
Súbor: [Platon] / scripts / shell / firewall / default-firewall.conf (stiahnutie)

Revízia 2.37, Thu May 5 21:07:54 2016 UTC (5 years, 8 months ago) by rajo


Zmeny od 2.36: +4 -1 [lines]

map_subnet replaced by load_subnet

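#!/bin/sh

#
# /etc/default/firewall
#
# Example configuration file for Linux kernel firewall
#
# This file is meant to be sourced by the firewall script rather than run on
# its own: every setting is a plain shell variable assignment (keep the quotes,
# no spaces around '='), and the last line calls a helper that only exists in
# the calling script.
#
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk>
# Copyright (c) 2004 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# Changelog:
# 2004-11-14 - created
#

# $Platon: scripts/shell/firewall/default-firewall.conf,v 2.36 2011-11-18 23:26:18 rajo Exp $

# uncomment next line for debugging
# With DEBUG set, $IPTABLES (see "Paths" below) expands to "echo /sbin/iptables",
# so the rules are printed instead of installed - nothing is filtered while it is on.
#DEBUG="echo "

# DEFAULT_FIREWALL_CONFIG_DIR="/etc/default/firewall.d"
# chain policy for packets no rule matches; DROP discards them silently
DEFAULT_POLICY="DROP"

# which modules to load
#
# https://dev.openwrt.org/ticket/3527
# For the kernel part, since 2.6.25 tos/TOS kernel modules have been merged with dscp/DSCP modules in xt_dscp.ko and xt_DSCP.ko. There is no more ipt_(tos|TOS).ko.
#
# Concerning the iptables modules, libipt_(tos|TOS).so installation depends (in
# include/netfilter.mk) on CONFIG_IP_NF_(TARGET|MATCH)_TOS symbols which no
# longer exist. tos/TOS modules are not included for installation.
#
# I don't know if there is a quick fix around the CONFIG_IP_NF_(TARGET|MATCH)_TOS symbols...
#
# The best solution would be to upgrade netfilter to 1.4.1.1 when using a kernel version >= 2.6.25.
MODULES="ipt_LOG ipt_REJECT ip_conntrack_ftp ip_nat_ftp ipt_TOS xt_DSCP"

# Turn logging via syslog on or off
# Default: on
LOGGING="on"
# Rate limit for logged packets (12/s, burst 24) so a packet flood cannot fill
# syslog. The string ends with --log-prefix; presumably the firewall script
# appends its own prefix text when it builds the rule.
LOG_LIMIT="-m limit --limit 12/s --limit-burst 24 -j LOG --log-level notice --log-prefix"

# Paths:
# $DEBUG is normally empty; see the debugging note at the top of this file
IPTABLES="$DEBUG/sbin/iptables"
# ":" is the shell no-op: with this enabled no rule is ever installed, so only
# use it on a test machine
#IPTABLES=":" # for testing only - does nothing
IFCONFIG="/sbin/ifconfig"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
AWK="/usr/bin/awk"
PERL="/usr/bin/perl"

# loopback interface
# ${VAR:=default} keeps a value already exported by the environment, otherwise "lo"
LO_IFACE="${LO_IFACE:=lo}"

# Antispoof filter
# interface on which packets claiming a local/private source address are rejected
ANTISPOOF_IFACE="eth0"

# banned IP addresses
# packets from these hosts are DROPPED
# 146.48.97.0/24 - UbiCrawler which doesn't accept HTTP META tags
#                  "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)"
#                  http://www.robotstxt.org/wc/faq.html#extension
BANNED_IP="146.48.97.0/24"

# Allow traceroute from interfaces
#TRACEROUTE_IFACE="eth1"

# accept all packets on these interfaces
# DO NOT ADD eth0 device here !!!
# (accepting everything on the internet-facing interface would switch the
# firewall off for it; lo and the VPN devices tun+/tap+ are trusted here)
IFACE_ACCEPT_ALL="lo tun+ tap+"

# Packets to these ports are ALWAYS dropped (they do not appear in the log)
#ALL_DROP_INPUT_TCP="135 137 139 445" # Microsoft Windows packets
#ALL_DROP_INPUT_UDP="135 137 139 445" # Microsoft Windows packets
# REAL_* variants: the same as above, but the rules also cover interfaces
# that do not exist yet (see REAL_ACCEPT_INPUT_* below)
#REAL_DROP_INPUT_TCP=""
#REAL_DROP_INPUT_UDP=""

# Which ports will be closed on INPUT (TCP and/or UDP connections)
# REJECT_WITH="icmp-port-unreachable" # default in Linux, but doesn't work well with all firewalls
# NOTE: "tcp-reset" is only valid in TCP rules. The UDP reject lists below are
# empty; if UDP ports are added, check how the firewall script applies
# REJECT_WITH to them (an ICMP type may be needed there).
REJECT_WITH="tcp-reset"
# 113 (ident) and 23 (telnet) are rejected with a reset instead of silently dropped
ALL_REJECT_INPUT_TCP="113 23"
ALL_REJECT_INPUT_UDP=""
REAL_REJECT_INPUT_TCP="113 23"
REAL_REJECT_INPUT_UDP=""
eth1_REJECT_INPUT_TCP=""
eth1_REJECT_INPUT_UDP=""

# Which ports will be allowed on INPUT (TCP and/or UDP connections)
ALL_ACCEPT_INPUT_TCP="22"
ALL_ACCEPT_INPUT_UDP="68" # dhcpclient
# The same as above but works for *really* all interfaces
# (this includes also yet non-existent interfaces, which is useful for IP failover)
REAL_ACCEPT_INPUT_TCP="22"
# The UDP list is the one meant to be empty. Earlier revisions assigned
# REAL_ACCEPT_INPUT_TCP="" here a second time, which silently overrode the
# port 22 entry above.
REAL_ACCEPT_INPUT_UDP=""
# interface eth0
# (use "port", or "ip:port", or "ip:ALL" for all ports from certain IP)
# When ports are separated by spaces, multiple firewall rules with "--dport $port" are generated
# When ports are separated by comma, single firewall rule with "-m multiport --dports 22,80,443" is generated
# NOTE: if eth0 is the internet-facing interface (as the NAT section below
# assumes), review whether NetBIOS (137,138,139), CUPS (631) and the proxy
# port (3128) really need to be reachable from outside.
eth0_ACCEPT_INPUT_TCP="123 137,138,139 631 80,443 3128 2220"
#eth0_0_ACCEPT_INPUT_TCP="80" # permit only 80 on eth0:0

# interface eth1
eth1_ACCEPT_INPUT_TCP="80 192.168.0.1/32:6000" # connection to port 6000 on interface eth1 is allowed only from IP 192.168.0.1
# interface ppp0
ppp0_ACCEPT_INPUT_TCP=""

# Which ports will be allowed on INPUT (UDP connections)
# interface eth0
# (use "port", or "ip:port", or "ip:ALL" for all ports from certain IP)
eth0_ACCEPT_INPUT_UDP="123 137,138,139 513 631"
# interface ppp0
ppp0_ACCEPT_INPUT_UDP=""

# You can redirect some ports from original port to new port
# With this feature you can effectively block access to some services for specified clients
#
# Example:
#
#    eth0_REDIRECT_TCP="1.2.3.4:80:81 8080:80"
#        - client with IP address 1.2.3.4 will not see web page served by apache (port 80).
#          He is redirected to port 81 (lighttpd for example), where he can see "Our homepage is down." ;-)
#        - content from apache (port 80) is served also on port 8080 (you don't need to modify httpd.conf and restart apache)
#
# eth0_REDIRECT_TCP="1.2.3.4:80:81"
# eth0_REDIRECT_UDP=""

# Packet dropping on OUTPUT
#eth0_DROP_OUTPUT_TCP="123 137 138 139 445 631"
#eth0_DROP_OUTPUT_UDP="123 137 138 139 445 631"
#eth1_DROP_OUTPUT_TCP=""
#eth1_DROP_OUTPUT_UDP=""

#
# NAT configuration
#

# eth0 connected to internet
#NAT_LAN_IFACE="eth0"
# eth1 connected to local subnet
#NAT_SUBNET_IFACE="eth1"

# logging must be turned on, see LOGGING="on"
NAT_LOG_NEW_CONNECTIONS="no"

# Hide NAT clients behind firewall
# (rewrites the TTL of NATed packets so the hop count does not reveal the
# hosts behind the router)
# XXX: this breaks traceroute, if you enable this!
# http://www.root.cz/clanky/sbirame-otisky-maskovani/
# NAT_SET_TTL="128" - Linux 2.4.7 / Windows XP SP1, 2000 SP4 (3)
# NAT_SET_TTL="60"  - Windows 98 (4)
NAT_SET_TTL="no"

#
# Forward configuration
#
# don't forward Microsoft protocols - NOT RFC compliant packets (packets in NEW state without SYN flag)
NAT_FORWARD_MICROSOFT="no"
# redirect all outgoing connections to SMTP port 25 to local server (simple virus/antispam protection)
# redirect all outgoing HTTP connection to transparent proxy server (squid)
# format: "original_port:new_port ..."
NAT_TCP_PORT_REDIRECT="25:25 80:3128 8080:3128 1080:3128 3128:3128"

# forward port 2220 from your firewall/router to local machine port 22 (ssh)
# you must accept port 2220 in $eth0_ACCEPT_INPUT_TCP
# format: "public_port:lan_ip:lan_port" or "public_ip:public_port:lan_ip:lan_port"
NAT_TCP_PORT_FORWARD="2220:192.168.0.100:22" # IP of lan interface is detected automatically
# second entry is appended to the first (the variable is extended, not replaced)
NAT_TCP_PORT_FORWARD="$NAT_TCP_PORT_FORWARD 192.168.116.109:80:10.168.2.110:80" # 192.168.116.109 is alias of $NAT_LAN_IFACE interface (e.g. eth0:0)

# NAT only "secure" ports
# NOTE: the list still contains cleartext protocols such as 23 (telnet) and
# 194 (irc); trim it to what the LAN actually needs.
NAT_FORWARD_TCP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"
NAT_FORWARD_UDP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"

#
# Deny NAT for clients with this IP
#
#NAT_CLIENT_DROP="192.168.0.120" # ugly bad boys in your LAN

#
# IP accounting for clients in local network
#
#DO_LOCAL_IP_ACCOUNTING="yes"
#IP_ACCT_CLIENTS="192.168.0.120 192.168.0.121 192.168.0.122"
#IP_ACCT_COUNT_REDIRECTED_PORTS="yes" # port redirects to local squid are taken as outgoing traffic (counted for this client)

#
# ICMP configuration
#
# (4) Source Quench            - Incoming & outgoing requests to slow down (flow control)
# (12) Parameter Problem    - Incoming & outgoing error messages
# (3) Destination Unreachable, Service Unavailable
#                             - Incoming & outgoing size negotiation, service or
#                              destination unavailability, final traceroute response
# (11) Time Exceeded        - Incoming & outgoing timeout conditions, also intermediate TTL response to traceroutes
# (0 | 8) Allow OUTPUT pings to anywhere

# default: echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed
# (iptables --icmp-type names; fragmentation-needed is required for path MTU discovery)
ACCEPT_ICMP_PACKETS="echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed"

#
# Shaping support
#
SHAPING_IFACE="eth1"

# one class name per word; each class gets its own eth1_SHAPING_*_<class> settings below
eth1_SHAPING_CLASSES="local internet"

eth1_SHAPING_NETMASK_local="192.168.0.0/16"
eth1_SHAPING_RATE_local=""
eth1_SHAPING_LATENCY_local=""
eth1_SHAPING_BURST_local=""

eth1_SHAPING_NETMASK_internet=""
eth1_SHAPING_RATE_internet="256kbit"
eth1_SHAPING_LATENCY_internet="50ms"
eth1_SHAPING_BURST_internet="1540"

#
# Custom rules
#
# Notes:
# - rule numbering starts with 0 (or 00, or 000)
# - you can use only numbers with the same width, so if you start with rule number 0,
#   you can go up to rule number 9; if you need more rules, start with 00 or 000
# - each value is passed to iptables as-is, so it has to be a complete rule specification
#

# Practical example (block all outgoing VPN traffic, except MySQL):
#
# CUSTOM_RULE_0="-I OUTPUT -o tap0 -m state --state NEW -j REJECT";
# CUSTOM_RULE_1="-I OUTPUT -o tap0 -d 10.138.10.1 -p TCP --dport 3307 -j ACCEPT";
# CUSTOM_RULE_2="-I OUTPUT -o tap0 -d 10.138.10.13 -p TCP --dport 3306 -j ACCEPT";
# CUSTOM_RULE_3="-I OUTPUT -o tap0 -d 10.138.10.14 -p TCP --dport 3306 -j ACCEPT";

# allow connect to TCP port 22 from all Slovakia subnets
# load_subnets is a helper defined by the firewall script that sources this
# file (it replaced the older map_subnet helper) - if the script reports
# "load_subnets: not found", the script and this config are from different versions
load_subnets ALL_ACCEPT_INPUT_TCP Slovakia 22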

