  1. # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
  2. # Version 20.12 — 2020-12-01 22:55:35
  3. # Main interface
  4. INT='eth0'
  5. # IPv6
  6. IPV6=on
  7. # Docker Mode
  8. # Changes the behaviour of minifirewall to not break the containers' network
  9. # For instance, turning it on will disable nat table purge
  10. # Also, we'll add the DOCKER-USER chain, in iptable
  11. DOCKER='off'
  12. # Trusted IPv4 local network
  13. # ...will be often IP/32 if you don't trust anything
  14. INTLAN='192.168.0.2/32'
  15. # Trusted IPv4 addresses for private and semi-public services
  16. TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'
  17. # Privilegied IPv4 addresses for semi-public services
  18. # (no need to add again TRUSTEDIPS)
  19. PRIVILEGIEDIPS=''
  20. # Local services IPv4/IPv6 restrictions
  21. #######################################
  22. # Protected services
  23. # (add also in Public services if needed)
  24. SERVICESTCP1p='22222'
  25. SERVICESUDP1p=''
  26. # Public services (IPv4/IPv6)
  27. SERVICESTCP1='22222'
  28. SERVICESUDP1=''
  29. # Semi-public services (IPv4)
  30. SERVICESTCP2='22'
  31. SERVICESUDP2=''
  32. # Private services (IPv4)
  33. SERVICESTCP3='5666'
  34. SERVICESUDP3=''
  35. # Standard output IPv4 access restrictions
  36. ##########################################
  37. # DNS authorizations
  38. # (if you have local DNS server, set 0.0.0.0/0)
  39. DNSSERVEURS='0.0.0.0/0'
  40. # HTTP authorizations
  41. # (you can use DNS names but set cron to reload minifirewall regularly)
  42. # (if you have HTTP proxy, set 0.0.0.0/0)
  43. HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
  44. # HTTPS authorizations
  45. HTTPSSITES='0.0.0.0/0'
  46. # FTP authorizations
  47. FTPSITES=''
  48. # SSH authorizations
  49. SSHOK='0.0.0.0/0'
  50. # SMTP authorizations
  51. SMTPOK='0.0.0.0/0'
  52. # SMTP secure authorizations (ports TCP/465 and TCP/587)
  53. SMTPSECUREOK=''
  54. # NTP authorizations
  55. NTPOK='0.0.0.0/0'
  56. # IPv6 Specific rules
  57. #####################
  58. # Example: allow input HTTP/HTTPS/SMTP/DNS traffic
  59. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
  60. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
  61. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
  62. /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  63. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  64. # Example: allow output DNS, NTP and traceroute traffic
  65. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
  66. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
  67. #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
  68. # Example: allow DHCPv6
  69. /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
  70. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
  71. # IPv4 Specific rules
  72. #####################
  73. # /sbin/iptables ...