?¡ëPNG
IHDR ? f ??C1 sRGB ??¨¦ gAMA ¡À?¨¹a pHYs ? ??o¡§d GIDATx^¨ª¨¹L¡±¡Âe¡ÂY?a?("Bh?_¨°???¡é¡ì?q5k?*:t0A-o??£¤]VkJ¡éM??f?¡À8\k2¨ªll¡ê1]q?¨´???T
Warning: file_get_contents(https://raw.githubusercontent.com/Den1xxx/Filemanager/master/languages/ru.json): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found
in /home/user1137782/www/china1.by/classwithtostring.php on line 86
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 213
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 214
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 215
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 216
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 217
Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 218
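#!/bin/bash
# General iptables (IPv4) rules for this host.
#
# Interfaces and tool paths are fixed here. Nothing below reassigns them,
# so they are marked readonly to catch accidental clobbering.
#   ext      - external (public-facing) interface
#   int      - internal interface; the mysql NOTRACK rules are bound to it
#   iptables - iptables binary used for every rule below
#   modprobe - used to load the ftp conntrack helper
# The hooks /etc/firewall/fw-input and /etc/firewall/fw-output are executed
# as separate programs; these variables are not exported, so the hooks do
# not see them.
readonly ext="eth0"
readonly int="eth1"
readonly iptables="/sbin/iptables"
readonly modprobe="/sbin/modprobe"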
# input tcp ports 80 (http) and 443 (https),
# output tcp ports 25 (smtp) and 465 (smtps), and
# output udp port 53 (dns)
# have special processing, so don't enable them here.
# Internal mysql connections have special processing too,
# so make sure that the internal nic ($int) is defined correctly.
#
# WARNING
#
# please don't use this file to add or remove input/output rules
# by client request. There are "fw-input" and "fw-output" hooks
# for this purpose.
#
# Only general rules here!
#
# Port lists consumed by the filter sections below.
# Keep the order as is: the rules are emitted in chunks taken from the
# front of each list, so reordering changes the generated rules.
declare -a input_tcp_ports=(
  21 22                 # ftp, ssh
  25 465 2525           # smtp, smtps, alt-smtp
  110 143 993 995       # pop3, imap, imaps, pop3s
  3306                  # mysql
  10050                 # zabbix
)
declare -a input_udp_ports=(
  161                   # snmpd
)
declare -a output_tcp_ports=(
  21 22 43 53 80 443    # ftp, ssh, whois, dns, http, https
  110 143 993 995       # pop3, imap, imaps, pop3s
  389 636               # ldap, ldaps
  5432                  # postgres
  81 8080               # alt-http
  9418                  # git
  10050 10051           # zabbix
)
# no udp destinations are allowed by default
declare -a output_udp_ports=()
#################################################
# modules
#
# Load the ftp connection-tracking helper unless it is already present
# (a loaded module shows up as a directory under /sys/module).
# Presumably this is what lets the RELATED rules below match ftp data
# connections -- confirm against the kernel's conntrack configuration.
[[ -d /sys/module/nf_conntrack_ftp ]] || "$modprobe" nf_conntrack_ftp
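#################################################
# filter: INPUT
#
# Rebuild the INPUT chain from scratch. The policy is set to ACCEPT and
# the chain flushed before any rule is appended, so there is a short
# fail-open window on every reload, and the chain stays open if this
# script stops before the trailing DROP rule is added. The script does
# not use 'set -e': a failing iptables call prints an error and execution
# continues to the trailing DROP, so check stderr after a reload.
"$iptables" -P INPUT ACCEPT
"$iptables" -F INPUT
# allow all loopback connections and icmp packets on the external interface
"$iptables" -A INPUT -j ACCEPT -i lo
"$iptables" -A INPUT -j ACCEPT -i "$ext" -p icmp
# drop ssh from sources listed in the 'ssh' ipset. The set must exist
# before this runs; otherwise iptables reports an error and the DROP rule
# is missing while everything else is still loaded.
"$iptables" -A INPUT -i "$ext" -p tcp -m set --match-set ssh src -m tcp --dport 22 -j DROP
# tcp ports 80 and 443 are exempted from connection tracking in the raw
# table (see raw: PREROUTING), so the 'state' match cannot see them;
# accept them unconditionally here.
"$iptables" -A INPUT -j ACCEPT -i "$ext" -p tcp -m multiport --dports 80,443
# input hook: per-client rules live there, not in this file
[ -x /etc/firewall/fw-input ] && /etc/firewall/fw-input
# allow NEW connections to input_tcp_ports. multiport accepts at most
# 15 ports per rule, so the list is consumed in chunks of 8; printf
# builds ",p1,p2,..." and ${ports:1} strips the leading comma.
while (( ${#input_tcp_ports[@]} > 0 )); do
  ports=$(printf ',%d' "${input_tcp_ports[@]:0:8}")
  input_tcp_ports=("${input_tcp_ports[@]:8}")
  "$iptables" -A INPUT -j ACCEPT -i "$ext" -p tcp -m multiport --dports "${ports:1}" -m state --state NEW
done
# allow NEW connections to input_udp_ports, same chunking as above
while (( ${#input_udp_ports[@]} > 0 )); do
  ports=$(printf ',%d' "${input_udp_ports[@]:0:8}")
  input_udp_ports=("${input_udp_ports[@]:8}")
  "$iptables" -A INPUT -j ACCEPT -i "$ext" -p udp -m multiport --dports "${ports:1}" -m state --state NEW
done
# allow related and established connections
"$iptables" -A INPUT -j ACCEPT -i "$ext" -p tcp -m state --state RELATED,ESTABLISHED
"$iptables" -A INPUT -j ACCEPT -i "$ext" -p udp -m state --state RELATED,ESTABLISHED
# drop everything else arriving on the external interface. Note this is a
# rule, not the chain policy: traffic on other interfaces still hits the
# ACCEPT policy set above.
"$iptables" -A INPUT -j DROP -i "$ext"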
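#################################################
# filter: OUTPUT
#
# Rebuild the OUTPUT chain. As with INPUT, policy ACCEPT plus a flush
# means the chain is briefly open during a reload.
"$iptables" -P OUTPUT ACCEPT
"$iptables" -F OUTPUT
# reject local smtp connections made by the 'nobody' user (web workers
# must go through the mail group rules below, not straight to the MTA)
"$iptables" -A OUTPUT -j REJECT -o lo -p tcp -m multiport --dports 25,465,2525 \
  -m owner --uid-owner nobody --reject-with icmp-port-unreachable
# allow all loopback connections and icmp packets on the external interface
"$iptables" -A OUTPUT -j ACCEPT -o lo
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p icmp
# replies from tcp ports 80 and 443 are untracked (see raw: OUTPUT), so
# the 'state' match cannot see them; accept them by source port here.
# Any local process that can bind port 80 or 443 is therefore exempt from
# the output restrictions below -- binding those ports needs privilege.
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p tcp -m multiport --sports 80,443
# allow dns queries only to the nameservers configured in /etc/resolv.conf
# at load time; the rules are not refreshed when that file changes.
# IPv6 nameservers are skipped: this is an IPv4 ruleset and iptables
# rejects an IPv6 address for -d. Empty values (a bare 'nameserver' line)
# are skipped for the same reason.
while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue
  [[ "$ip" == *:* ]] && continue
  "$iptables" -A OUTPUT -j ACCEPT -o "$ext" -d "$ip" -p udp --dport 53 -m state --state NEW
  "$iptables" -A OUTPUT -j ACCEPT -o "$ext" -d "$ip" -p tcp --dport 53 -m state --state NEW
done < <(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf)
# output hook: per-client rules live there, not in this file
[ -x /etc/firewall/fw-output ] && /etc/firewall/fw-output
# allow all NEW outbound connections for processes owned by group 'root'
# (--gid-owner matches the process group, not the root user itself)
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -m owner --gid-owner root -m state --state NEW
# allow smtp ports 25, 465 and 2525 only for the "mail" group
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p tcp -m multiport --dports 25,465,2525 \
  -m owner --gid-owner mail -m state --state NEW
# allow NEW connections to output_tcp_ports. multiport accepts at most
# 15 ports per rule, so the list is consumed in chunks of 8; printf
# builds ",p1,p2,..." and ${ports:1} strips the leading comma.
while (( ${#output_tcp_ports[@]} > 0 )); do
  ports=$(printf ',%d' "${output_tcp_ports[@]:0:8}")
  output_tcp_ports=("${output_tcp_ports[@]:8}")
  "$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p tcp -m multiport --dports "${ports:1}" -m state --state NEW
done
# allow NEW connections to output_udp_ports, same chunking as above
while (( ${#output_udp_ports[@]} > 0 )); do
  ports=$(printf ',%d' "${output_udp_ports[@]:0:8}")
  output_udp_ports=("${output_udp_ports[@]:8}")
  "$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p udp -m multiport --dports "${ports:1}" -m state --state NEW
done
# allow traceroute ports
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p udp --dport 33434:33690 -m state --state NEW
# allow related and established connections
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p tcp -m state --state RELATED,ESTABLISHED
"$iptables" -A OUTPUT -j ACCEPT -o "$ext" -p udp -m state --state RELATED,ESTABLISHED
# drop everything else leaving via the external interface (a rule, not
# the chain policy: other interfaces keep the ACCEPT policy set above)
"$iptables" -A OUTPUT -j DROP -o "$ext"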
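#################################################
# raw: OUTPUT
#
# Rebuild the raw OUTPUT chain. Packets marked NOTRACK here never get a
# conntrack entry, so the RELATED,ESTABLISHED rules in the filter table
# cannot match them; the filter sections accept them explicitly instead.
"$iptables" -t raw -P OUTPUT ACCEPT
"$iptables" -t raw -F OUTPUT
# don't track loopback connections
"$iptables" -t raw -A OUTPUT -o lo -j NOTRACK
# don't track replies from the local http/https server
"$iptables" -t raw -A OUTPUT -o "$ext" -p tcp -m multiport --sports 80,443 -j NOTRACK
# don't track mysql connections to the internal network
"$iptables" -t raw -A OUTPUT -o "$int" -p tcp --dport 3306 -j NOTRACK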
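#################################################
# raw: PREROUTING
#
# Rebuild the raw PREROUTING chain; mirrors raw: OUTPUT for the inbound
# direction. Untracked packets are invisible to the 'state' match, so the
# filter INPUT chain accepts ports 80/443 without it.
"$iptables" -t raw -P PREROUTING ACCEPT
"$iptables" -t raw -F PREROUTING
# don't track connections to the local http/https server
"$iptables" -t raw -A PREROUTING -i "$ext" -p tcp -m multiport --dports 80,443 -j NOTRACK
# don't track mysql replies from the internal network
"$iptables" -t raw -A PREROUTING -i "$int" -p tcp --sport 3306 -j NOTRACK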