slitaz-tools rev 435
improve firewall and iptables_rules (thanks gokhlayeh)
author | Rohit Joshi <jozee@slitaz.org> |
date | Fri Mar 12 12:01:54 2010 +0000 (2010-03-12) |
parents | 7d7b2a312362 |
children | 62ce01191f4b |
files | rootfs/etc/firewall.conf rootfs/etc/init.d/firewall |
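--- a/rootfs/etc/firewall.conf	Tue Feb 23 16:22:49 2010 +0000
+++ b/rootfs/etc/firewall.conf	Fri Mar 12 12:01:54 2010 +0000
@@ -21,15 +21,27 @@
 # Drop all input connections.
 iptables -P INPUT DROP
 
-# Accept all output connections.
-iptables -P OUTPUT ACCEPT
+# Drop all output connections.
+iptables -P OUTPUT DROP
+
+# Drop all forward connections.
+iptables -P FORWARD DROP
 
 # Accept input on localhost (127.0.0.1).
 iptables -A INPUT -i lo -j ACCEPT
 
-# Accept all on the local network (192.168.0.0/24).
+# Accept input on the local network (192.168.0.0/24).
 iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
 
+# Accept near all output trafic.
+iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Accept input trafic only for connections initialized by user.
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# If you manage a HTTP/SSH/FTP/IRC server you can accept input for non-established connections an some ports.
+# else you can disable the lines below for more secured setup
+
 # Accept input on port 80 for the HTTP server.
 iptables -A INPUT -i $INTERFACE -p tcp --source-port 80 -j ACCEPT
 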
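Review bot: The new comment at 1.28–1.29 tells server operators that the rules below admit inbound connections to an HTTP/SSH/FTP/IRC server, but the rule at 1.32 matches `--source-port 80` rather than the destination port, so it does not admit connections to a local web server at all; what it admits is any inbound TCP packet whose sender chose source port 80, which lets a remote host reach every local TCP port past the new `INPUT DROP` policy. The `RELATED,ESTABLISHED` rule added at 1.26 already covers reply traffic for local clients, so the source-port match no longer serves its original purpose and should become `iptables -A INPUT -i $INTERFACE -p tcp --dport 80 -j ACCEPT`, with the same change for the other server-port rules. The comment at 1.29 should also make clear that, once the state rule is in place, the per-port rules are needed only when the host itself listens on that port. The remaining per-port rules and the definition of `$INTERFACE` lie outside this hunk.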
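--- a/rootfs/etc/init.d/firewall	Tue Feb 23 16:22:49 2010 +0000
+++ b/rootfs/etc/init.d/firewall	Fri Mar 12 12:01:54 2010 +0000
@@ -51,6 +51,7 @@
 	echo -n "Stopping iptables firewall rules... "
 	iptables -P INPUT ACCEPT
 	iptables -P OUTPUT ACCEPT
+	iptables -P FORWARD ACCEPT
 	iptables -F
 	iptables -X
 	status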
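Review bot: `iptables -F` and `iptables -X` at 2.8–2.9 act only on the filter table, so the stop path now resets all three filter-chain policies but would leave any nat or mangle rules in place. The rules file shipped in this commit touches only the filter table, so this is not a present bug, but a `FORWARD DROP` default usually goes hand in hand with masquerading, and if such rules are added later they will survive a stop. Adding `iptables -t nat -F` and `iptables -t nat -X` (and the same for `-t mangle`) after the filter flush would make the reset complete; a short comment such as `# Filter table only; add -t nat/-t mangle here if the rules file uses them` would at least document the limitation. The enclosing stop case arm starts and ends outside the hunk.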