Improve new UDP rules to DROP by default
parent
ec14ee9f3e
commit
7d3d928e02
14
firewall.rc
14
firewall.rc
|
@ -80,17 +80,17 @@ NTPOK='0.0.0.0/0'
|
||||||
# Allow HTTP/HTTPS/SMTP traffic
|
# Allow HTTP/HTTPS/SMTP traffic
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
# Allow DNS, NTP and traceroute traffic
|
# Allow DNS, NTP and traceroute traffic
|
||||||
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||||
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||||
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
|
|
||||||
################### IPv4 Specific rules
|
################### IPv4 Specific rules
|
||||||
# /sbin/iptables ...
|
# /sbin/iptables ...
|
||||||
|
|
||||||
# Allow DNS, NTP and traceroute traffic
|
# Allow DNS, NTP and traceroute traffic
|
||||||
/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||||
/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||||
/sbin/iptables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
|
|
|
@ -298,7 +298,9 @@ $IPT -P INPUT DROP
|
||||||
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
|
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
|
||||||
|
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
$IPT -A OUTPUT -p udp -j DROP
|
$IPT -A OUTPUT -p udp -j DROP
|
||||||
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
|
||||||
|
|
||||||
trap - INT TERM EXIT
|
trap - INT TERM EXIT
|
||||||
|
|
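Review bot: Now that the NEW-state DNS/NTP/traceroute ACCEPTs in the first hunk are restricted to `-o $INT`, and the `$IPT -A OUTPUT -p udp -j DROP` / `$IPT6 -A OUTPUT -p udp -j DROP` rules in the second hunk carry no `-o` match, any outbound UDP that does not leave via `$INT` is dropped — most visibly queries to a local resolver on `lo` (127.0.0.53, ::1, dnsmasq) or UDP syslog to localhost — unless an `-o lo` ACCEPT sits earlier in OUTPUT, which is outside these hunks and cannot be confirmed here. Either scope the drops to the external interface, `$IPT -A OUTPUT -o $INT -p udp -j DROP`, or add `$IPT -A OUTPUT -o lo -j ACCEPT` (and the `$IPT6` twin) ahead of them. Separately, the new `[ $IPV6 != 'off' ] && $IPT6 ...` line keeps the unquoted test: with `IPV6` unset or empty, `test` gets `[ != off ]`, errors out, and the `&&` silently skips the v6 rules, so the IPv6 DROP is never installed while `-P OUTPUT ACCEPT` stays in force — quote it as `[ "$IPV6" != 'off' ]` so this fail-open path is closed. A `-j LOG --log-prefix 'UDP-OUT-DROP '` rule just before each DROP would make silently blocked traffic diagnosable; the OUTPUT chain setup these rules append to begins outside the hunk.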