Diffstat (limited to 'rules.sh')
-rwxr-xr-xrules.sh6
1 files changed, 5 insertions, 1 deletions
diff --git a/rules.sh b/rules.sh
index 24aa3b8..95d2e35 100755
--- a/rules.sh
+++ b/rules.sh
@@ -97,6 +97,7 @@ ipv4_up() {
# allow icmp and active connections
$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
# install port forwardings and allow traffic through it
for fw in $PORTFW; do
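Review bot: The new `--state INVALID -j DROP` rule is appended after the unconditional `-p icmp -j ACCEPT` line, so ICMP packets that conntrack classifies as INVALID (for example error messages that belong to no tracked flow) are already accepted two rules earlier and never reach the drop; the same ordering appears in the INPUT hunk at `@@ -130,6 +131,7 @@` and in both ipv6_up hunks, where the ACCEPT covers all of `icmpv6`. Moving the new line above the icmp ACCEPT in each of the four places, i.e. `$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP` directly after the `# allow icmp and active connections` comment, makes the INVALID drop take precedence over every later ACCEPT in the chain. The relative order against the RELATED,ESTABLISHED ACCEPT does not change results, since INVALID and ESTABLISHED are exclusive states, but placing the drop first is the usual convention and makes the intent clear. A short comment such as `# drop packets conntrack cannot associate before any ACCEPT` would document why the rule must stay first. ipv4_up starts before this hunk and continues after it.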
@@ -130,6 +131,7 @@ ipv4_up() {
# allow icmp and active connections from external
$FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
$FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
# allow
for port in $TCP_IN_PORTS; do
@@ -176,8 +178,9 @@ ipv6_up() {
# inbound traffic
# allow icmp and active connections
- $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmpv6 -j ACCEPT
$FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
# allow traffic to internal hosts
for fw in $PORTFW6; do
@@ -210,6 +213,7 @@ ipv6_up() {
# allow icmp and active connections
$FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
$FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER6 -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
# allow
for port in $TCP_IN_PORTS; do