Moves rules from firewall.rc to minifirewall core.

Benoît S. 2014-05-22 17:38:00 +02:00
parent 57ae4df6e7
commit 5275f8d7e2
2 changed files with 5 additions and 6 deletions


@ -93,8 +93,3 @@ NTPOK='0.0.0.0/0'
################### IPv4 Specific rules
# /sbin/iptables ...
# Allow DNS, NTP and traceroute traffic
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT


@ -227,6 +227,7 @@ for x in $DNSSERVEURS
do
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
done
# HTTP
@ -278,7 +279,8 @@ for x in $SMTPSECUREOK
# autoriser synchronisation ntpdate
for x in $NTPOK
do
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
done
# ICMP
@ -299,8 +301,10 @@ $IPT -P INPUT DROP
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
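Review bot: The rule added inside the DNS loop, `$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT`, is narrower than the any-destination `--dport 53` rule removed from firewall.rc, so a host whose resolver is not listed in $DNSSERVEURS loses outbound DNS after this change; that should be stated in the commit message or in a comment above the loop, e.g. `# outbound DNS only to the servers in DNSSERVEURS (replaces the open port-53 rule formerly in firewall.rc)`. The NTP loop keeps its previous reach by default, since NTPOK is 0.0.0.0/0 in the context shown. The two identical `$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT` lines in the NTP hunk look like a whitespace-only old/new pair, but if both are on the new side the rule is simply appended twice. The ip6tables traceroute line added in the last hunk repeats the unquoted `[ $IPV6 != 'off' ]` test used around it; with IPV6 empty the test fails with a usage error and the rule is not added, so `[ "$IPV6" != 'off' ]` would be more robust for the new line.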