Commit 631fb445 authored by jcsh's avatar jcsh

Update ipt-nat_core.v4: cleaning up commented out relics

parent b5735ad8
......@@ -6,6 +6,10 @@
# Purpose: To bring up a robust firewall at bootup.
int_if="enp0s9"
ext_if="enp0s8"
# 'Cleanup and reset'
/sbin/iptables -F
/sbin/iptables -X
......@@ -34,10 +38,6 @@
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
#/sbin/iptables -I INPUT -m set --match-set block src -j DROP
#/sbin/iptables -I INPUT -m set --match-set ipdeny src -j DROP
#/sbin/iptables -I INPUT -m set --match-set fullbogons-ipv4 src -j DROP
# -- NEW --
/sbin/iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j DROP
......@@ -59,10 +59,9 @@
# -- ! NEW --
/sbin/iptables -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -i enp0s9 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --dport 22 -j ACCEPT
#/sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED --sport 443 -j ACCEPT
......@@ -72,26 +71,16 @@
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -o enp0s9 --sport 67 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --sport 22 -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m conntrack --ctstate NEW,ESTABLISHED --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED --dport 443 -j ACCEPT
# 'FORWARD'
#/sbin/iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A FORWARD -j fw-interfaces
#/sbin/iptables -A FORWARD -j fw-open
#/sbin/iptables -A FORWARD -j DROP
#/sbin/iptables -A fw-interfaces -i enp0s9 -j ACCEPT
#/sbin/iptables -t nat -A POSTROUTING -s 192.168.232.0/24 -o enp0s8 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
/sbin/iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT
# 'PREROUTING'
/sbin/iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP
......@@ -106,4 +95,4 @@
# 'Terminate'
/sbin/iptables -A INPUT -p tcp -m recent --set --rsource --name TCP-PSCAN -j DROP
/sbin/iptables -A INPUT -p udp -m recent --set --rsource --name UDP-PSCAN -j DROP
/sbin/iptables -A INPUT -p udp -m recent --set --rsource --name UDP-PSCAN -j DROP
\ No newline at end of file
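Review bot: In the `@@ -72,26 +71,16 @@` hunk the surviving POSTROUTING rule `/sbin/iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE` carries no `-s` match, whereas the relic it appears to replace (`-s 192.168.232.0/24 -o enp0s8`) did, so every packet the FORWARD chain lets out of `$ext_if` is now source-NATed regardless of where it came from; the rendered view does not mark sides, so confirm which line is the new one. If the LAN prefix is still known, keep it on the rule, quoting the variable as well: `/sbin/iptables -t nat -A POSTROUTING -s <LAN_CIDR_PLACEHOLDER> -o "$ext_if" -j MASQUERADE`, and likewise `-i "$int_if" -o "$ext_if"` on the FORWARD accept. The only explicit `FORWARD -j DROP` visible in this file is a commented-out relic, and the chain's default policy is set outside these hunks, so please check that the reset block at the top sets `-P FORWARD DROP` before the NAT rules are relied on. The interface variables introduced at the top of the file are only used in this hunk; the other rules in the diff still name interfaces literally or not at all, which is worth making consistent in a follow-up.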