I believe in conntracker.
This commit is contained in:
parent
62f1db1a45
commit
a387b1a903
28
eofirewall
28
eofirewall
|
@ -131,7 +131,7 @@ forward_port()
|
|||
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
|
||||
else
|
||||
log_action_msg "Forward $port to $destination for protocol $proto"
|
||||
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
||||
fi
|
||||
fi
|
||||
|
@ -230,24 +230,23 @@ start()
|
|||
$IPTABLES -A EO-INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
|
||||
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
else
|
||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -ne 0 ]; then
|
||||
log_action_msg "Allow WAN outgoing traffic to everywhere"
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
|
||||
critical_return
|
||||
|
||||
if [ $LAN == 1 ]; then
|
||||
log_action_msg "Allow WAN outgoing traffic from lan"
|
||||
$IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -s $LAN_NETWORK -m state --state NEW -j ACCEPT
|
||||
log_action_msg "Allow local network"
|
||||
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -j ACCEPT
|
||||
fi
|
||||
|
||||
## block spoofing
|
||||
|
@ -269,14 +268,7 @@ start()
|
|||
if [ $FTP == 1 ]; then
|
||||
log_action_msg "FTP allowed"
|
||||
modprobe ip_conntrack_ftp
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
|
||||
# Data
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
# Passive mod
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
|
||||
## Open input ports
|
||||
|
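Review bot: The three new catch-all accepts in start() (`$IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and the matching EO-OUTPUT/EO-FORWARD lines in the second hunk) are now evaluated before the rules under `## block spoofing`, and unlike the line they replace they carry no `-i $WAN_INT` or `-s`/`-d $LAN_NETWORK` match. Conntrack matches on the packet tuple only, not on the arrival interface, so a packet that reproduces a tracked flow's addresses and ports is accepted on any interface before the anti-spoofing checks run; if the spoofing rules are meant as a guard rather than a fallback, the `## block spoofing` section should be moved above these three accepts (or the INPUT/FORWARD lines should keep their interface and network qualifiers). The same RELATED state also admits connections expected by the FTP helper that the third hunk loads with `modprobe ip_conntrack_ftp`, whose exit status is not checked; consider `modprobe ip_conntrack_ftp || log_warning_msg "FTP conntrack helper not loaded"` so a missing module does not leave the "FTP allowed" message without a working data channel. The body of start() continues outside these hunks, so the exact position of the spoofing rules and any DROP policy in between could not be confirmed from the diff.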