slitaz-tools view etc/slitaz/firewall.sh @ rev 930

Finish previous tiny edit
author Aleksej Bobylev <al.bobylev@gmail.com>
date Tue Nov 25 00:41:01 2014 +0200 (2014-11-25)
parents 72c2ef5c57e7
children
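#!/bin/sh
#
# SliTaz IPtables firewall rules
#
# Reads LOCAL_NETWORK and INTERFACES from /etc/slitaz/firewall.conf, sets
# the default policy of every chain to DROP, then appends ACCEPT rules:
# loopback, the local network, conntrack-tracked return traffic, and a set
# of per-interface service ports.
#
# Rules are appended (-A) and nothing is flushed here, so running the
# script twice leaves duplicate rules behind.

# Bail out before touching any chain if the config is unreadable: with the
# DROP policies already applied, a half-run script would cut the box off.
if [ ! -r /etc/slitaz/firewall.conf ]; then
	printf '%s\n' "firewall.sh: cannot read /etc/slitaz/firewall.conf" >&2
	exit 1
fi
. /etc/slitaz/firewall.conf

# The -s rule below is malformed when LOCAL_NETWORK is empty; refuse to
# run rather than apply the DROP policies and then fail on that rule.
: "${LOCAL_NETWORK:?must be set in /etc/slitaz/firewall.conf}"

# Drop all input connections
iptables -P INPUT DROP

# Drop all output connections
iptables -P OUTPUT DROP

# Drop all forward connections
iptables -P FORWARD DROP

# Accept input on localhost (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT

# Accept input on the local network
iptables -A INPUT -s "$LOCAL_NETWORK" -j ACCEPT

# Accept (nearly) all output traffic
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept input traffic only for connections initialized by user
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# If you manage a HTTP/SSH/FTP/IRC server you can accept input for
# non-established connections on some ports. Else you can disable the
# lines below for a more secure setup.
#
# Every service rule matches on --destination-port: a server is reached
# on its own port, so that is the port to open. A --source-port match
# would let any remote host reach any local port simply by sending from
# that port number, because the client picks its own source port.
#
# INTERFACES is deliberately left unquoted: it is a whitespace-separated
# list of interface names that the for loop splits into words.
for iface in $INTERFACES
do
	# Accept input on port 80 for the HTTP server
	iptables -A INPUT -i "$iface" -p tcp --destination-port 80 -j ACCEPT

	# Accept input on port 22 for SSH
	iptables -A INPUT -i "$iface" -p tcp --destination-port 22 -j ACCEPT

	# Accept port 21 and 1024 to 60310 for FTP. The second rule opens the
	# whole passive range to new connections from anywhere; narrow it to
	# the passive port range configured on your FTP daemon, or remove it
	# if the box does not serve FTP.
	iptables -A INPUT -i "$iface" -p tcp --destination-port 21 -j ACCEPT
	iptables -A INPUT -i "$iface" -p tcp --destination-port 1024:60310 -j ACCEPT

	# Accept port 6667 for IRC chat
	iptables -A INPUT -i "$iface" -p tcp --destination-port 6667 -j ACCEPT

	# Accept unprivileged ports. This admits new UDP traffic to every
	# unprivileged port; keep it only if a UDP service actually needs it.
	iptables -A INPUT -i "$iface" -p udp --destination-port 1024:65535 -j ACCEPT

	# Accept ping
	iptables -A INPUT -i "$iface" -p icmp -j ACCEPT
done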