# Firewall rule set in iptables-restore(8) format (load with `iptables-restore < file`).
# What the rules below establish: SSH is accepted on eth0 only, HTTP on wlan0 only,
# the host answers DHCP on wlan0 (access-point side, see the hostapd section), and
# ping works in both directions. Everything else falls through to the LOGGING chain
# on eth0/wlan0 (logged, then dropped) or to the DROP policy on any other interface
# (dropped silently).
# NOTE(review): there is no blanket ESTABLISHED,RELATED rule; every flow is listed per
# port and direction, so outbound traffic not listed here (DNS, NTP, package updates, ...)
# is dropped and logged.
*filter

########### iptables rules ###########

# Flush the built-in chains of the filter table (the only table this file touches)
-F INPUT
-F FORWARD
-F OUTPUT

# Default policies: deny everything that is not explicitly accepted below.
# FORWARD is DROP with no forward rules, so wlan0 clients are not routed through this host.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Accept loopback traffic in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept ping in both directions: answering pings (request in, reply out)
# and pinging out (request out, reply in).
# NOTE(review): no rate limit on inbound echo-request; the `-m limit` match used in
# the LOGGING chain would bound echo floods if that becomes a concern.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

### http -- served on the wireless interface only
# New and established connections to port 80 in; replies from port 80 out only for
# established flows. (`-m state` is the legacy spelling of `-m conntrack --ctstate`.)
-A INPUT -i wlan0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

### ssh -- reachable on the wired interface only
# SSH arriving on wlan0 is not matched here and ends up logged and dropped by LOGGING.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

### bootp / DHCP on the access-point interface (hostapd)
# NOTE(review): the original label said "client", but these rules match the server side
# of DHCP: requests arrive from the client source port 68 and offers/acks are sent back
# to client port 68. The server port (67) is not pinned, so any UDP to or from port 68
# on wlan0 is accepted; adding `--dport 67` / `--sport 67` would narrow this.
-A INPUT -i wlan0 -p udp --sport 68 -j ACCEPT
-A OUTPUT -o wlan0 -p udp --dport 68 -j ACCEPT

# Log dropped packets on eth0 and wlan0, rate-limited, then drop.
# Packets on any other interface hit the DROP policy without being logged.
-N LOGGING
-A INPUT -i eth0 -j LOGGING
-A OUTPUT -o eth0 -j LOGGING
-A INPUT -i wlan0 -j LOGGING
-A OUTPUT -o wlan0 -j LOGGING
# At most 20 log entries per minute, kernel log level 4 (warning), prefixed "DROP:" for
# grep/SIEM matching. The LOG target appends "IN=..." directly after the prefix, so a
# trailing space in the prefix would make the log lines easier to parse.
-A LOGGING -m limit --limit 20/min -j LOG --log-prefix "DROP:" --log-level 4
-A LOGGING -j DROP

COMMIT

# vim: filetype=sh