From b5412ce98ae17424e3b5bb9a98204c362e6313a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Wed, 22 Aug 2012 16:21:28 +0200
Subject: [PATCH] Adding rules to block outgoing UDP trafic except for DNS and NTP.

---
 firewall.rc | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/firewall.rc b/firewall.rc
index e167d2b..0c230b9 100644
--- a/firewall.rc
+++ b/firewall.rc
@@ -74,13 +74,22 @@ SMTPSECUREOK=''
 # NTP
 NTPOK='0.0.0.0/0'
 
+################### IPv6 Specific rules
+# /sbin/ip6tables ...
 
-################### Specific rules
-# /sbin/iptables ....
-# /sbin/iptables ....
-# /sbin/iptables ....
+# allow HTTP/HTTPS traffic
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 
-# allow HTTP/HTTPS IPv6 traffic
-/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+# Drop outgoing UDP traffic but not for DNS and NTP
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
+################### IPv4 Specific rules
+# /sbin/iptables ...
+
+# Drop outgoing UDP traffic but not for DNS and NTP
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
+/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP
 
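Review bot: The unconditional `-p udp -j DROP` appended to OUTPUT in both the ip6tables and the iptables group has no state match in front of it, so UDP replies from any service this host answers (and, if the host is a DHCP client, its own renewals) are discarded along with everything else; the INPUT rules kept in the same hunk already use `--match state --state ESTABLISHED,RELATED`, and a matching `/sbin/iptables -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT` (plus the ip6tables twin) placed before each DROP would keep the two halves consistent. The DNS and NTP exceptions hard-code `0.0.0.0/0` and `::/0` as destinations even though `NTPOK='0.0.0.0/0'` is defined in the context lines just above; writing them as `-d $NTPOK` (and a similar variable for the resolvers) keeps the policy in one place and lets an operator narrow outbound DNS/NTP to the configured servers instead of any host on the internet. Because the new rules are `-A`-appended they only take effect if no earlier OUTPUT rule or a permissive OUTPUT policy already accepts UDP, and that ordering is outside the hunk. A `-j LOG --log-prefix "UDP-OUT-DROP "` line before each DROP would make the discarded traffic visible rather than silent.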