From: mitty
Date: Sat, 4 Jul 2009 22:12:46 +0000 (+0000)
Subject: * original rules from /etc/ufw/*.rules
X-Git-Tag: r89-trunk~67
X-Git-Url: http://lab.mitty.jp/git/?a=commitdiff_plain;h=ab902ad3696baaa38816efef2c2b60610daae511;p=lab.git

* original rules from /etc/ufw/*.rules

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@11 7d2118f6-f56c-43e7-95a2-4bb3031d96e7
---
diff --git a/iptables/ufw/after.rules b/iptables/ufw/after.rules
new file mode 100644
index 0000000..70b5624
--- /dev/null
+++ b/iptables/ufw/after.rules
@@ -0,0 +1,31 @@
+#
+# rules.input-after
+#
+# Rules that should be run after the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-after-input
+# ufw-after-output
+# ufw-after-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+# End required lines
+
+# don't log noisy services by default
+-A ufw-after-input -p udp --dport 137 -j RETURN
+-A ufw-after-input -p udp --dport 138 -j RETURN
+-A ufw-after-input -p tcp --dport 139 -j RETURN
+-A ufw-after-input -p tcp --dport 445 -j RETURN
+-A ufw-after-input -p udp --dport 67 -j RETURN
+-A ufw-after-input -p udp --dport 68 -j RETURN
+
+# catchall for logging
+-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
+-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
diff --git a/iptables/ufw/before.rules b/iptables/ufw/before.rules
new file mode 100644
index 0000000..8177fb1
--- /dev/null
+++ b/iptables/ufw/before.rules
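Review bot: The six RETURN rules under `# don't log noisy services by default` leave ufw-after-input before the LOG catchall, so NetBIOS/SMB (137/138/139/445) and DHCP (67/68) packets that end up blocked fall through to whatever the caller's policy is without ever being logged; on a host attached to an untrusted segment those are precisely the drops an operator would want visibility into. Only ufw-after-input and ufw-after-forward receive a LOG catchall, so locally generated output that ufw rejects is never logged either. Both behaviours come with the stock file the commit message says this was copied from, so a comment is enough for now: `# NOTE: the RETURNs above suppress logging of SMB/NetBIOS and DHCP drops; remove them if those drops should be visible`. The header line `# rules.input-after` is the old name of this file and no longer matches after.rules.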
@@ -0,0 +1,71 @@
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+# ufw-before-input
+# ufw-before-output
+# ufw-before-forward
+#
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+:ufw-before-input - [0:0]
+:ufw-before-output - [0:0]
+:ufw-before-forward - [0:0]
+:ufw-not-local - [0:0]
+# End required lines
+
+
+# allow all on loopback
+-A ufw-before-input -i lo -j ACCEPT
+-A ufw-before-output -i lo -j ACCEPT
+
+# connection tracking rules
+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# drop INVALID packets
+# uncomment to log INVALID packets
+#-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: "
+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
+
+# connection tracking for outbound
+-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# ok icmp codes
+-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
+-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
+
+# allow dhcp client to work
+-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
+
+#
+# ufw-not-local
+#
+-A ufw-before-input -j ufw-not-local
+
+# if LOCAL, RETURN
+-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
+
+# if MULTICAST, RETURN
+-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
+
+# if BROADCAST, RETURN
+-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
+
+-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
+
+# all other non-local packets are dropped
+-A ufw-not-local -j DROP
+
+# allow MULTICAST, be sure the MULTICAST line above is uncommented
+-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
+-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
+
+
+# don't delete the 'COMMIT' line or these rules won't be processed
+COMMIT
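Review bot: `-A ufw-before-output -i lo -j ACCEPT` under `# allow all on loopback` matches on the incoming interface, which is not set for locally generated packets, so this rule cannot accept anything on the output side; the output rule should match the outgoing interface instead, `-A ufw-before-output -o lo -j ACCEPT`. As written, loopback traffic leaving the host is accepted only when it is TCP or UDP via the `-m state` rules under `# connection tracking for outbound`, and anything else (ICMP to 127.0.0.1, for instance) falls through to whatever the caller of ufw-before-output decides. Separately, the two rules under `# allow MULTICAST` accept every packet destined to 224.0.0.0/4 regardless of protocol or port, and `-s 224.0.0.0/4` accepts any packet that merely claims a multicast source address, which should never appear as a source; narrowing these to the group and port actually needed (for mDNS that would be `-p udp -d 224.0.0.251 --dport 5353`) would close that gap. The mix of `-m state --state` and `-m conntrack --ctstate` in the same file is a minor inconsistency; `-m conntrack --ctstate` could be used throughout.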