slitaz-tools diff etc/firewall.conf @ rev 746

Add: decode (new cmdline tool to decode audio/video files)
author Christophe Lincoln <pankso@slitaz.org>
date Mon Apr 30 10:35:44 2012 +0200 (2012-04-30)
parents 71139fa09dca
children
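--- /dev/null
+++ b/etc/firewall.conf
@@ -0,0 +1,65 @@
+# /etc/firewall.conf: SliTaz firewall configuration.
+# Config file used by: /etc/init.d/firewall.sh
+#
+
+# Network interface.
+INTERFACE="eth0"
+
+# Enable/disable kernel security.
+KERNEL_SECURITY="yes"
+
+# Enable/disable iptables rules (iptables package must be installed). 
+IPTABLES_RULES="no"
+
+# Netfilter/iptables rules.
+# This shell function is included in /etc/init.d/firewall.sh
+# to start iptables rules.
+#
+iptables_rules()
+{
+
+# Drop all input connections.
+iptables -P INPUT DROP
+
+# Drop all output connections.
+iptables -P OUTPUT DROP
+
+# Drop all forward connections.
+iptables -P FORWARD DROP
+
+# Accept input on localhost (127.0.0.1).
+iptables -A INPUT -i lo -j ACCEPT
+
+# Accept input on the local network (192.168.0.0/24).
+iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
+
+# Accept near all output trafic.
+iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Accept input trafic only for connections initialized by user.
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
+# else you can disable the lines below for more secured setup
+
+# Accept input on port 80 for the HTTP server.
+iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT
+
+# Accept input on port 22 for SSH.
+iptables -A INPUT -i $INTERFACE -p tcp --destination-port 22 -j ACCEPT
+
+# Accept port 21 and, 1024 to 60310 for FTP.
+iptables -A INPUT -i $INTERFACE -p tcp --destination-port 21 -j ACCEPT
+iptables -A INPUT -i $INTERFACE -p tcp --destination-port 1024:60310 -j ACCEPT
+
+# Accept port 6667 for IRC chat.
+iptables -A INPUT -i $INTERFACE -p tcp --source-port 6667 -j ACCEPT
+
+# Accept unprivileged ports.
+iptables -A INPUT -i $INTERFACE -p udp --destination-port 1024:65535 -j ACCEPT
+
+# Accept ping.
+iptables -A INPUT -i $INTERFACE -p icmp -j ACCEPT
+
+}
+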
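Review bot: The HTTP rule at 1.49 and the IRC rule at 1.59 match `--source-port` instead of `--destination-port`, so they do not open the local port 80 or 6667 service; they accept any inbound TCP packet whose remote source port happens to be 80 or 6667, to any local port, which defeats the INPUT DROP policy set at 1.25. The comments above them ("Accept input on port 80 for the HTTP server") describe the destination-port form, so the fix is `iptables -A INPUT -i $INTERFACE -p tcp --destination-port 80 -j ACCEPT` and `iptables -A INPUT -i $INTERFACE -p tcp --destination-port 6667 -j ACCEPT`. Separately, since 1.43 already accepts RELATED,ESTABLISHED input, the wide ranges at 1.56 (TCP 1024:60310) and 1.62 (UDP 1024:65535) only serve unsolicited inbound traffic and expose every unprivileged port; if they exist for passive FTP or client replies, the RELATED state together with the kernel's FTP connection-tracking helper would cover that with a far smaller surface, and the file's own comment at 1.46 already presents these lines as optional. Nothing flushes the chains before the appends, so calling iptables_rules() twice leaves duplicate rules; an `iptables -F` at the top of the function would make it idempotent.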