Demande #908 » openvpn_firewall.patch
| init.d/firewall.sh | ||
|---|---|---|
|
IF_EXT_INTER=bond0
|
||
|
IF_EXT_BCAST="192.168.25.255"
|
||
|
IF_VPN=10.0.1.1
|
||
|
IF_VPN=10.0.1.1.1
|
||
|
IF_VPN_INTER=bond0:1
|
||
|
NET_VPN=10.0.0.0/24
|
||
|
|
||
|
IF_INT=192.168.1.254
|
||
|
IF_INT_INTER=dummy0
|
||
| ... | ... | |
|
# Monitoring munin
|
||
|
${IPT} -A ext-if -p tcp --dport 4949 -j ACCEPT
|
||
|
# OpenVPN
|
||
|
${IPT} -A if-ext -p udp --dport 1194 -j ACCEPT
|
||
|
#
|
||
|
# localhost -> EXT
|
||
|
#
|
||
|
|
||
|
# Le firewall peut faire des traceroute UDP vers Internet
|
||
|
${IPT} -A if-ext -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
|
||
|
|
||
| ... | ... | |
|
|
||
|
# Le firewall peut tout faire vers l'exterieur
|
||
|
${IPT} -A if-ext -j ACCEPT # @@ pour l'instant
|
||
|
|
||
|
${IPT} -A if-ext -j LOG --log-level info --log-prefix "FW-pavot IFBAD DFLT DROP "
|
||
|
${IPT} -A if-ext -j DROP
|
||
|
|
||
| ... | ... | |
|
$IPT -D INPUT 2
|
||
|
$IPT -D OUTPUT 2
|
||
|
$IPT -D FORWARD 1
|
||
|
# OpenVPN
|
||
|
${IPT} -I INPUT -p udp --dport 1194 -j ACCEPT
|
||
|
${IPT} -I OUTPUT -s $NET_VPN -d $NET_VPN -p icmp -j ACCEPT
|
||
|
${IPT} -I INPUT -s $NET_VPN -d $NET_VPN -p icmp -j ACCEPT
|
||
|
${IPT} -I INPUT -s $NET_VPN -d $NET_VPN -p tcp --dport 22 -j ACCEPT
|
||
|
${IPT} -I OUTPUT -s $NET_VPN -d $NET_VPN -p tcp --dport 22 -j ACCEPT
|
||
|
}
|
||
|
|
||
|
#
|
||