Changeset 4999639 in lab.git for iptables


Ignore:
Timestamp:
Jul 5, 2009 7:20:56 AM (15 years ago)
Author:
mitty <mitty@…>
Branches:
master, trunk
Children:
71b798c
Parents:
ab902ad
Message:
  • change --log-level to "err"
  • accept FORWARD from LAN (eth0 with 192.168.100.0/24)
  • drop CIFS access from/to WAN (eth1)
  • accept access from LAN
  • add custom rules for 'setfilter' script
    • mangle.rules, raw.rules

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@12 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

Location:
iptables/ufw
Files:
2 added
2 edited

Legend:

Unmodified
Added
Removed
  • iptables/ufw/after.rules

    rab902ad r4999639  
    2525 
    2626# catchall for logging 
    27 -A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " 
    28 -A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " 
     27-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: " --log-level err 
     28-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: " --log-level err 
    2929 
    3030# don't delete the 'COMMIT' line or these rules won't be processed 
  • iptables/ufw/before.rules

    rab902ad r4999639  
    2424# connection tracking rules 
    2525-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
     26-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
    2627 
    2728# drop INVALID packets 
    2829# uncomment to log INVALID packets 
    29 #-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " 
     30-A ufw-before-input -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW BLOCK INVALID]: " --log-level err -m limit --limit 3/min --limit-burst 10 
    3031-A ufw-before-input -m conntrack --ctstate INVALID -j DROP 
     32 
     33## Ingress filter (see RFC 2827) (eth0:LAN<192.168.100.0/24>) 
     34-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j LOG --log-tcp-options --log-ip-options --log-prefix "[UFW BLOCK LOG_INGRESS]: " --log-level err -m limit --limit 3/min --limit-burst 10 
     35-A ufw-before-forward -i eth0 -s ! 192.168.100.0/24 -j DROP 
     36 
     37## DROP CIFS(Samba) access from/to WAN(eth1) 
     38-A ufw-before-input   -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 
     39-A ufw-before-input   -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 
     40-A ufw-before-forward -i eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 
     41-A ufw-before-forward -i eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 
     42-A ufw-before-forward -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 
     43-A ufw-before-forward -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 
     44-A ufw-before-output  -o eth1 -p tcp -m multiport --dports 135,137:139,445 -j DROP 
     45-A ufw-before-output  -o eth1 -p udp -m multiport --dports 135,137:139,445 -j DROP 
     46 
     47## Access from LAN 
     48-A ufw-before-input -i eth0 -j ACCEPT 
     49-A ufw-before-forward -i eth0 -j ACCEPT 
    3150 
    3251# connection tracking for outbound 
     
    5877-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN 
    5978 
    60 -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " 
     79-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: " --log-level err 
    6180 
    6281# all other non-local packets are dropped 
Note: See TracChangeset for help on using the changeset viewer.