author | Silvino Silva <silvino@bk.ru> | 2016-09-25 01:03:53 +0100 |
committer | Silvino Silva <silvino@bk.ru> | 2016-09-28 06:41:08 +0100 |
commit | 2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e (patch) | |
tree | 2f454fdd29b725cb0b1c7912e3be962afa2de6fc /core/conf | |
parent | c0251af1c2c9a35fc395a8e911aa345519f6b878 (diff) | |
download | doc-2f30196609c9ef1c7e0b03fc0f6a7a60c0c5526e.tar.gz |
network revision
Diffstat (limited to 'core/conf')
-rw-r--r-- | core/conf/rc.d/iptables | 50 | ||||
-rwxr-xr-x | core/conf/rc.d/net | 2 |
2 files changed, 47 insertions, 5 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index 2d77722..3f29928 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
@@ -1,12 +1,12 @@
 #!/bin/sh
 #
-# /etc/rc.d/iptables: load/unload iptable rules
+# /etc/rc.d/iptables: load/unload iptable rules
 #
 case $1 in
 start)
 echo "Starting IPv4 firewall filter table..."
- /usr/sbin/iptables-restore < /etc/iptables/rules.v4
+ /usr/sbin/iptables-restore < /etc/iptables/rules.v4
 ;;
 stop)
 echo "Stopping firewall and deny everyone..."
@@ -21,16 +21,60 @@ stop) iptables -t security -F iptables -t security -X - /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; +open) + echo "Outgoing Open firewall and deny everyone..." + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ;; + restart) $0 stop $0 start ;; *) + echo "usage: $0 [start|stop|restart]" ;; esac diff --git a/core/conf/rc.d/net b/core/conf/rc.d/net index 2b94af0..d46583b 100755 --- a/core/conf/rc.d/net +++ b/core/conf/rc.d/net 
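Review bot: The usage line added in the `*)` branch, `echo "usage: $0 [start|stop|restart]"`, omits the `open` action that this same hunk introduces, so the script's only self-documentation is already stale; change it to `echo "usage: $0 [start|stop|open|restart]" >&2` (and ideally `exit 1` after it). In the `open)` branch the two "Accept passive" rules admit return traffic only for `-p tcp`/`-p udp --dport 1024:`, which covers replies to outbound connections but drops RELATED ICMP (port-unreachable, fragmentation-needed), so UDP error reporting and path-MTU discovery will not work in this mode; the usual form is a single `/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`. The unconditional `-j LOG` rules in both `stop)` and `open)` log every dropped packet with no rate limit, which lets unsolicited traffic fill the kernel log; prefix each with `-m limit --limit 5/min --limit-burst 10`. The branch also mixes bare `iptables` with `/usr/sbin/iptables` and carries a commented-out OUTPUT log rule; either drop that line or note why it is disabled (OUTPUT policy is ACCEPT there). The enclosing `case` and the start of `stop)` lie before the hunk.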
@@ -31,8 +31,6 @@ case $1 in /usr/bin/pkill -F /var/run/dhcpcd-${DEV}.pid else - # /sbin/ip route del default - /sbin/ip route flush dev ${DEV} /sbin/ip link set ${DEV} down /sbin/ip addr flush dev ${DEV} fi |