slitaz-tools annotate etc/slitaz/firewall.sh @ rev 898
Added tag 5.8.9 for changeset cffac58f072b
author | Aleksej Bobylev <al.bobylev@gmail.com> |
date | Sat Jul 05 18:24:31 2014 +0300 (2014-07-05) |
parents | 72c2ef5c57e7 |
children |
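#!/bin/sh
#
# SliTaz IPtables firewall rules
#
# Reads LOCAL_NETWORK and INTERFACES from the sourced configuration file,
# sets a default-deny policy on the filter chains and then adds a small
# set of explicit ACCEPT rules. Rules are appended (-A) on every run, so
# the caller is expected to flush the chains before re-running this file.
#
. /etc/slitaz/firewall.conf

# Default policy: anything no later rule accepts is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Accept input on localhost (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT

# Accept input on the local network. An empty LOCAL_NETWORK would leave
# "-s" without an argument and make iptables reject the rule, so skip it.
if [ -n "$LOCAL_NETWORK" ]; then
	iptables -A INPUT -s "$LOCAL_NETWORK" -j ACCEPT
fi

# Accept (nearly) all output traffic
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept input traffic only for connections initialized by user
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# If you manage a HTTP/SSH/FTP/IRC server you can accept input for
# non-established connections on some ports. Else you can disable the
# lines below for a more secure setup.
#
# Every service rule matches on --destination-port. The remote peer picks
# its own source port, so a --source-port match (as the HTTP and IRC rules
# previously used) does not describe "new connections to our server" and
# would accept new inbound connections to any local port instead.
#
# INTERFACES is iterated unquoted on purpose: it is a whitespace-separated
# list of interface names.
for iface in $INTERFACES
do
	# Accept input on port 80 for the HTTP server
	iptables -A INPUT -i "$iface" -p tcp --destination-port 80 -j ACCEPT

	# Accept input on port 22 for SSH
	iptables -A INPUT -i "$iface" -p tcp --destination-port 22 -j ACCEPT

	# Accept port 21 and 1024 to 60310 for FTP. The second rule opens the
	# whole passive range to new connections from any source; replies to
	# connections we opened ourselves are already covered by the
	# RELATED,ESTABLISHED rule above.
	iptables -A INPUT -i "$iface" -p tcp --destination-port 21 -j ACCEPT
	iptables -A INPUT -i "$iface" -p tcp --destination-port 1024:60310 -j ACCEPT

	# Accept port 6667 for IRC chat
	iptables -A INPUT -i "$iface" -p tcp --destination-port 6667 -j ACCEPT

	# Accept unprivileged ports. This admits new UDP datagrams to every
	# port above 1023 from any source; only needed for UDP services that
	# listen there, since replies to our own queries are RELATED,ESTABLISHED.
	iptables -A INPUT -i "$iface" -p udp --destination-port 1024:65535 -j ACCEPT

	# Accept ping
	iptables -A INPUT -i "$iface" -p icmp -j ACCEPT
done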