Sun, 26 Feb 2023 15:23:19 +0100
Make sure ipset tables exist.
0 | 1 | # /etc/mbse-firewall/conf.d/eth0-input.conf |
2 | # | |
3 | # This table is semicolon (;) separated. The main program creates the | |
4 | # ip(6)tables commands from the data in the fields. The filename of this file is | |
5 | # <iface>-[forward|input|output|postrouting|prerouting].conf and the initial | |
6 | # part of each command is created from this name. | |
7 | # | |
8 | # The first field is a 4 or 6 and defines whether this is an IPv4 or IPv6 rule. | |
9 | # | |
10 | # The second field is the -t table type. Values are nat, mangle ... or empty | |
11 | # for the default filter type. | |
12 | # | |
13 | # The 3rd field is the protocol, tcp, udp, igmp, raw etc. | |
14 | # | |
15 | # The 4th field is the source address or source network. Valid notations | |
16 | # are 10.126.150.2 10.1.1.0/24 2001:1af8:feb8:7e96::2 | |
17 | # 2001:1af8:feb8:7e96::2/64 or 0/0 for any. | |
18 | # | |
19 | # The 5th field is the source port or ports. Ports may be comma separated | |
20 | # or ranges or a combination of both. See man iptables for the syntax. | |
21 | # | |
22 | # The 6th field is the destination address. | |
23 | # | |
24 | # The 7th field is the destination port or ports | |
25 | # | |
26 | # The 8th field is the action, can be any valid action like: | |
27 | # DROP | |
28 | # ACCEPT | |
29 | # REJECT --reject-with tcp-reset | |
30 | # | |
31 | # The 9th field is special tests, for example: | |
32 | # -m state --state NEW | |
33 | # -m hashlimit --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name torrent | |
34 | # -m connlimit \! --connlimit-above 3 -m hashlimit --hashlimit 1/second --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name openvpn | |
35 | # -m connlimit --connlimit-above 35 | |
36 | # Several conditions may be written in the same field. | |
37 | ||
38 | # Maximum connections per source IP | |
39 | 4;;;;;;;DROP;-m connlimit --connlimit-above 35 | |
40 | ||
41 | # Allow SSH | |
42 | 4;;tcp;;;10.1.1.5;ssh;ACCEPT;-m state --state NEW | |
43 | 6;;tcp;;;2001:1af8:dead:beef::5;ssh;ACCEPT;-m state --state NEW | |
44 | ||
45 | # Allow CUPS | |
46 | 4;;tcp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; | |
47 | 4;;udp;10.1.1.0/24;631;10.1.1.255;631;ACCEPT; | |
48 | ||
49 | # Allow Samba | |
50 | 4;;udp;10.1.1.0/24;138;10.1.1.255;138;ACCEPT; | |
51 | 4;;udp;10.1.1.0/24;137;10.1.1.255;137;ACCEPT; | |
52 | ||
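53 | # Rate limited web. No --hashlimit-mode is given, so the 15/second limit is a single bucket shared by all sources, not a per-source-IP limit (compare the srcip examples above). | |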
54 | 4;;tcp;;;10.1.1.5;80,443;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server | |
55 | 6;;tcp;;;2001:1af8:dead:beef::5;http,https;ACCEPT;-m state --state NEW -m hashlimit --hashlimit 15/second --hashlimit-burst 25 --hashlimit-name http-server | |
56 | ||
57 | # DHCP | |
58 | 4;;udp;;67;255.255.255.255;68;ACCEPT; | |
59 | 4;;udp;;68;255.255.255.255;67;ACCEPT; |