Update firewall scripts.
This commit is contained in:
parent
cc7b1b0b2d
commit
592a06bc02
5 changed files with 189 additions and 61 deletions
@ -3,12 +3,9 @@
# The name of the main external interface.
EX_IF="br0"
# The name of the Private network interface.
PRI_IF="br1"
# The IP ranges from where to accept unfiltered connections.
UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
start_firewall() {
@ -35,14 +32,6 @@ start_firewall() {
iptables -t mangle -X
ip6tables -t mangle -X
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow all Private network traffic.
iptables -A INPUT -i "$PRI_IF" -j ACCEPT
ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
@ -54,6 +43,10 @@ start_firewall() {
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
@ -83,9 +76,7 @@ start_firewall() {
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Always allow SSH.
# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
# Allow SSH.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
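Review bot: The hunk at `@ -35,14 +32,6` removes the `# Allow all Private network traffic.` block together with the loopback accept, but only the loopback rules reappear in `@ -54,6 +43,10`; as far as the line counts let me tell, no hunk of this file restores an accept on `"$PRI_IF"`, while `PRI_IF="br1"` is still defined at the top. If dropping the blanket trust in the private interface is the intent it is a reasonable tightening, but it deserves a sentence in the commit message and `PRI_IF` should either go or carry a comment naming what still uses it; if it is accidental, traffic arriving on br1 now depends on whatever later INPUT rules and default policy apply, which these hunks do not show. Separately, the new `# Allow SSH.` line in `@ -83,9 +76,7` discards the explanation of why port 22 is opened alongside 9922, so the dual-port rule now reads like an oversight; I would keep a one-liner such as `# Allow SSH on 9922 and, as a lock-out safeguard, on 22.` start_firewall continues outside these hunks.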