Improve new UDP rules to DROP by default
This commit is contained in:
parent
ec14ee9f3e
commit
7d3d928e02
14
firewall.rc
14
firewall.rc
@ -80,17 +80,17 @@ NTPOK='0.0.0.0/0'
# Allow HTTP/HTTPS/SMTP traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
################### IPv4 Specific rules
# /sbin/iptables ...
# Allow DNS, NTP and traceroute traffic
/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
@ -298,7 +298,9 @@ $IPT -P INPUT DROP
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT
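Review bot: The catch-all `$IPT -A OUTPUT -p udp -j DROP` (and its `$IPT6` twin) carries no `-o` qualifier, so it also drops NEW UDP sent over loopback — a local stub resolver on 127.0.0.1:53 or syslog to localhost would hit it — because the only NEW-UDP accepts visible in the first hunk are pinned to `-o $INT`; this is safe only if an `-o lo` ACCEPT is appended earlier in OUTPUT, which this diff does not show. Consider `$IPT -A OUTPUT ! -o lo -p udp -j DROP` (same for `$IPT6`), or an explicit `$IPT -A OUTPUT -o lo -j ACCEPT` ahead of the DROP. The unquoted guard `[ $IPV6 != 'off' ]` on the two new ip6tables lines fails with a test error when IPV6 is unset, so the IPv6 DROP would then silently never be installed; quote it as `[ "$IPV6" != 'off' ]`, as the existing line above it presumably should be too. Since the DROP is silent, a rate-limited `-j LOG --log-prefix 'OUTPUT-UDP-DROP: '` rule just before it would make blocked DNS/NTP clients diagnosable. The rule set this hunk belongs to starts well before the hunk, so earlier OUTPUT rules are not visible here.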