• file
• latest
• revisions
• annotate
• diff
• comparison
• raw

etc/eth0-output.conf.example@92045b0e8e17 (annotated)

etc/eth0-output.conf.example

Thu, 18 Dec 2014 16:56:55 +0100

author

Michiel Broek <mbroek@mbse.eu>

date

Thu, 18 Dec 2014 16:56:55 +0100

changeset 4

92045b0e8e17

parent 0

d4d23e51be4f

permissions

-rw-r--r--

ipset now adds the hostname to the blocklists so that the firewall scripts works on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router sollicitaion and neighbour sollicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16

0 d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	1	# /etc/mbse-firewall/conf.d/eth0-output.conf
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	2	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	3	# This table is ; separated. From the data in the fields ip(6)tables commands
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	4	# are created by the main program. The filename of this file is
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	5	# <iface>-[forward|input|output|postrouting|prerouting].conf and from this name
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	6	# the initial part of the command is created.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	7	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	8	# The first field is a 4 or 6 and defines if this is a IPv4 or IPv6 rule.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	9	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	10	# The second field is tha -t table type. Values are nat, mangle ... or empty
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	11	# for the default filter type.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	12	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	13	# The 3rd field is the protocol, tcp, udp, igmp, raw etc.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	14	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	15	# The 4th field is the source address or source network. Valid notations
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	16	# are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	17	# 2001:1af8:feb8:7e96::2/64 or 0/0 for any.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	18	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	19	# The 5th field is the source port or ports. Ports may be command separated
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	20	# or ranges or a combination of that. See man iptables for the syntax.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	21	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	22	# The 6th field is the destination address.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	23	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	24	# The 7th field is the destination port or ports
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	25	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	26	# The 8th field is the action, can be any valid action like:
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	27	# DROP
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	28	# ACCEPT
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	29	# REJECT --reject-with tcp-reset
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	30	#
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	31	# The 9th field is special tests, for example:
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	32	# -m state --state NEW
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	33	# -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	34	# -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	35	# -m connlimit --connlimit-above 35
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	36	# If you want, write several conditions in the same field.
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	37
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	38	# Log all traffic
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	39	4;;;;;;;NFLOG --nflog-group 1
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	40	6;;;;;;;NFLOG --nflog-group 1
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	41
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	42	# Allow all traffic out
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	43	4;;tcp;;;;;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	44	4;;udp;;;;;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	45	6;;tcp;;;;;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	46	6;;udp;;;;;ACCEPT;
d4d23e51be4f Initial import Michiel Broek <mbroek@mbse.eu> parents: diff changeset	47