evolix/minifirewall
21
0
Fork 0
Code Issues 4 Pull requests 3 Releases 1 Activity

Merge branch 'master' of ssh://git.evolix.org/git/evolinux/minifirewall

Browse source 
Conflicts:
	firewall.rc
This commit is contained in:
Gregory Colpart 2012-10-29 12:28:55 +01:00
parent f714700623 7795b715e6
commit f84add886a
2 changed files with 26 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
firewall.rc
View file

@ -6,6 +6,8 @@
# Interface concernee # Interface concernee
INT='eth0' INT='eth0'
IPV6=on
# IP associee (plus utilisee dans les scripts) # IP associee (plus utilisee dans les scripts)
# INTIP='192.168.0.2' # INTIP='192.168.0.2'
# reseau beneficiant d'acces privilegies # reseau beneficiant d'acces privilegies
@ -72,14 +74,19 @@ SMTPSECUREOK=''
# NTP # NTP
NTPOK='0.0.0.0/0' NTPOK='0.0.0.0/0'
################### IPv6 Specific rules
# /sbin/ip6tables ...
################### Specific rules # Allow HTTP/HTTPS/SMTP traffic
# /sbin/iptables .... /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
# /sbin/iptables .... /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
# /sbin/iptables ....
# allow HTTP/HTTPS/SMTP IPv6 traffic
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
################### IPv4 Specific rules
# /sbin/iptables ...
# Allow DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 123 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT

22
minifirewall
View file

@ -75,7 +75,7 @@ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignorer les mauvais messages d'erreurs ICMP # Ignorer les mauvais messages d'erreurs ICMP
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# effacer la source des paquets routés # effacer la source des paquets routes
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i echo 0 > $i
done done
@ -152,9 +152,9 @@ $IPT -N NEEDRESTRICT
# On autorise tout sur l'interface loopback # On autorise tout sur l'interface loopback
$IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -i lo -j ACCEPT
$IPT6 -A INPUT -i lo -j ACCEPT [ $IPV6 != 'off' ] && $IPT6 -A INPUT -i lo -j ACCEPT
# if OUTPUTDROP # if OUTPUTDROP
#$IPT -A OUTPUT -o lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT
# on evite pas mal de paquets "martiens" effet de bord de virus # on evite pas mal de paquets "martiens" effet de bord de virus
# notamment W32/Blaster qui attaquait windowsupdate.com # notamment W32/Blaster qui attaquait windowsupdate.com
@ -185,13 +185,13 @@ for x in $SERVICESUDP1p
for x in $SERVICESTCP1 for x in $SERVICESTCP1
do do
$IPT -A INPUT -p tcp --dport $x -j ACCEPT $IPT -A INPUT -p tcp --dport $x -j ACCEPT
$IPT6 -A INPUT -p tcp --dport $x -j ACCEPT [ $IPV6 != 'off' ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
done done
for x in $SERVICESUDP1 for x in $SERVICESUDP1
do do
$IPT -A INPUT -p udp --dport $x -j ACCEPT $IPT -A INPUT -p udp --dport $x -j ACCEPT
$IPT6 -A INPUT -p udp --dport $x -j ACCEPT [ $IPV6 != 'off' ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
done done
# Services semi-publics # Services semi-publics
@ -282,22 +282,24 @@ for x in $NTPOK
# ICMP # ICMP
$IPT -A INPUT -p icmp -j ACCEPT $IPT -A INPUT -p icmp -j ACCEPT
$IPT6 -A INPUT -p icmpv6 -j ACCEPT [ $IPV6 != 'off' ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
# politique # politique
# par defaut rien ne rentre # par defaut rien ne rentre
$IPT -P INPUT DROP $IPT -P INPUT DROP
$IPT6 -P INPUT DROP [ $IPV6 != 'off' ] && $IPT6 -P INPUT DROP
# par defaut rien ne transite (obsolete, notamment pour les VM) # par defaut rien ne transite (obsolete, notamment pour les VM)
#echo 0 > /proc/sys/net/ipv4/ip_forward #echo 0 > /proc/sys/net/ipv4/ip_forward
#$IPT -P FORWARD DROP #$IPT -P FORWARD DROP
#$IPT6 -P FORWARD DROP #$IPT6 -P FORWARD DROP
# par defaut tout peut sortir (sinon voir OUTPUTDROP) # par defaut tout peut sortir sauf l'UDP (sinon voir OUTPUTDROP)
$IPT -P OUTPUT ACCEPT $IPT -P OUTPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT [ $IPV6 != 'off' ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ $IPV6 != 'off' ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT trap - INT TERM EXIT
@ -346,7 +348,6 @@ trap - INT TERM EXIT
$IPT -t nat -L -n -v --line-numbers $IPT -t nat -L -n -v --line-numbers
$IPT -t mangle -L -n -v --line-numbers $IPT -t mangle -L -n -v --line-numbers
$IPT6 -L -n -v --line-numbers $IPT6 -L -n -v --line-numbers
$IPT6 -t nat -L -n -v --line-numbers
$IPT6 -t mangle -L -n -v --line-numbers $IPT6 -t mangle -L -n -v --line-numbers
;; ;;
@ -358,7 +359,6 @@ trap - INT TERM EXIT
$IPT -t nat -Z $IPT -t nat -Z
$IPT -t mangle -Z $IPT -t mangle -Z
$IPT6 -Z $IPT6 -Z
$IPT6 -t nat -Z
$IPT6 -t mangle -Z $IPT6 -t mangle -Z
;; ;;