slitaz-tools view rootfs/etc/firewall.conf @ rev 435

improve firewall and iptables_rules (thanks gokhlayeh)
author Rohit Joshi <jozee@slitaz.org>
date Fri Mar 12 12:01:54 2010 +0000 (2010-03-12)
# /etc/firewall.conf: SliTaz firewall configuration.
# Config file used by: /etc/init.d/firewall.sh
#
# Network interface the iptables rules below are bound to (via -i).
INTERFACE='eth0'

# Enable/disable kernel security.
# NOTE(review): which kernel settings this switch controls is decided by
# /etc/init.d/firewall.sh, not by this file — check there for the details.
KERNEL_SECURITY='yes'

# Enable/disable the iptables rules defined by iptables_rules() below.
# The iptables package must be installed. Off by default.
IPTABLES_RULES='no'
# Netfilter/iptables rules.
# This shell function is included in /etc/init.d/firewall.sh, which calls it
# to load the iptables rules (see IPTABLES_RULES above).
#
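iptables_rules()
{
	# Load the host firewall: default policy DROP on every chain, then
	# re-open only loopback, the local network, established flows and the
	# listening services enabled below. Reads INTERFACE from this file.
	#
	# NOTE(review): `iptables -A` appends, so calling this twice without an
	# `iptables -F` in between duplicates every rule — confirm that
	# /etc/init.d/firewall.sh flushes first (not visible from this file).

	# Default policy: drop everything that no rule below accepts.
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP

	# Loopback (127.0.0.1) is needed by local services.
	iptables -A INPUT -i lo -j ACCEPT

	# Trust the local network (192.168.0.0/24).
	# CAVEAT: this matches on source address only, on any interface; a
	# packet with a forged 192.168.0.x source arriving from elsewhere is
	# accepted too. Add -i "$INTERFACE" (or rely on rp_filter) if such
	# addresses should only ever come from the LAN interface.
	iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

	# Let the host originate connections (INVALID packets stay dropped).
	iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

	# Inbound: only packets belonging to connections this host initiated.
	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

	# --- Services exposed to the network -----------------------------
	# Each rule below accepts new inbound connections to a listening port.
	# Comment out every line for a service this host does not run.
	# All rules match the DESTINATION port: a --source-port match here
	# would let any remote host reach any local port just by sending from
	# that source port, bypassing the firewall entirely.

	# HTTP server.
	iptables -A INPUT -i "$INTERFACE" -p tcp --dport 80 -j ACCEPT

	# SSH server.
	iptables -A INPUT -i "$INTERFACE" -p tcp --dport 22 -j ACCEPT

	# FTP server: control port plus the passive-mode data range.
	# CAVEAT: 1024:60310 opens almost every unprivileged TCP port. With the
	# nf_conntrack_ftp (ip_conntrack_ftp) helper loaded, passive data
	# connections are RELATED and already accepted above, so the second
	# rule can be removed or narrowed to the FTP server's configured range.
	iptables -A INPUT -i "$INTERFACE" -p tcp --dport 21 -j ACCEPT
	iptables -A INPUT -i "$INTERFACE" -p tcp --dport 1024:60310 -j ACCEPT

	# IRC server. (An IRC *client* needs no inbound rule: its traffic is
	# covered by the RELATED,ESTABLISHED rule above.)
	iptables -A INPUT -i "$INTERFACE" -p tcp --dport 6667 -j ACCEPT

	# Unprivileged UDP ports.
	# CAVEAT: this admits unsolicited UDP to every port >= 1024, so any
	# local UDP service listening there is reachable. Replies to DNS/NTP
	# queries this host sent are already ESTABLISHED; keep this only for
	# services that need unsolicited inbound UDP, and narrow the range.
	iptables -A INPUT -i "$INTERFACE" -p udp --dport 1024:65535 -j ACCEPT

	# ICMP (ping, unreachables, path MTU). All types are accepted; use
	# --icmp-type echo-request if only ping is wanted (error messages for
	# existing flows are RELATED and accepted above anyway).
	iptables -A INPUT -i "$INTERFACE" -p icmp -j ACCEPT
}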