## Path to the iptables binary used by the firewall script.
# NOTE(review): this file is plain shell and is presumably sourced by the
# firewall script (likely with root privileges) — every line here is executed,
# not merely parsed. Keep it root-owned and not group/world-writable.
IPTABLES=/sbin/iptables

## WAN configuration
WAN_INT='eth0'                 # WAN interface
IP='42.42.42.42'               # WAN IP (also the default destination for OPEN_PORTS)

PING=1                         # Allow ping (1 = yes, 0 = no)
FTP=0                          # Allow FTP server (passive and active) (1 = yes, 0 = no)

## LAN configuration
NAT=0                          # Activate nat (need a LAN_NETWORK) (1 = yes, 0 = no)
LAN_NETWORK=''                 # LAN network (ex: 192.168.1.0/24) 
LAN=0                          # Allow traffic between the WAN and LAN (1 = yes, 0 = no)
LAN_INT=''                     # LAN interface

## Allow OUTPUT for everything
# 1 = unrestricted egress from this host. Presumably OUPUT_DESTINATIONS below
# is only consulted when this is 0 — confirm in the consuming script before
# relying on it for egress filtering.
ALLOW_WAN_OUTPUT_EVERYWHERE=1

## Allow all traffic for interface(s)
# Space-separated list of interfaces whose traffic is accepted in full.
# example ALLOW_INTS='br0 xenbr42'
ALLOW_INTS=''

## Output allow
# One entry per array element:
# "destination [source] protocol {porta|portx:porty},[portx:porty,porta,portb,...]"
# Port names (http, ssh, domain, ...) or numbers/ranges are accepted, comma-separated.
# By default we allow http, https, ssh and DNS connections.
# NOTE(review): the variable name is misspelled ("OUPUT"), but it is the name
# the consuming script presumably reads — confirm before renaming.
OUPUT_DESTINATIONS=(
"0.0.0.0/0 tcp http,https,ssh,domain"
"0.0.0.0/0 udp domain"
)

## Open ports
# One entry per array element:
# "source [destination] protocol {porta|portx:porty},[portx:porty,porta,portb,...]"
# The default destination is the IP !
# example : OPEN_PORTS=("0.0.0.0/0 tcp 22"
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
# The default below exposes ssh to any source; narrow the source network
# (or use WHITELIST / WHITELIST_OPEN_PORTS below) where the deployment allows it.
OPEN_PORTS=("0.0.0.0/0 tcp ssh")

## Port knocking (tcp only)
# "port[,port] knock_ports_combination"
# example : PORT_KNOCK=("22,4242 121,4353,4242,111")
# Knocking hides a port from casual scans; it is not a substitute for
# authentication on the protected service.
PORT_KNOCK=()

## Port forwarding
# "source port destination:port protocol" "source port destination:port protocol" ...
# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
TRAFFICS=()

## Port redirection
# "interface protocol sourceport destport" ...
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS=()

## Whitelist
# Source addresses/networks granted the ports in WHITELIST_OPEN_PORTS.
# example with an external file
# source /etc/firewall/whitelist_ssh
# WHITELIST=("${WHITELIST[@]}")
# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
#WHITELIST=()

## Whitelist port and protocol
# "protocol {port|portx:porty}[,port,...]" per array element.
# example : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
# Hook point to write your own iptables rules
ipt_hook()
{
    # Extension point: add site-specific iptables rules in this function.
    # By default it only announces itself; it is presumably invoked by the
    # firewall script after the generated rules are loaded.
    printf '%s\n' '+ Load your own iptables rules'
}