- Timestamp:
- Jul 5, 2009 7:20:56 AM (15 years ago)
- Branches:
- master, trunk
- Children:
- 71b798c
- Parents:
- ab902ad
- Location:
- iptables/ufw
- Files:
-
- 2 added
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
iptables/ufw/after.rules
rab902ad r4999639 25 25 26 26 # catchall for logging 27 -A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " 28 -A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " 27 -A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err 28 -A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err 29 29 30 30 # don't delete the 'COMMIT' line or these rules won't be processed -
iptables/ufw/before.rules
rab902ad r4999639 24 24 # connection tracking rules 25 25 -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 26 -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 26 27 27 28 # drop INVALID packets 28 29 # uncomment to log INVALID packets 29 #-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " 30 -A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10 30 31 -A ufw-before-input -m conntrack --ctstate INVALID -j DROP 32 33 ## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>) 34 -A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10 35 -A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP 36 37 ## DROP CIFS(Samba) access from/to WAN(eth1) 38 -A ufw-before-input -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 39 -A ufw-before-input -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 40 -A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 41 -A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 42 -A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 43 -A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 44 -A ufw-before-output -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 45 -A ufw-before-output -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 46 47 ## Access from LAN 48 -A ufw-before-input -i eth0 -j ACCEPT 49 -A ufw-before-forward -i eth0 -j ACCEPT 31 50 32 51 # connection tracking for outbound … … 58 77 -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN 59 78 60 -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " 79 -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err 61 80 62 81 # all other non-local packets are dropped
Note: See TracChangeset
for help on using the changeset viewer.