From a387b1a903bd83a24c9007efe03a0e4db348d8a7 Mon Sep 17 00:00:00 2001
From: Thomas NOEL
Date: Wed, 12 Feb 2014 14:28:25 +0100
Subject: [PATCH] I believe in conntracker.
---
 eofirewall | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/eofirewall b/eofirewall
index 053419d..bd46089 100755
--- a/eofirewall
+++ b/eofirewall
@@ -131,7 +131,7 @@ forward_port()
 log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
 else
 log_action_msg "Forward $port to $destination for protocol $proto"
- $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT
 $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
 fi
 fi
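Review bot: The forward rule now admits only NEW, so the return half of every forwarded connection depends on the chain-wide `EO-FORWARD ... --state ESTABLISHED,RELATED` accept that start() appends; because both use `-A`, that generic rule must already be in the chain when forward_port() runs, and the call order is not visible in this hunk. A comment on the rule would record the dependency, e.g. `# return traffic is accepted by the chain-wide ESTABLISHED,RELATED rule appended in start()`. The `state` match is a legacy wrapper around `conntrack`; new rules here and in the two following hunks could use `-m conntrack --ctstate NEW` instead. The enclosing forward_port() function begins before this hunk.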
@@ -230,24 +230,23 @@ start()
 $IPTABLES -A EO-INPUT -i lo -j ACCEPT
 $IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
- $IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
- else
+ if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -ne 0 ]; then
 log_action_msg "Allow WAN outgoing traffic to everywhere"
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -m state --state NEW -j ACCEPT
 fi
 critical_return
 if [ $LAN == 1 ]; then
 log_action_msg "Allow WAN outgoing traffic from lan"
- $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -s $LAN_NETWORK -m state --state NEW -j ACCEPT
 log_action_msg "Allow local network"
- $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
- $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -j ACCEPT
 fi
 ## block spoofing
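Review bot: `if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -ne 0 ]; then` still leaves the variable unquoted, so an unset or empty value makes `[` fail with a unary-operator error; the branch is then skipped, which is the safe outcome, but the error is noise and hides a configuration mistake. Defaulting it, `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -ne 0 ]; then`, keeps that fail-closed behaviour without the error. The three new chain-wide ESTABLISHED,RELATED accepts also carry no interface or address restriction, so every RELATED flow that a conntrack helper expects (the FTP helper is loaded further down in start()) is now accepted on INPUT, OUTPUT and FORWARD from any interface, whereas the removed rules confined such traffic to `$WAN_INT`/`$LAN_NETWORK`; if that widening is intended it deserves a comment, otherwise helper-derived RELATED traffic can be admitted selectively with `-m helper --helper ftp` on a WAN-facing rule. The enclosing start() function extends beyond this hunk on both sides.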
@@ -269,14 +268,7 @@ start()
 if [ $FTP == 1 ]; then
 log_action_msg "FTP allowed"
 modprobe ip_conntrack_ftp
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
- # Data
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Passive mod
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW -j ACCEPT
 fi
 ## Open input ports
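Review bot: After this change the FTP data channel (active from `$IP`, passive to `$IP` on high ports) is accepted only because the conntrack helper marks it RELATED, yet `modprobe ip_conntrack_ftp` on the line above is still unchecked and uses the legacy `ip_conntrack_*` name, which current kernels may honour only through a module alias; a failed load leaves port 21 open and every transfer failing silently. Checking the load and preferring the current name, `modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp || log_warning_msg "FTP conntrack helper not loaded, data connections will be refused"`, would surface that. On kernels where automatic helper assignment is disabled (`net.netfilter.nf_conntrack_helper=0`) the helper must be attached explicitly, e.g. `$IPTABLES -t raw -A PREROUTING -i $WAN_INT -p tcp --dport ftp -j CT --helper ftp`; whether the target kernels run with that setting cannot be seen from the hunk. The `if [ $FTP == 1 ]` block ends at the `fi` inside the hunk, while start() continues beyond it.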