path: root/src/firewall/iptable-desktop-template.fwrules
blob: 45b5397ac90fb22283d7d449d9a4bd5d100e6ded (plain)

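*filter

# Fail-closed chain policies. The explicit REJECT rules at the end of each
# chain are what normally terminates non-whitelisted traffic; a DROP policy
# is only a backstop in case those trailing rules are ever removed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback (unrestricted in both directions)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# DNS client
# Only UDP/53 is opened; resolvers that fall back to TCP for truncated
# answers are not covered by these two rules.
# (-m state is the legacy spelling of -m conntrack --ctstate; kept as-is.)
-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCP client
# NOTE(review): replies sent to the broadcast address may not be classified
# ESTABLISHED by conntrack; confirm leases actually renew through this rule
# (many DHCP clients use raw sockets that bypass netfilter entirely).
-A OUTPUT -p udp --dport 67:68 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT

# Ping client
# The OUTPUT rule accepts every ICMP type, not only echo-request. The
# commented INPUT rule would additionally answer incoming pings (type 8).
-A OUTPUT -p icmp -j ACCEPT
#-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# NTP client
#-A OUTPUT -p udp --dport 123 -j ACCEPT
#-A INPUT -p udp --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH client
#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# SSH server
#-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
#-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# Web client (HTTP and HTTPS)
#-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT

# CUPS server (only required for remote access)
# One OUTPUT rule per protocol, matching the two INPUT rules above it.
#-A INPUT -p udp --dport 631 -j ACCEPT
#-A INPUT -p tcp --dport 631 -j ACCEPT
#-A OUTPUT -p udp --sport 631 -j ACCEPT
#-A OUTPUT -p tcp --sport 631 -j ACCEPT

# POP3 client (POP3S, implicit TLS)
#-A OUTPUT -p tcp --dport 995 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT

# SMTP client (SMTPS, implicit TLS)
#-A OUTPUT -p tcp --dport 465 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT

# IMAP client (IMAPS, implicit TLS)
#-A OUTPUT -p tcp --dport 993 -j ACCEPT
#-A INPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT

# Log blocked connection attempts.
# Rate-limited so that a flood of rejected packets cannot saturate the
# kernel log; --log-level 6 is syslog "info".
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptable-bad-input:  " --log-level 6
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptable-bad-forward: " --log-level 6
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptable-bad-output: " --log-level 6

# Disallow any non-whitelisted packets.
# REJECT (default icmp-port-unreachable) makes the sender fail fast instead
# of waiting for a timeout; local applications see an immediate error.
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT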