From 5a8b0b54fc366ee365ad160d5dbd26a14c98374f Mon Sep 17 00:00:00 2001
From: Gardouille
Date: Wed, 16 Sep 2015 18:33:37 +0200
Subject: [PATCH] firewall: allow OUTPUT: DNS and MAIL. allow OUTPUT: ssh if an ssh client is available.
---
 firewall | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/firewall b/firewall
index c20efc7..32ba4ec 100755
--- a/firewall
+++ b/firewall
@@ -185,18 +185,21 @@ fw_start() { # # #### ICMP reply (Ping) # #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply" -# -# #### SSH -# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH out" -# -# #### Mail (rapport d'erreur, ...) -# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out" -# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "Imap" -# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "Imaps" -# -# #### DNS (résolution de noms de domaines, ... ...) -# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp" -# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp" + + + if [ $(command -v ssh) ]; then + #### SSH + $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "SSH out" + fi + + #### Mail (rapport d'erreur, ...) + $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out" + $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "IMAP out" + $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "IMAPS out" + + #### DNS (résolution de noms de domaines, ... ...) + $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp" + $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp" if [ $(command -v dhclient) ]; then #### DHCP
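Review bot: The new `if [ $(command -v ssh) ]; then` guard is not a meaningful control on the egress rule it wraps: it only tests whether an ssh binary is installed on the firewall host, and when true it opens tcp/22 out of `${ILAN}` to every destination (no `-d`) for every local process, not just an administrator's ssh session, so a compromised service could use it for exfiltration or lateral movement just as well. Write the test without the unquoted substitution, `if command -v ssh >/dev/null 2>&1; then`, and consider narrowing the rule with `-d` to the hosts actually administered from here (or `-m owner --uid-owner` for the admin account); the same applies to the new SMTP/IMAP/IMAPS rules, which also accept NEW connections to any address. The two DNS rules leave `${ILAN}` unquoted while every other rule in the hunk quotes it, e.g. `$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" --dport 53 -m state --state NEW -m comment --comment "DNS out udp"`. fw_start() begins before this hunk, so whether an ESTABLISHED,RELATED OUTPUT rule accompanies these NEW-state rules cannot be seen here.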