• file
• latest
• revisions
• annotate
• diff
• comparison
• raw

etc/eth0-input.conf.example@92045b0e8e17 (annotated)

etc/eth0-input.conf.example

Thu, 18 Dec 2014 16:56:55 +0100

author

Michiel Broek <mbroek@mbse.eu>

date

Thu, 18 Dec 2014 16:56:55 +0100

changeset 4

92045b0e8e17

parent 0

d4d23e51be4f

permissions

-rw-r--r--

ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16

0 d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	1	# /etc/mbse-firewall/conf.d/eth0-input.conf
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	2	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	3	# This table is ; separated. From the data in the fields ip(6)tables commands
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	4	# are created by the main program. The filename of this file is
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	5	# <iface>-[forward|input|output|postrouting|prerouting].conf and from this name
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	6	# the initial part of the command is created.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	7	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	8	# The first field is a 4 or 6 and defines if this is a IPv4 or IPv6 rule.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	9	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	10	# The second field is tha -t table type. Values are nat, mangle ... or empty
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	11	# for the default filter type.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	12	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	13	# The 3rd field is the protocol, tcp, udp, igmp, raw etc.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	14	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	15	# The 4th field is the source address or source network. Valid notations
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	16	# are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	17	# 2001:1af8:feb8:7e96::2/64 or 0/0 for any.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	18	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	19	# The 5th field is the source port or ports. Ports may be command separated
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	20	# or ranges or a combination of that. See man iptables for the syntax.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	21	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	22	# The 6th field is the destination address.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	23	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	24	# The 7th field is the destination port or ports
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	25	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	26	# The 8th field is the action, can be any valid action like:
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	27	# DROP
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	28	# ACCEPT
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	29	# REJECT --reject-with tcp-reset
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	30	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	31	# The 9th field is special tests, for example:
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	32	# -m state --state NEW
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	33	# -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	34	# -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	35	# -m connlimit --connlimit-above 35
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	36	# If you want, write several conditions in the same field.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	37
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	38	# Maximum connections per source IP
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	39	4;;;;;;;DROP;-m connlimit --connlimit-above 35
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	40
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	41	# Allow SSH
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	42	4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	43	6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	44
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	45	# Allow CUPS
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	46	4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	47	4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	48
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	49	# Allow Samba
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	50	4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	51	4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	52
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	53	# Rate limited web
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	54	4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	55	6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	56
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	57	# DHCP
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	58	4;;udp;;67;255.255.255.255;68;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	59	4;;udp;;68;255.255.255.255;67;ACCEPT;