# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall # Version 20.12 — 2020-12-01 22:55:35 # Main interface INT='eth0' # IPv6 IPV6=on # Docker Mode # Changes the behaviour of minifirewall to not break the containers' network # For instance, turning it on will disable nat table purge # Also, we'll add the DOCKER-USER chain, in iptable DOCKER='off' # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='' # Trusted IPv4 addresses for private and semi-public services TRUSTEDIPS='' # Privilegied IPv4 addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='' # Local services IPv4/IPv6 restrictions ####################################### # Protected services # (add also in Public services if needed) SERVICESTCP1p='22222' SERVICESUDP1p='' # Public services (IPv4/IPv6) SERVICESTCP1='22222' SERVICESUDP1='' # Semi-public services (IPv4) SERVICESTCP2='22' SERVICESUDP2='' # Private services (IPv4) SERVICESTCP3='5666' SERVICESUDP3='' # Standard output IPv4 access restrictions ########################################## # DNS authorizations # (if you have local DNS server, set DNSSERVEURS='' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set # HTTPSITES='security.debian.org pub.evolix.org security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org deb.freexian.com' HTTPSITES='' # HTTPS authorizations HTTPSSITES='' # FTP authorizations FTPSITES='' # SSH authorizations SSHOK='' # SMTP authorizations SMTPOK='' # SMTP secure authorizations (ports TCP/465 and TCP/587) SMTPSECUREOK='' # NTP authorizations NTPOK='' # IPv6 Specific rules ##################### # Example: allow SSH from Trusted IPv6 addresses /sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT # Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT # Example: allow output DNS, NTP and traceroute traffic /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT # Example: allow DHCPv6 /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT # IPv4 Specific rules ##################### # /sbin/iptables ...