1.9 KiB

Brut Lien permanent Annotations Historique

Minifirewall

Minifirewall is shellscripts for easy firewalling on a standalone server we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel See https://gitea.evolix.org/evolix/minifirewall

Install

install --mode 0700 minifirewall /etc/init.d/minifirewall
install --mode 0600 minifirewall.conf /etc/default/minifirewall
mkdir --mode 0700 /etc/minifirewall.d

Config

Edit /etc/default/minifirewall file:

If your interface is not eth0, change INT variable
If you don't use IPv6, set IPv6='off'
Modify INTLAN variable, probably with your <IP>/32 or your local network if you trust it
Set your trusted and privilegied IP addresses in TRUSTEDIPS and PRIVILEGIEDIPS variables
Authorize your public services with SERVICESTCP1 and SERVICESUDP1 variables
Authorize your semi-public services (only for TRUSTEDIPS and PRIVILEGIEDIPS ) with SERVICESTCP2 and SERVICESUDP2 variables
Authorize your private services (only for TRUSTEDIPS ) with SERVICESTCP3 and SERVICESUDP3 variables
Configure your authorizations for external services : DNS, HTTP, HTTPS, SMTP, SSH, NTP
Add your specific rules

Docker

To use minifirewall with Docker you need to change the variable DOCKER='on' Then, authorisation for public/semi-public/private ports will also work for dockerized services

WARNING : When the port mapping on the host is different than in the container (ie: listen on :8090 on the host, but the service in the container listen on :8080) you need to use the port used by the container (ie: 8080) in the public/semi-public/private port list

Usage

/etc/init.d/minifirewall start/stop/restart

If you want to add minifirewall in boot sequence, add the start command to /usr/share/scripts/alert5.

License

This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.

1.9 KiB Brut Lien permanent Annotations Historique