slitaz-tools annotate etc/slitaz/firewall.sh @ rev 898
Added tag 5.8.9 for changeset cffac58f072b
| author | Aleksej Bobylev <al.bobylev@gmail.com> |
|---|---|
| date | Sat Jul 05 18:24:31 2014 +0300 (2014-07-05) |
| parents | 72c2ef5c57e7 |
| children |
| rev | line source |
|---|---|
| pankso@769 | 1 #!/bin/sh |
| pankso@769 | 2 # |
| pankso@769 | 3 # SliTaz IPtables firewall rules |
| pankso@769 | 4 # |
| pankso@769 | 5 . /etc/slitaz/firewall.conf |
| pankso@769 | 6 |
| pankso@769 | 7 # Drop all input connections |
| pankso@769 | 8 iptables -P INPUT DROP |
| pankso@769 | 9 |
| pankso@769 | 10 # Drop all output connections |
| pankso@769 | 11 iptables -P OUTPUT DROP |
| pankso@769 | 12 |
| pankso@769 | 13 # Drop all forward connections |
| pankso@769 | 14 iptables -P FORWARD DROP |
| pankso@769 | 15 |
| pankso@769 | 16 # Accept input on localhost (127.0.0.1) |
| pankso@769 | 17 iptables -A INPUT -i lo -j ACCEPT |
| pankso@769 | 18 |
| pankso@769 | 19 # Accept input on the local network |
| pankso@769 | 20 iptables -A INPUT -s $LOCAL_NETWORK -j ACCEPT |
| pankso@769 | 21 |
| paul@835 | 22 # Accept (nearly) all output traffic |
| mojo@804 | 23 iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT |
| pankso@769 | 24 |
| paul@835 | 25 # Accept input traffic only for connections initialized by user |
| mojo@804 | 26 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
| pankso@769 | 27 |
| pankso@769 | 28 # If you manage a HTTP/SSH/FTP/IRC server you can accept input for |
| paul@811 | 29 # non-established connections on some ports. Else you can disable the |
| paul@811 | 30 # lines below for a more secure setup |
| pankso@769 | 31 for iface in $INTERFACES |
| pankso@769 | 32 do |
| paul@811 | 33 # Accept input on port 80 for the HTTP server |
| pankso@769 | 34 iptables -A INPUT -i $iface -p tcp --source-port 80 -j ACCEPT |
| pankso@769 | 35 |
| paul@811 | 36 # Accept input on port 22 for SSH |
| pankso@769 | 37 iptables -A INPUT -i $iface -p tcp --destination-port 22 -j ACCEPT |
| pankso@769 | 38 |
| paul@811 | 39 # Accept port 21 and 1024 to 60310 for FTP |
| pankso@769 | 40 iptables -A INPUT -i $iface -p tcp --destination-port 21 -j ACCEPT |
| pankso@769 | 41 iptables -A INPUT -i $iface -p tcp --destination-port 1024:60310 -j ACCEPT |
| pankso@769 | 42 |
| paul@811 | 43 # Accept port 6667 for IRC chat |
| pankso@769 | 44 iptables -A INPUT -i $iface -p tcp --source-port 6667 -j ACCEPT |
| pankso@769 | 45 |
| paul@811 | 46 # Accept unprivileged ports |
| pankso@769 | 47 iptables -A INPUT -i $iface -p udp --destination-port 1024:65535 -j ACCEPT |
| pankso@769 | 48 |
| paul@811 | 49 # Accept ping |
| pankso@769 | 50 iptables -A INPUT -i $iface -p icmp -j ACCEPT |
| pankso@769 | 51 done |