You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
106 lines
3.4 KiB
106 lines
3.4 KiB
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall |
|
# Version 20.12 — 2020-12-01 22:55:35 |
|
|
|
# Main interface |
|
INT='eth0' |
|
|
|
# IPv6 |
|
IPV6=on |
|
|
|
# Docker Mode |
|
# Changes the behaviour of minifirewall to not break the containers' network |
|
# For instance, turning it on will disable nat table purge |
|
# Also, we'll add the DOCKER-USER chain, in iptable |
|
DOCKER='off' |
|
|
|
# Trusted IPv4 local network |
|
# ...will be often IP/32 if you don't trust anything |
|
INTLAN='192.168.0.2/32' |
|
|
|
# Trusted IPv4 addresses for private and semi-public services |
|
TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146' |
|
|
|
# Privilegied IPv4 addresses for semi-public services |
|
# (no need to add again TRUSTEDIPS) |
|
PRIVILEGIEDIPS='' |
|
|
|
|
|
# Local services IPv4/IPv6 restrictions |
|
####################################### |
|
|
|
# Protected services |
|
# (add also in Public services if needed) |
|
SERVICESTCP1p='22222' |
|
SERVICESUDP1p='' |
|
|
|
# Public services (IPv4/IPv6) |
|
SERVICESTCP1='22222' |
|
SERVICESUDP1='' |
|
|
|
# Semi-public services (IPv4) |
|
SERVICESTCP2='22' |
|
SERVICESUDP2='' |
|
|
|
# Private services (IPv4) |
|
SERVICESTCP3='5666' |
|
SERVICESUDP3='' |
|
|
|
# Standard output IPv4 access restrictions |
|
########################################## |
|
|
|
# DNS authorizations |
|
# (if you have local DNS server, set 0.0.0.0/0) |
|
DNSSERVEURS='0.0.0.0/0' |
|
|
|
# HTTP authorizations |
|
# (you can use DNS names but set cron to reload minifirewall regularly) |
|
# (if you have HTTP proxy, set 0.0.0.0/0) |
|
# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org' |
|
HTTPSITES='0.0.0.0/0' |
|
|
|
# HTTPS authorizations |
|
HTTPSSITES='0.0.0.0/0' |
|
|
|
# FTP authorizations |
|
FTPSITES='' |
|
|
|
# SSH authorizations |
|
SSHOK='0.0.0.0/0' |
|
|
|
# SMTP authorizations |
|
SMTPOK='0.0.0.0/0' |
|
|
|
# SMTP secure authorizations (ports TCP/465 and TCP/587) |
|
SMTPSECUREOK='' |
|
|
|
# NTP authorizations |
|
NTPOK='0.0.0.0/0' |
|
|
|
|
|
# IPv6 Specific rules |
|
##################### |
|
|
|
# Example: allow SSH from Trusted IPv6 addresses |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT |
|
|
|
# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT |
|
|
|
# Example: allow output DNS, NTP and traceroute traffic |
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT |
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT |
|
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT |
|
|
|
# Example: allow DHCPv6 |
|
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT |
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT |
|
|
|
# IPv4 Specific rules |
|
##################### |
|
|
|
# /sbin/iptables ...
|
|
|