Merge branch 'master' of ssh://git.evolix.org/git/evolinux/minifirewall
Conflicts: firewall.rc
commit
f84add886a
23
firewall.rc
23
firewall.rc
|
@ -6,6 +6,8 @@
|
||||||
# Interface concernee
|
# Interface concernee
|
||||||
INT='eth0'
|
INT='eth0'
|
||||||
|
|
||||||
|
IPV6=on
|
||||||
|
|
||||||
# IP associee (plus utilisee dans les scripts)
|
# IP associee (plus utilisee dans les scripts)
|
||||||
# INTIP='192.168.0.2'
|
# INTIP='192.168.0.2'
|
||||||
# reseau beneficiant d'acces privilegies
|
# reseau beneficiant d'acces privilegies
|
||||||
|
@ -72,14 +74,19 @@ SMTPSECUREOK=''
|
||||||
# NTP
|
# NTP
|
||||||
NTPOK='0.0.0.0/0'
|
NTPOK='0.0.0.0/0'
|
||||||
|
|
||||||
|
################### IPv6 Specific rules
|
||||||
|
# /sbin/ip6tables ...
|
||||||
|
|
||||||
################### Specific rules
|
# Allow HTTP/HTTPS/SMTP traffic
|
||||||
# /sbin/iptables ....
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
# /sbin/iptables ....
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
# /sbin/iptables ....
|
|
||||||
|
|
||||||
# allow HTTP/HTTPS/SMTP IPv6 traffic
|
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
################### IPv4 Specific rules
|
||||||
|
# /sbin/iptables ...
|
||||||
|
|
||||||
|
# Allow DNS, NTP and traceroute traffic
|
||||||
|
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||||
|
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||||
|
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||||
|
|
||||||
|
|
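Review bot: Under the new `################### IPv4 Specific rules` header and its `# /sbin/iptables ...` placeholder, the three "Allow DNS, NTP and traceroute" rules that follow call `/sbin/ip6tables` (the `--dport 53`, `--dport 123` and `--dport 33434:33523` OUTPUT accepts), so no IPv4 counterpart is visible in this section; if they are meant for IPv4 as the header says, they should read `/sbin/iptables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT` (same for 123 and the traceroute range), otherwise the header or the `-p udp -j DROP` on OUTPUT that the minifirewall side adds would leave IPv4 resolver and NTP traffic without an explicit accept. The HTTP/HTTPS/SMTP IPv6 accepts also mix `-i $INT` and a hard-coded `-i eth0`; `INT` is defined a few lines above, so `-i "$INT"` everywhere would keep a single interface knob. Which of the duplicated lines survive on the new side is hard to tell from this rendering, so treat the pairing as inferred.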
22
minifirewall
22
minifirewall
|
@ -75,7 +75,7 @@ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
||||||
# Ignorer les mauvais messages d'erreurs ICMP
|
# Ignorer les mauvais messages d'erreurs ICMP
|
||||||
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
||||||
|
|
||||||
# effacer la source des paquets routés
|
# effacer la source des paquets routes
|
||||||
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
||||||
echo 0 > $i
|
echo 0 > $i
|
||||||
done
|
done
|
||||||
|
@ -152,9 +152,9 @@ $IPT -N NEEDRESTRICT
|
||||||
|
|
||||||
# On autorise tout sur l'interface loopback
|
# On autorise tout sur l'interface loopback
|
||||||
$IPT -A INPUT -i lo -j ACCEPT
|
$IPT -A INPUT -i lo -j ACCEPT
|
||||||
$IPT6 -A INPUT -i lo -j ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -A INPUT -i lo -j ACCEPT
|
||||||
# if OUTPUTDROP
|
# if OUTPUTDROP
|
||||||
#$IPT -A OUTPUT -o lo -j ACCEPT
|
$IPT -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
# on evite pas mal de paquets "martiens" effet de bord de virus
|
# on evite pas mal de paquets "martiens" effet de bord de virus
|
||||||
# notamment W32/Blaster qui attaquait windowsupdate.com
|
# notamment W32/Blaster qui attaquait windowsupdate.com
|
||||||
|
@ -185,13 +185,13 @@ for x in $SERVICESUDP1p
|
||||||
for x in $SERVICESTCP1
|
for x in $SERVICESTCP1
|
||||||
do
|
do
|
||||||
$IPT -A INPUT -p tcp --dport $x -j ACCEPT
|
$IPT -A INPUT -p tcp --dport $x -j ACCEPT
|
||||||
$IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
for x in $SERVICESUDP1
|
for x in $SERVICESUDP1
|
||||||
do
|
do
|
||||||
$IPT -A INPUT -p udp --dport $x -j ACCEPT
|
$IPT -A INPUT -p udp --dport $x -j ACCEPT
|
||||||
$IPT6 -A INPUT -p udp --dport $x -j ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# Services semi-publics
|
# Services semi-publics
|
||||||
|
@ -282,22 +282,24 @@ for x in $NTPOK
|
||||||
|
|
||||||
# ICMP
|
# ICMP
|
||||||
$IPT -A INPUT -p icmp -j ACCEPT
|
$IPT -A INPUT -p icmp -j ACCEPT
|
||||||
$IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
||||||
|
|
||||||
# politique
|
# politique
|
||||||
|
|
||||||
# par defaut rien ne rentre
|
# par defaut rien ne rentre
|
||||||
$IPT -P INPUT DROP
|
$IPT -P INPUT DROP
|
||||||
$IPT6 -P INPUT DROP
|
[ $IPV6 != 'off' ] && $IPT6 -P INPUT DROP
|
||||||
|
|
||||||
# par defaut rien ne transite (obsolete, notamment pour les VM)
|
# par defaut rien ne transite (obsolete, notamment pour les VM)
|
||||||
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||||
#$IPT -P FORWARD DROP
|
#$IPT -P FORWARD DROP
|
||||||
#$IPT6 -P FORWARD DROP
|
#$IPT6 -P FORWARD DROP
|
||||||
|
|
||||||
# par defaut tout peut sortir (sinon voir OUTPUTDROP)
|
# par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
$IPT6 -P OUTPUT ACCEPT
|
[ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
|
||||||
|
$IPT -A OUTPUT -p udp -j DROP
|
||||||
|
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
|
||||||
|
|
||||||
trap - INT TERM EXIT
|
trap - INT TERM EXIT
|
||||||
|
|
||||||
|
@ -346,7 +348,6 @@ trap - INT TERM EXIT
|
||||||
$IPT -t nat -L -n -v --line-numbers
|
$IPT -t nat -L -n -v --line-numbers
|
||||||
$IPT -t mangle -L -n -v --line-numbers
|
$IPT -t mangle -L -n -v --line-numbers
|
||||||
$IPT6 -L -n -v --line-numbers
|
$IPT6 -L -n -v --line-numbers
|
||||||
$IPT6 -t nat -L -n -v --line-numbers
|
|
||||||
$IPT6 -t mangle -L -n -v --line-numbers
|
$IPT6 -t mangle -L -n -v --line-numbers
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -358,7 +359,6 @@ trap - INT TERM EXIT
|
||||||
$IPT -t nat -Z
|
$IPT -t nat -Z
|
||||||
$IPT -t mangle -Z
|
$IPT -t mangle -Z
|
||||||
$IPT6 -Z
|
$IPT6 -Z
|
||||||
$IPT6 -t nat -Z
|
|
||||||
$IPT6 -t mangle -Z
|
$IPT6 -t mangle -Z
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
|
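Review bot: `[ $IPV6 != 'off' ] && $IPT6 -P INPUT DROP` fails open when `IPV6` is unset or empty: the unquoted expansion leaves `[ != 'off' ]`, which is a test syntax error (exit status 2), so `&&` skips the ip6tables command and the IPv6 INPUT policy stays at its default ACCEPT while the IPv4 side is locked down. This matters for any deployment whose firewall.rc predates the `IPV6=on` line this merge introduces; quoting fixes it and keeps the fail-closed default, `[ "$IPV6" != 'off' ] && $IPT6 -P INPUT DROP`. The same pattern appears on every `$IPT6` guard in this file section (the loopback and service loops, the icmpv6 accept, the INPUT and OUTPUT policies, and the new OUTPUT udp DROP), so it should be fixed in all of them together. The new `$IPT -A OUTPUT -p udp -j DROP` is appended after the OUTPUT ACCEPT policy and any earlier accepts; whether outbound UDP 53/123 is explicitly allowed earlier in the chain is not visible here and is worth confirming before this lands.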