#!/bin/bash

# Устанавливаем переменные окружения:
LAN="eth1"
WAN="eth0"
VPN="ppp0"
LAN_IP_RANGE="192.168.110.0/24"
LAN_IP="192.168.110.1"
WAN_IP="172.20.85.281"
LIBER_IP="192.168.110.100"
SNAKE_IP="192.168.110.101"
SSH_PORT="22828"

# Включаем форвардинг пакетов и подгружаем модули:
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Очищаем существующие таблицы правил:
iptables --flush
iptables --delete-chain
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table mangle --flush
iptables --table mangle --delete-chain

# Устанавливаем политики запрета всего:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Разрешаем локальный траффик для loopback:
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
iptables --append INPUT ! --in-interface lo --destination 127.0.0.0/8 --jump REJECT

# Явно разрешаем доступ к SSH из внутренней сети:
iptables --append INPUT --protocol tcp --in-interface $LAN --destination-port $SSH_PORT --jump ACCEPT

# Явно разрешаем пинг:
iptables --append INPUT --protocol icmp --icmp-type 8 --jump ACCEPT

# Запрещаем все пакеты, которые не могут быть идентифицированы и поэтому не могут иметь определенного статуса:
iptables --append INPUT --match state --state INVALID --jump DROP
iptables --append FORWARD --match state --state INVALID --jump DROP

# Приводит к связыванию системных ресурсов, так что реальный обмен данными становится невозможным, запрещаем:
iptables --append INPUT --protocol tcp ! --syn --match state --state NEW --jump DROP
iptables --append OUTPUT --protocol tcp ! --syn --match state --state NEW --jump DROP

# Разрешаем траффик для внутренней сети:
iptables --append INPUT --in-interface $LAN --jump ACCEPT
iptables --append OUTPUT --out-interface $LAN --jump ACCEPT

# Разрешаем входящие пакеты уже инициированных соединений, а также дочерние от них:
iptables --append INPUT --protocol all --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Разрешаем исходящие пакеты новых, а так же уже инициированных и их дочерних соединений:
iptables --append OUTPUT --protocol all --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT
# Разрешаем форвардинг для новых, а так же уже инициированных и их дочерних соединений:
iptables --append FORWARD --protocol all --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

# Включаем фрагментацию пакетов. Необходимо из за разных значений MTU:
iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

# Разрешаем доступ из внутренней сети наружу:
iptables --append FORWARD --in-interface $LAN --out-interface $WAN --jump ACCEPT
iptables --append FORWARD --in-interface $LAN --out-interface $VPN --jump ACCEPT

# Разрешаем доступ снаружи во внутреннюю сеть:
iptables --append FORWARD --in-interface $WAN --out-interface $LAN --jump ACCEPT
iptables --append FORWARD --in-interface $VPN --out-interface $LAN --jump ACCEPT

# NAT-маскарадинг:
iptables --table nat --append POSTROUTING --out-interface $WAN --source $LAN_IP_RANGE --jump MASQUERADE
iptables --table nat --append POSTROUTING --out-interface $VPN --source $LAN_IP_RANGE --jump MASQUERADE


################
#
# Проброс портов
#
# Правила для каждого проброса:
# 1 - Проброс внешнего порта на адрес в LAN
# 2 - Перенаправление пакетов через NAT при обращении LAN-клиента к LAN-службе по ее WAN адресу
# 3 - На случай, если клиент - сам маршрутизатор
# 4 - Разрешающее правило для форвардинга из WAN в LAN

# Greylink DC++
iptables --table nat --append PREROUTING \
        --protocol tcp --destination $WAN_IP --dport 22612 --jump DNAT --to-destination $LIBER_IP

iptables --table nat ---append POSTROUTING \
        --protocol tcp --destination $LAN_IP --dport 22612 --jump SNAT --to-source $LIBER_IP

iptables --table nat --append OUTPUT \
        --protocol tcp --destination $WAN_IP --dport 22612 --jump DNAT --to-destination $LIBER_IP

iptables --insert FORWARD 1 \
        --protocol tcp --match tcp --in-interface $WAN --out-interface $LAN \
        --destination $LIBER_IP --dport 22612 --jump ACCEPT

iptables --table nat --append PREROUTING \
        --protocol tcp --destination $WAN_IP --dport 22682 --jump DNAT --to-destination $LIBER_IP

iptables --table nat ---append POSTROUTING \
        --protocol tcp --destination $LAN_IP --dport 22682 --jump SNAT --to-source $LIBER_IP

iptables --table nat --append OUTPUT \
        --protocol tcp --destination $WAN_IP --dport 22682 --jump DNAT --to-destination $LIBER_IP

iptables --insert FORWARD 1 \
        --protocol tcp --match tcp --in-interface $WAN --out-interface $LAN \
        --destination $LIBER_IP --dport 22682 --jump ACCEPT

iptables --table nat ---append POSTROUTING \
        --protocol tcp --destination $LAN_IP --dport 22612 --jump SNAT --to-source $LIBER_IP

