Source files in /etc/default/minifirewall.d
This commit is contained in:
parent
9898ff9e62
commit
c48534146a
26
minifirewall
26
minifirewall
|
@ -61,6 +61,7 @@ chain_exists()
|
|||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="/etc/default/minifirewall"
|
||||
includesdir="/etc/default/minifirewall.d"
|
||||
|
||||
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||
DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||
|
@ -133,14 +134,25 @@ if ! test -f $configfile; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
tmpfile=`mktemp`
|
||||
. $configfile 2>$tmpfile >&2
|
||||
if [ -s $tmpfile ]; then
|
||||
echo "$configfile returns standard or error output (see below). Stopping." >&2
|
||||
cat $tmpfile
|
||||
exit 1
|
||||
source_file_or_error() {
|
||||
file=$1
|
||||
echo "...sourcing '${file}\`"
|
||||
tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX)
|
||||
. ${file} 2>${tmpfile} >&2
|
||||
if [ -s ${tmpfile} ]; then
|
||||
echo "${file} returns standard or error output (see below). Stopping." >&2
|
||||
cat ${tmpfile}
|
||||
exit 1
|
||||
fi
|
||||
rm ${tmpfile}
|
||||
}
|
||||
source_file_or_error ${configfile}
|
||||
if [ -d "${includesdir}" ]; then
|
||||
includefiles=$(find ${includesdir} -type f -readable -not -name '*.*')
|
||||
for includefile in ${includefiles}; do
|
||||
source_file_or_error "${includefile}"
|
||||
done
|
||||
fi
|
||||
rm $tmpfile
|
||||
|
||||
# Trusted ip addresses
|
||||
$IPT -N ONLYTRUSTED
|
||||
|
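Review bot: `includefiles=$(find ${includesdir} -type f -readable -not -name '*.*')` returns files in directory order, not sorted, so the sequence in which drop-ins are appended with `-A` — and therefore the resulting policy — depends on the filesystem rather than on file names, and the unbounded `find` also descends into subdirectories. Since rule order is the firewall's semantics, pin the depth and sort with a fixed locale: `includefiles=$(find "${includesdir}" -maxdepth 1 -type f -readable -not -name '*.*' | LC_ALL=C sort)`. The `for includefile in ${includefiles}` loop word-splits, so a drop-in with whitespace in its name would be sourced as fragments, and editor backups such as `default-input-v6~` pass the `'*.*'` filter and would be sourced with the firewall script's privileges; restricting names to `[A-Za-z0-9_-]` (run-parts style) closes both. In `source_file_or_error`, the `exit 1` path leaves `${tmpfile}` behind and `minifirewall.XXX` gives mktemp only three random characters; `minifirewall.XXXXXX` plus an `rm` before the exit (or a `trap ... EXIT`) fixes both.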
|
|
@ -1,5 +1,6 @@
|
|||
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
||||
# Version 20.12 — 2020-12-01 22:55:35
|
||||
# shellcheck shell=sh disable=SC2034
|
||||
|
||||
# Main interface
|
||||
INT='eth0'
|
||||
|
@ -77,26 +78,8 @@ SMTPSECUREOK=''
|
|||
NTPOK='0.0.0.0/0'
|
||||
|
||||
|
||||
# IPv6 Specific rules
|
||||
# Includes
|
||||
#####################
|
||||
|
||||
# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# Example: allow output DNS, NTP and traceroute traffic
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
|
||||
# Example: allow DHCPv6
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
||||
|
||||
# IPv4 Specific rules
|
||||
#####################
|
||||
|
||||
# /sbin/iptables ...
|
||||
# Files in /etc/default/minifirewall.d/* (without "." in name)
|
||||
# are automatically included in alphanumerical order.
|
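Review bot: The closing comment should tell the operator what the drop-in convention implies: the shipped `*.example` files are inert until copied to a name without a dot, and each included file is sourced as shell by the firewall script, so anything in it runs with the script's privileges and any stdout/stderr it produces aborts startup. Suggest `# Files in /etc/default/minifirewall.d/* (without "." in name) are sourced as shell` / `# by minifirewall; copy a *.example file to a dot-less name to activate it, and keep` / `# the files free of output (any output aborts the firewall start).` The "alphanumerical order" wording should be checked against the include loop in `minifirewall`, which as shown in this commit uses `find` without a sort.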
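--- /dev/null
+++ b/minifirewall.d/default-input-v6
@@ -0,0 +1,7 @@
+# shellcheck shell=sh disable=SC2034
+# allow input HTTP/HTTPS/SMTP/DNS traffic
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT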
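Review bot: The header `# allow input HTTP/HTTPS/SMTP/DNS traffic` misdescribes the rules: every line matches `--sport` with `--state ESTABLISHED,RELATED`, so it admits reply packets from remote servers on those ports to connections this host initiated, not inbound service traffic (exposing a local web or mail server would need `--dport 80 --state NEW`). An operator enabling this drop-in to publish a service will find it does nothing of the sort. Suggest `# allow replies (ESTABLISHED,RELATED) from remote HTTP/HTTPS/SMTP/DNS servers to connections initiated by this host`. The rules are moved unchanged from the inline examples, so the mislabeling predates this commit, but the file name and comment are now the only description a reader sees.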
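--- /dev/null
+++ b/minifirewall.d/dhcp-v6.example
@@ -0,0 +1,4 @@
+# shellcheck shell=sh disable=SC2034
+# allow DHCPv6
+/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT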
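--- /dev/null
+++ b/minifirewall.d/dns-output-v6
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow DNS output
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT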
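Review bot: Only UDP 53 is opened for outbound DNS, so queries that fall back to TCP (truncated answers, large DNSSEC or AXFR responses) are dropped even though the companion `default-input-v6` already accepts replies from `tcp --sport 53`. Add the missing half: `/sbin/ip6tables -A OUTPUT -o $INT -p tcp --dport 53 --match state --state NEW -j ACCEPT`. If the omission is deliberate, a comment saying so would stop the next reader from "fixing" it.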
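--- /dev/null
+++ b/minifirewall.d/ntp-output-v6
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow NTP output
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT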
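--- /dev/null
+++ b/minifirewall.d/traceroute-output-v6.example
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow traceroute output
+#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT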
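Review bot: The only rule in this file is itself commented out, so an operator who activates the drop-in by copying it to a dot-less name (the mechanism the `.example` suffix exists for) still gets no rule until they also notice and remove the leading `#`. One disable mechanism is enough; ship the line active, `/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT`, and let the `.example` suffix carry the opt-in. The sibling `dhcp-v6.example` already follows that pattern.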