diff --git a/firewall.rc b/firewall.rc
index 0c230b9..d349e75 100644
--- a/firewall.rc
+++ b/firewall.rc
@@ -77,19 +77,17 @@ NTPOK='0.0.0.0/0'
 ################### IPv6 Specific rules
 # /sbin/ip6tables ...
-# allow HTTP/HTTPS traffic
+# Allow HTTP/HTTPS traffic
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
-# Drop outgoing UDP traffic but not for DNS and NTP
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
+# Allow DNS and NTP traffic
+/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
+/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
 ################### IPv4 Specific rules
 # /sbin/iptables ...
-# Drop outgoing UDP traffic but not for DNS and NTP
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
-/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP
+# Allow DNS and NTP
+/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
\ No newline at end of file
diff --git a/minifirewall b/minifirewall
index d37a4b3..4363658 100755
--- a/minifirewall
+++ b/minifirewall
@@ -75,7 +75,7 @@ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 # Ignorer les mauvais messages d'erreurs ICMP
 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-# effacer la source des paquets routés
+# effacer la source des paquets routes
 for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 0 > $i
 done
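Review bot: The four new OUTPUT rules accept only `--state NEW`, so the second datagram of a flow conntrack already tracks — an NTP client polling the same server from source port 123, or a resolver reusing its socket — is ESTABLISHED, matches none of them, and falls through to the blanket UDP DROP this commit adds in minifirewall unless an ESTABLISHED,RELATED ACCEPT sits earlier in OUTPUT (none is visible in this diff). The removed rules carried no state match and did not have this gap. Either drop the state match again or widen it on all four rules, e.g. `/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW,ESTABLISHED -j ACCEPT`. The hunk context shows `NTPOK='0.0.0.0/0'` defined just above; if that variable is meant to name the permitted NTP server, the port 123 rules could take `-d $NTPOK` rather than accepting to any destination, which the old rules also did. The file also loses its trailing newline in this hunk.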
@@ -295,9 +295,11 @@ $IPT -P INPUT DROP
 #$IPT -P FORWARD DROP
 #$IPT6 -P FORWARD DROP
-# par defaut tout peut sortir (sinon voir OUTPUTDROP)
+# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
 $IPT -P OUTPUT ACCEPT
 [ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
+$IPT -A OUTPUT -p udp -j DROP
+[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
 trap - INT TERM EXIT
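Review bot: `$IPT -A OUTPUT -p udp -j DROP` is appended here in the policy section with no exemption for loopback or for ESTABLISHED,RELATED traffic, so any UDP ACCEPT rule appended after this point — including the DNS/NTP rules this commit moves into firewall.rc, if that file is applied later in the script (its load order is outside the hunk) — can never match, and replies from any UDP service this host itself offers are dropped on the way out. The comment's `(sinon voir OUTPUTDROP)` points at an existing opt-in for a restrictive OUTPUT policy; a hard-coded drop sidesteps that switch and cannot be turned off from the config. Dropping silently also leaves no trace for troubleshooting, whereas a rate-limited LOG rule in front of the DROP records which service broke after this change. A safer shape, to be placed after the DNS/NTP ACCEPT rules (and minus the `-o lo` lines if the script already accepts loopback earlier), is below; `[ $IPV6 != 'off' ]` is also unquoted, matching the existing line above it, so an empty IPV6 would make the test fail syntactically.
```shell
# … unchanged: OUTPUT policy ACCEPT lines …
# loopback and already-tracked UDP flows must not be hit by the blanket drop
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# log (rate-limited) before dropping so an operator can see what was cut
$IPT -A OUTPUT -p udp -m limit --limit 5/min -j LOG --log-prefix "UDP OUT DROP: "
$IPT -A OUTPUT -p udp -j DROP
if [ "$IPV6" != 'off' ]; then
  $IPT6 -A OUTPUT -o lo -j ACCEPT
  $IPT6 -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT6 -A OUTPUT -p udp -m limit --limit 5/min -j LOG --log-prefix "UDP6 OUT DROP: "
  $IPT6 -A OUTPUT -p udp -j DROP
fi
```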