Changeset 018c0cc3 for postlfs/security/iptables.xml
- Timestamp:
- 03/05/2020 08:54:16 PM (4 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- f11d372a
- Parents:
- bbe17e2
- File:
-
- 1 edited
postlfs/security/iptables.xml
rbbe17e2 r018c0cc3 75 75 <bridgehead renderas="sect4">Optional</bridgehead> 76 76 <para role="optional"> 77 <!--<xref linkend="nftables"/>, -->77 <!-- <xref linkend="nftables"/>, --> 78 78 <xref linkend="libpcap"/> (required for nfsypproxy support), 79 79 <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink> 80 80 (required for Berkely Packet Filter support), 81 81 <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink> 82 (required for connlabel support), and83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink> 82 (required for connlabel support), 83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and 84 84 (required for connlabel support) 85 <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink> 85 86 </para> 86 87 … … 114 115 Include any connection tracking protocols that will be used, as well as 115 116 any protocols that you wish to use for match support under the 116 "Core Netfilter Configuration" section. <!--The above options are enough117 for running <xref linkend="fw-persFw-ipt"/> below. -->117 "Core Netfilter Configuration" section. The above options are enough 118 for running <xref linkend="fw-persFw-ipt"/> below. 118 119 </para> 119 120 … … 210 211 211 212 </sect2> 212 <!-- 213 213 214 <sect2 role="configuration"> 214 215 <title>Configuring iptables</title> 215 216 <!-- 216 217 <note> 217 218 <para> … … 223 224 </para> 224 225 </note> 225 226 --> 226 227 <note> 227 228 <para> … … 319 320 # and permit new connections related to established ones 320 321 # (e.g. port mode ftp) 321 322 iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 322 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 323 323 324 324 # Log everything else. What's Windows' latest exploitable vulnerability? 
325 iptables -A INPUT -j LOG - 325 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 326 326 327 327 # End $rc_base/rc.iptables</literal> … … 398 398 # and permit new connections related to established ones 399 399 # (e.g. port mode ftp) 400 iptables -A INPUT -m conntrack - 400 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 401 401 402 402 # Log everything else. What's Windows' latest exploitable vulnerability? 403 iptables -A INPUT -j LOG - 403 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 404 404 405 405 # End /etc/systemd/scripts/iptables</literal> … … 519 519 520 520 # Allow forwarding if the initiated on the intranet 521 iptables -A FORWARD -m conntrack - 522 iptables -A FORWARD ! -i WAN1 -m conntrack - 521 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 522 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT 523 523 524 524 # Do masquerading … … 528 528 # Log everything for debugging 529 529 # (last of all rules, but before policy rules) 530 iptables -A INPUT -j LOG - 531 iptables -A FORWARD -j LOG - 532 iptables -A OUTPUT -j LOG - 530 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 531 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 532 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 533 533 534 534 # Enable IP Forwarding … … 613 613 614 614 # Allow forwarding if the initiated on the intranet 615 iptables -A FORWARD -m conntrack - 616 iptables -A FORWARD ! -i WAN1 -m conntrack - 615 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 616 iptables -A FORWARD ! 
-i WAN1 -m conntrack --ctstate NEW -j ACCEPT 617 617 618 618 # Do masquerading … … 622 622 # Log everything for debugging 623 623 # (last of all rules, but before policy rules) 624 iptables -A INPUT -j LOG - 625 iptables -A FORWARD -j LOG - 626 iptables -A OUTPUT -j LOG - 624 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 625 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 626 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 627 627 628 628 # Enable IP Forwarding … … 633 633 634 634 # Allow ping on the external interface 635 #iptables -A INPUT -p icmp -m icmp - 636 #iptables -A OUTPUT -p icmp -m icmp - 635 #iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 636 #iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT 637 637 638 638 # Reject ident packets with TCP reset to avoid delays with FTP or IRC 639 #iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset639 #iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 640 640 641 641 # Allow HTTP and HTTPS to 192.168.0.2 642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT --to 192.168.0.2643 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT --to 192.168.0.2644 #iptables -A FORWARD -p tcp -d 192.168.0.2 - 645 #iptables -A FORWARD -p tcp -d 192.168.0.2 - 642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2 643 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2 644 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT 645 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT 646 646 647 647 # End /etc/systemd/scripts/iptables</literal> … … 706 706 </para> 707 707 708 <screen><literal>iptables -A INPUT -m conntrack - 708 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 709 709 iptables -A OUTPUT -j ACCEPT</literal></screen> 710 710 … … 732 732 </para> 733 733 734 
<screen><literal>iptables -A OUTPUT -p tcp - 735 iptables -A INPUT -p tcp - -sport 80 -m conntrack --ctstate ESTABLISHED \734 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 735 iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ 736 736 -j ACCEPT</literal></screen> 737 737 … … 742 742 </para> 743 743 744 <screen><literal>iptables -A OUTPUT -p udp - 744 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> 745 745 746 746 </listitem> … … 751 751 </para> 752 752 753 <screen><literal>iptables -A INPUT -p icmp -m icmp - 754 iptables -A OUTPUT -p icmp -m icmp - 753 <screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 754 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen> 755 755 756 756 </listitem> … … 770 770 </para> 771 771 772 <screen><literal>iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset</literal></screen>772 <screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen> 773 773 774 774 </listitem> … … 780 780 </para> 781 781 782 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - 783 -j LOG - 784 iptables -I INPUT 1 -p tcp -m conntrack - 782 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ 783 -j LOG --log-prefix "FIREWALL:INVALID " 784 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen> 785 785 786 786 </listitem> … … 807 807 </para> 808 808 809 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 - 810 -d 255.255.255.255 - 809 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \ 810 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen> 811 811 812 812 </listitem> … … 863 863 864 864 </sect2> 865 --> 865 866 866 <sect2 role="content"> 867 867 <title>Contents</title>
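Review bot: in the Optional dependency hunk (new lines 82-85) the ", and" now sits after `libnetfilter_conntrack"</ulink>` but before that entry's own parenthetical, so the rendered sentence reads "libnetfilter_conntrack, and (required for connlabel support) nftables". Move the ", and" to the end of line 84 (`(required for connlabel support), and`), drop the comma after the `</ulink>` on line 83, and give the new nftables entry a short reason in parentheses like the other optional entries have. While touching line 83, the stray double quote in `libnetfilter_conntrack"</ulink>` is pre-existing and could be dropped in the same change.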
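Review bot: uncommenting "The above options are enough for running <xref linkend="fw-persFw-ipt"/> below." (new lines 117-118) only resolves because the same changeset re-enables the "Configuring iptables" section that carries that id; if either hunk is reverted on its own the xref will fail at build time, so the two hunks should stay together and the commit message should say the section was restored.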
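Review bot: removing the outer `<!--` on old line 212 (and the matching `-->` on old line 865) leaves the inner `<!-- <note> ... --> ` block at new lines 216-226 still commented out. XML does not allow `--` inside a comment, which is consistent with the mangled `- -ctstate` and `-j LOG -` forms seen in the old text of the screen blocks while the section was disabled. Now that the section is live, either restore the note or delete it outright rather than carrying a commented block, and check the remaining commented text for any `--` sequence.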
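Review bot: `iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "` on new line 325 (and the same rule on line 403, plus the INPUT/FORWARD/OUTPUT LOG rules on lines 530-532 and 624-626) logs every packet that reaches the end of the chain with no rate limit, so a host facing the Internet can flood the kernel log. Since the comment already calls these debugging rules, either say in the surrounding prose that they should be removed or rate-limited once the ruleset is settled, or add a `-m limit` match in front of `-j LOG`.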
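Review bot: the unchanged context comment "# Allow forwarding if the initiated on the intranet" (line 520, repeated on line 614) has a stray "the"; it should read "# Allow forwarding if initiated on the intranet". Worth fixing while these two hunks are being edited anyway.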
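Review bot: `iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID -j LOG ...` on new line 782 uses rule position 0, which iptables rejects because rule numbers start at 1, so the LOG rule is never installed. Even if it were, inserting the DROP rule at position 1 afterwards (line 784) would place it ahead of the LOG rule. Use `-I INPUT 1` for the LOG rule and `-I INPUT 2` for the DROP rule, or append both with `-A` in that order, so INVALID packets are logged before they are dropped.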