|
|
||
|---|---|---|
| .gitignore | ||
| blacklist-countries.sh | ||
| cron_minifirewall | ||
| LICENSE | ||
| minifirewall | ||
| minifirewall.conf | ||
| README.md | ||
| ripe.sh | ||
| Vagrantfile | ||
Minifirewall
Minifirewall is shellscripts for easy firewalling on a standalone server we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel See https://gitea.evolix.org/evolix/minifirewall
Install
install -m 0700 minifirewall /etc/init.d/minifirewall
install -m 0600 minifirewall.conf /etc/default/minifirewall
Config
Edit /etc/default/minifirewall file:
- If your interface is not eth0, change INT variable
- If you don't IPv6 : IPv6=off
- Modify INTLAN variable, probably with your IP/32 or your local network if you trust it
- Set your trusted and privilegied IP addresses in TRUSTEDIPS and PRIVILEGIEDIPS variables
- Authorize your +public+ services with SERVICESTCP1 and SERVICESUDP1 variables
- Authorize your +semi-public+ services (only for TRUSTEDIPS and PRIVILEGIEDIPS ) with SERVICESTCP2 and SERVICESUDP2 variables
- Authorize your +private+ services (only for TRUSTEDIPS ) with SERVICESTCP3 and SERVICESUDP3 variables
- Configure your authorizations for external services : DNS, HTTP, HTTPS, SMTP, SSH, NTP
- Add your specific rules
Docker
To use minifirewall with docker you need to change the variable DOCKER from off to on Then, authorisation for public/semi-public/private ports will also work for dockerized services
WARNING : When the port mapping on the host is different than in the container (ie: listen on :8090 on the host, but the service in the container listen on :8080) you need to use the port used by the container (ie: 8080) in the public/semi-public/private port list
Usage
/etc/init.d/minifirewall start/stop/restart
If you want to add minifirewall in boot sequence:
systemctl enable minifirewall
License
This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.