1 # /etc/mbse-firewall/conf.d/eth0-input.conf |
2 # |
3 # This table is ;-separated. From the data in the fields ip(6)tables commands |
4 # are created by the main program. The filename of this file is |
5 # <iface>-[forward|input|output|postrouting|prerouting].conf and from this name |
6 # the initial part of the command is created. |
7 # |
8 # The first field is a 4 or 6 and defines whether this is an IPv4 or IPv6 rule. |
9 # |
10 # The second field is the -t table type. Values are nat, mangle ... or empty |
11 # for the default filter type. |
12 # |
13 # The 3rd field is the protocol, tcp, udp, igmp, raw etc. |
14 # |
15 # The 4th field is the source address or source network. Valid notations |
16 # are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2 |
17 # 2001:1af8:feb8:7e96::2/64 or 0/0 for any. |
18 # |
19 # The 5th field is the source port or ports. Ports may be comma separated |
20 # or ranges or a combination of that. See man iptables for the syntax. |
21 # |
22 # The 6th field is the destination address. |
23 # |
24 # The 7th field is the destination port or ports. |
25 # |
26 # The 8th field is the action, can be any valid action like: |
27 # DROP |
28 # ACCEPT |
29 # REJECT --reject-with tcp-reset |
30 # |
31 # The 9th field is for special tests (additional match options), for example: |
32 # -m state --state NEW |
33 # -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent |
34 # -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn |
35 # -m connlimit --connlimit-above 35 |
36 # Several conditions may be combined in the same field. |
37 |
38 # Maximum connections per source IP |
39 4;;;;;;;DROP;-m connlimit --connlimit-above 35 |
40 |
41 # Allow SSH |
42 4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW |
43 6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW |
44 |
45 # Allow CUPS |
46 4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; |
47 4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; |
48 |
49 # Allow Samba |
50 4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT; |
51 4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT; |
52 |
53 # Rate limited web |
54 4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server |
55 6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server |
56 |
57 # DHCP |
58 4;;udp;;67;255.255.255.255;68;ACCEPT; |
59 4;;udp;;68;255.255.255.255;67;ACCEPT; |