# nat table: rendered for IPv4 only (there is no else branch, so an IPv6
# render produces no nat table at all)
{% if proto == "ipv4" %}
*nat
# built-in nat chains keep the default ACCEPT policy; only the rendered
# chains below add rules
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# one block per chain object; chain.compile is inserted verbatim (|safe
# disables escaping), so chain names and rule text must be validated where
# the chain objects are built, not in this template
{% for chain in nat %}
{{ chain.compile|safe }}
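{% endfor %}
COMMIT
{% endif %}

*filter
# default-deny on all three built-in chains: anything not explicitly
# accepted below ends in the LOG_DROP catch-all rules at the end of the file
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# initialize logging
# LOG_DROP: log, then drop.  Callers reach it with -g (goto), so a packet
# never returns to the calling chain.
-N LOG_DROP
# Windows SMB/NetBIOS scan noise is dropped without a log line to keep it
# out of the log
-A LOG_DROP -p tcp --dport 445 -j DROP
-A LOG_DROP -p udp --dport 137 -j DROP
# -m limit bounds the log volume so a flood of rejected packets cannot fill
# the kernel log.  LOG is non-terminating: packets over the limit skip the
# log line and still hit the DROP below, so filtering is unchanged.  The
# rate/burst values are a constructed starting point; tune per deployment.
# The prefix has no trailing space: the kernel appends "IN=" directly after
# it.  Keep the string as is if log parsers match it exactly.
-A LOG_DROP -m limit --limit 5/sec --limit-burst 20 -j LOG --log-level 7 --log-prefix "[ipt][drop]"
-A LOG_DROP -j DROP
# LOG_ACC: log, then accept.  Same rate limit; over-limit packets go
# straight to ACCEPT.
-N LOG_ACC
-A LOG_ACC -m limit --limit 5/sec --limit-burst 20 -j LOG --log-level 7 --log-prefix "[ipt][isok]"
-A LOG_ACC -j ACCEPT

# initialize FORWARD chain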
{% if proto == "ipv4" %}
# IPv4 only: the "blacklist" ipset has no IPv6 counterpart in this template,
# so forwarded IPv6 traffic gets no blacklist check.  The set has to exist
# before iptables-restore loads this file, or the restore fails.
-A FORWARD -m set --match-set blacklist src,dst -j DROP
{% endif %}
# conntrack-INVALID packets are logged and dropped; packets belonging to an
# established or related flow are accepted before any further rule
-A FORWARD -m state --state INVALID -g LOG_DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% if proto == "ipv4" %}
# IPv4: only echo-request is accepted (and logged); any other ICMP type that
# is not part of an established flow ends in the LOG_DROP catch-all
-A FORWARD -p icmp --icmp-type echo-request -g LOG_ACC
{% else %}
# IPv6: accepts (and logs) every ICMPv6 type, not just echo-request, so this
# branch is much broader than the IPv4 one.  NOTE(review): IPv6 needs
# several ICMPv6 types to function (neighbor discovery, packet-too-big), but
# an explicit --icmpv6-type allow-list would be the tighter equivalent;
# confirm which types the forwarded traffic actually requires before
# narrowing.
-A FORWARD -p icmpv6 -g LOG_ACC
{% endif %}

# initialize INPUT chain
{% if proto == "ipv4" %}
# IPv4 only, and matches the source address only (the FORWARD rule checks
# src,dst).  As in FORWARD, IPv6 input gets no blacklist check.
-A INPUT -m set --match-set blacklist src -j DROP
{% endif %}
# INVALID is checked before loopback, so malformed packets on lo are logged
# and dropped too; everything else on lo is accepted unconditionally
-A INPUT -m state --state INVALID -g LOG_DROP
-A INPUT -i lo -j ACCEPT
# replies to connections the host opened are accepted before any
# per-service rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# same ICMP handling as FORWARD: IPv4 accepts echo-request only, IPv6
# accepts every ICMPv6 type (see the FORWARD rule for the caveat)
{% if proto == "ipv4" %}
-A INPUT -p icmp --icmp-type echo-request -g LOG_ACC
{% else %}
-A INPUT -p icmpv6 -g LOG_ACC
{% endif %}

# initialize OUTPUT chain
# OUTPUT policy is DROP, so the host can open new connections only if a rule
# rendered from `filter` below accepts them (what chain.compile emits is not
# visible in this template).  No outbound ICMP is accepted here either.
-A OUTPUT -m state --state INVALID -g LOG_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# rendered filter chains.  User chains are declared with -N first; built-in
# chains are never re-declared.  chain.compile / chain.compile_v6 output is
# inserted verbatim (|safe disables escaping), so chain names and rule text
# must be validated where the chain objects are built, not in this template.
{% for chain in filter %}
{% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %}
{% if proto == "ipv4" %}
{{ chain.compile|safe }}
{% else %}
{{ chain.compile_v6|safe }}
{% endif %}
{% endfor %}

# close all chains
# catch-all: anything not accepted above is logged and dropped.  The chain
# policies are DROP as well, so these rules mainly add the log line.
-A FORWARD -g LOG_DROP
-A INPUT -g LOG_DROP
-A OUTPUT -g LOG_DROP
COMMIT