Improve new UDP rules to DROP by default

This commit is contained in:
Gregory Colpart 2012-11-14 00:55:35 +01:00
parent ec14ee9f3e
commit 7d3d928e02
2 changed files with 9 additions and 7 deletions


@ -80,17 +80,17 @@ NTPOK='0.0.0.0/0'
# Allow HTTP/HTTPS/SMTP traffic # Allow HTTP/HTTPS/SMTP traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS, NTP and traceroute traffic # Allow DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
################### IPv4 Specific rules ################### IPv4 Specific rules
# /sbin/iptables ... # /sbin/iptables ...
# Allow DNS, NTP and traceroute traffic # Allow DNS, NTP and traceroute traffic
/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT /sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT /sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT /sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
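Review bot: Adding `-o $INT` to the three outbound `NEW` accepts narrows them to the external interface, but the catch-all `-A OUTPUT -p udp -j DROP` this commit pairs them with carries no interface match, so a DNS query to a resolver on loopback (127.0.0.1:53 / ::1) or any other UDP the host sends to itself will now fall through to the DROP unless an `-o lo -j ACCEPT` rule already sits earlier in the chain, which this hunk does not show. If loopback is not exempted elsewhere, add `/sbin/iptables -A OUTPUT -o lo -j ACCEPT` and `/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT` ahead of these lines, or leave the port-53 rule without `-o $INT`. `$INT` is expanded unquoted on every new line; an empty value turns the command into `-o -p udp …` and iptables aborts with a bad-argument error, so a guard such as `[ -n "$INT" ] || { echo 'INT is not set' >&2; exit 1; }` at the top of the file would fail loudly instead of leaving the chain half-built. The eth0→$INT fix on the SMTP line is the right consistency change, but it means every rule here now depends on that same variable.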


@ -298,7 +298,9 @@ $IPT -P INPUT DROP
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP) # par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT $IPT -P OUTPUT ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT [ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP $IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP [ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT trap - INT TERM EXIT
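Review bot: The new `$IPT6` line copies the unquoted `[ $IPV6 != 'off' ]` test, which becomes `[ != 'off' ]` when `IPV6` is empty or unset; `test` then fails with a syntax error and the ESTABLISHED,RELATED accept is silently skipped, so write `[ "$IPV6" != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT` (the surrounding lines share the defect, but the new one should not propagate it). The comment above the block still says outbound UDP is blocked outright, which is no longer true; suggest `# by default everything may leave except unsolicited UDP: replies to already tracked UDP flows (ESTABLISHED,RELATED) are accepted, otherwise see OUTPUTDROP`. Worth stating in that comment too that for UDP conntrack's ESTABLISHED only means a reply was seen on a tracked 5-tuple, so this rule deliberately lets out the answer to any UDP that INPUT already accepted, and it depends on the conntrack modules (IPv6 included) being loaded — presumably handled earlier in the script, but not visible here.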