
File: [Platon] / scripts / shell / firewall / default-firewall.conf

Revision 2.14, Wed Mar 16 13:53:34 2005 UTC (19 years ago) by rajo

Changes since 2.13: +8 -1 lines

* New Feature: ban IP address
  This feature has been developed for the following reason:
  UbiCrawler spams our website with many requests (they are duplicate requests of the same page!)
  And this web robot doesn't accept HTTP META tags (http://www.robotstxt.org/wc/faq.html#extension)
  User Agent: "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)"

#!/bin/sh

#
# /etc/default/firewall
#
# Example configuration file for Linux kernel firewall
#
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk>
# Copyright (c) 2004 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# Changelog:
# 2004-11-14 - created
#

# $Platon: scripts/shell/firewall/default-firewall.conf,v 2.13 2005/03/01 23:17:11 rajo Exp $

# Dry-run switch: uncomment to prefix the iptables path with "echo " so the
# rules are printed instead of loaded (see how IPTABLES is built below).
#DEBUG="echo "

# Chain policy used when no rule matches (presumably passed to iptables -P).
DEFAULT_POLICY='DROP'

# Kernel modules the script loads before installing rules
# (LOG/REJECT targets, FTP connection tracking and NAT helpers).
MODULES='ipt_LOG ipt_REJECT ip_conntrack_ftp ip_nat_ftp'

# Rate-limited LOG target: 12 entries/s with a burst of 24 keeps an attacker
# from flooding syslog.  Ends in --log-prefix; presumably the calling script
# appends the prefix text itself — confirm against the script.
LOG_LIMIT='-m limit --limit 12/s --limit-burst 24 -j LOG --log-level notice --log-prefix'

# Absolute paths of the tools the firewall script executes (no PATH lookup,
# so a writable directory earlier in PATH cannot substitute a binary).
# With DEBUG empty this is plain /sbin/iptables; with DEBUG="echo " it becomes
# "echo /sbin/iptables", which only works if the caller expands $IPTABLES unquoted.
IPTABLES="${DEBUG}/sbin/iptables"
# Test-only alternative: ":" is the shell no-op, every rule call does nothing.
#IPTABLES=":"
IFCONFIG='/sbin/ifconfig'
DEPMOD='/sbin/depmod'
MODPROBE='/sbin/modprobe'
RMMOD='/sbin/rmmod'
AWK='/usr/bin/awk'

# Loopback interface; a value exported by the caller takes precedence over "lo".
LO_IFACE="${LO_IFACE:-lo}"
# Holds the *name* of a variable (e.g. "IP_lo"), not an address — presumably
# the sourcing script dereferences it to find the loopback IP.  TODO confirm.
LO_IP="IP_$LO_IFACE"

# Interface that gets the anti-spoofing rules — presumably the upstream side,
# where packets claiming internal source addresses must be rejected.
ANTISPOOF_IFACE='eth0'

# Hosts whose packets are dropped outright.
# 146.48.97.0/24 - UbiCrawler, which ignores HTTP META robot tags
#                  "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)"
#                  http://www.robotstxt.org/wc/faq.html#extension
# NOTE(review): whether several entries may be listed here (space-separated)
# depends on how the firewall script iterates over this value — confirm before adding more.
BANNED_IP='146.48.97.0/24'

# Interfaces on which traceroute is allowed (currently disabled).
#TRACEROUTE_IFACE="eth1"

# Interfaces whose traffic is accepted without any further filtering.
# "+" is the iptables interface wildcard, so tun+/tap+ covers every tunnel
# device: whoever is on the other end of a VPN is trusted like localhost.
# Never add the internet-facing interface (eth0) here — it would bypass the
# entire ruleset.
IFACE_ACCEPT_ALL='lo tun+ tap+'

# Ports accepted on INPUT, named <iface>_ACCEPT_INPUT_<proto>; the ALL_ prefix
# applies to every interface.  The NAT section below treats eth0 as the
# interface connected to the internet and eth1 as the local subnet.

# --- TCP ---
# ssh
ALL_ACCEPT_INPUT_TCP='22'
# eth0: 123, NetBIOS (137-139), CUPS (631), HTTP/HTTPS, squid (3128),
# 2220 (forwarded to an internal ssh host, see NAT_TCP_PORT_FORWARD)
# NOTE(review): NetBIOS and CUPS are LAN services; exposing them on the
# internet-facing interface is a common foothold — move them to eth1 unless
# they are really needed there.  Port 3128 reachable from outside turns squid
# into an open proxy unless squid's own ACLs refuse external clients.
eth0_ACCEPT_INPUT_TCP='123 137 138 139 631 80 443 3128 2220'
# eth1: HTTP and 6000 (X11)
eth1_ACCEPT_INPUT_TCP='80 6000'
# ppp0: nothing
ppp0_ACCEPT_INPUT_TCP=''

# --- UDP ---
# dhcp client
ALL_ACCEPT_INPUT_UDP='68'
# eth0: 123, NetBIOS (137-139), 513, CUPS browsing (631)
eth0_ACCEPT_INPUT_UDP='123 137 138 139 513 631'
# ppp0: nothing
ppp0_ACCEPT_INPUT_UDP=''

# Outgoing ports to drop, per interface (all disabled at the moment).
#eth0_DROP_OUTPUT_TCP="123 137 138 139 445 631"
#eth0_DROP_OUTPUT_UDP="123 137 138 139 445 631"
#eth1_DROP_OUTPUT_TCP=""
#eth1_DROP_OUTPUT_UDP=""

#
# NAT configuration
#

# Interface connected to the internet (NAT is presumably only set up when
# both interfaces are defined — both are commented out here).
#NAT_LAN_IFACE="eth0"
# Interface connected to the local subnet
#NAT_SUBNET_IFACE="eth1"

# "yes"/"no": log each NEW connection going through NAT.  Handy for incident
# investigation, noisy on a busy link.
NAT_LOG_NEW_CONNECTIONS='no'

#
# Forward configuration
#
# Microsoft networking emits packets that are not RFC compliant (NEW state
# without the SYN flag); "no" refuses to forward them.
NAT_FORWARD_MICROSOFT='no'
# Transparent redirects of outgoing TCP connections, as <dest port>:<local port>:
#  25 -> local mail server (cheap virus/spam choke point; LAN clients that
#        contact an external port 25 directly are silently redirected)
#  80, 8080, 1080, 3128 -> local squid on 3128 (transparent proxy)
NAT_TCP_PORT_REDIRECT='25:25 80:3128 8080:3128 1080:3128 3128:3128'

# Port forward from the firewall/router into the LAN, as <ext port>:<host>:<host port>.
# 2220 on the firewall -> 192.168.0.100:22 (ssh); 2220 must also be listed in
# eth0_ACCEPT_INPUT_TCP or the packets never reach the forward rule.
NAT_TCP_PORT_FORWARD='2220:192.168.0.100:22'

# Destination ports LAN clients may reach through NAT — the author's "secure" set.
# NOTE(review): "secure" means "known services", not "encrypted": 23 (telnet)
# and 6000 (X11) carry credentials in cleartext.  Remove them from both lists
# unless something really depends on them.
NAT_FORWARD_TCP_PORTS='20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000'
NAT_FORWARD_UDP_PORTS='20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000'

#
# LAN clients that get no NAT at all ("ugly bad boys in your LAN")
#
#NAT_CLIENT_DROP="192.168.0.120"

#
# ICMP configuration
#
# Types worth passing in both directions:
# (3)  Destination Unreachable / Service Unavailable
#                            - size negotiation (path MTU), service or destination
#                              unavailability, final traceroute response
# (4)  Source Quench         - requests to slow down (flow control)
# (11) Time Exceeded         - timeout conditions, also the intermediate TTL
#                              responses to traceroute
# (12) Parameter Problem     - error messages
# (0 | 8) Echo Reply / Echo Request - pings out to anywhere
#
# NOTE(review): types 4 and 12 are described above but missing from the value
# below; either add source-quench / parameter-problem or trim the description.
# fragmentation-needed is the Destination Unreachable code used by path MTU
# discovery — worth keeping explicit even though destination-unreachable covers it.

# default: echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed
ACCEPT_ICMP_PACKETS='echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed'

