--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/etc/eth0-input.conf.example Thu Jan 30 14:46:10 2014 +0100 @@ -0,0 +1,59 @@ +# /etc/mbse-firewall/conf.d/eth0-input.conf +# +# This table is ; separated. From the data in the fields ip(6)tables commands +# are created by the main program. The filename of this file is +# <iface>-[forward|input|output|postrouting|prerouting].conf and from this name +# the initial part of the command is created. +# +# The first field is a 4 or 6 and defines if this is a IPv4 or IPv6 rule. +# +# The second field is tha -t table type. Values are nat, mangle ... or empty +# for the default filter type. +# +# The 3rd field is the protocol, tcp, udp, igmp, raw etc. +# +# The 4th field is the source address or source network. Valid notations +# are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2 +# 2001:1af8:feb8:7e96::2/64 or 0/0 for any. +# +# The 5th field is the source port or ports. Ports may be command separated +# or ranges or a combination of that. See man iptables for the syntax. +# +# The 6th field is the destination address. +# +# The 7th field is the destination port or ports +# +# The 8th field is the action, can be any valid action like: +# DROP +# ACCEPT +# REJECT --reject-with tcp-reset +# +# The 9th field is special tests, for example: +# -m state --state NEW +# -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent +# -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn +# -m connlimit --connlimit-above 35 +# If you want, write several conditions in the same field. + +# Maximum connections per source IP +4;;;;;;;DROP;-m connlimit --connlimit-above 35 + +# Allow SSH +4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW +6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW + +# Allow CUPS +4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; +4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; + +# Allow Samba +4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT; +4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT; + +# Rate limited web +4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server +6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server + +# DHCP +4;;udp;;67;255.255.255.255;68;ACCEPT; +4;;udp;;68;255.255.255.255;67;ACCEPT;