From 1e6bd0c94837b261566aec296fc2865ff592eb0c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 7 Feb 2016 05:43:18 +0100
Subject: small improvements for example rules.sh

---
 rules.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules.sh b/rules.sh
index 24aa3b8..95d2e35 100755
--- a/rules.sh
+++ b/rules.sh
@@ -97,6 +97,7 @@ ipv4_up() {
   # allow icmp and active connections
   $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
   $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+  $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
 
   # install port forwardings and allow traffic through it
   for fw in $PORTFW; do
@@ -130,6 +131,7 @@ ipv4_up() {
   # allow icmp and active connections from external
   $FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
   $FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+  $FILTER -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
 
   # allow
   for port in $TCP_IN_PORTS; do
@@ -176,8 +178,9 @@ ipv6_up() {
 
   # inbound traffic
   # allow icmp and active connections
-  $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+  $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmpv6 -j ACCEPT
   $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+  $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
 
   # allow traffic to internal hosts
   for fw in $PORTFW6; do
@@ -210,6 +213,7 @@ ipv6_up() {
   # allow icmp and active connections
   $FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
   $FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+  $FILTER6 -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
 
   # allow
   for port in $TCP_IN_PORTS; do
-- 
cgit v1.2.3
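Review bot: The new INVALID drop in the ipv4 FORWARD block comes after `-p icmp -j ACCEPT`, so ICMP that conntrack classifies as INVALID (error messages for flows it has no entry for, for example) is still forwarded to the internal hosts and never reaches the new rule. Putting the drop first covers ICMP as well without losing anything the chain wants to pass: echo requests are NEW and errors tied to a tracked flow are RELATED, so neither is INVALID. I would order the three rules as `$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP` first, followed by the existing `-p icmp -j ACCEPT` and `--state RELATED,ESTABLISHED -j ACCEPT` lines unchanged. The enclosing ipv4_up() starts before this hunk and continues past it.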
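Review bot: The INVALID drop added to the ipv4 INPUT block is silent, which makes the conditions that typically produce INVALID packets (asymmetric routing or out-of-window TCP segments, for instance) hard to diagnose from the firewall host. A rate-limited LOG directly above the DROP gives monitoring and incident response something to work with at negligible cost: `$FILTER -A INPUT -i $EXT_IF -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "INPUT INVALID: "`. If the same is done for the FORWARD chain, the prefix should name the chain so the two sources can be told apart in the log. ipv4_up() starts before this hunk and continues past it.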
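Review bot: The `-p icmp` to `-p icmpv6` change in the ipv6 FORWARD block is a functional fix rather than a cosmetic one and deserves a comment, since the commit message only says "small improvements". Under ip6tables `icmp` presumably resolves to protocol 1 while ICMPv6 is protocol 58, so the old rule never matched and ICMPv6 (including Packet Too Big, which internal hosts need for PMTUD) was only forwarded when the following rule saw it as RELATED. I would replace the `# allow icmp and active connections` comment with `# allow ICMPv6 (protocol 58; needed for PMTUD and error reporting - plain 'icmp' never matched here) and active connections`. Note that the ICMPv6 accept still precedes the new INVALID drop, so the drop does not apply to ICMPv6 in this chain. ipv6_up() starts before this hunk and continues past it.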
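Review bot: The new rule in the ipv6 INPUT block uses the `state` match, which newer iptables/ip6tables releases implement as a deprecated alias of the `conntrack` match; the current spelling is `$FILTER6 -A INPUT -i $EXT_IF -m conntrack --ctstate INVALID -j DROP`. Since every other rule visible in these hunks also uses `-m state`, switching only the new lines would leave the file inconsistent, so this is better done as a separate file-wide change than inside this commit. As far as I know `--state` and `--ctstate` select the same conntrack states, so the switch is behaviour-neutral. ipv6_up() starts before this hunk and continues past it.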