Commit 5e30be77 authored by Arnaud Fontaine's avatar Arnaud Fontaine Committed by Julien Muchembled

doc: fix fw example: iptables does not have REJECT policy.

/reviewed-on nexedi/re6stnet!4
parent 522ec5a9
#!/bin/sh #!/bin/sh
# #
# Example iptables/ip6tables rules on a desktop computer when re6st is only # Example iptables/ip6tables rules on a desktop computer when re6st is only
# used to build an IPv6 overlay network. REJECT everything by default: # used to build an IPv6 overlay network. REJECT for INPUT and DROP everything
# by default:
# #
# - Incoming traffic (INPUT): only open ports needed for re6st and also allow # - Incoming traffic (INPUT): only open ports needed for re6st and also allow
# packets associated with an existing connection (ESTABLISHED, RELATED). # packets associated with an existing connection (ESTABLISHED, RELATED).
...@@ -19,8 +20,8 @@ ...@@ -19,8 +20,8 @@
GATEWAY_IP=192.168.0.1 GATEWAY_IP=192.168.0.1
## IPv4 ## IPv4
iptables -P INPUT REJECT iptables -P INPUT DROP
iptables -P OUTPUT REJECT iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
...@@ -31,15 +32,18 @@ iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT ...@@ -31,15 +32,18 @@ iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
# UPnP # UPnP
iptables -A INPUT -p udp -m udp --sport 1900 -s $GATEWAY_IP -j ACCEPT iptables -A INPUT -p udp -m udp --sport 1900 -s $GATEWAY_IP -j ACCEPT
# Add custom INPUT rules before
iptables -A INPUT -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# more rules needed if you set up a private IPv4 network # more rules needed if you set up a private IPv4 network
## IPv6 ## IPv6
ip6tables -P INPUT REJECT ip6tables -P INPUT DROP
ip6tables -P FORWARD REJECT ip6tables -P FORWARD DROP
ip6tables -P OUTPUT REJECT ip6tables -P OUTPUT DROP
ip6tables -N RE6ST ip6tables -N RE6ST
ip6tables -A RE6ST -i re6stnet+ -j ACCEPT ip6tables -A RE6ST -i re6stnet+ -j ACCEPT
...@@ -60,6 +64,9 @@ ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min - ...@@ -60,6 +64,9 @@ ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# Add custom INPUT rules before
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -o re6stnet+ -j RE6ST ip6tables -A FORWARD -o re6stnet+ -j RE6ST
# Same as in RE6ST chain. # Same as in RE6ST chain.
ip6tables -A FORWARD -o eth0 -j RE6ST ip6tables -A FORWARD -o eth0 -j RE6ST
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment