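#!/bin/sh
#
# /etc/default/firewall
#
# Example configuration file for Linux kernel firewall
#
# This file only assigns shell variables; it is meant to be sourced by the
# firewall script, which turns the variables below into iptables rules.
# No command is run here, so no option of this file can be "tested" on its
# own — the effect of every value depends on the script that reads it.
#
# Developed by Lubomir Host 'rajo'
# Copyright (c) 2004 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# Changelog:
# 2004-11-14 - created
#
# $Platon: scripts/shell/firewall/default-firewall.conf,v 2.3 2005/01/02 13:31:46 rajo Exp $

# Policy applied to packets that match no explicit rule.
DEFAULT_POLICY="DROP"

# Which modules to load
MODULES="ipt_LOG ipt_REJECT ip_conntrack_ftp ip_nat_ftp"

# Rule fragment used for logging. The limit/burst match keeps a flood of
# matching packets from filling the log; the fragment ends in --log-prefix,
# so the consumer is expected to append the prefix string itself
# (presumably — confirm against the firewall script).
LOG_LIMIT="-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix"

# Paths:
IPTABLES="/sbin/iptables"
# Testing stub: ':' is the shell no-op, so with this line enabled every
# rule is silently skipped and NO filtering takes place. Keep it commented
# out on any machine that relies on this firewall.
#IPTABLES=":"	# for testing only - does nothing
IFCONFIG="/sbin/ifconfig"
DEPMOD="/sbin/depmod"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
AWK="/usr/bin/awk"

# Loopback interface.
# Default LO_IFACE to "lo" unless the caller already set it (':' is the
# portable no-op; the assignment happens inside the expansion).
: "${LO_IFACE:=lo}"
# Name of the variable that holds the loopback address (e.g. "IP_lo");
# presumably resolved by indirection in the firewall script — verify there.
LO_IP="IP_${LO_IFACE}"

# Antispoof filter
ANTISPOOF_IFACE="eth0"

# Accept all packets on these interfaces.
# NOTE(review): every tun*/tap* interface is trusted unconditionally here,
# i.e. any host that gets a tunnel is on the "inside" — confirm that is
# intended for all tunnels this machine terminates.
IFACE_ACCEPT_ALL="tun+ tap+"

# Which ports will be allowed on INPUT (TCP connections)
ALL_ACCEPT_INPUT_TCP="22"
# interface eth0
# NOTE(review): the NAT section below describes eth0 as the internet-facing
# side; if that is the case, 137-139 (NetBIOS), 631 (IPP) and 3128 (proxy)
# are reachable from outside with this list — confirm each one is wanted.
eth0_ACCEPT_INPUT_TCP="123 137 138 139 631 80 443 3128"
# interface eth1
# NOTE(review): 6000 is the first X11 display port; X11 is unencrypted and
# unauthenticated by default, so this should stay limited to the local subnet.
eth1_ACCEPT_INPUT_TCP="80 6000"
# interface ppp0
ppp0_ACCEPT_INPUT_TCP=""

# Which ports will be allowed on INPUT (UDP connections)
# interface eth0
eth0_ACCEPT_INPUT_UDP="123 137 138 139 513 631"
# interface ppp0
ppp0_ACCEPT_INPUT_UDP=""

# Packet dropping (outgoing, per interface; all disabled by default)
#eth0_DROP_OUTPUT_TCP="123 137 138 139 445 631"
#eth0_DROP_OUTPUT_UDP="123 137 138 139 445 631"
#eth1_DROP_OUTPUT_TCP=""
#eth1_DROP_OUTPUT_UDP=""

#
# NAT configuration
#
# eth0 connected to internet
#NAT_LAN_IFACE="eth0"
# eth1 connected to local subnet
#NAT_SUBNET_IFACE="eth1"
# Log every new connection that is NATed ("yes"/"no"). Useful for incident
# review, but can be noisy on a busy gateway.
NAT_LOG_NEW_CONNECTIONS="no"

#
# Forward configuration
#
# Don't forward Microsoft protocols - NOT RFC compliant packets
# (packets in NEW state without SYN flag).
NAT_FORWARD_MICROSOFT="no"
# Redirect all outgoing connections to SMTP port 25 to the local server
# (simple virus/antispam protection).
# Redirect all outgoing HTTP connections to a transparent proxy server (squid).
# Format: "<original port>:<local port>" pairs.
NAT_TCP_PORT_REDIRECT="25:25 80:3128 8080:3128 1080:3128 3128:3128"
# NAT only "secure" ports
# NOTE(review): despite the label, 23 (telnet), 113 (ident) and 6000 (X11)
# are cleartext protocols; review whether forwarding them is still needed.
NAT_FORWARD_TCP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"
NAT_FORWARD_UDP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"

#
# ICMP configuration
#
# default: echo-reply destination-unreachable echo-request time-exceeded
ACCEPT_ICMP_PACKETS="echo-reply destination-unreachable echo-request time-exceeded"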