Improve rocks-solid comportment of the firewall script !

This commit is contained in:
Gregory Colpart 2011-10-21 02:10:24 +02:00
parent b72c47223a
commit 11ca1d1599
2 changed files with 31 additions and 23 deletions


@ -77,3 +77,8 @@ NTPOK='0.0.0.0/0'
# /sbin/iptables .... # /sbin/iptables ....
# /sbin/iptables .... # /sbin/iptables ....
# /sbin/iptables .... # /sbin/iptables ....
# allow HTTP/HTTPS IPv6 traffic
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
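Review bot: The comment above the two added ip6tables rules overstates what they do: matching `--sport 80`/`--sport 443` together with `--state ESTABLISHED,RELATED` only accepts replies to outbound IPv6 HTTP/HTTPS client connections arriving on eth0; it does not open ports 80/443 for an inbound web service, and someone editing this config later could easily read it that way. I would reword it to `# accept replies to outgoing IPv6 HTTP/HTTPS client connections on eth0 (does not expose a local web server)`. Since this file is sourced by the script after its new `set -e`, a failing ip6tables here (e.g. IPv6 support missing on the host) will presumably abort the whole rule load rather than be reported at the end, so the hard-coded interface name is worth a second look as well.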


@ -1,4 +1,4 @@
#!/bin/sh -e #!/bin/sh
# minifirewall is shellscripts for easy firewalling on a standalone server # minifirewall is shellscripts for easy firewalling on a standalone server
# See http://git.evolix.org/?p=evolinux/minifirewall.git;a=summary # See http://git.evolix.org/?p=evolinux/minifirewall.git;a=summary
@ -12,7 +12,7 @@
# Script netfilter/iptables # Script netfilter/iptables
# http://netfilter.org/ # http://netfilter.org/
# #
# Designed for Linux kernel 2.4/2.6 # Designed for Linux kernel 2.6
# http://www.kernel.org/ # http://www.kernel.org/
# Description # Description
@ -37,7 +37,6 @@ DESC="minifirewall"
NAME="minifirewall" NAME="minifirewall"
### ###
# Configuration des variables # Configuration des variables
### ###
@ -64,6 +63,10 @@ case "$1" in
echo "Demarrage regles IPTables..." echo "Demarrage regles IPTables..."
# Stop and warn if error!
set -e
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
# 1.Protections diverses # 1.Protections diverses
# ne pas repondre aux ping broadcast # ne pas repondre aux ping broadcast
@ -114,16 +117,16 @@ $IPT -A LOG_ACCEPT -j ACCEPT
configfile="/etc/firewall.rc" configfile="/etc/firewall.rc"
if ! test -f $configfile; then if ! test -f $configfile; then
echo "$configfile does not exist" >&2 echo "$configfile does not exist" >&2
exit 1 exit 1
fi fi
tmpfile=`mktemp` tmpfile=`mktemp`
. $configfile 2>$tmpfile >&2 . $configfile 2>$tmpfile >&2
if [ -s $tmpfile ]; then if [ -s $tmpfile ]; then
echo "$configfile returns standard or error output (see below). Stopping." echo "$configfile returns standard or error output (see below). Stopping."
cat $tmpfile cat $tmpfile
exit 1 exit 1
fi fi
rm $tmpfile rm $tmpfile
@ -147,21 +150,6 @@ for x in $PRIVILEGIEDIPS
# chain for restrictions (blacklist ips/ranges) # chain for restrictions (blacklist ips/ranges)
$IPT -N NEEDRESTRICT $IPT -N NEEDRESTRICT
# politique
# par defaut rien ne rentre
$IPT -P INPUT DROP
$IPT6 -P INPUT DROP
# par defaut rien ne transite (obsolete, notamment pour les VM)
#echo 0 > /proc/sys/net/ipv4/ip_forward
#$IPT -P FORWARD DROP
#$IPT6 -P FORWARD DROP
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
# On autorise tout sur l'interface loopback # On autorise tout sur l'interface loopback
$IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -i lo -j ACCEPT
$IPT6 -A INPUT -i lo -j ACCEPT $IPT6 -A INPUT -i lo -j ACCEPT
@ -296,7 +284,22 @@ for x in $NTPOK
$IPT -A INPUT -p icmp -j ACCEPT $IPT -A INPUT -p icmp -j ACCEPT
$IPT6 -A INPUT -p icmpv6 -j ACCEPT $IPT6 -A INPUT -p icmpv6 -j ACCEPT
# politique
# par defaut rien ne rentre
$IPT -P INPUT DROP
$IPT6 -P INPUT DROP
# par defaut rien ne transite (obsolete, notamment pour les VM)
#echo 0 > /proc/sys/net/ipv4/ip_forward
#$IPT -P FORWARD DROP
#$IPT6 -P FORWARD DROP
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
trap - INT TERM EXIT
echo "Fin du chargement des regles... " echo "Fin du chargement des regles... "
;; ;;
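Review bot: The new trap in the start arm swallows the real cause when the sourced config fails: the config's stderr is redirected into `$tmpfile`, `set -e` exits before the `cat $tmpfile` check below it runs, so the operator only sees the generic message while the iptables error sits in a leftover mktemp file. Having the handler dump it, e.g. `trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." >&2; [ -s "$tmpfile" ] && cat "$tmpfile" >&2' INT TERM EXIT`, would surface the failing rule, and the message belongs on stderr either way. The handler also does not exit on INT/TERM, so a Ctrl-C during loading prints the message and the script keeps installing the remaining rules; a separate `trap 'exit 1' INT TERM` next to the EXIT trap would actually stop it. Moving the DROP policies to the end means an aborted load now leaves INPUT with whatever policy was in place before (fail-open on a fresh boot rather than a lock-out), which looks intended but deserves a comment at the `# politique` block saying so. The `start)` case arm this code belongs to begins and ends outside the visible hunks.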