evolix
/
minifirewall
21
0
Fork 0
Code Issues 4 Pull Requests 3 Releases 1 Activity

Amelioration added for blocking output UDP.

This commit is contained in:
Benoît S. 2012-10-03 14:21:04 +02:00
parent b5412ce98a
commit 44bb5925eb
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
firewall.rc
View File

@ -77,19 +77,17 @@ NTPOK='0.0.0.0/0'
################### IPv6 Specific rules
# /sbin/ip6tables ...
# allow HTTP/HTTPS traffic
# Allow HTTP/HTTPS traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Drop outgoing UDP traffic but not for DNS and NTP
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
# Allow DNS and NTP traffic
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
################### IPv4 Specific rules
# /sbin/iptables ...
# Drop outgoing UDP traffic but not for DNS and NTP
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP
# Allow DNS and NTP
/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT

6
minifirewall
View File

@ -75,7 +75,7 @@ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignorer les mauvais messages d'erreurs ICMP
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# effacer la source des paquets routés
# effacer la source des paquets routes
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
@ -295,9 +295,11 @@ $IPT -P INPUT DROP
#$IPT -P FORWARD DROP
#$IPT6 -P FORWARD DROP
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT