From d7a819df4bd2b820283926acec2dfd7a09212220 Mon Sep 17 00:00:00 2001
From: Gardouille
Date: Wed, 16 Sep 2015 23:02:23 +0200
Subject: [PATCH] =?UTF-8?q?firewall:=20i've=20forgot=20to=20allow=20ESTABL?=
 =?UTF-8?q?ISHED,=E2=80=A6=20OUTPUT=20connections=20firewall:=20increase?=
 =?UTF-8?q?=20LOG=20limit-burst=20to=2010?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 3 ++-
 firewall | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index ac6e5ef..e719de4 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,8 @@ Some useful scripts (for me) that can be added to $PATH :)
 ## List:
 * bash_quote: Get a random quote from http://danstonchat.com
-* dynmotd/: scripts to update the motd (via the /etc/update-motd.d directory).
+* firewall: A script shell to set some iptables rules.
+* update-dynmotd.d/: scripts to update the motd (via the /etc/update-motd.d directory).
 * flac_to_mp3: convert all flac files of a directory into mp3.
 * snapsend.sh: Send a ZFS snapshot to a remote host.
 * test_ssl3: Test if a website supportes the SSLV3 protocol.
diff --git a/firewall b/firewall
index 047205e..1fc1150 100755
--- a/firewall
+++ b/firewall
@@ -189,7 +189,7 @@ fw_start() {
 ## OUTPUT ##
 ##############
 #### Ne pas casser les connexions etablies
-# $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED
+ $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED
 # # #### ICMP reply (Ping) # #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply"
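Review bot: The re-enabled OUTPUT rule accepts `UNTRACKED` alongside `RELATED,ESTABLISHED`, so any locally generated packet that conntrack does not track (for example a flow marked NOTRACK in the raw table) leaves on `${ILAN}` without passing the per-service OUTPUT rules that presumably follow; unless the script deliberately relies on raw-table NOTRACK rules, which are not visible here, `RELATED,ESTABLISHED` is the safer state list. The `state` match is also the legacy spelling of the conntrack match; the same rule in current form is `$IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m conntrack --ctstate RELATED,ESTABLISHED`. The rule's intent is only given by the French comment above it; a short English note such as `# accept replies of connections this host already opened; per-service OUTPUT rules follow` would help the next reader. fw_start continues outside the hunk.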
@@ -277,23 +277,23 @@ fw_log() {
 # LOG INPUT DROP PAQUET
 $IPT -N INPLOG
 $IPT -A INPUT -j INPLOG
- $IPT -A INPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [tcp]: "
- $IPT -A INPLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [udp]: "
- $IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: "
+ $IPT -A INPLOG -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-IN [tcp]: "
+ $IPT -A INPLOG -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-IN [udp]: "
+ $IPT -A INPLOG -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-IN [icmp]: "
 # LOG OUTPUT DROP PAQUET
 $IPT -N OUTLOG
 $IPT -A OUTPUT -j OUTLOG
- $IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
- $IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
- $IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
+ $IPT -A OUTLOG -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-OUT [tcp]: "
+ $IPT -A OUTLOG -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-OUT [udp]: "
+ $IPT -A OUTLOG -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-OUT [icmp]: "
 # LOG FORWARD DROP PAQUET
 $IPT -N FORLOG
 $IPT -A FORWARD -j FORLOG
- $IPT -A FORLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [tcp]: "
- $IPT -A FORLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [udp]: "
- $IPT -A FORLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [icmp]: "
+ $IPT -A FORLOG -p tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-FOR [tcp]: "
+ $IPT -A FORLOG -p udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-FOR [udp]: "
+ $IPT -A FORLOG -p icmp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-FOR [icmp]: "
 }
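Review bot: Each of INPLOG, OUTLOG and FORLOG still logs only `-p tcp`, `-p udp` and `-p icmp`, so a packet of any other protocol (ESP, AH, GRE, …) that reaches the chain falls through without a log line, which is a blind spot for anyone reading these logs for dropped traffic; a protocol-less last rule per chain, e.g. `$IPT -A INPLOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Drop-IN [other]: "`, closes that gap under the same rate limit. The `limit` match keeps one token bucket per rule, so the new `--limit-burst 10` applies to each of the nine rules separately rather than to the chain; a comment on the first rule such as `# limit/limit-burst are per rule: each protocol has its own 5/min bucket` would prevent the value from being read as a global cap. The three `$IPT -N …` calls fail with "Chain already exists" if fw_log runs a second time without the chains having been flushed and deleted; whether the stop path does that is outside the hunk. fw_log starts before the hunk and its closing `}` is the hunk's last line.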