RedXen
/
firewall
Archived
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

IPv6 Rules

This commit is contained in:
caskd 2020-02-01 12:13:02 +01:00
parent c7d472a684
commit 959463167a
No known key found for this signature in database
GPG Key ID: 79DB21404E300A27
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
iptables-setup.sh
View File

@ -3,29 +3,43 @@
# All packet verification
iptables -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets
ip6tables -I INPUT -m conntrack --ctstate INVALID -j DROP # Drop invalid packets
iptables -I INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # No constant icmp packets
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
ip6tables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
ip6tables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP # Block syn floods
# Cross-server free networking
iptables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT
ip6tables -A INPUT -m multiport -p tcp --dports 7946,2377 -i ens10 -j ACCEPT
iptables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT
ip6tables -A INPUT -m multiport -p udp --dports 7946,4789 -i ens10 -j ACCEPT
# Allow forwarding of existing connections
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Services
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565 -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --dports 22,80,443,2200,2422,2442,25565 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 443,2200,25565,51820 -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports 443,2200,25565,51820 -j ACCEPT
# Private services on docker
iptables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,9050,4242,43110 -j DROP
ip6tables -A DOCKER-USER -i eth0 -p tcp -m multiport --dports 5000,9050,4242,43110 -j DROP
# Special Rules
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open
ip6tables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Keep existing connections open
iptables -I INPUT 1 -i lo -j ACCEPT # Loopback connections
ip6tables -I INPUT 1 -i lo -j ACCEPT # Loopback connections
# DEFAULT RULES # Apply at end, first set whitelisted connections
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
ip6tables -P FORWARD ACCEPT # TODO: Should be drop but it needs configuration
iptables -P OUTPUT ACCEPT # Allow all outbound connections
ip6tables -P OUTPUT ACCEPT # Allow all outbound connections