Difference between revisions of "Firewall core (main) protocols"

Line 7: Line 7:
 
==DHCP==
 
==DHCP==
  
DHCP client:
+
See [[Firewall_basics#DHCP]]
 
 
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
  
 
# DHCP client >> Broadcast IP request
 
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
 
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
 
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
 
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
 
</syntaxhighlight>
 
  
  
 
==DNS==
 
==DNS==
  
This will allow your computer to perform DNS requests:
+
See [[Firewall_basics#DNS]]
 
 
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
IP6TABLES=`which ip6tables`
 
 
 
    # DNS (udp)
 
    $IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT
 
    $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
 
    $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
 
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
 
 
 
    $IP6TABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
 
    $IP6TABLES -A OUTPUT -p udp --sport 53 -j ACCEPT
 
    $IP6TABLES -A INPUT -p udp --dport 53 -j ACCEPT
 
    $IP6TABLES -A INPUT -p udp --sport 53 -j ACCEPT
 
 
 
  
    # DNS sec (tcp)
 
    $IPTABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
 
    $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
 
 
    $IP6TABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
 
    $IP6TABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
 
 
</syntaxhighlight>
 
  
 
==LAN communication==
 
==LAN communication==
  
To allow communication in the local network, without any restrictions:
+
See [[Firewall_basics#LAN_communication]]
  
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
IP_LAN_V4="172.16.50.0/24"
 
IP_LAN_V6="2001:DB8:1::1"
 
 
 
# Allow LAN communication
 
if [ ! -z "$IP_LAN_V4" ]
 
then
 
echo -e " ... Allow LAN communication - IP v4"
 
$IPTABLES -A INPUT -s $IP_LAN_V4 -d $IP_LAN_V4 -j ACCEPT
 
$IPTABLES -A OUTPUT -s $IP_LAN_V4 -d $IP_LAN_V4 -j ACCEPT
 
        # Allow forwarding within the LAN
 
        $IPTABLES -A FORWARD -s $IP_LAN_V4 -j ACCEPT
 
fi
 
 
if [ ! -z "$IP_LAN_V6" ]
 
then
 
echo -e " ... Allow LAN communication - IP v6"
 
$IP6TABLES -A INPUT -s $IP_LAN_V6 -d $IP_LAN_V6 -j ACCEPT
 
$IP6TABLES -A OUTPUT -s $IP_LAN_V6 -d $IP_LAN_V6 -j ACCEPT
 
        # Allow forwarding within the LAN
 
        $IP6TABLES -A FORWARD -s $IP_LAN_V6 -j ACCEPT
 
fi
 
 
</syntaxhighlight>
 
 
''Note:'' thanks to the '''! -z''' operator if the variable is not set or "" then the rule will be skipped.
 
  
  
 
==NTP (time syncronization) client==
 
==NTP (time syncronization) client==
 
+
See [[Firewall_basics#NTP_.28time_syncronization.29_client]]
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
 
 
 
 
# NTP client
 
echo -e " ... Allow NTP time sync"
 
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
 
$IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
 
 
 
$IP6TABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
 
$IP6TABLES -A INPUT -p udp --sport 123 -j ACCEPT
 
</syntaxhighlight>
 
  
  
Line 104: Line 30:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
IPTABLES=`which iptables`
 
  
 
# SAMBA share
 
# SAMBA share
 
# Access filtering is done in /etc/samba/smb.conf
 
# Access filtering is done in /etc/samba/smb.conf
$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT                 # NetBios Name Service
+
$IPTABLES -A INPUT -p tcp --dport 135 -m comment --comment "DCE endpoint resolution" -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT                # NetBios Data Exchange
+
$IPTABLES -A INPUT -p udp --dport 137 -m comment --comment "NetBIOS Name Service" -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT                # NetBios Session + Samba
+
$IPTABLES -A INPUT -p udp --dport 138 -m comment --comment "NetBIOS Datagram" -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT                # CIFS - Partage Win2K and more
+
$IPTABLES -A INPUT -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 548 -j ACCEPT                 # Apple File Sharing Protocol
+
$IPTABLES -A INPUT -p tcp --dport 445 -m comment --comment "SMB over TCP" -j ACCEPT
 +
 
 +
$IPTABLES -A OUTPUT -p tcp --sport 135 -m state --state ESTABLISHED -m comment --comment "DCE endpoint resolution" -j ACCEPT
 +
$IPTABLES -A OUTPUT -p udp --dport 137 -m comment --comment "NetBios Name Service" -j ACCEPT
 +
$IPTABLES -A OUTPUT -p udp --dport 138 -m comment --comment "NetBios Data Exchange" -j ACCEPT
 +
$IPTABLES -A OUTPUT -p tcp --dport 139 -m comment --comment "NetBios Session + Samba" -j ACCEPT
 +
$IPTABLES -A OUTPUT -p tcp --dport 445 -m comment --comment "CIFS - Partage Win2K and more" -j ACCEPT
 +
$IPTABLES -A OUTPUT -p tcp --dport 548 -m comment --comment "Apple file sharing" -j ACCEPT
 +
 
 
</syntaxhighlight>
 
</syntaxhighlight>
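Review bot: The new INPUT rules for 135/tcp, 137/udp, 138/udp, 139/tcp and 445/tcp carry no `-s` or `-i` match, so the SMB and RPC listeners are accepted from every source on every interface and the only access control left is the smb.conf filtering named in the comment above them; for a LAN file share I would bind these to the network the page already defines, e.g. `$IPTABLES -A INPUT -s "$IP_LAN_V4" -p tcp --dport 445 -m comment --comment "SMB over TCP" -j ACCEPT`, and likewise on the other four. The OUTPUT rule on `--sport 135` is limited to ESTABLISHED while the other inbound ports get no reply rule in this snippet, so it presumably relies on a generic ESTABLISHED,RELATED rule elsewhere (the FTP section has one) — a comment saying so would stop readers from pasting an incomplete rule set. The INPUT rule for 548/tcp appears to be dropped while its OUTPUT counterpart stays; if that is intentional a one-line comment would help, and the comment strings differ in spelling between INPUT ("NetBIOS Name Service") and OUTPUT ("NetBios Name Service"), which makes `iptables -L` output harder to grep consistently.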
  

Revision as of 10:15, 23 June 2015


Allow services and network protocols

DHCP

See Firewall_basics#DHCP


DNS

See Firewall_basics#DNS


LAN communication

See Firewall_basics#LAN_communication


NTP (time synchronization) client

See Firewall_basics#NTP_.28time_syncronization.29_client


Samba file-share

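# Samba (SMB/CIFS) file-share rules for iptables.
#
# Knobs:
#   SAMBA_SRC_V4 - optional IPv4 source (host or CIDR) the inbound rules are
#                  limited to. Empty (the default) keeps the original
#                  behaviour and accepts from any source; a LAN-only share
#                  should normally set it to the LAN range (the same value
#                  the LAN section uses for IP_LAN_V4).
#
# Access filtering is also done in /etc/samba/smb.conf, but a packet filter
# that accepts 445/tcp from everywhere exposes the SMB stack on every
# interface, so the optional source match is the defence-in-depth layer here.

# command -v instead of `which`: builtin, portable, and empty when missing.
IPTABLES=$(command -v iptables)
if [ -z "$IPTABLES" ]; then
  # Fail closed: an empty $IPTABLES would otherwise run "-A" as a command and
  # silently leave the firewall without these rules.
  printf '%s\n' "iptables not found in PATH, Samba rules not applied" >&2
  exit 1
fi

SAMBA_SRC_V4=${SAMBA_SRC_V4:-}
# Extra match spliced into each INPUT rule: nothing, or "-s <range>".
# (An array keeps the argument as one word; empty arrays expand to nothing.)
SMB_SRC=()
if [ -n "$SAMBA_SRC_V4" ]; then
  SMB_SRC=(-s "$SAMBA_SRC_V4")
fi

# SAMBA share
# Access filtering is done in /etc/samba/smb.conf
"$IPTABLES" -A INPUT "${SMB_SRC[@]}" -p tcp --dport 135 -m comment --comment "DCE endpoint resolution" -j ACCEPT
"$IPTABLES" -A INPUT "${SMB_SRC[@]}" -p udp --dport 137 -m comment --comment "NetBIOS Name Service" -j ACCEPT
"$IPTABLES" -A INPUT "${SMB_SRC[@]}" -p udp --dport 138 -m comment --comment "NetBIOS Datagram" -j ACCEPT
"$IPTABLES" -A INPUT "${SMB_SRC[@]}" -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
"$IPTABLES" -A INPUT "${SMB_SRC[@]}" -p tcp --dport 445 -m comment --comment "SMB over TCP" -j ACCEPT

# Outbound side. Only the 135 reply rule is tied to an ESTABLISHED state
# here; the remaining inbound ports rely on a generic ESTABLISHED,RELATED
# rule elsewhere in the firewall (see the FTP section's "Requirement").
"$IPTABLES" -A OUTPUT -p tcp --sport 135 -m state --state ESTABLISHED -m comment --comment "DCE endpoint resolution" -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp --dport 137 -m comment --comment "NetBios Name Service" -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp --dport 138 -m comment --comment "NetBios Data Exchange" -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 139 -m comment --comment "NetBios Session + Samba" -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 445 -m comment --comment "CIFS - Partage Win2K and more" -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp --dport 548 -m comment --comment "Apple file sharing" -j ACCEPT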


FTP client

IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`

#### Requirement
# Keep ESTABLISHED, RELATED connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

#### FTP client
# FTP data transfer
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT  
# FTP control (command)
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT