X-Git-Url: http://lab.mitty.jp/git/?a=blobdiff_plain;f=iptables%2Fufw%2Fbefore.rules;h=a26e52410bb37f5e5c4f36b74dbe95f5b04c8118;hb=49996391c0a72e72d2f07c9959e94f6036d621bb;hp=8177fb1f9fe47589e226e9aedf1f0984a074f398;hpb=ab902ad3696baaa38816efef2c2b60610daae511;p=lab.git
diff --git a/iptables/ufw/before.rules b/iptables/ufw/before.rules
index 8177fb1..a26e524 100644
--- a/iptables/ufw/before.rules
+++ b/iptables/ufw/before.rules
@@ -23,12 +23,31 @@
 # connection tracking rules
 -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # drop INVALID packets
 # uncomment to log INVALID packets
-#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
+-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10
 -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>)
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP
+
+## DROP CIFS(Samba) access from/to WAN(eth1)
+-A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP
+-A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP
+
+## Access from LAN
+-A ufw-before-input -i eth0 -j ACCEPT
+-A ufw-before-forward -i eth0 -j ACCEPT
+
 # connection tracking for outbound
 -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
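Review bot: The RFC 2827 ingress filter is only applied to ufw-before-forward, while the "Access from LAN" block ends with `-A ufw-before-input -i eth0 -j ACCEPT`, so a packet arriving on eth0 with a source outside 192.168.100.0/24 is dropped when it is being forwarded but accepted unconditionally when it is addressed to the firewall host itself. Adding the same filter to the input chain, ahead of the LAN accept, closes that gap: `-A ufw-before-input -i eth0 ! -s 192.168.100.0/24 -j DROP` (with the matching LOG line if the same visibility is wanted). The `-s ! 192.168.100.0/24` form used on the two forward rules is iptables' intrapositioned negation, which has been reported as deprecated for some time; `! -s 192.168.100.0/24` is the supported spelling and avoids a parse warning or failure on newer builds. Note also that the new `-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` sits above the ingress filter, so only the first packet of a flow is subject to the spoof check; that is the usual trade-off, but worth a comment so it is not "fixed" by reordering later.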
@@ -57,7 +76,7 @@
 # if BROADCAST, RETURN
 -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
--A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err
 # all other non-local packets are dropped
 -A ufw-not-local -j DROP