Author: baggins                      Date: Tue Dec 29 21:33:20 2009 GMT
Module: firewall-init                 Tag: HEAD
---- Log message:
- simplifications and readability fixes

---- Files affected:
firewall-init/firewall.d/ipv4:
   filter (1.14 -> 1.15) 

---- Diffs:

================================================================
Index: firewall-init/firewall.d/ipv4/filter
diff -u firewall-init/firewall.d/ipv4/filter:1.14 
firewall-init/firewall.d/ipv4/filter:1.15
--- firewall-init/firewall.d/ipv4/filter:1.14   Tue Dec 29 22:19:36 2009
+++ firewall-init/firewall.d/ipv4/filter        Tue Dec 29 22:33:15 2009
@@ -4,54 +4,85 @@
 
 OUTSIDE_IF=eth0
 
-# TCP
-ipv4_in_allow_tcp()
+ipv4_filter_FORWARD_rules()
 {
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+       # Block trojan ports:
+#      ipv4_trojan_killer FORWARD
+       # Block adverts if need be
+#      ipv4_ads_killer FORWARD
+       return
+}
+
+ipv4_filter_INPUT_rules()
+{
+       # INPUT
+       # Selective LOG/DROP/ACCEPT for ICMP
+#      $iptables -A INPUT -p icmp -j ICMP
+       # Check if someone is not scanning us first:
+#      $iptables -A INPUT -m psd -j SCAN
+
+#      $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 23 -j ACCEPT
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 37 -j ACCEPT
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 67:69 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 79 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 109 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 113 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 119 -j ACCEPT
 #      $iptables -A INPUT -p tcp -m state --state NEW --dport 123 -j ACCEPT
-#      $iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
-#      $iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
-#      $iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
-#      $iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
-       $iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 
515 -j ACCEPT
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
-       $iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT
-}
-
-# UDP
-ipv4_in_allow_udp()
-{
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 37 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 67 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 68 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 69 -j ACCEPT
 #      $iptables -A INPUT -p udp -m state --state NEW --dport 123 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 137:139 -j ACCEPT
 #      $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 143 -j ACCEPT
 #      $iptables -A INPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 177 -j ACCEPT
 #      $iptables -A INPUT -p udp -m state --state NEW --dport 177 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j ACCEPT
-#      $iptables -A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 220 -j ACCEPT
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 513:514 -j ACCEPT
+#      $iptables -A INPUT -i ! $OUTSIDE_IF -p tcp -m state --state NEW --dport 
515 -j ACCEPT
 #      $iptables -A INPUT -p udp -m state --state NEW --dport 517:518 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 873 -j ACCEPT
+#      $iptables -A INPUT -p tcp -m state --state NEW --dport 2121 -j ACCEPT
+
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 67:68 -j DROP
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j DROP
+#      $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j DROP
+
+#      ipv4_in_allow_rpc
+
+       # Block adverts if need be
+#      ipv4_ads_killer INPUT
+       # Block trojan ports:
+#      ipv4_trojan_killer INPUT
+
+       # DROP SSH brute force scans
+#      $iptables -N SSH_BRUTE_FORCE
+#      $iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j 
SSH_BRUTE_FORCE
+#      $iptables -A SSH_BRUTE_FORCE -s $MY_IP_ADDRESSES -j RETURN
+#      $iptables -A SSH_BRUTE_FORCE -s $MY_FRIENDS_IP_ADDRESSES -j RETURN
+#      $iptables -A SSH_BRUTE_FORCE -m recent --set --name SSH
+#      $iptables -A SSH_BRUTE_FORCE -m recent ! --rcheck --seconds 60 
--hitcount 6 --name SSH -j RETURN
+#      $iptables -A SSH_BRUTE_FORCE -m recent --update --name SSH
+#      $iptables -A SSH_BRUTE_FORCE -j LOG --log-prefix "SSH Brute Force 
Attempt: "
+#      $iptables -A SSH_BRUTE_FORCE -p tcp -j DROP
+
+       # Block and log everything else
+#      $iptables -A INPUT -m state --state NEW -j LDROP
        return
 }
 
-ipv4_in_drop_udp()
+ipv4_filter_OUTPUT_rules()
 {
-       $iptables -A INPUT -p udp -m state --state NEW --dport 67:68 -j DROP
-       $iptables -A INPUT -p udp -m state --state NEW --dport 137:139 -j DROP
-       $iptables -A INPUT -p udp -m state --state NEW --dport 513 -j DROP
+       return
 }
 
 # Allow RPC for internal net only
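Review bot: The port-515 template line in ipv4_filter_INPUT_rules keeps the intrapositioned negation `-i ! $OUTSIDE_IF`, which iptables 1.4.x reports as deprecated in favour of the extrapositioned form; when that line is uncommented it should read `$iptables -A INPUT ! -i $OUTSIDE_IF -p tcp -m state --state NEW --dport 515 -j ACCEPT`. Merging the former allow/drop helpers into one list also places the UDP DROP templates for 67:68, 137:139 and 513 below ACCEPT templates that cover the same ports (67:69, 137:139, 513:514); since the first matching rule wins, enabling both sets would leave the DROP lines dead, so a comment above them such as `# Alternatives to the ACCEPT lines above: first match wins, enable only one per port` would prevent that trap. With every rule commented out, the function's only live statement is `return`; if the body is meant as a template to be selectively uncommented, a one-line header comment saying so would make that explicit. The LDROP target on the last template line is presumably defined elsewhere in the file, outside this hunk.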
@@ -87,56 +118,4 @@
        cat $FIREWALL_DIR/trojan.ports | while read LINIA; do
                $iptables -A $CLASS -p tcp -m state --state NEW -m multiport 
--port $LINIA -j REJECT --reject-with icmp-port-unreachable
        done
-}
-
-ipv4_ssh_brute_force_killer()
-{
-       $iptables -N SSH_BRUTE_FORCE
-       $iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j 
SSH_BRUTE_FORCE 
-#      $iptables -A SSH_BRUTE_FORCE -s $MY_IP_ADDRESSES -j RETURN
-#      $iptables -A SSH_BRUTE_FORCE -s $MY_FRIENDS_IP_ADDRESSES -j RETURN
-       $iptables -A SSH_BRUTE_FORCE -m recent --set --name SSH
-       $iptables -A SSH_BRUTE_FORCE -m recent ! --rcheck --seconds 60 
--hitcount 6 --name SSH -j RETURN 
-       $iptables -A SSH_BRUTE_FORCE -m recent --update --name SSH
-       $iptables -A SSH_BRUTE_FORCE -j LOG --log-prefix "SSH Brute Force 
Attempt: " 
-       $iptables -A SSH_BRUTE_FORCE -p tcp -j TARPIT 
-}
-
-ipv4_filter_FORWARD_rules()
-{
-#      # Block trojan ports:
-#      ipv4_trojan_killer FORWARD
-#      # Block adverts if need be
-#      ipv4_ads_killer FORWARD
-       return
-}
-
-ipv4_filter_INPUT_rules()
-{
-#      # INPUT
-#      # Selective LOG/DROP/ACCEPT for ICMP
-#      $iptables -A INPUT -p icmp -j ICMP
-#      # Check if someone is not scanning us first:
-#      $iptables -A INPUT -m psd -j SCAN
-#
-#      ipv4_in_allow_tcp
-#      ipv4_in_allow_udp
-#      ipv4_in_drop_udp
-#      ipv4_in_allow_rpc
-#
-#      $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-#      # Block adverts if need be
-#      ipv4_ads_killer INPUT
-#      # Block trojan ports:
-#      ipv4_trojan_killer INPUT
-#      TARPIT SSH brute force scans
-#      ipv4_ssh_brute_force_killer()
-#      # Block everything else
-#      $iptables -A INPUT -m state --state NEW -j LDROP
-       return
-}
-
-ipv4_filter_OUTPUT_rules()
-{
-       return
 }
================================================================

---- CVS-web:
    
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/firewall-init/firewall.d/ipv4/filter?r1=1.14&r2=1.15&f=u
