Mercurial > mbse-firewall / file comparison
comparison: etc/eth0-input.conf.example
etc/eth0-input.conf.example
- changeset 0
- d4d23e51be4f
equal
deleted
inserted
replaced
| -1:000000000000 | 0:d4d23e51be4f |
|---|---|
| 1 # /etc/mbse-firewall/conf.d/eth0-input.conf | |
| 2 # | |
| 3 # This table is ; separated. From the data in the fields ip(6)tables commands | |
| 4 # are created by the main program. The filename of this file is | |
| 5 # <iface>-[forward|input|output|postrouting|prerouting].conf and from this name | |
| 6 # the initial part of the command is created. | |
| 7 # | |
| 8 # The first field is a 4 or 6 and defines if this is a IPv4 or IPv6 rule. | |
| 9 # | |
| 10 # The second field is tha -t table type. Values are nat, mangle ... or empty | |
| 11 # for the default filter type. | |
| 12 # | |
| 13 # The 3rd field is the protocol, tcp, udp, igmp, raw etc. | |
| 14 # | |
| 15 # The 4th field is the source address or source network. Valid notations | |
| 16 # are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2 | |
| 17 # 2001:1af8:feb8:7e96::2/64 or 0/0 for any. | |
| 18 # | |
| 19 # The 5th field is the source port or ports. Ports may be command separated | |
| 20 # or ranges or a combination of that. See man iptables for the syntax. | |
| 21 # | |
| 22 # The 6th field is the destination address. | |
| 23 # | |
| 24 # The 7th field is the destination port or ports | |
| 25 # | |
| 26 # The 8th field is the action, can be any valid action like: | |
| 27 # DROP | |
| 28 # ACCEPT | |
| 29 # REJECT --reject-with tcp-reset | |
| 30 # | |
| 31 # The 9th field is special tests, for example: | |
| 32 # -m state --state NEW | |
| 33 # -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent | |
| 34 # -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn | |
| 35 # -m connlimit --connlimit-above 35 | |
| 36 # If you want, write several conditions in the same field. | |
| 37 | |
| 38 # Maximum connections per source IP | |
| 39 4;;;;;;;DROP;-m connlimit --connlimit-above 35 | |
| 40 | |
| 41 # Allow SSH | |
| 42 4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW | |
| 43 6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW | |
| 44 | |
| 45 # Allow CUPS | |
| 46 4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; | |
| 47 4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; | |
| 48 | |
| 49 # Allow Samba | |
| 50 4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT; | |
| 51 4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT; | |
| 52 | |
| 53 # Rate limited web | |
| 54 4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server | |
| 55 6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server | |
| 56 | |
| 57 # DHCP | |
| 58 4;;udp;;67;255.255.255.255;68;ACCEPT; | |
| 59 4;;udp;;68;255.255.255.255;67;ACCEPT; |
