|
|
| (3 intermediate revisions by the same user not shown) |
| Line 7: |
Line 7: |
| | ==DHCP== | | ==DHCP== |
| | | | |
| − | DHCP client: | + | See [[Firewall_basics#DHCP|DHCP]] |
| | | | |
| − | <syntaxhighlight lang="bash">
| |
| − | IPTABLES=`which iptables`
| |
| − |
| |
| − |
| |
| − | # DHCP client >> Broadcast IP request
| |
| − | $IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
| |
| − | $IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
| |
| − | </syntaxhighlight>
| |
| | | | |
| | | | |
| | ==DNS== | | ==DNS== |
| | | | |
| − | This will allow your computer to perform DNS requests:
| + | See [[Firewall_basics#DNS|DNS]] |
| − | | |
| − | <syntaxhighlight lang="bash">
| |
| − | IPTABLES=`which iptables`
| |
| − | IP6TABLES=`which ip6tables`
| |
| − | | |
| − | | |
| − | $IPTABLES -A OUTPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IPTABLES -A INPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IPTABLES -A INPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | | |
| − | | |
| − | $IP6TABLES -A OUTPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IP6TABLES -A OUTPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IP6TABLES -A INPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | $IP6TABLES -A INPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
| |
| − | </syntaxhighlight>
| |
| | | | |
| | | | |
| | ==LAN communication== | | ==LAN communication== |
| | | | |
| − | To allow communication in the local network, without any restrictions:
| + | See [[Firewall_basics#LAN_communication| Firewall LAN]] |
| − | | |
| − | <syntaxhighlight lang="bash">
| |
| − | IPTABLES=`which iptables`
| |
| − | IP_LAN_V4="172.16.50.0/24"
| |
| − | IP_LAN_V6="2001:DB8:1::1"
| |
| − | | |
| − | | |
| − | # Allow LAN communication | |
| − | if [ ! -z "$IP_LAN_V4" ]
| |
| − | then
| |
| − | echo -e " ... Allow LAN communication - IP v4"
| |
| − | $IPTABLES -A INPUT -s $IP_LAN_V4 -d $IP_LAN_V4 -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -s $IP_LAN_V4 -d $IP_LAN_V4 -j ACCEPT
| |
| − | # Allow forwarding within the LAN
| |
| − | $IPTABLES -A FORWARD -s $IP_LAN_V4 -j ACCEPT
| |
| − | fi
| |
| − | | |
| − | if [ ! -z "$IP_LAN_V6" ]
| |
| − | then
| |
| − | echo -e " ... Allow LAN communication - IP v6"
| |
| − | $IP6TABLES -A INPUT -s $IP_LAN_V6 -d $IP_LAN_V6 -j ACCEPT
| |
| − | $IP6TABLES -A OUTPUT -s $IP_LAN_V6 -d $IP_LAN_V6 -j ACCEPT
| |
| − | # Allow forwarding within the LAN
| |
| − | $IP6TABLES -A FORWARD -s $IP_LAN_V6 -j ACCEPT
| |
| − | fi
| |
| − | | |
| − | </syntaxhighlight>
| |
| | | | |
| − | ''Note:'' thanks to the '''! -z''' operator if the variable is not set or "" then the rule will be skipped.
| |
| | | | |
| | | | |
| | ==NTP (time syncronization) client== | | ==NTP (time syncronization) client== |
| − | | + | See [[Firewall_basics#NTP_.28time_syncronization.29_client|NTP (time sync)]] |
| − | <syntaxhighlight lang="bash">
| |
| − | IPTABLES=`which iptables`
| |
| − | | |
| − | | |
| − | # NTP client | |
| − | echo -e " ... Allow NTP time sync"
| |
| − | $IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
| |
| − | $IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
| |
| − | | |
| − | $IP6TABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
| |
| − | $IP6TABLES -A INPUT -p udp --sport 123 -j ACCEPT
| |
| − | </syntaxhighlight>
| |
| | | | |
| | | | |
| | ==Samba file-share== | | ==Samba file-share== |
| − | | + | See [[Firewall_basics#Samba_file-share|Samba file-share]] |
| − | <syntaxhighlight lang="bash">
| |
| − | IPTABLES=`which iptables`
| |
| − | | |
| − | | |
| − | # SAMBA share | |
| − | # Access filtering is done in /etc/samba/smb.conf
| |
| − | $IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT # NetBios Name Service
| |
| − | $IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT # NetBios Data Exchange
| |
| − | $IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT # NetBios Session + Samba
| |
| − | $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT # CIFS - Partage Win2K and more
| |
| − | $IPTABLES -A INPUT -p tcp --dport 548 -j ACCEPT # Apple File Sharing Protocol
| |
| − | </syntaxhighlight>
| |
| − | | |
| | | | |
| | ==FTP client== | | ==FTP client== |
| | | | |
| − | <syntaxhighlight lang="bash">
| + | See [[Firewall_basics#FTP|FTP]] |
| − | IPTABLES=`which iptables`
| |
| − | | |
| − | | |
| − | # FTP client - base rules | |
| − | $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
| |
| − | | |
| − | # Active FTP
| |
| − | $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
| |
| − | | |
| − | # Passive FTP
| |
| − | $IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
| |
| − | $IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
| |
| − | </syntaxhighlight>
| |
