Benoît S.
c7c5e9814a
This is a work in progress to ban ASNs and IP addresses in an efficient way with `ipset`. More things in minifirewall could be replaced with `ipset`, like the HTTPSITE part, but for now I'm only focused on banning networks. Please review the code (I followed the current coding style), test it, and make comments!
# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
#
# This file is read by a shell (see the $INT expansions in the ip6tables
# examples below): keep one assignment per line, values quoted, no spaces
# around '='. Lists are space-separated, as in SERVICESTCP1.

# For fun, we keep the last change marker from the first CVS repository:
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $


# Main interface
INT='eth0'


# IPv6
IPV6=on


# Trusted IPv4 local network
# ...will often be a single IP/32 if you don't trust anything else
INTLAN='192.168.0.2/32'


# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS=''


# Privileged IPv4 addresses for semi-public services
# (no need to repeat addresses already listed in TRUSTEDIPS)
PRIVILEGIEDIPS=''



# Local services IPv4/IPv6 restrictions
#######################################


# Protected services
# (add them also in Public services if needed)
SERVICESTCP1p='22'
SERVICESUDP1p=''


# Public services (IPv4/IPv6)
SERVICESTCP1='25 53 443 993 995 2222'
SERVICESUDP1='53'


# Semi-public services (IPv4)
SERVICESTCP2='20 21 22 80 110 143'
SERVICESUDP2=''


# Private services (IPv4)
SERVICESTCP3='5666'
SERVICESUDP3=''


# Standard output IPv4 access restrictions
##########################################


# DNS authorizations
# (if you have a local DNS server, set 0.0.0.0/0 — presumably so it can
# reach any authoritative server)
DNSSERVEURS='0.0.0.0/0'


# HTTP authorizations
# (you can use DNS names, but they are only resolved when minifirewall is
# loaded: set a cron job to reload minifirewall regularly so the rules
# follow address changes)
# NOTE(review): a name that resolves to several or rotating addresses (CDN)
# may leave some of them blocked between two reloads, and the allow-list is
# only as trustworthy as the resolver answering at load time.
# NOTE(review): check that ocsp.int-x3.letsencrypt.org still matches the
# intermediate CA that signs your certificates before relying on it.
# (if you have an HTTP proxy, set 0.0.0.0/0)
HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'


# HTTPS authorizations
# NOTE(review): 0.0.0.0/0 here lets any outbound HTTPS connection through,
# so the HTTP allow-list above does not restrict egress on its own.
HTTPSSITES='0.0.0.0/0'


# FTP authorizations
FTPSITES=''


# SSH authorizations
SSHOK='0.0.0.0/0'


# SMTP authorizations
SMTPOK='0.0.0.0/0'


# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''


# NTP authorizations
NTPOK='0.0.0.0/0'


# WHOIS authorizations
WHOISOK='0.0.0.0/0'


# IP addresses ban
# IPv4 addresses loaded into the BANNED-IP4 ipset.
# You can add an IPv4 address to the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP4 192.0.2.0
# (an entry added by hand is presumably lost at the next restart unless it
# is also listed here — confirm against minifirewall itself)
# (192.0.2.0 is an RFC 5737 documentation address: a harmless placeholder,
# replace or remove it for a real deployment)
BANNEDIPS='192.0.2.0'


# IPv6 addresses ban
# IPv6 addresses loaded into the BANNED-IP6 ipset.
# You can add an IPv6 address to the BANNED set without restarting
# minifirewall, example: ipset -A BANNED-IP6 2001:db8::0
# (2001:db8::0 is an RFC 3849 documentation address: a harmless placeholder,
# replace or remove it for a real deployment)
BANNEDIPS6='2001:db8::0'


# AS Numbers ban
# Be aware that minifirewall fetches the route information for each ASN at
# every restart; if you ban many ASNs it may take time.
# Use sparingly.
# Read the README.md for an explanation
# NOTE(review): the source of the route data is not shown in this file
# (see README.md). Whatever it is, a restart now depends on that lookup
# succeeding, and anyone able to tamper with its answer chooses which
# prefixes get banned. Make sure the lookup is reachable through the
# firewall's own output rules and that a failed lookup does not leave the
# host without rules.
BANNEDASNS=''


# IPv6 Specific rules
#####################


# Example: accept the replies to outgoing HTTP/HTTPS/SMTP/DNS connections
# (matched on the remote source port plus conntrack state ESTABLISHED,RELATED,
# so these rules do not open any local port to new inbound connections)
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT


# Example: allow outgoing DNS and NTP; traceroute (UDP 33434-33523) is
# left commented out
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT


# Example: allow DHCPv6
# (server/relay -> client on UDP 546, only to the link-local destination;
# client -> server/relay on UDP 547)
# NOTE(review): the INPUT rule could be narrowed further with --sport 547;
# confirm your server/relay sends from that port before tightening.
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT


# IPv4 Specific rules
#####################


# /sbin/iptables ...