  1. # Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
  2. # For fun, we keep last change from first CVS repository:
  3. # version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
  4. # Main interface
  5. INT='eth0'
  6. # IPv6
  7. IPV6=on
  8. # Docker Mode
  9. # Changes the behaviour of minifirewall to not break the containers' network
  10. # For instance, turning it on will disable nat table purge
  11. # Also, we'll add the DOCKER-USER chain, in iptable
  12. DOCKER='off'
  13. # Trusted IPv4 local network
  14. # ...will be often IP/32 if you don't trust anything
  15. INTLAN='192.168.0.2/32'
  16. # Trusted IPv4 addresses for private and semi-public services
  17. TRUSTEDIPS=''
  18. # Privilegied IPv4 addresses for semi-public services
  19. # (no need to add again TRUSTEDIPS)
  20. PRIVILEGIEDIPS=''
  21. # Local services IPv4/IPv6 restrictions
  22. #######################################
  23. # Protected services
  24. # (add also in Public services if needed)
  25. SERVICESTCP1p='22222'
  26. SERVICESUDP1p=''
  27. # Public services (IPv4/IPv6)
  28. SERVICESTCP1='22222'
  29. SERVICESUDP1=''
  30. # Semi-public services (IPv4)
  31. SERVICESTCP2='22'
  32. SERVICESUDP2=''
  33. # Private services (IPv4)
  34. SERVICESTCP3='5666'
  35. SERVICESUDP3=''
  36. # Standard output IPv4 access restrictions
  37. ##########################################
  38. # DNS authorizations
  39. # (if you have local DNS server, set 0.0.0.0/0)
  40. DNSSERVEURS='0.0.0.0/0'
  41. # HTTP authorizations
  42. # (you can use DNS names but set cron to reload minifirewall regularly)
  43. # (if you have HTTP proxy, set 0.0.0.0/0)
  44. HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
  45. # HTTPS authorizations
  46. HTTPSSITES='0.0.0.0/0'
  47. # FTP authorizations
  48. FTPSITES=''
  49. # SSH authorizations
  50. SSHOK='0.0.0.0/0'
  51. # SMTP authorizations
  52. SMTPOK='0.0.0.0/0'
  53. # SMTP secure authorizations (ports TCP/465 and TCP/587)
  54. SMTPSECUREOK=''
  55. # NTP authorizations
  56. NTPOK='0.0.0.0/0'
  57. # IPv6 Specific rules
  58. #####################
  59. # Example: allow input HTTP/HTTPS/SMTP/DNS traffic
  60. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
  61. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
  62. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
  63. /sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  64. /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
  65. # Example: allow output DNS, NTP and traceroute traffic
  66. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
  67. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
  68. #/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
  69. # Example: allow DHCPv6
  70. /sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
  71. /sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
  72. # IPv4 Specific rules
  73. #####################
  74. # /sbin/iptables ...