Add default rule files for iptable/ip6tables from RHEL 5.8. Signed-off-by: Kai Kang <[email protected]> --- .../iptables/iptables/ip6tables.rules | 31 ++++++++++++++++++++++ .../iptables/iptables/iptables.rules | 30 +++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules create mode 100644 meta/recipes-extended/iptables/iptables/iptables.rules
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 0000000..bdd52ed
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.rules
@@ -0,0 +1,31 @@
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
diff --git a/meta/recipes-extended/iptables/iptables/iptables.rules b/meta/recipes-extended/iptables/iptables/iptables.rules
new file mode 100644
index 0000000..3d92ee0
--- /dev/null
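Review bot: The IPv6 rule set has no ESTABLISHED,RELATED rule like the IPv4 file does; instead the two `--dport 32768:61000` lines accept every unsolicited UDP datagram to the ephemeral port range and every non-SYN TCP segment to it from any source, and the per-port rules carry no `--state NEW` qualifier. On a kernel with IPv6 connection tracking (nf_conntrack_ipv6; presumably unavailable on RHEL 5, which is likely why the file is written this way) both ephemeral-range lines can be replaced by `-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` placed before the first per-port ACCEPT, matching iptables.rules. If IPv6 conntrack cannot be assumed on the target kernels, the file should at least carry a comment stating that the ephemeral-range rules stand in for stateful return-traffic handling and what they admit.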
+++ b/meta/recipes-extended/iptables/iptables/iptables.rules
@@ -0,0 +1,30 @@
+# Firewall configuration written by system-config-securitylevel
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:RH-Firewall-1-INPUT - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT
+-A FORWARD -j RH-Firewall-1-INPUT
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT
+-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
+-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
+-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
+-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
-- 1.9.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
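Review bot: Both files accept new connections to telnet (23), FTP (21), SMB (137-139, 445) and NFS (2049) from any source as the shipped default, so an image carrying these rules exposes each of those services the moment the matching daemon is installed; a distribution default is safer when it admits only loopback, ICMP, established/related traffic and ssh, leaving service ports for recipes or the image to append. The same applies to ip6tables.rules in the previous hunk. The two-line header `# Firewall configuration written by system-config-securitylevel` / `# Manual customization of this file is not recommended.` is also misleading in this tree, since there is no system-config-securitylevel in OE-core and this file is precisely what integrators are expected to edit; suggest `# Default iptables rules (derived from RHEL 5.8); edit to match the services the image ships.` in both files.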
