diff --git a/rc.d/rc.firewall-complete b/rc.d/rc.firewall-complete
index 4cfb921..ad511bf 100755
--- a/rc.d/rc.firewall-complete
+++ b/rc.d/rc.firewall-complete
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Version: 0.2.0
+# Version: 0.2.1
 # Copyright (c) 2022:
 # Darren 'Tadgy' Austin
 # Licensed under the terms of the GNU General Public License version 3.
@@ -110,17 +110,13 @@ start_firewall() {
 iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
- # Service: FTP{,S}.
- # Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
- # change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+ # Service: FTP.
 modprobe nf_conntrack_ftp
 echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
- iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
- iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 # Service: rsync.
 iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
diff --git a/rc.d/rc.firewall-float b/rc.d/rc.firewall-float
index ed5cc00..4022065 100755
--- a/rc.d/rc.firewall-float
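Review bot: Passive-mode data connections now rest entirely on the `nf_conntrack_ftp` helper attaching to the port-21 control flow (the 49152:65534 opening is gone), and the only thing arranging that is the unchecked `echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper` context line, which turns on global automatic helper assignment — a knob that has been deprecated for years and, as far as I know, no longer exists on 6.0+ kernels, where the echo fails silently and passive FTP breaks with nothing logged. The explicit, interface-scoped form is to assign the helper per flow in the raw table, e.g. `iptables -t raw -A PREROUTING -i "$EX_IF" -p tcp --dport 21 -j CT --helper ftp` plus the `ip6tables` twin, after which the sysctl write can be dropped; the rc.firewall-float hunk has the same issue and wants the same rules with `-d "$FLOATINGIP"` / `-d "$FLOATINGIP6"` added. The new `--syn --dport 20 ... --ctstate ESTABLISHED,RELATED` rules also look like a carry-over from the old 20,989 pair: an inbound SYN to port 20 would only match if conntrack had already classified it, which the server-originated active-mode data connection does not produce, so they are probably a no-op worth a comment or removal (assuming an earlier general ESTABLISHED,RELATED accept, outside this hunk, handles the data flows). start_firewall() begins before and continues after the hunk.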
+++ b/rc.d/rc.firewall-float
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Version: 0.2.0
+# Version: 0.2.1
 # Copyright (c) 2022:
 # Darren 'Tadgy' Austin
 # Licensed under the terms of the GNU General Public License version 3.
@@ -110,17 +110,13 @@ start_firewall() {
 iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
- # Service: FTP{,S}.
- # Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
- # change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
- # modprobe nf_conntrack_ftp
+ # Service: FTP.
+ modprobe nf_conntrack_ftp
 echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
- iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
- iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
- ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 # Service: rsync.
 iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT