evolix
/
minifirewall
16
0
Fork 0
Code Issues 4 Pull Requests 1 Releases 0 Activity
Simple and flexible firewall for Linux server
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 Commits
7 Branches
112 KiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
minifirewall/minifirewall.conf

102 lines
3.1 KiB
Raw Permalink Normal View History

Update copyright and add version number
2 months ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Patch to have compatibility with poor non-IPv6 server
9 years ago
Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm
1 year ago
Improve configuration file
5 years ago
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements
11 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Put our IPs back in the TRUSTEDIPS variable The TRUSTEDIPS variable is the public reference for Evolix IPs
3 weeks ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien
5 months ago
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements
11 years ago
Improve configuration file
5 years ago
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien
5 months ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
new policy for default ports: we close almost all to be sure that nothing works if we don't configure it nouvelle politique d'ouverture des ports par défaut : on ferme quasi tout pour que rien ne marche ou presque si on ne configure rien
5 months ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Add NEEDRESTRICT chain to deny some services by free rules Somes improvements
11 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm
1 year ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Allow all DNS requests by default
10 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Remove volatile.debian.org from HTTPSITES This domain doesn't exist anymore.
1 month ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Open HTTPS by default
10 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Fix a bug with var name, and remove _ (uniformization)
9 years ago
Added a SMTP_SECURE_OK rule (port 465) Signed-off-by: Gregory Colpart <reg@evolix.fr>
10 years ago
Improve configuration file
5 years ago
We authorize now all NTP traffic by default
9 years ago
Import files from http://www.gcolpart.com/hacks/
11 years ago
Improve configuration file
5 years ago
Adding rules to block outgoing UDP trafic except for DNS and NTP.
8 years ago
Improve new UDP rules to DROP by default
8 years ago
Add default rule for IPv6 DNS responses
6 years ago
Allow Input DNS on IPv6. Used when a slave respond to a master notification in bind for example.
6 years ago
Improve rocks-solid comportment of the firewall script !
9 years ago
Improve configuration file
5 years ago
Improve new UDP rules to DROP by default
8 years ago
Duplicate rule
6 years ago
Improve rocks-solid comportment of the firewall script !
9 years ago
Improve configuration file
5 years ago
use same syntax for all ip6tables rules
6 years ago
Adding rules for DHCPv6.
7 years ago
Improve configuration file
5 years ago
Last committer removed the IPv4 UDP rules?! Re-adding.
8 years ago
 
  1. # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
  2. # Version 20.12 — 2020-12-01 22:55:35
  3. 

  4. # Main interface
  5. INT='eth0'
  6. 

  7. # IPv6
  8. IPV6=on
  9. 

  10. # Docker Mode
  11. # Changes the behaviour of minifirewall to not break the containers' network
  12. # For instance, turning it on will disable nat table purge
  13. # Also, we'll add the DOCKER-USER chain, in iptable
  14. DOCKER='off'
  15. 

  16. # Trusted IPv4 local network
  17. # ...will be often IP/32 if you don't trust anything
  18. INTLAN='192.168.0.2/32'
  19. 

  20. # Trusted IPv4 addresses for private and semi-public services
  21. TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'
  22. 

  23. # Privilegied IPv4 addresses for semi-public services
  24. # (no need to add again TRUSTEDIPS)
  25. PRIVILEGIEDIPS=''
  26. 

  27. 

  28. # Local services IPv4/IPv6 restrictions
  29. #######################################
  30. 

  31. # Protected services
  32. # (add also in Public services if needed)
  33. SERVICESTCP1p='22222'
  34. SERVICESUDP1p=''
  35. 

  36. # Public services (IPv4/IPv6)
  37. SERVICESTCP1='22222'
  38. SERVICESUDP1=''
  39. 

  40. # Semi-public services (IPv4)
  41. SERVICESTCP2='22'
  42. SERVICESUDP2=''
  43. 

  44. # Private services (IPv4)
  45. SERVICESTCP3='5666'
  46. SERVICESUDP3=''
  47. 

  48. 

  49. # Standard output IPv4 access restrictions
  50. ##########################################
  51. 

  52. # DNS authorizations
  53. # (if you have local DNS server, set 0.0.0.0/0)
  54. DNSSERVEURS='0.0.0.0/0'
  55. 

  56. # HTTP authorizations
  57. # (you can use DNS names but set cron to reload minifirewall regularly)
  58. # (if you have HTTP proxy, set 0.0.0.0/0)
  59. HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
  60. 

  61. # HTTPS authorizations
  62. HTTPSSITES='0.0.0.0/0'
  63. 

  64. # FTP authorizations
  65. FTPSITES=''
  66. 

  67. # SSH authorizations
  68. SSHOK='0.0.0.0/0'
  69. 

  70. # SMTP authorizations
  71. SMTPOK='0.0.0.0/0'
  72. 

  73. # SMTP secure authorizations (ports TCP/465 and TCP/587)
  74. SMTPSECUREOK=''
  75. 

  76. # NTP authorizations
  77. NTPOK='0.0.0.0/0'
  78. 

  79. 

  80. # IPv6 Specific rules
  81. #####################
  82. 

  83. # Example: allow input HTTP/HTTPS/SMTP/DNS traffic
  84. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
  85. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
  86. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
  87. /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  88. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  89. 

  90. # Example: allow output DNS, NTP and traceroute traffic
  91. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
  92. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
  93. #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
  94. 

  95. # Example: allow DHCPv6
  96. /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
  97. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
  98. 

  99. # IPv4 Specific rules
  100. #####################
  101. 

  102. # /sbin/iptables ...