authorThomas NOEL <tnoel@entrouvert.com>2014-02-12 13:28:25 (GMT)
committerThomas NOEL <tnoel@entrouvert.com>2014-02-12 13:28:25 (GMT)
commita387b1a903bd83a24c9007efe03a0e4db348d8a7 (patch)
treedb0f18aab925ed832d40f5e896a7c49a924f2a8c
parent62f1db1a457ec835df013b9c511fd1e37c1ff805 (diff)
I believe in conntracker.
-rwxr-xr-xeofirewall28
1 files changed, 10 insertions, 18 deletions
diff --git a/eofirewall b/eofirewall
index 053419d..bd46089 100755
--- a/eofirewall
+++ b/eofirewall
@@ -131,7 +131,7 @@ forward_port()
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
else
log_action_msg "Forward $port to $destination for protocol $proto"
- $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
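Review bot: The rewritten forward rule accepts only `NEW`, so the reply path of every forwarded connection now depends on the interface-agnostic `ESTABLISHED,RELATED` rule this commit adds to EO-FORWARD in start(), and nothing in forward_port records that dependency; read on its own the function looks like a one-way ACCEPT. Add a comment above the rule, `# NEW only: reply packets are matched by the generic ESTABLISHED,RELATED rule on EO-FORWARD (see start())`. The `$source`, `$dest_ip` and `$dest_port` expansions on the new line stay unquoted as before, so an empty `$source` still yields `-s -d ...` and an iptables parse error rather than a clear message. forward_port starts outside the hunk.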
@@ -230,24 +230,23 @@ start()
$IPTABLES -A EO-INPUT -i lo -j ACCEPT
$IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
- $IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
- else
+ if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -ne 0 ]; then
log_action_msg "Allow WAN outgoing traffic to everywhere"
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -m state --state NEW -j ACCEPT
fi
critical_return
if [ $LAN == 1 ]; then
log_action_msg "Allow WAN outgoing traffic from lan"
- $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -s $LAN_NETWORK -m state --state NEW -j ACCEPT
log_action_msg "Allow local network"
- $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
- $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -j ACCEPT
fi
## block spoofing
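Review bot: The three generic `ESTABLISHED,RELATED` accepts added at the top of this hunk carry no `-i`/`-o` qualifier, whereas the rules they replace were bound to `$WAN_INT` (and, on EO-FORWARD, to `$WAN_INT`→`$LAN_INT` with `-d $LAN_NETWORK`); because `-A` appends, they also sit in front of the anti-spoofing section that begins right after this hunk. If those anti-spoofing rules are appended to the same EO-INPUT/EO-FORWARD chains, a packet whose tuple matches an existing conntrack entry is now accepted from any interface before the spoof check is reached, a wider window than the old interface-bound rules allowed. Either keep the interface qualifiers on these three rules or insert them after the spoofing block, and state the choice in a comment such as `# generic conntrack accepts: any interface, must follow the anti-spoofing rules`. Separately, the new `-ne 0` test leaves `$ALLOW_WAN_OUTOUT_EVERYWHERE` unquoted, so an unset value makes `[` fail with a syntax error instead of skipping the branch; `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -ne 0 ]; then` is safer. start() continues outside the hunk.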
@@ -269,14 +268,7 @@ start()
if [ $FTP == 1 ]; then
log_action_msg "FTP allowed"
modprobe ip_conntrack_ftp
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
- # Data
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Passive mod
- $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW -j ACCEPT
fi
## Open input ports
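Review bot: With the explicit data and passive-mode rules deleted, FTP transfers now succeed only if the `modprobe ip_conntrack_ftp` line actually loads the helper so the kernel marks data connections `RELATED` for the generic accept rule, yet the modprobe exit status is still ignored, so a missing module leaves port 21 open while every transfer fails silently. Check it on the spot: `modprobe ip_conntrack_ftp || log_warning_msg "ip_conntrack_ftp not loaded: FTP data connections will be refused"`. Kernels that ship the helper as nf_conntrack_ftp may only honour the old name through an alias, and kernels that do not auto-assign conntrack helpers need an explicit CT helper rule in the raw table before `RELATED` matches anything; both deserve a comment next to the modprobe, since the remaining rule line no longer shows that the data path depends on the helper. The enclosing start() continues outside the hunk.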