# eth0 подключен к интернету.
# eth1 подключен к частной подсети.
 
# Внешний интерфейс сервера
IF_EXT="ens3"
 
# Внутренние интерфейсы (обслуживающие ВПН-клиентов)
IF_INT="ppp+"
 
# Сеть, адреса из которой будут получать ВПН-клиенты
NET_INT="112.128.72.0/24"
 
LOOP="127.0.0.1"
 
 
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${NET_INT} -o eth0 -j MASQUERADE
-t nat -A POSTROUTING -s ${NET_INT} -j MASQUERADE -o ${IF_EXT}
-t nat -A POSTROUTING -o eth0 -s ${NET_INT} -j MASQUERADE
COMMIT
 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
 
#
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol none -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o ${IF_INT} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${IF_INT} -o eth0 -j ACCEPT
-A FORWARD -s ${NET_INT} -d ${NET_INT} -i ${IF_INT} -o ${IF_INT} -j ACCEPT
-A FORWARD -j DROP
 
 
# Разрешаем весь трафик на петлевом интерфейсе
-A INPUT -i lo -j ACCEPT
 
# Запретить внешним пакетам использовать петлевой адрес
-A INPUT -i eth0 -s ${LOOP} -j DROP
-A FORWARD -i eth0 -s ${LOOP} -j DROP
-A INPUT -i eth0 -d ${LOOP} -j DROP
-A FORWARD -i eth0 -d ${LOOP} -j DROP
 
# Все, что приходит из Интернета, должно иметь настоящий интернет-адрес
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
 
# Разрешаем всё для ВПН-клиентов
-A INPUT -i ${IF_INT} -s ${NET_INT} -j ACCEPT
 
 
# Разрешаем входящие соединения к L2TP
# Но только с шифрованием!
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
 
# Разрешаем IPSec
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
 
# Разрешаем доступ к серверу по SSH
-A INPUT -m tcp -p tcp --dport 2002 -j ACCEPT
 
 
# Разрешаем входящие ответы на исходящие соединения
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# NAT для локальной сети (ВПН-клиентов)
-A FORWARD -i ${IF_INT} -o ${IF_EXT} -s ${NET_INT} -j ACCEPT
-A FORWARD -i ${IF_EXT} -o ${IF_INT} -d ${NET_INT} -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Блокировать исходящие NetBios (если у вас запущены машины с Windows
# в частной подсети). Это не повлияет на NetBios
# трафик, который проходит через VPN-туннель, но он остановится
# локальные машины Windows от вещания себя
# интернет.
-A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
-A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
-A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
-A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
 
# Проверка правильности адреса источника на пакетах, выходящих в интернет
-A FORWARD -s ! ${NET_INT} -i eth1 -j DROP
 
# Разрешить локальную петлю
-A INPUT -s ${LOOP} -j ACCEPT
-A INPUT -d ${LOOP} -j ACCEPT
 
# Drop входящих эхо-запросов
-A INPUT -p icmp --icmp-type echo-request -j DROP
 
# Drop пакетов из частных подсетей
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth1 -j DROP
 
# Сохранять состояние соединений из локальной машины и частных подсетей
-A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state NEW -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Самба ВКЛ
-A INPUT -p tcp -m tcp --dport 445 –s ${NET_INT} -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 –s ${NET_INT} -j ACCEPT
-A INPUT -p udp -m udp --dport 137 –s ${NET_INT} -j ACCEPT
-A INPUT -p udp -m udp --dport 138 –s ${NET_INT} -j ACCEPT
 
-A INPUT -i eth0 -s ${NET_INT} -p udp --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -d ${NET_INT} -p udp --sport 137:138 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s ${NET_INT} -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -d ${NET_INT} -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -d ${NET_INT} -p udp --sport 445 -m state --state ESTABLISHED -j ACCEPT
 
-I INPUT -i eth0 -p tcp --dport 137 -j DROP
-I INPUT -i eth0 -p tcp --dport 138 -j DROP
-I INPUT -i eth0 -p tcp --dport 139 -j DROP
-I INPUT -i eth0 -p tcp --dport 445 -j DROP
-I INPUT -i eth0 -p tcp --dport 1701 -j DROP
 
COMMIT

 Screen 0: minimum 8 x 8, current 1920 x 1080, maximum 32767 x 32767
eDP1 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 310mm x 170mm
   1920x1080     60.05*+  59.93  
   1680x1050     59.88  
   1400x1050     59.98  
   1600x900      60.00    59.95    59.82  
   1280x1024     60.02  
   1400x900      59.96    59.88  
   1280x960      60.00  
   1368x768      60.00    59.88    59.85  
   1280x800      59.81    59.91  
   1280x720      59.86    60.00    59.74  
   1024x768      60.00  
   1024x576      60.00    59.90    59.82  
   960x540       60.00    59.63    59.82  
   800x600       60.32    56.25  
   864x486       60.00    59.92    59.57  
   640x480       59.94  
   720x405       59.51    60.00    58.99  
   640x360       59.84    59.32    60.00  
HDMI1 disconnected (normal left inverted right x axis y axis)
VIRTUAL1 disconnected (normal left inverted right x axis y axis)

 Providers: number : 1
Provider 0: id: 0x46 cap: 0xb, Source Output, Sink Output, Sink Offload crtcs: 4 outputs: 3 associated providers: 0 name:Intel

 00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
	Subsystem: Lenovo Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers
	Kernel driver in use: skl_uncore
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics 620 (rev 07)
	Subsystem: Lenovo UHD Graphics 620
	Kernel driver in use: i915
	Kernel modules: i915
00:04.0 Signal processing controller: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Thermal Subsystem (rev 08)
	Subsystem: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Thermal Subsystem
	Kernel driver in use: proc_thermal
	Kernel modules: processor_thermal_device
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
	Subsystem: Lenovo Sunrise Point-LP USB 3.0 xHCI Controller
	Kernel driver in use: xhci_hcd
	Kernel modules: xhci_pci
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
	Subsystem: Lenovo Sunrise Point-LP Thermal subsystem
	Kernel driver in use: intel_pch_thermal
	Kernel modules: intel_pch_thermal
00:15.0 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #0 (rev 21)
	Subsystem: Lenovo Sunrise Point-LP Serial IO I2C Controller
	Kernel driver in use: intel-lpss
	Kernel modules: intel_lpss_pci
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
	Subsystem: Lenovo Sunrise Point-LP CSME HECI
	Kernel driver in use: mei_me
	Kernel modules: mei_me
00:17.0 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 21)
	Subsystem: Lenovo 82801 Mobile SATA Controller [RAID mode]
	Kernel driver in use: ahci
	Kernel modules: ahci
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #1 (rev f1)
	Kernel driver in use: pcieport
00:1c.5 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #6 (rev f1)
	Kernel driver in use: pcieport
00:1f.0 ISA bridge: Intel Corporation Sunrise Point LPC Controller/eSPI Controller (rev 21)
	Subsystem: Lenovo Sunrise Point LPC Controller/eSPI Controller
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
	Subsystem: Lenovo Sunrise Point-LP PMC
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
	Subsystem: Lenovo Sunrise Point-LP HD Audio
	Kernel driver in use: snd_hda_intel
	Kernel modules: snd_hda_intel, snd_soc_skl
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
	Subsystem: Lenovo Sunrise Point-LP SMBus
	Kernel driver in use: i801_smbus
	Kernel modules: i2c_i801
01:00.0 Display controller: Advanced Micro Devices, Inc. [AMD/ATI] Lexa PRO [Radeon RX 550/550X] (rev c3)
	Subsystem: Lenovo Lexa PRO [Radeon RX 550/550X]
	Kernel driver in use: amdgpu
	Kernel modules: amdgpu
02:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)
	Subsystem: Lenovo QCA9377 802.11ac Wireless Network Adapter
	Kernel driver in use: ath10k_pci
	Kernel modules: ath10k_pci

# sudo libinput list-devices
event7  - Chalkboard Electronics HID Touchscreen: libinput bug: missing tablet capabilities: resolution. Ignoring this device.

$ sudo evtest /dev/input/event7
Input driver version is 1.0.1
Input device ID: bus 0x3 vendor 0x4d8 product 0xf723 version 0x111
Input device name: "Chalkboard Electronics HID Touchscreen"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 320 (BTN_TOOL_PEN)
    Event code 321 (BTN_TOOL_RUBBER)
    Event code 330 (BTN_TOUCH)
    Event code 331 (BTN_STYLUS)
  Event type 3 (EV_ABS)
    Event code 0 (ABS_X)
      Value    709
      Min        0
      Max     1366
    Event code 1 (ABS_Y)
      Value    366
      Min        0
      Max      768
    Event code 24 (ABS_PRESSURE)
      Value      0
      Min        0
      Max      768
    Event code 26 (ABS_TILT_X)
      Value      0
      Min   -32767
      Max      768
    Event code 27 (ABS_TILT_Y)
      Value      0
      Min   -32767
      Max      768
  Event type 4 (EV_MSC)
    Event code 4 (MSC_SCAN)
Properties:
  Property type 1 (INPUT_PROP_DIRECT)
Testing ... (interrupt to exit)
Event: time 1565182265.863028, type 4 (EV_MSC), code 4 (MSC_SCAN), value d0042
Event: time 1565182265.863028, type 1 (EV_KEY), code 330 (BTN_TOUCH), value 1
Event: time 1565182265.863028, type 1 (EV_KEY), code 320 (BTN_TOOL_PEN), value 1
Event: time 1565182265.863028, type 3 (EV_ABS), code 0 (ABS_X), value 557
Event: time 1565182265.863028, type 3 (EV_ABS), code 1 (ABS_Y), value 479
Event: time 1565182265.863028, type 3 (EV_ABS), code 24 (ABS_PRESSURE), value 768
Event: time 1565182265.863028, -------------- SYN_REPORT ------------
Event: time 1565182266.088009, type 4 (EV_MSC), code 4 (MSC_SCAN), value d0042
Event: time 1565182266.088009, type 1 (EV_KEY), code 330 (BTN_TOUCH), value 0
Event: time 1565182266.088009, type 1 (EV_KEY), code 320 (BTN_TOOL_PEN), value 0
Event: time 1565182266.088009, type 3 (EV_ABS), code 24 (ABS_PRESSURE), value 0
Event: time 1565182266.088009, -------------- SYN_REPORT ------------

$ sudo xinput_calibrator 
Error: No calibratable devices found.

# ls /usr/share/X11/xorg.conf.d/
10-quirks.conf  40-libinput.conf  70-synaptics.conf

# cat /usr/share/X11/xorg.conf.d/40-libinput.conf 
# Match on all types of devices but joysticks
#
# If you want to configure your devices, do not copy this file.
# Instead, use a config snippet that contains something like this:
#
# Section "InputClass"
#   Identifier "something or other"
#   MatchDriver "libinput"
#
#   MatchIsTouchpad "on"
#   ... other Match directives ...
#   Option "someoption" "value"
# EndSection
#
# This applies the option any libinput device also matched by the other
# directives. See the xorg.conf(5) man page for more info on
# matching devices.

Section "InputClass"
        Identifier "libinput pointer catchall"
        MatchIsPointer "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
EndSection

Section "InputClass"
        Identifier "libinput keyboard catchall"
        MatchIsKeyboard "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
EndSection

Section "InputClass"
        Identifier "libinput touchpad catchall"
        MatchIsTouchpad "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
EndSection

Section "InputClass"
        Identifier "libinput touchscreen catchall"
        MatchIsTouchscreen "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
EndSection

Section "InputClass"
        Identifier "libinput touchscreen catchall"
        MatchIsTouchscreen "on"
        MatchDevicePath "/dev/input/event7"
        Driver "libinput"
EndSection

Section "InputClass"
        Identifier "libinput tablet catchall"
        MatchIsTablet "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
EndSection

# $ cat /usr/share/X11/xorg.conf.d/70-synaptics.conf 
# Example xorg.conf.d snippet that assigns the touchpad driver
# to all touchpads. See xorg.conf.d(5) for more information on
# InputClass.
# DO NOT EDIT THIS FILE, your distribution will likely overwrite
# it when updating. Copy (and rename) this file into
# /etc/X11/xorg.conf.d first.
# Additional options may be added in the form of
#   Option "OptionName" "value"
#
Section "InputClass"
        Identifier "touchpad catchall"
        Driver "synaptics"
        MatchIsTouchpad "on"
# This option is recommend on all Linux systems using evdev, but cannot be
# enabled by default. See the following link for details:
# http://who-t.blogspot.com/2010/11/how-to-ignore-configuration-errors.html
#       MatchDevicePath "/dev/input/event*"
EndSection

