Changeset f7415c4d for postlfs/security/iptables.xml
Timestamp: 02/26/2020 04:20:10 PM
Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children: 44621c7
Parents: 8a9f48c
Files: 1 edited
postlfs/security/iptables.xml
r8a9f48c rf7415c4d 75 75 <bridgehead renderas="sect4">Optional</bridgehead> 76 76 <para role="optional"> 77 <xref linkend="nftables"/>,77 <!-- <xref linkend="nftables"/>, --> 78 78 <xref linkend="libpcap"/> (required for nfsypproxy support), 79 79 <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink> … … 114 114 Include any connection tracking protocols that will be used, as well as 115 115 any protocols that you wish to use for match support under the 116 "Core Netfilter Configuration" section. The above options are enough117 for running <xref linkend="fw-persFw-ipt"/> below. 116 "Core Netfilter Configuration" section. <!--The above options are enough 117 for running <xref linkend="fw-persFw-ipt"/> below.--> 118 118 </para> 119 119 … … 183 183 <para> 184 184 <parameter>--disable-nftables</parameter>: This switch disables building 185 nftables compat. Omit this switch if you have installed186 <xref linkend="nftables"/>. 185 nftables compat. <!--Omit this switch if you have installed 186 <xref linkend="nftables"/>.--> 187 187 </para> 188 188 … … 210 210 211 211 </sect2> 212 212 <!-- 213 213 <sect2 role="configuration"> 214 214 <title>Configuring iptables</title> … … 319 319 # and permit new connections related to established ones 320 320 # (e.g. port mode ftp) 321 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 321 322 iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 322 323 323 324 # Log everything else. What's Windows' latest exploitable vulnerability? 324 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "325 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT " 325 326 326 327 # End $rc_base/rc.iptables</literal> … … 397 398 # and permit new connections related to established ones 398 399 # (e.g. 
port mode ftp) 399 iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT400 iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 400 401 401 402 # Log everything else. What's Windows' latest exploitable vulnerability? 402 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "403 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT " 403 404 404 405 # End /etc/systemd/scripts/iptables</literal> … … 518 519 519 520 # Allow forwarding if the initiated on the intranet 520 iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT521 iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW -j ACCEPT521 iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 522 iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW -j ACCEPT 522 523 523 524 # Do masquerading … … 527 528 # Log everything for debugging 528 529 # (last of all rules, but before policy rules) 529 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "530 iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "531 iptables -A OUTPUT -j LOG - -log-prefix "FIREWALL:OUTPUT "530 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT " 531 iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD " 532 iptables -A OUTPUT -j LOG - -log-prefix "FIREWALL:OUTPUT " 532 533 533 534 # Enable IP Forwarding … … 612 613 613 614 # Allow forwarding if the initiated on the intranet 614 iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT615 iptables -A FORWARD ! -i WAN1 -m conntrack - -ctstate NEW -j ACCEPT615 iptables -A FORWARD -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 616 iptables -A FORWARD ! 
-i WAN1 -m conntrack - -ctstate NEW -j ACCEPT 616 617 617 618 # Do masquerading … … 621 622 # Log everything for debugging 622 623 # (last of all rules, but before policy rules) 623 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT "624 iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD "625 iptables -A OUTPUT -j LOG - -log-prefix "FIREWALL:OUTPUT "624 iptables -A INPUT -j LOG - -log-prefix "FIREWALL:INPUT " 625 iptables -A FORWARD -j LOG - -log-prefix "FIREWALL:FORWARD " 626 iptables -A OUTPUT -j LOG - -log-prefix "FIREWALL:OUTPUT " 626 627 627 628 # Enable IP Forwarding … … 632 633 633 634 # Allow ping on the external interface 634 #iptables -A INPUT -p icmp -m icmp - -icmp-type echo-request -j ACCEPT635 #iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply -j ACCEPT635 #iptables -A INPUT -p icmp -m icmp - -icmp-type echo-request -j ACCEPT 636 #iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply -j ACCEPT 636 637 637 638 # Reject ident packets with TCP reset to avoid delays with FTP or IRC 638 #iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset639 #iptables -A INPUT -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset 639 640 640 641 # Allow HTTP and HTTPS to 192.168.0.2 641 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT --to 192.168.0.2642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT --to 192.168.0.2643 #iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 80 -j ACCEPT644 #iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 443 -j ACCEPT642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT - -to 192.168.0.2 643 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT - -to 192.168.0.2 644 #iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 80 -j ACCEPT 645 #iptables -A FORWARD -p tcp -d 192.168.0.2 - -dport 443 -j ACCEPT 645 646 646 647 # End /etc/systemd/scripts/iptables</literal> … … 705 706 </para> 706 707 707 <screen><literal>iptables -A INPUT -m 
conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT708 <screen><literal>iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 708 709 iptables -A OUTPUT -j ACCEPT</literal></screen> 709 710 … … 731 732 </para> 732 733 733 <screen><literal>iptables -A OUTPUT -p tcp - -dport 80 -j ACCEPT734 iptables -A INPUT -p tcp - -sport 80 -m conntrack --ctstate ESTABLISHED \734 <screen><literal>iptables -A OUTPUT -p tcp - -dport 80 -j ACCEPT 735 iptables -A INPUT -p tcp - -sport 80 -m conntrack - -ctstate ESTABLISHED \ 735 736 -j ACCEPT</literal></screen> 736 737 … … 741 742 </para> 742 743 743 <screen><literal>iptables -A OUTPUT -p udp - -dport 53 -j ACCEPT</literal></screen>744 <screen><literal>iptables -A OUTPUT -p udp - -dport 53 -j ACCEPT</literal></screen> 744 745 745 746 </listitem> … … 750 751 </para> 751 752 752 <screen><literal>iptables -A INPUT -p icmp -m icmp - -icmp-type echo-request -j ACCEPT753 iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply -j ACCEPT</literal></screen>753 <screen><literal>iptables -A INPUT -p icmp -m icmp - -icmp-type echo-request -j ACCEPT 754 iptables -A OUTPUT -p icmp -m icmp - -icmp-type echo-reply -j ACCEPT</literal></screen> 754 755 755 756 </listitem> … … 769 770 </para> 770 771 771 <screen><literal>iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset</literal></screen>772 <screen><literal>iptables -A INPUT -p tcp - -dport 113 -j REJECT - -reject-with tcp-reset</literal></screen> 772 773 773 774 </listitem> … … 779 780 </para> 780 781 781 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID \782 -j LOG - -log-prefix "FIREWALL:INVALID "783 iptables -I INPUT 1 -p tcp -m conntrack - -ctstate INVALID -j DROP</literal></screen>782 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID \ 783 -j LOG - -log-prefix "FIREWALL:INVALID " 784 iptables -I INPUT 1 -p tcp -m conntrack - -ctstate INVALID -j DROP</literal></screen> 784 785 785 786 </listitem> … … 806 
807 </para> 807 808 808 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 - -sport 67 \809 -d 255.255.255.255 - -dport 68 -j ACCEPT</literal></screen>809 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 - -sport 67 \ 810 -d 255.255.255.255 - -dport 68 -j ACCEPT</literal></screen> 810 811 811 812 </listitem> … … 862 863 863 864 </sect2> 864 865 --> 865 866 <sect2 role="content"> 866 867 <title>Contents</title>
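Review bot: wrapping the whole "Configuring iptables" sect2 in an XML comment (the `<!--` at 212 and `-->` at 865) forces every double dash inside it to be rewritten, because `--` is not permitted inside an XML comment; that is why `--ctstate` (321), `--reject-with` (638) and `--to` (641, 642) become `- -ctstate`, `- -reject-with` and `- -to`. Those rewritten commands are no longer valid iptables invocations, so if the section is ever uncommented the examples will fail until someone reverses every substitution. Prefer hiding the section with a profiling attribute or by moving it to a file that is not included in the build, so the `--` forms survive intact.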
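Review bot: the nftables cross-references at 77 and 185-186 are commented out rather than removed, and the `--disable-nftables` paragraph now ends at "This switch disables building nftables compat." with nothing telling the reader when to omit the switch (the rest of the sentence is inside the comment). If the nftables page has been dropped from the book, state the condition in plain text, for example "Omit this switch if nftables is installed", instead of leaving a dangling commented xref; the same applies to the sentence commented out at 116-117, whose xref target is now inside the commented section.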
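Review bot: `iptables -I INPUT 0 -p tcp -m conntrack - -ctstate INVALID ...` at 782 cannot work as written even once the dashes are restored: the position argument to `-I` is 1-based and iptables rejects a rule number of 0 as an invalid rule number. This is pre-existing, but the line is touched by this change, so fix it while here: insert the LOG rule with `-I INPUT 1` and the DROP on the next line with `-I INPUT 2`, or insert the DROP first at 1 and then the LOG at 1, so that the logging rule really precedes the drop.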