Diffstat (limited to 'core/conf/rc.d/iptables')
-rw-r--r-- | core/conf/rc.d/iptables | 50 |
1 files changed, 47 insertions, 3 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 2d77722..3f29928 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,12 +1,12 @@ #!/bin/sh # -# /etc/rc.d/iptables: load/unload iptable rules +# /etc/rc.d/iptables: load/unload iptable rules # case $1 in start) echo "Starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/rules.v4 + /usr/sbin/iptables-restore < /etc/iptables/rules.v4 ;; stop) echo "Stopping firewall and deny everyone..." 
@@ -21,16 +21,60 @@ stop) iptables -t security -F iptables -t security -X - /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + + ;; +open) + echo "Outgoing Open firewall and deny everyone..." + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X + + /usr/sbin/iptables -P INPUT DROP + /usr/sbin/iptables -P FORWARD DROP + /usr/sbin/iptables -P OUTPUT ACCEPT + + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + ;; + restart) $0 stop $0 start ;; *) + echo "usage: $0 [start|stop|restart]" ;; esac |
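Review bot: The new `open)` action is not reflected in the usage line added in the same hunk, which still reads `echo "usage: $0 [start|stop|restart]"`; change it to `echo "usage: $0 [start|stop|open|restart]"` so callers can discover the mode. In `open)`, the only INPUT accepts are `-p tcp --dport 1024:` and `-p udp --dport 1024:` with `--state ESTABLISHED,RELATED`, so any RELATED or ESTABLISHED ICMP (echo replies, ICMP errors such as fragmentation-needed) presumably falls through to the LOG rule and the INPUT DROP policy; if that is unintended, a single protocol-agnostic `/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` would cover it, and `-m conntrack --ctstate` is the non-deprecated spelling of that match. As a point of style, the flush lines call bare `iptables` while the policy and append lines use `/usr/sbin/iptables`, mirroring the existing `stop)` body; picking one form keeps the script independent of PATH in rc context. The enclosing `case $1 in` starts in the previous hunk, outside this one.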