firewall: set OUTPUT Policy to DROP and translate some comments.

firewall

@@ -6,8 +6,9 @@
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Firewall initscript
-# Description:       Script de parefeu avec iptables
+# Description:       Firewall script for iptables
-#   Pour tester ce script avant de l'appliquer, on peut utiliser la commande:
+#   To test the script you can just use 'test' arg:
+# ./firewall test
 # service firewall test
 # Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs
 #      * ...
@@ -17,12 +18,12 @@
 
 # **********************************************************************************************
 #
-# Variables globales
+# Global var
 #
 # -----------------------------------------------------------
-# Emplacement de iptables
+# iptables path
 IPT="/sbin/iptables"
-# Durée en secondes pour le cas de test des règles du pare-feu
+# testing for XX seconds
 TIME=42
 
 #### Colors definition
@@ -37,48 +38,50 @@ fw_init() {
   #############
   ## KERNEL  ##
   #############
-  # active la protection Cookie TCP SYN
+  # Enable Cookie TCP SYN protection
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-  # Active la protection IP Spoofing
+  # Enable IP spoofing protection
-  # Effectue une verification de l'adresse source
+  # Check the ip source
   for SYS in /proc/sys/net/ipv4/conf/*/rp_filter
   do
   echo 1 > ${SYS}
   done
-  # Desactive l'ICMP Redirect
+  # Disable ICMP redirect
   for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects
   do
   echo 0 > ${SYS}
   done
-  # Desactive les paquets Source-Routed
+  # Disable source-route packages
   for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route
   do
   echo 0 > ${SYS}
   done
-  # Active l'ip forwarding
+  # Enable ip forwarding
-  echo 1 > /proc/sys/net/ipv4/ip_forward
+  #echo 1 > /proc/sys/net/ipv4/ip_forward
 
 
   #############
   ## POLICY  ##
   #############
-  ## drop tout le traffic entrant, sortant et forwardé
+
+  # drop all traffic
   $IPT -P INPUT DROP
   $IPT -P FORWARD DROP
-  #$IPT -P OUTPUT DROP
+  $IPT -P OUTPUT DROP
   #$IPT -P INPUT ACCEPT
   #$IPT -P FORWARD ACCEPT
-  $IPT -P OUTPUT ACCEPT
+  #$IPT -P OUTPUT ACCEPT
 
   ############
   ##  BASE  ##
   ############
-  #### Dropper les nouvelles connections qui n'ont pas le flag syn
+
+  # Drop all new connections without a syn flag
   $IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW
 
-  # Interdire les connections locales qui ne viennent pas de locale
+  # Forbid local connections that doesn't come from localhost
   $IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo"
-  # Autoriser loopback
+  # Allow loopback
   $IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in"
   $IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out"
 
@@ -88,8 +91,8 @@ fw_init() {
 
   #### ICMP request (Ping)
   $IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out"
-}
 
+}
 
 fw_start() {
 
@@ -264,7 +267,6 @@ fw_start() {
 
 }
 
-
 # