Mercurial > mbse-firewall / file diff

diff: etc/eth0-input.conf.example

etc/eth0-input.conf.example

changeset 0
d4d23e51be4f
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/eth0-input.conf.example	Thu Jan 30 14:46:10 2014 +0100
@@ -0,0 +1,59 @@
+# /etc/mbse-firewall/conf.d/eth0-input.conf
+#
+# This table is ; separated. From the data in the fields ip(6)tables commands
+# are created by the main program. The filename of this file is 
+# <iface>-[forward|input|output|postrouting|prerouting].conf and from this name
+# the initial part of the command is created.
+#
+# The first field is a 4 or 6 and defines if this is a IPv4 or IPv6 rule.
+#
+# The second field is tha -t table type. Values are nat, mangle ... or empty
+# for the default filter type.
+#
+# The 3rd field is the protocol, tcp, udp, igmp, raw etc.
+#
+# The 4th field is the source address or source network. Valid notations
+# are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2
+# 2001:1af8:feb8:7e96::2/64 or 0/0 for any.
+#
+# The 5th field is the source port or ports. Ports may be command separated
+# or ranges or a combination of that. See man iptables for the syntax.
+#
+# The 6th field is the destination address.
+#
+# The 7th field is the destination port or ports
+#
+# The 8th field is the action, can be any valid action like:
+#    DROP 
+#    ACCEPT
+#    REJECT --reject-with tcp-reset
+#
+# The 9th field is special tests, for example:
+#    -m state --state NEW
+#    -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent
+#    -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn
+#    -m connlimit --connlimit-above 35
+# If you want, write several conditions in the same field.
+
+# Maximum connections per source IP
+4;;;;;;;DROP;-m connlimit --connlimit-above 35
+
+# Allow SSH
+4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW
+6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW
+
+# Allow CUPS
+4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT;
+4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT;
+
+# Allow Samba
+4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT;
+4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT;
+
+# Rate limited web
+4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW  -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server
+6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW  -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server
+
+# DHCP
+4;;udp;;67;255.255.255.255;68;ACCEPT;
+4;;udp;;68;255.255.255.255;67;ACCEPT;

Mercurial Repository: mbse-firewall

mercurial