From 2bbafbc791e201e4acc89287c3e19105393ddb69 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Tue, 23 May 2017 23:32:07 +0000
Subject: [PATCH] handle iptables differently
---
 installer/etc/tpot/systemd/tpot.service | 26 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/installer/etc/tpot/systemd/tpot.service b/installer/etc/tpot/systemd/tpot.service
index bf157b3d..19411b2f 100644
--- a/installer/etc/tpot/systemd/tpot.service
+++ b/installer/etc/tpot/systemd/tpot.service
@@ -29,23 +29,27 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
 # Modify access rights on docker.sock for netdata
 ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
+# Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
+
+# Forward all other connections to honeytrap / NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+
 # Compose T-Pot up
 ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
-# Prepare iptables rules for honeytrap
-ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
-ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
-ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
-ExecStartPost=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 1025,50100,8080,8081,9200 -j NFQUEUE
-
 # Compose T-Pot down, remove containers and volumes
 ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
-# Remove iptables rules for honeytrap
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! 
--dports 1025,50100,8080,8081,9200 -j NFQUEUE
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 64295:64303 -j NFQUEUE
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 3306,5060,5061,5601,11211 -j NFQUEUE
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -m multiport ! --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j NFQUEUE
+# Remove only previously set iptables rules
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 [Install]
 WantedBy=multi-user.target
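Review bot: The five new ExecStopPost= deletions at the end of the hunk run without the `-` prefix the file already uses on the chmod line, so if the unit fails partway through ExecStartPre (after only some ACCEPT rules were appended) the later `-D` calls target rules that were never inserted and fail themselves; `ExecStopPost=-/sbin/iptables -w -D INPUT ...` on each line would make cleanup best-effort. Because `-A` appends unconditionally and `-D` removes a single instance, any start path that is not paired with a completed ExecStopPost leaves an extra copy of each rule in INPUT; an `iptables -w -C ...` check before each `-A`, or a dedicated chain that is flushed on stop, keeps the rule set idempotent. `--syn` only matches a bare SYN, which conntrack classifies as NEW, so `--state NEW,ESTABLISHED` in the four ACCEPT rules is effectively `--state NEW` and reads as if established flows were also being accepted. Moving the catch-all NFQUEUE rule from ExecStartPost to ExecStartPre makes it live before docker-compose starts honeytrap, and packets queued with no userspace listener are dropped by default, so a comment such as `# Until honeytrap binds the queue, unlisted ports are dropped rather than reaching the host` on that line would record that this window is intended. The `[Service]` section header that encloses these directives is outside the hunk.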