authorandreas@tuxedo-six2018-07-28 11:55:46 +0200
committerandreas@tuxedo-six2018-07-28 12:00:50 +0200
commite62946f03075757ee74d6b4554d922986d3f57ae (patch)
treef1083cf2bbad3bb5ad271c466fbd20170c774bf5
parentee70b18cb80f51cad17969d3ea46c3a48c99ec94 (diff)
downloaddotfiles-e62946f03075757ee74d6b4554d922986d3f57ae.zip
dotfiles-e62946f03075757ee74d6b4554d922986d3f57ae.tar.gz
(iptables) Rewrite doc, Pretty indent, better file names
-rw-r--r--src/firewall/rules.v4.source (renamed from src/firewall/rules.v4)28
-rw-r--r--src/firewall/rules.v629
-rw-r--r--src/firewall/rules.v6.source29
3 files changed, 43 insertions, 43 deletions
diff --git a/src/firewall/rules.v4 b/src/firewall/rules.v4.source
index afffdbd..b2fb378 100644
--- a/src/firewall/rules.v4
+++ b/src/firewall/rules.v4.source
@@ -1,32 +1,32 @@
###############################################################################
+# Setup env:
+# cp rules.v4.source /etc/iptables/rules.v4.source
+# aptitude install iptables-persistent
# Load rules:
-# | iptables-restore < rules.v4
-# If 'iptables-persistent' is not installed install it:
-# | aptitude install iptables-persistent
-# If 'iptables-persistent' is already installed simply write changes to config
-# file:
-# | iptables-save > /etc/iptables/rules.v4
+# cat /etc/iptables/rules.v4.source | sudo iptables-restore
+# Persist currently loaded config:
+# sudo iptables-save | sudo tee /etc/iptables/rules.v4
###############################################################################
*filter
# Loopback
--A INPUT -i lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DNS client
-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
--A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP client
-A OUTPUT -p udp --dport 67:68 -j ACCEPT
--A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
+-A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
# Ping client
-A OUTPUT -p icmp -j ACCEPT
#-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
--A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# NTP client
# May the part "-m state --state ESTABLISHED,RELATED" has to be dropped (not tested yet).
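Review bot: The load step documented in the new header (`cat /etc/iptables/rules.v4.source | sudo iptables-restore`) applies the whole ruleset with no validation, and since this same file ends in `-A INPUT -j DROP` / `-A OUTPUT -j REJECT` (second hunk), a typo in an edited rule above those lines can lock a remote session out before anything is logged. It would be worth adding a dry-run line ahead of it, `# sudo iptables-restore --test < /etc/iptables/rules.v4.source` (where the installed iptables supports `--test`), and the `cat |` is redundant anyway: `sudo iptables-restore < /etc/iptables/rules.v4.source` reads the file directly. The "Persist" step (`sudo iptables-save | sudo tee /etc/iptables/rules.v4`) snapshots the live tables, which may include rules inserted by other tools rather than only what is in rules.v4.source; a short caveat such as `# (snapshots ALL live rules, not just this file)` would save a surprise on the next boot. The hunk's remaining lines only change indentation, so nothing else to raise here.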
@@ -108,14 +108,14 @@
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT
# Log blocked connection attemps
--A INPUT -j LOG --log-prefix "iptable-bad-in: " --log-level 6
+-A INPUT -j LOG --log-prefix "iptable-bad-in: " --log-level 6
-A FORWARD -j LOG --log-prefix "iptable-bad-fwd: " --log-level 6
--A OUTPUT -j LOG --log-prefix "iptable-bad-out: " --log-level 6
+-A OUTPUT -j LOG --log-prefix "iptable-bad-out: " --log-level 6
# Disallow any non-whitelisted packets (Use either DROP or REJECT. Your choise)
--A INPUT -j DROP
+-A INPUT -j DROP
-A FORWARD -j DROP
--A OUTPUT -j REJECT
+-A OUTPUT -j REJECT
COMMIT
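Review bot: The LOG rules re-indented here (`-A INPUT -j LOG ...` and `-A OUTPUT -j LOG ...`) are unconditional, so a port scan against the host, or a local process that retries a rejected connection in a loop, writes one syslog entry per packet and can fill the log volume; a rate limit is the usual guard, e.g. `-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptable-bad-in: " --log-level 6` and the same `-m limit` clause on the OUTPUT and FORWARD LOG lines. The default-deny lines after them are unchanged apart from whitespace, which is fine. Two context lines carry typos ("attemps", "choise") that this commit did not touch; worth fixing in a follow-up since they are comments only.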
diff --git a/src/firewall/rules.v6 b/src/firewall/rules.v6
deleted file mode 100644
index a818edd..0000000
--- a/src/firewall/rules.v6
+++ /dev/null
@@ -1,29 +0,0 @@
-
-###############################################################################
-# Load rules:
-# | ip6tables-restore < rules.v6
-# If 'iptables-persistent' is not installed install it:
-# | aptitude install iptables-persistent
-# If 'iptables-persistent' is already installed simply write changes to config
-# file:
-# | ip6tables-save > /etc/iptables/rules.v6
-###############################################################################
-
-*filter
-
-# Loopback
--A INPUT -i lo -j ACCEPT
--A OUTPUT -o lo -j ACCEPT
-
-# Log blocked connection attemps
--A INPUT -j LOG --log-prefix "ip6table-bad-input: " --log-level 6
--A FORWARD -j LOG --log-prefix "ip6table-bad-forward: " --log-level 6
--A OUTPUT -j LOG --log-prefix "ip6table-bad-output: " --log-level 6
-
-# Disallow any non-whitelisted packets
--A INPUT -j REJECT
--A FORWARD -j REJECT
--A OUTPUT -j REJECT
-
-COMMIT
-
diff --git a/src/firewall/rules.v6.source b/src/firewall/rules.v6.source
new file mode 100644
index 0000000..4a0dbf0
--- /dev/null
+++ b/src/firewall/rules.v6.source
@@ -0,0 +1,29 @@
+
+###############################################################################
+# Setup env:
+# cp rules.v6.source /etc/iptables/rules.v6.source
+# aptitude install iptables-persistent
+# Load rules:
+# cat /etc/iptables/rules.v6.source | sudo ip6tables-restore
+# Persist currently loaded config:
+# sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
+###############################################################################
+
+*filter
+
+# Loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Log blocked connection attemps
+-A INPUT -j LOG --log-prefix "ip6tableBadIn: " --log-level 6
+-A FORWARD -j LOG --log-prefix "ip6tableBadFwd: " --log-level 6
+-A OUTPUT -j LOG --log-prefix "ip6tableBadOut: " --log-level 6
+
+# Disallow any non-whitelisted packets
+-A INPUT -j DROP
+-A FORWARD -j DROP
+-A OUTPUT -j REJECT
+
+COMMIT
+
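Review bot: With `-A INPUT -j DROP` and `-A OUTPUT -j REJECT` and no ICMPv6 rule, this file blocks Neighbor Discovery and Router Advertisement traffic as well, so IPv6 on the host will not function at all beyond loopback; if that is the intent it should be stated in the header, otherwise the minimum is `-A INPUT -p ipv6-icmp -j ACCEPT` and `-A OUTPUT -p ipv6-icmp -j ACCEPT` placed before the LOG lines (RFC 4890 lists the specific types if a tighter filter is wanted). The log prefixes chosen here (`ip6tableBadIn: `, `ip6tableBadFwd: `, `ip6tableBadOut: `) follow a different naming style than the IPv4 file's `iptable-bad-in: ` / `iptable-bad-fwd: ` / `iptable-bad-out: ` in the same commit, which complicates any log filter or SIEM rule matching on the prefix; suggest `ip6table-bad-in: ` etc. for consistency. As on the IPv4 side, the LOG rules have no `-m limit` clause, so a scan can flood the journal.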