Differences

This shows you the differences between two versions of the page.

--- linux:firewall [2010/12/29 10:03]
greebo
+++ linux:firewall [2010/12/29 10:16]
greebo
@@ Line 10: / Line 10: @@
 echo "* Running $0"
 echo "*************"
+echo "* http://tnt.aufbix.org/ linux firewall script"
 echo
@@ Line 59: / Line 60: @@
 WE_HAVE_INTRANET="0"
+#
 TRUSTED_HOSTS="193.77.1.1/32 \
 .93.224.0/19 \
@@ Line 74: / Line 76: @@
 $IPTB -t nat -F
+# new chain for SSH and HTTP access
 $IPTB -N ssh-access
 $IPTB -N http-access
-  # port redirection (transparent proxy)
+# port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
+# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
@@ Line 89: / Line 93: @@
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# move all SSH and HTTP traffic to apropriate chains
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-# ssh
+# ssh chain
 for sshhostese in $TRUSTED_HOSTS;
         do
@@ Line 156: / Line 161: @@
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
@@ Line 177: / Line 181: @@
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# what we allow from Internet - TCP ports
-# what we allow from Internet
 for i in $TCP_PORTS
 	do
 		$IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done
+        done
+# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT