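#!/bin/sh
#
# /etc/default/firewall
#
# Example configuration file for Linux kernel firewall
#
# Developed by Lubomir Host 'rajo'
# Copyright (c) 2004 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# Changelog:
# 2004-11-14 - created
#
# $Platon: scripts/shell/firewall/default-firewall.conf,v 2.33 2009-03-04 22:51:42 nepto Exp $
#
# This file only assigns shell variables; it is meant to be sourced by the
# firewall script, which reads the variables below to build its iptables rules.

# uncomment next line for debugging
# (IPTABLES below is prefixed with $DEBUG, so with DEBUG="echo " every
# iptables invocation is printed instead of executed)
#DEBUG="echo "
#

DEFAULT_FIREWALL_CONFIG_DIR="/etc/default/firewall.d"
# Policy applied to packets no rule matches; keep DROP so that anything
# not explicitly accepted below is silently discarded.
DEFAULT_POLICY="DROP"

# which modules to load
#
# https://dev.openwrt.org/ticket/3527
# For the kernel part, since 2.6.25 tos/TOS kernel modules have been merged
# with dscp/DSCP modules in xt_dscp.ko and xt_DSCP.ko. There is no more
# ipt_(tos|TOS).ko.
#
# Concerning the iptables modules, libipt_(tos|TOS).so installation depends (in
# include/netfilter.mk) on CONFIG_IP_NF_(TARGET|MATCH)_TOS symbols which no
# longer exist. tos/TOS modules are not included for installation.
#
# I don't know if there is a quick fix around the CONFIG_IP_NF_(TARGET|MATCH)_TOS symbols...
#
# The best solution would be to upgrade netfilter to 1.4.1.1 when using a kernel version >= 2.6.25.
#
# NOTE(review): per the note above, ipt_TOS does not exist on kernels >= 2.6.25,
# so modprobe of that entry presumably fails there - confirm the firewall script
# tolerates a failed module load rather than aborting rule setup.
MODULES="ipt_LOG ipt_REJECT ip_conntrack_ftp ip_nat_ftp ipt_TOS xt_DSCP"

# Turn on and turn off logging via syslog
# Default: on
LOGGING="on"
# Rate limit for LOG rules (12 matches/s, burst 24) so a packet flood cannot
# fill syslog; the firewall script appends its own --log-prefix value.
LOG_LIMIT="-m limit --limit 12/s --limit-burst 24 -j LOG --log-level notice --log-prefix"

# Paths:
IPTABLES="$DEBUG/sbin/iptables"
#IPTABLES=":" # for testing only - does nothing
IFCONFIG="/sbin/ifconfig"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
AWK="/usr/bin/awk"
PERL="/usr/bin/perl"

# loopback interface (kept if already set in the environment)
LO_IFACE="${LO_IFACE:=lo}"

# Antispoof filter
ANTISPOOF_IFACE="eth0"

# banned IP addresses
# packets from these hosts are DROPPED
# 146.48.97.0/24 - UbiCrawler which doesn't accept HTTP META tags
# "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)"
# http://www.robotstxt.org/wc/faq.html#extension
BANNED_IP="146.48.97.0/24"

# Allow traceroute from interfaces
#TRACEROUTE_IFACE="eth1"

# accept all packets on these interfaces
# DO NOT ADD eth0 device here !!!
# NOTE(review): "tun+" and "tap+" are wildcards, so every tunnel interface
# that comes up is fully trusted - confirm that is intended for this host.
IFACE_ACCEPT_ALL="lo tun+ tap+"

# Packets to these ports are ALWAYS dropped (they don't appear in log)
#ALL_DROP_INPUT_TCP="135 137 139 445" # Microsoft Windows packets
#ALL_DROP_INPUT_UDP="135 137 139 445" # Microsoft Windows packets
#REAL_DROP_INPUT_TCP="" # the same as above, but this also works for
#REAL_DROP_INPUT_UDP="" # non-existent interfaces

# Which ports will be closed on INPUT (TCP and/or UDP connections)
# REJECT_WITH="icmp-port-unreachable" # default in Linux, but doesn't work well with all firewalls
# NOTE(review): tcp-reset is only valid for TCP rules; assumes the firewall
# script uses a different reject type for the *_REJECT_INPUT_UDP lists - confirm.
REJECT_WITH="tcp-reset"
ALL_REJECT_INPUT_TCP="113 23"
ALL_REJECT_INPUT_UDP=""
REAL_REJECT_INPUT_TCP="113 23"
REAL_REJECT_INPUT_UDP=""
eth1_REJECT_INPUT_TCP=""
eth1_REJECT_INPUT_UDP=""

# Which ports will be allowed on INPUT (TCP and/or UDP connections)
ALL_ACCEPT_INPUT_TCP="22"
ALL_ACCEPT_INPUT_UDP="68" # dhcpclient

# The same as above but works for *really* all interfaces
# (this includes also yet non-existent interfaces, what is useful for IP failover)
REAL_ACCEPT_INPUT_TCP="22"
# The original file assigned REAL_ACCEPT_INPUT_TCP twice, so the second (empty)
# value silently discarded the "22" above; the UDP list is the one meant to be empty.
REAL_ACCEPT_INPUT_UDP=""

# interface eth0
# (use "port", or "ip:port", or "ip:ALL" for all ports from certain IP)
# NOTE(review): NetBIOS (137-139) and the proxy port (3128) are accepted here,
# while the NAT section below treats eth0 as the internet-facing interface -
# confirm these are meant to be reachable from outside.
eth0_ACCEPT_INPUT_TCP="123 137 138 139 631 80 443 3128 2220"
#eth0_0_ACCEPT_INPUT_TCP="80" # permit only 80 on eth0:0

# interface eth1
eth1_ACCEPT_INPUT_TCP="80 192.168.0.1/32:6000" # connection to port 6000 on interface eth1 is allowed only from IP 192.168.0.1

# interface ppp0
ppp0_ACCEPT_INPUT_TCP=""

# Which ports will be allowed on INPUT (UDP connections)
# interface eth0
# (use "port", or "ip:port", or "ip:ALL" for all ports from certain IP)
eth0_ACCEPT_INPUT_UDP="123 137 138 139 513 631"

# interface ppp0
ppp0_ACCEPT_INPUT_UDP=""

# You can redirect some ports from original port to new port
# With this feature you can effectively block access to some services for specified clients
#
# Example:
#
# eth0_REDIRECT_TCP="1.2.3.4:80:81 8080:80"
# - client with IP address 1.2.3.4 will not see web page served by apache (port 80).
#   He is redirected to port 81 (lighttpd for example), where he can see "Our homepage is down." ;-)
# - content from apache (port 80) is served also on port 8080 (you don't need to modify httpd.conf and restart apache)
#
# eth0_REDIRECT_TCP="1.2.3.4:80:81"
# eth0_REDIRECT_UDP=""

# Packet dropping
#eth0_DROP_OUTPUT_TCP="123 137 138 139 445 631"
#eth0_DROP_OUTPUT_UDP="123 137 138 139 445 631"
#eth1_DROP_OUTPUT_TCP=""
#eth1_DROP_OUTPUT_UDP=""

#
# NAT configuration
#
# eth0 connected to internet
#NAT_LAN_IFACE="eth0"
# eth1 connected to local subnet
#NAT_SUBNET_IFACE="eth1"

# logging must be turned on, see LOGGING="on"
NAT_LOG_NEW_CONNECTIONS="no"

# Hide NAT clients behind firewall
# XXX: this breaks traceroute, if you enable this!
# http://www.root.cz/clanky/sbirame-otisky-maskovani/
# NAT_SET_TTL="128" - Linux 2.4.7 / Windows XP SP1, 2000 SP4 (3)
# NAT_SET_TTL="60" - Windows 98 (4)
NAT_SET_TTL="no"

#
# Forward configuration
#
# don't forward Microsoft protocols - NOT RFC compliant packets (packets in NEW state without SYN flag)
NAT_FORWARD_MICROSOFT="no"

# redirect all outgoing connections to SMTP port 25 to local server (simple virus/antispam protection)
# redirect all outgoing HTTP connection to transparent proxy server (squid)
NAT_TCP_PORT_REDIRECT="25:25 80:3128 8080:3128 1080:3128 3128:3128"

# forward port 2220 from your firewall/router to local machine port 22 (ssh)
# you must accept port 2220 in $eth0_ACCEPT_INPUT_TCP
NAT_TCP_PORT_FORWARD="2220:192.168.0.100:22" # IP of lan interface is detected automatically
# second assignment deliberately appends to the list above
NAT_TCP_PORT_FORWARD="$NAT_TCP_PORT_FORWARD 192.168.116.109:80:10.168.2.110:80" # 192.168.116.109 is alias of $NAT_LAN_IFACE interface (e.g. eth0:0)

# NAT only "secure" ports
# NOTE(review): 23 (telnet) and 194 (IRC) are plaintext protocols; the list is
# the author's choice, review it against current policy before deploying.
NAT_FORWARD_TCP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"
NAT_FORWARD_UDP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"

#
# Deny NAT for clients with this IP
#
#NAT_CLIENT_DROP="192.168.0.120" # ugly bad boys in your LAN

#
# IP accounting for clients in local network
#
#DO_LOCAL_IP_ACCOUNTING="yes"
#IP_ACCT_CLIENTS="192.168.0.120 192.168.0.121 192.168.0.122"
#IP_ACCT_COUNT_REDIRECTED_PORTS="yes" # port redirects to local squid are taken as outgoing traffic (counted for this client)

#
# ICMP configuration
#
# (4) Source Quench - Incoming & outgoing requests to slow down (flow control)
# (12) Parameter Problem - Incoming & outgoing error messages
# (3) Destination Unreachable, Service Unavailable
#     - Incoming & outgoing size negotiation, service or
#       destination unavailability, final traceroute response
# (11) Time Exceeded - Incoming & outgoing timeout conditions, also intermediate TTL response to traceroutes
# (0 | 8) Allow OUTPUT pings to anywhere
# default: echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed
ACCEPT_ICMP_PACKETS="echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed"

#
# Shaping support
#
SHAPING_IFACE="eth1"
eth1_SHAPING_CLASSES="local internet"
eth1_SHAPING_NETMASK_local="192.168.0.0/16"
eth1_SHAPING_RATE_local=""
eth1_SHAPING_LATENCY_local=""
eth1_SHAPING_BURST_local=""
eth1_SHAPING_NETMASK_internet=""
eth1_SHAPING_RATE_internet="256kbit"
eth1_SHAPING_LATENCY_internet="50ms"
eth1_SHAPING_BURST_internet="1540"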