summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Pointner <equinox@spreadspace.org>2016-02-07 04:43:18 (GMT)
committerChristian Pointner <equinox@spreadspace.org>2016-02-07 04:43:18 (GMT)
commit1e6bd0c94837b261566aec296fc2865ff592eb0c (patch)
tree0e0122b693e24a2f03157a5ff3c1d55300684fe1
parentc8c04456a9e0bcdbef66c6fcab1c584352386943 (diff)
small improvements for example rules.sh
-rwxr-xr-xrules.sh6
1 files changed, 5 insertions, 1 deletions
diff --git a/rules.sh b/rules.sh
index 24aa3b8..95d2e35 100755
--- a/rules.sh
+++ b/rules.sh
@@ -97,6 +97,7 @@ ipv4_up() {
# allow icmp and active connections
$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
$FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
# install port forwardings and allow traffic through it
for fw in $PORTFW; do
@@ -130,6 +131,7 @@ ipv4_up() {
# allow icmp and active connections from external
$FILTER -A INPUT -i $EXT_IF -p icmp -j ACCEPT
$FILTER -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
# allow
for port in $TCP_IN_PORTS; do
@@ -176,8 +178,9 @@ ipv6_up() {
# inbound traffic
# allow icmp and active connections
- $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmp -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -p icmpv6 -j ACCEPT
$FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER6 -A FORWARD -i $EXT_IF -o $INT_IF -m state --state INVALID -j DROP
# allow traffic to internal hosts
for fw in $PORTFW6; do
@@ -210,6 +213,7 @@ ipv6_up() {
# allow icmp and active connections
$FILTER6 -A INPUT -i $EXT_IF -p icmpv6 -j ACCEPT
$FILTER6 -A INPUT -i $EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $FILTER6 -A INPUT -i $EXT_IF -m state --state INVALID -j DROP
# allow
for port in $TCP_IN_PORTS; do