Section "InputClass"
        Identifier "touchpad ignore duplicates"
        MatchIsTouchpad "on"
        MatchOS "Linux"
        MatchDevicePath "/dev/input/mouse*"
        Option "Ignore" "on"
EndSection

# This option enables the bottom right corner to be a right button on clickpads
# and the right and middle top areas to be right / middle buttons on clickpads
# with a top button area.
# This option is only interpreted by clickpads.
Section "InputClass"
        Identifier "Default clickpad buttons"
        MatchDriver "synaptics"
        Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0"
        Option "SecondarySoftButtonAreas" "58% 0 0 15% 42% 58% 0 15%"
EndSection

# This option disables software buttons on Apple touchpads.
# This option is only interpreted by clickpads.
Section "InputClass"
        Identifier "Disable clickpad buttons on Apple touchpads"
        MatchProduct "Apple|bcm5974"
        MatchDriver "synaptics"
        Option "SoftButtonAreas" "0 0 0 0 0 0 0 0"
EndSection

$ cat /var/log/Xorg.0.log | grep event7
[   206.241] (II) config/udev: Adding input device Intel HID 5 button array (/dev/input/event7)
[   206.241] (**) Option "Device" "/dev/input/event7"
[   206.242] (II) event7  - Intel HID 5 button array: is tagged by udev as: Keyboard
[   206.242] (II) event7  - Intel HID 5 button array: device is a keyboard
[   206.243] (II) event7  - Intel HID 5 button array: device removed
[   206.278] (**) Option "config_info" "udev:/sys/devices/platform/INT33D5:00/input/input8/event7"
[   206.280] (II) event7  - Intel HID 5 button array: is tagged by udev as: Keyboard
[   206.280] (II) event7  - Intel HID 5 button array: device is a keyboard
[   221.134] (II) event7  - Intel HID 5 button array: device removed

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::12b4:39c6:6569:8a23  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1913061  bytes 2610591991 (2.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 977956  bytes 167211904 (167.2 MB)
        TX errors 0  dropped 943 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::8bb8:312b:c03a:74ec  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 720  bytes 42932 (42.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1512  bytes 351472 (351.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

smtpd_client_restrictions:
  permit_sasl_authenticated,
  check_client_access: pcre:/etc/post/client_checks.pcre,
  reject_unknow_client_hostname,
  # ................

$ cat client_checks.pcre


/^.*[.]slack[.]com$/ ACCEPT

 NOQUEUE: reject: RCPT from unknown[11.22.33.44]: 450 4.7.25 Client host rejected: cannot find your hostname, [11.22.33.44]; from=<fdsafds-fdsfds-43243-4324-fds4-dsfds-000000@mail.slack.com> to=<me@my_domain.com proto=ESMTP helo=<a11-22.smtp-out.amazonses.com>

/usr/bin/rsync \
-a \
--delete \
--numeric-ids \
--relative \
--delete-excluded \
--rsh=/usr/bin/ssh -p111 user@mysite.ru:/home/mysite.ru /media/.sync/mysite.ru

ssh -p111 user@mysite.ru # работает

ssh -p111 user@mysite.ru:/home/mysite.ru # выдает ошибку

ssh: Could not resolve hostname mysite.ru:/home/mysite.ru: Name or service not known!

    smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination,
      reject_unauthenticated_sender_login_mismatch,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
    #  reject_unknown_recipient_domain
      reject_unauth_pipelining,
      reject_non_fqdn_sender,
      reject_unauth_destination,
      reject_non_fqdn_hostname,
      reject_invalid_hostname,
      reject_rbl_client bl.spamcop.net,
      check_recipient_access regexp:/etc/postfix/my_checker.rgx, # <--------- !
      permit

    /somename\d*@\d{4}[.]com/ REJECT test_message_reject123

    from=<SomeName33445566@1234.com>

    From: Some name <SomeName33445566@1234.com>

Table_1 - messages
---------------------
 id|topic_id|message|
---------------------
 1 | 80777  | mes1  |
---------------------
 2 | 80777  | mes2  |
---------------------
 3 | 80779  | mes3  |
---------------------

Table_2 - topics
--------------------------
   id  | posted | author |
--------------------------
 80776 | data   | name 1 |
--------------------------
 80777 | data   | name 2 |
--------------------------
 80778 | data   | name 3 |
--------------------------

mysql> SELECT topic_id, message FROM Table_1 WHERE topic_id NOT IN (SELECT id FROM Table_2);
Empty set (5.88 sec) !!!