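IPTABLES=/sbin/iptables # path of the iptables binary the firewall script invokes

## WAN configuration

WAN_INT='' # WAN interface (empty by default: set it before running the firewall script)
IP='' # WAN IP; it is also the default destination of OPEN_PORTS entries (see below)

PING=1 # Allow ping
FTP=0 # Allow FTP server (passive and active)

## LAN configuration

NAT=0 # Activate nat (need a LAN_NETWORK)
LAN_NETWORK='' # LAN network (ex: 192.168.1.0/24)
LAN=0 # Allow traffic between the WAN and LAN
LAN_INT='' # LAN interface

## Allow OUTPUT for everything
# Keep it at 0 unless unrestricted outbound traffic is really wanted; the
# selective allow list is OUPUT_DESTINATIONS below.
# NOTE(review): the name is misspelled ("OUTOUT") but presumably matches what
# the firewall script reads -- rename it in both places or not at all.
ALLOW_OUTOUT_EVERYWHERE=0

## Allow all traffic for interface(s)
# Every interface listed here is exempted from filtering, so list only
# trusted (e.g. bridge / virtual) interfaces.
# example ALLOW_INTS='br0 xenbr42'
ALLOW_INTS=''

## Output allow
# "destination [source] protocol {porta|portx:porty},[portx:porty,porta,portb,...]" ...
# by default we allow http, https, ssh and DNS connections
# NOTE(review): the name is misspelled ("OUPUT") but presumably matches what
# the firewall script reads -- rename it in both places or not at all.
OUPUT_DESTINATIONS=(
"0.0.0.0/0 tcp http,https,ssh,domain"
"0.0.0.0/0 udp domain"
)

## Open ports
# "source [destination] protocol {porta|portx:porty},[portx:porty,porta,portb,...]" ...
# The default destination is the IP !
# example : OPEN_PORTS=("0.0.0.0/0 tcp 22"
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
# Default: ssh reachable from any source. Narrow the source to the admin
# network(s) when it is known; the Whitelist sections below look like the
# place for a source-restricted alternative.
OPEN_PORTS=("0.0.0.0/0 tcp ssh")

## Port knocking (tcp only)
# "port[,port] knock_ports_combination"
# example : PORT_KNOCK=("22,4242 121,4353,4242,111")
# The knock sequence only gates when a port is opened; the service behind it
# still needs its own authentication.
PORT_KNOCK=()

## Port forwarding
# "source port destination:port protocol" "source port destination:port protocol" ...
# Each entry exposes an internal host on the WAN; keep the source as narrow as possible.
# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
TRAFFICS=()

## Port redirection
# "interface protocol sourceport destport" ...
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS=()

## Whitelist
# example with an external file
# source /etc/firewall/whitelist_ssh
# WHITELIST=(${WHITELIST[@]})
# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
#WHITELIST=()

## Whitelist port and protocol
# example : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
#WHITELIST_OPEN_PORTS=()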
# Hook point to write your own iptables rules
# ipt_hook: called by the firewall script so the administrator can append
# custom iptables rules. Only announces itself; add rules below the message.
ipt_hook() {
	printf '%s\n' "+ Load your own iptables rules"
	# Write your own iptables rules here
}