# HG changeset patch
# User Rohit Joshi
# Date 1268395314 0
# Node ID 71139fa09dca0ffbd8c58bbab0375da42ec4bcb3
# Parent 7d7b2a312362f732cf92eb29208ab21460e25c85
improve firewall and iptables_rules (thanks gokhlayeh)

diff -r 7d7b2a312362 -r 71139fa09dca rootfs/etc/firewall.conf
--- a/rootfs/etc/firewall.conf Tue Feb 23 16:22:49 2010 +0000
+++ b/rootfs/etc/firewall.conf Fri Mar 12 12:01:54 2010 +0000
@@ -21,15 +21,27 @@
 # Drop all input connections.
 iptables -P INPUT DROP
 
-# Accept all output connections.
-iptables -P OUTPUT ACCEPT
+# Drop all output connections.
+iptables -P OUTPUT DROP
+
+# Drop all forward connections.
+iptables -P FORWARD DROP
 
 # Accept input on localhost (127.0.0.1).
 iptables -A INPUT -i lo -j ACCEPT
 
-# Accept all on the local network (192.168.0.0/24).
+# Accept input on the local network (192.168.0.0/24).
 iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
 
+# Accept near all output trafic.
+iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Accept input trafic only for connections initialized by user.
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
+# else you can disable the lines below for more secured setup
+
 # Accept input on port 80 for the HTTP server.
 iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT
diff -r 7d7b2a312362 -r 71139fa09dca rootfs/etc/init.d/firewall
--- a/rootfs/etc/init.d/firewall Tue Feb 23 16:22:49 2010 +0000
+++ b/rootfs/etc/init.d/firewall Fri Mar 12 12:01:54 2010 +0000
@@ -51,6 +51,7 @@
  echo -n "Stopping iptables firewall rules... "
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
  iptables -F
  iptables -X
  status
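Review bot: The new comment `# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.` points at rules written with `--source-port 80`, which does not select inbound connections to a local service (those are keyed on the destination port) and instead admits any remote packet whose sender chose source port 80, bypassing the INPUT DROP policy and the new RELATED,ESTABLISHED rule; the server exception the comment describes is `iptables -A INPUT -i $INTERFACE -p tcp --dport 80 -j ACCEPT`, and the same correction presumably applies to the other per-port lines that follow below the hunk. The added comments also carry typos ("trafic", "an some ports"), and "initialized by user" would read more precisely as "initiated from this host". The earlier part of the file, where `INTERFACE` is assigned, is outside the hunk.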
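Review bot: The stop path now resets FORWARD alongside INPUT and OUTPUT, but nothing in the hunk states that "stop" deliberately leaves the host unfiltered rather than falling back to a default-deny state; a one-line comment above the three `-P … ACCEPT` lines, `# stop = no filtering: open all policies, then drop every rule and custom chain`, would make that explicit. The reset and flush are confined to the filter table; if rules are ever added to the nat or mangle tables (this commit's firewall.conf does not), they would survive a stop, so a matching `iptables -t nat -F` would be needed at that point. The case arm this belongs to begins and ends outside the hunk.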