source: lab/trunk/iptables/ufw/after.rules @ 13

Last change on this file since 13 was 13, checked in by mitty, 15 years ago
  • NEW setfilter now sets nat table
    • this feature clashes with setnapt.sh because both of them reset nat table
    • do not use them (setfilter and setnapt.sh) at the same time
  • accept connections to local services from WAN
    • ACCEPT and REDIRECT examples
File size: 1.2 KB
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-after-input
#   ufw-after-output
#   ufw-after-forward
#
# This file is in iptables-restore format: everything between "*filter" and
# "COMMIT" is loaded into the filter table in the order written, so the
# position of a rule within its chain matters (first match wins).

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines

## allow connections to the local services from WAN
# Both rules match only connection-opening packets (--syn plus --state NEW);
# the two tests overlap, which is harmless. Neither rule carries an
# interface match (-i), so they accept from every interface, not only the
# WAN one - "from WAN" above is the intent, not something the rule enforces.
# Because this chain is evaluated after the rules added with the ufw command
# line, a deny for the same port added there is expected to take precedence;
# verify with "ufw status verbose" after reloading.
# ssh 22/tcp
# NOTE(review): no rate limit on new ssh connections here; ufw's "limit"
# action (or an -m limit / -m recent match) would slow down brute-force
# login attempts against the service.
-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
# https 443/tcp
-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT

# don't log noisy services by default
# RETURN leaves this chain before the LOG catchall below, so these packets
# are neither accepted nor logged here; they continue with whatever follows
# ufw-after-input in the calling INPUT chain.
# 137/udp, 138/udp, 139/tcp, 445/tcp: NetBIOS/SMB broadcasts and probes
-A ufw-after-input -p udp --dport 137 -j RETURN
-A ufw-after-input -p udp --dport 138 -j RETURN
-A ufw-after-input -p tcp --dport 139 -j RETURN
-A ufw-after-input -p tcp --dport 445 -j RETURN
# 67/udp, 68/udp: DHCP server/client
-A ufw-after-input -p udp --dport 67 -j RETURN
-A ufw-after-input -p udp --dport 68 -j RETURN

# catchall for logging
# Everything still in the chain at this point is logged at level err with the
# given prefix. LOG is non-terminating: the packet continues after logging.
# -m limit caps output at 3 messages per minute with a burst of 10 so a flood
# cannot fill the log; packets above the cap are simply not logged.
-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err
-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT