author | Christian Pointner <equinox@spreadspace.org> | 2016-02-07 05:43:18 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2016-02-07 05:43:18 +0100 |
commit | 1e6bd0c94837b261566aec296fc2865ff592eb0c (patch) | |
tree | 0e0122b693e24a2f03157a5ff3c1d55300684fe1 | |
parent | updated debian changelog (diff) |
small improvements for example rules.sh
-rwxr-xr-x | rules.sh | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -97,6 +97,7 @@ ipv4_up() {
 # allow icmp and active connections
 $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
 $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
 # install port forwardings and allow traffic through it
 for fw in $PORTFW; do
@@ -130,6 +131,7 @@ ipv4_up() {
 # allow icmp and active connections from external
 $FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
 $FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+$FILTER -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
 # allow
 for port in $TCP_IN_PORTS; do
@@ -176,8 +178,9 @@ ipv6_up() {
 # inbound traffic
 # allow icmp and active connections
-$FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+$FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmpv6 -j ACCEPT
 $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+$FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
 # allow traffic to internal hosts
 for fw in $PORTFW6; do
@@ -210,6 +213,7 @@ ipv6_up() {
 # allow icmp and active connections
 $FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
 $FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+$FILTER6 -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
 # allow
 for port in $TCP_IN_PORTS; do
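Review bot: The new `--state INVALID -j DROP` rule in the FORWARD hunk is appended below the unconditional `-p icmp -j ACCEPT`, so an ICMP packet that conntrack classifies as INVALID (an unsolicited echo-reply, or an ICMP error referencing no tracked flow) is already accepted and forwarded to $INT_IF two rules earlier; the drop only ever sees non-ICMP traffic that no ACCEPT above it took. Make the drop the first rule of this group, i.e. place `$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP` directly under the `# allow icmp and active connections` comment, so conntrack-rejected packets are discarded before any ACCEPT is consulted. How much the rule changes for non-ICMP traffic depends on the FORWARD chain's default policy, which is set outside this hunk. ipv4_up() begins and ends outside the hunk.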
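Review bot: The same ordering problem applies to the INPUT hunk: the added INVALID drop follows `-p icmp -j ACCEPT`, so INVALID-state ICMP from $EXT_IF still reaches the host itself; moving `$FILTER -A INPUT -i $EXT_IF -m state --state INVALID -j DROP` to the top of the group fixes that. As a style point, `-m state` is the legacy alias of the conntrack match; the maintained spelling is `-m conntrack --ctstate INVALID -j DROP`, and it would be worth using it consistently if the rest of rules.sh is ever modernised, though both forms behave the same on current iptables. The `for port in $TCP_IN_PORTS` loop that follows is cut off by the hunk, so I cannot tell whether it accepts `--state NEW` only, which would decide whether the drop is also the only thing standing between an INVALID TCP segment and a port ACCEPT. ipv4_up() continues outside the hunk.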
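Review bot: Changing the ip6tables FORWARD rule from `-p icmp` to `-p icmpv6` turns a rule that presumably matched nothing (ip6tables resolves `icmp` to protocol 1, which does not occur as an IPv6 next-header, whereas ICMPv6 is 58) into one that accepts every ICMPv6 type from $EXT_IF toward $INT_IF, so internal hosts become reachable by all ICMPv6 where before only RELATED,ESTABLISHED replies passed. For transit traffic the usual practice (RFC 4890) is to forward only the error and echo types, e.g. one rule per type with `--icmpv6-type destination-unreachable`, `packet-too-big`, `time-exceeded`, `parameter-problem` and `echo-request`, optionally rate-limiting echo-request, rather than the whole protocol. The `--state INVALID -j DROP` added in the same hunk again sits below this ACCEPT and should precede it, matching the v4 hunks. ipv6_up() begins and ends outside the hunk.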