Remove ftps from firewall.
This commit is contained in:
parent
396cd7a2eb
commit
7c660f3135
2 changed files with 13 additions and 21 deletions
|
|
@ -1,5 +1,5 @@
|
|||
#!/bin/bash
|
||||
# Version: 0.2.0
|
||||
# Version: 0.2.1
|
||||
# Copyright (c) 2022:
|
||||
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
|
||||
# Licensed under the terms of the GNU General Public License version 3.
|
||||
|
|
@ -110,17 +110,13 @@ start_firewall() {
|
|||
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: FTP{,S}.
|
||||
# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
|
||||
# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
|
||||
# Service: FTP.
|
||||
modprobe nf_conntrack_ftp
|
||||
echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# Service: rsync.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#!/bin/bash
|
||||
# Version: 0.2.0
|
||||
# Version: 0.2.1
|
||||
# Copyright (c) 2022:
|
||||
# Darren 'Tadgy' Austin <darren (at) afterdark.org.uk>
|
||||
# Licensed under the terms of the GNU General Public License version 3.
|
||||
|
|
@ -110,17 +110,13 @@ start_firewall() {
|
|||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Service: FTP{,S}.
|
||||
# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
|
||||
# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
|
||||
# modprobe nf_conntrack_ftp
|
||||
# Service: FTP.
|
||||
modprobe nf_conntrack_ftp
|
||||
echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# Service: rsync.
|
||||
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue