Adding rules to block outgoing UDP trafic except for DNS and NTP.
This commit is contained in:
parent
e7a7f26951
commit
b5412ce98a
23
firewall.rc
23
firewall.rc
|
|
@ -74,13 +74,22 @@ SMTPSECUREOK=''
|
||||||
# NTP
|
# NTP
|
||||||
NTPOK='0.0.0.0/0'
|
NTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
|
################### IPv6 Specific rules
|
||||||
|
# /sbin/ip6tables ...
|
||||||
|
|
||||||
################### Specific rules
|
# allow HTTP/HTTPS traffic
|
||||||
# /sbin/iptables ....
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
# /sbin/iptables ....
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
# /sbin/iptables ....
|
|
||||||
|
|
||||||
# allow HTTP/HTTPS IPv6 traffic
|
# Drop outgoing UDP traffic but not for DNS and NTP
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 53 -j ACCEPT
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp --dport 123 -j ACCEPT
|
||||||
|
/sbin/ip6tables -A OUTPUT -d ::/0 -p udp -j DROP
|
||||||
|
|
||||||
|
################### IPv4 Specific rules
|
||||||
|
# /sbin/iptables ...
|
||||||
|
|
||||||
|
# Drop outgoing UDP traffic but not for DNS and NTP
|
||||||
|
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
|
||||||
|
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp --dport 123 -j ACCEPT
|
||||||
|
/sbin/iptables -A OUTPUT -d 0.0.0.0/0 -p udp -j DROP
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue