dport 22 -m comment --comment "Accept incoming SSH connections" -j ACCEPT $IPT -A INPUT -i $IFext -p tcp --dport 80 -m comment --comment "Accept incoming HTTP connections" -j ACCEPT $IPT -A INPUT -i $IFext -p tcp --dport 443 -m comment --comment "Accept incoming HTTPS conenctions" -j ACCEPT $IPT -A INPUT -i $IFext -p udp --sport 53 -m comment --comment "Accept DNS responses" -j ACCEPT $IPT -A INPUT -i $IFext -p udp --sport 123 -m comment --comment "Accept NTP responses" -j ACCEPT $IPT -A INPUT -i $IFext -p icmp -m comment --comment "Accept ICMP Traffic" -j ACCEPT echo "Protect the upstream subnet from the analysis interfaces..." $IPT -A FORWARD -d $NEText -i $IFint -j breakout $IPT -A FORWARD -d $NEText -i $IFwifi -j breakout echo "Protect this host's upstream IP from the analysis interfaces..." $IPT -A INPUT -d $IPext -i $IFint -j breakout $IPT -A INPUT -d $IPext -i $IFwifi -j breakout echo "Construct the NAT..." #$IPT -A FORWARD -o $IFint -i $IFext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #$IPT -A FORWARD -o $IFint -i $IFwifi -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $IPT -A FORWARD -o $IFext -i $IFint -s $NETint -j ACCEPT $IPT -A FORWARD -o $IFext -i $IFwifi -s $NETwifi -j ACCEPT $IPT -t nat -A POSTROUTING -o $IFext -j MASQUERADE echo "Configure gateway services for the analysis subnets..." $IPT -A INPUT -p tcp -m tcp -d $IPint --dport 53 -j ACCEPT $IPT -A INPUT -p tcp -m tcp -d $IPwifi --dport 53 -j ACCEPT $IPT -A INPUT -p udp -m udp -d $IPint --dport 53 -j ACCEPT $IPT -A INPUT -p udp -m udp -d $IPwifi --dport 53 -j ACCEPT $IPT -I INPUT -i $IFint -p udp -d 255.255.255.255/32 --dport 67:68 --sport 67:68 -j ACCEPT $IPT -I INPUT -i $IFwifi -p udp -d 255.255.255.255/32 --dport 67:68 --sport 67:68 -j ACCEPT $IPT -A INPUT -d $IPint -j REJECT_RFC $IPT -A INPUT -d $IPwifi -j REJECT_RFC echo "Preemptive/redundant protection from spills into analysis interfaces from this host (i.e: Chromium SSDP, avahi...)" $IPT -A OUTPUT -o $IFint -p udp -m udp --dport 1900 -j whoops $IPT -A OUTPUT -o $IFint -p udp -m udp --sport 1900 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --dport 1900 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --sport 1900 -j whoops $IPT -A OUTPUT -o $IFint -p udp -m udp --dport 5353 -j whoops $IPT -A OUTPUT -o $IFint -p udp -m udp --sport 5353 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --dport 5353 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --sport 5353 -j whoops $IPT -A OUTPUT -o $IFint -p udp -m udp --dport 5355 -j whoops $IPT -A OUTPUT -o $IFint -p udp -m udp --sport 5355 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --dport 5355 -j whoops $IPT -A OUTPUT -o $IFwifi -p udp -m udp --sport 5355 -j whoops $IPT -A OUTPUT -o $IFint -p tcp -m tcp --dport 5355 -j whoops $IPT -A OUTPUT -o $IFint -p tcp -m tcp --sport 5355 -j whoops $IPT -A OUTPUT -o $IFwifi -p tcp -m tcp --dport 5355 -j whoops $IPT -A OUTPUT -o $IFwifi -p tcp -m tcp --sport 5355 -j whoops echo "Finalize ruleset..." $IPT -A INPUT -j REJECT_RFC $IPT -A FORWARD -j REJECT_HOST