I believe in conntracker.

This commit is contained in:
Thomas NOËL 2014-02-12 14:28:25 +01:00
parent 62f1db1a45
commit a387b1a903
1 changed files with 10 additions and 18 deletions


@ -131,7 +131,7 @@ forward_port()
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
else
log_action_msg "Forward $port to $destination for protocol $proto"
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
@ -230,24 +230,23 @@ start()
$IPTABLES -A EO-INPUT -i lo -j ACCEPT
$IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
else
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -ne 0 ]; then
log_action_msg "Allow WAN outgoing traffic to everywhere"
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -m state --state NEW -j ACCEPT
fi
critical_return
if [ $LAN == 1 ]; then
log_action_msg "Allow WAN outgoing traffic from lan"
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -s $LAN_NETWORK -m state --state NEW -j ACCEPT
log_action_msg "Allow local network"
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -j ACCEPT
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -j ACCEPT
fi
## block spoofing
@ -269,14 +268,7 @@ start()
if [ $FTP == 1 ]; then
log_action_msg "FTP allowed"
modprobe ip_conntrack_ftp
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
# Data
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive mod
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW -j ACCEPT
fi
## Open input ports
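Review bot: The rewritten FTP block (the `modprobe ip_conntrack_ftp` line followed by the single `--state NEW` accept on `--dport ftp`) now depends entirely on the conntrack helper marking the data channel RELATED so that the generic `EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` rule from the second hunk lets it through; on kernels where automatic helper assignment is disabled (the `nf_conntrack_helper` sysctl, off by default on newer kernels) nothing binds the helper to port 21 and FTP data connections are silently dropped. Binding the helper explicitly also keeps RELATED from accepting helper-expected flows on connections the script never intended to inspect, which matters more now that the RELATED accept is no longer tied to `-i $WAN_INT`: `$IPTABLES -t raw -A PREROUTING -i $WAN_INT -p tcp --dport ftp -j CT --helper ftp`. The `modprobe` return status is also unchecked, so a missing module degrades to the same silent failure; `modprobe ip_conntrack_ftp || log_warning_msg "FTP conntrack helper not loaded, passive FTP will be blocked"` would at least surface it. The enclosing `start()` function begins before this hunk and its remaining lines are outside the shown hunks, so I cannot see whether any later rule compensates.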