slitaz-tools rev 435

improve firewall and iptables_rules (thanks gokhlayeh)
author Rohit Joshi <jozee@slitaz.org>
date Fri Mar 12 12:01:54 2010 +0000 (2010-03-12)
parents 7d7b2a312362
children 62ce01191f4b
files rootfs/etc/firewall.conf rootfs/etc/init.d/firewall
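--- a/rootfs/etc/firewall.conf
+++ b/rootfs/etc/firewall.conf
@@ -21,15 +21,27 @@
 # Drop all input connections.
 iptables -P INPUT DROP
 
-# Accept all output connections.
-iptables -P OUTPUT ACCEPT
+# Drop all output connections.
+iptables -P OUTPUT DROP
+
+# Drop all forward connections.
+iptables -P FORWARD DROP
 
 # Accept input on localhost (127.0.0.1).
 iptables -A INPUT -i lo -j ACCEPT
 
-# Accept all on the local network (192.168.0.0/24).
+# Accept input on the local network (192.168.0.0/24).
 iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
 
+# Accept near all output trafic.
+iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Accept input trafic only for connections initialized by user.
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
+# else you can disable the lines below for more secured setup
+
 # Accept input on port 80 for the HTTP server.
 iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT
 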
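Review bot: The HTTP rule kept on the new side at the end of the hunk, `iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT`, matches the remote sender's source port rather than the local port the HTTP server listens on, so it does not implement what its comment says and, under the new INPUT DROP policy, accepts unrelated inbound TCP traffic whose source port happens to be 80. For a local server the match should be on the destination port: `iptables -A INPUT -i $INTERFACE -p tcp --dport 80 -j ACCEPT`. The new comment above it refers to further per-service rules "below", which lie outside the hunk; if they use the same `--source-port` form they likely have the same problem. While here, the added comments have typos: `trafic` → `traffic`, `an some ports` → `on some ports`, `more secured setup` → `more secure setup`.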
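--- a/rootfs/etc/init.d/firewall
+++ b/rootfs/etc/init.d/firewall
@@ -51,6 +51,7 @@
       echo -n "Stopping iptables firewall rules... "
       iptables -P INPUT ACCEPT
       iptables -P OUTPUT ACCEPT
+      iptables -P FORWARD ACCEPT
       iptables -F
       iptables -X
       status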