evolix
/
minifirewall
16
0
Fork 0
Code Issues 4 Pull Requests 1 Releases Activity
Browse Source

Improve new UDP rules to DROP by default

systemd
Gregory Colpart 9 years ago
parent
ec14ee9f3e
commit
7d3d928e02
2 changed files with 9 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      firewall.rc
  2. 2
      minifirewall

14
firewall.rc
View File

@ -80,17 +80,17 @@ NTPOK='0.0.0.0/0'
# Allow HTTP/HTTPS/SMTP traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
################### IPv4 Specific rules
# /sbin/iptables ...
# Allow DNS, NTP and traceroute traffic
/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT

2
minifirewall
View File

@ -298,7 +298,9 @@ $IPT -P INPUT DROP
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT

Write Preview
Loading…
Cancel
Save