Moves rules from firewall.rc to minifirewall core.
This commit is contained in:
parent
57ae4df6e7
commit
5275f8d7e2
|
@ -93,8 +93,3 @@ NTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
################### IPv4 Specific rules
|
################### IPv4 Specific rules
|
||||||
# /sbin/iptables ...
|
# /sbin/iptables ...
|
||||||
|
|
||||||
# Allow DNS, NTP and traceroute traffic
|
|
||||||
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
||||||
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
||||||
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
|
||||||
|
|
|
@ -227,6 +227,7 @@ for x in $DNSSERVEURS
|
||||||
do
|
do
|
||||||
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
|
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
|
||||||
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# HTTP
|
# HTTP
|
||||||
|
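Review bot: The added `$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT` makes outbound DNS depend entirely on `$DNSSERVEURS`: with the `$IPT -A OUTPUT -p udp -j DROP` default shown in the hunk at line 299, an empty or unset list silently blocks all UDP/53 resolution, whereas the rule removed from firewall.rc accepted any destination. That tightening looks intended, but it deserves a comment above the loop so an operator debugging a resolver outage finds it quickly, e.g. `# Outbound DNS is only allowed towards DNSSERVEURS; an empty list blocks all UDP/53 (OUTPUT udp otherwise falls through to DROP)`. The `for x in $DNSSERVEURS` line itself is outside the hunk (only its header names it). `$x` and `$INT` are left unquoted as elsewhere in the file, which presumably relies on `INT` always holding a single interface name — worth confirming where it is set.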
@ -278,7 +279,8 @@ for x in $SMTPSECUREOK
|
||||||
# autoriser synchronisation ntpdate
|
# autoriser synchronisation ntpdate
|
||||||
for x in $NTPOK
|
for x in $NTPOK
|
||||||
do
|
do
|
||||||
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
|
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
|
||||||
|
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# ICMP
|
# ICMP
|
||||||
|
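Review bot: The added `$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT` creates a conntrack entry for each NTP query, but the reply still comes in through the pre-existing stateless `$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT`, which accepts any UDP datagram with source port 123 from `$x` to any local port; with the firewall.rc default `NTPOK='0.0.0.0/0'` visible in the first hunk header, `$x` is every host. Now that the outbound side is stateful, the INPUT rule could be narrowed to replies only, mirroring the DNS reply rule in the previous hunk: `$IPT -A INPUT -p udp --sport 123 -s $x -m state --state ESTABLISHED -j ACCEPT`. This assumes no broader INPUT ESTABLISHED rule elsewhere in the file already covers the return path — if one does, the stateless rule can simply go. The `for x in $NTPOK` loop is fully inside the hunk; the enclosing `$SMTPSECUREOK` block named in the header is not.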
@ -299,8 +301,10 @@ $IPT -P INPUT DROP
|
||||||
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
|
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
|
||||||
|
$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
$IPT -A OUTPUT -p udp -j DROP
|
$IPT -A OUTPUT -p udp -j DROP
|
||||||
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
|
||||||
|
|
||||||
|
|
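Review bot: The two added traceroute rules (`$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT` and its `$IPT6` twin) open NEW outbound UDP to that whole port range towards any destination, unconditionally, while the DNS and NTP rules moved in the same commit are each scoped by an allowlist loop (`DNSSERVEURS`, `NTPOK`). Consider either gating them by a variable the same way or at least labelling the intent, since the bare port range is opaque to the next reader: `# UDP traceroute probes (default port range); must stay above the OUTPUT udp DROP` placed before the IPv4 rule. Placement is correct as it stands: both new lines sit before their respective `-p udp -j DROP`, so they are reached. The IPv6 line also reuses the unquoted `[ $IPV6 != 'off' ]` guard, which would produce a test syntax error if `IPV6` is unset — pre-existing style, but this commit adds one more instance of it.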