Improve rocks-solid comportment of the firewall script !
This commit is contained in:
parent
b72c47223a
commit
11ca1d1599
|
@ -77,3 +77,8 @@ NTPOK='0.0.0.0/0'
|
||||||
# /sbin/iptables ....
|
# /sbin/iptables ....
|
||||||
# /sbin/iptables ....
|
# /sbin/iptables ....
|
||||||
# /sbin/iptables ....
|
# /sbin/iptables ....
|
||||||
|
|
||||||
|
# allow HTTP/HTTPS IPv6 traffic
|
||||||
|
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
|
49
minifirewall
49
minifirewall
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh
|
||||||
|
|
||||||
# minifirewall is shellscripts for easy firewalling on a standalone server
|
# minifirewall is shellscripts for easy firewalling on a standalone server
|
||||||
# See http://git.evolix.org/?p=evolinux/minifirewall.git;a=summary
|
# See http://git.evolix.org/?p=evolinux/minifirewall.git;a=summary
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
# Script netfilter/iptables
|
# Script netfilter/iptables
|
||||||
# http://netfilter.org/
|
# http://netfilter.org/
|
||||||
#
|
#
|
||||||
# Designed for Linux kernel 2.4/2.6
|
# Designed for Linux kernel 2.6
|
||||||
# http://www.kernel.org/
|
# http://www.kernel.org/
|
||||||
|
|
||||||
# Description
|
# Description
|
||||||
|
@ -37,7 +37,6 @@ DESC="minifirewall"
|
||||||
NAME="minifirewall"
|
NAME="minifirewall"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
###
|
###
|
||||||
# Configuration des variables
|
# Configuration des variables
|
||||||
###
|
###
|
||||||
|
@ -64,6 +63,10 @@ case "$1" in
|
||||||
|
|
||||||
echo "Demarrage regles IPTables..."
|
echo "Demarrage regles IPTables..."
|
||||||
|
|
||||||
|
# Stop and warn if error!
|
||||||
|
set -e
|
||||||
|
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
|
||||||
|
|
||||||
# 1.Protections diverses
|
# 1.Protections diverses
|
||||||
|
|
||||||
# ne pas repondre aux ping broadcast
|
# ne pas repondre aux ping broadcast
|
||||||
|
@ -114,16 +117,16 @@ $IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
configfile="/etc/firewall.rc"
|
configfile="/etc/firewall.rc"
|
||||||
|
|
||||||
if ! test -f $configfile; then
|
if ! test -f $configfile; then
|
||||||
echo "$configfile does not exist" >&2
|
echo "$configfile does not exist" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tmpfile=`mktemp`
|
tmpfile=`mktemp`
|
||||||
. $configfile 2>$tmpfile >&2
|
. $configfile 2>$tmpfile >&2
|
||||||
if [ -s $tmpfile ]; then
|
if [ -s $tmpfile ]; then
|
||||||
echo "$configfile returns standard or error output (see below). Stopping."
|
echo "$configfile returns standard or error output (see below). Stopping."
|
||||||
cat $tmpfile
|
cat $tmpfile
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
rm $tmpfile
|
rm $tmpfile
|
||||||
|
|
||||||
|
@ -147,21 +150,6 @@ for x in $PRIVILEGIEDIPS
|
||||||
# chain for restrictions (blacklist ips/ranges)
|
# chain for restrictions (blacklist ips/ranges)
|
||||||
$IPT -N NEEDRESTRICT
|
$IPT -N NEEDRESTRICT
|
||||||
|
|
||||||
# politique
|
|
||||||
|
|
||||||
# par defaut rien ne rentre
|
|
||||||
$IPT -P INPUT DROP
|
|
||||||
$IPT6 -P INPUT DROP
|
|
||||||
|
|
||||||
# par defaut rien ne transite (obsolete, notamment pour les VM)
|
|
||||||
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
|
||||||
#$IPT -P FORWARD DROP
|
|
||||||
#$IPT6 -P FORWARD DROP
|
|
||||||
|
|
||||||
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
|
|
||||||
$IPT -P OUTPUT ACCEPT
|
|
||||||
$IPT6 -P OUTPUT ACCEPT
|
|
||||||
|
|
||||||
# On autorise tout sur l'interface loopback
|
# On autorise tout sur l'interface loopback
|
||||||
$IPT -A INPUT -i lo -j ACCEPT
|
$IPT -A INPUT -i lo -j ACCEPT
|
||||||
$IPT6 -A INPUT -i lo -j ACCEPT
|
$IPT6 -A INPUT -i lo -j ACCEPT
|
||||||
|
@ -296,7 +284,22 @@ for x in $NTPOK
|
||||||
$IPT -A INPUT -p icmp -j ACCEPT
|
$IPT -A INPUT -p icmp -j ACCEPT
|
||||||
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
||||||
|
|
||||||
|
# politique
|
||||||
|
|
||||||
|
# par defaut rien ne rentre
|
||||||
|
$IPT -P INPUT DROP
|
||||||
|
$IPT6 -P INPUT DROP
|
||||||
|
|
||||||
|
# par defaut rien ne transite (obsolete, notamment pour les VM)
|
||||||
|
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||||
|
#$IPT -P FORWARD DROP
|
||||||
|
#$IPT6 -P FORWARD DROP
|
||||||
|
|
||||||
|
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
|
||||||
|
$IPT -P OUTPUT ACCEPT
|
||||||
|
$IPT6 -P OUTPUT ACCEPT
|
||||||
|
|
||||||
|
trap - INT TERM EXIT
|
||||||
|
|
||||||
echo "Fin du chargement des regles... "
|
echo "Fin du chargement des regles... "
|
||||||
;;
|
;;
|
||||||
|
|
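Review bot: Moving `$IPT -P INPUT DROP` / `$IPT6 -P INPUT DROP` from the start of the rule loading to its end (hunks @ -147,21 and @ -296,7) means that an iptables failure under the new `set -e` now aborts with INPUT's policy left at whatever it was before the run — on a freshly booted host that is typically ACCEPT plus a partial rule set, a fail-open state that the new trap message does not mention. The `trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT` line also writes its diagnostic to stdout; it belongs on stderr and should show the operator the resulting state, e.g. `trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." >&2; $IPT -L INPUT -n | head -n 1 >&2' INT TERM EXIT`. Dropping `-e` from the shebang in the first hunk (`#!/bin/sh -e` → `#!/bin/sh`) while adding `set -e` only inside the start branch means every other `case` branch now continues past failed commands; if that is intended, a comment such as `# -e only for start: other actions must run to completion` next to the `set -e` would make it explicit. The enclosing `case "$1" in` begins before these hunks and its other branches are outside this view.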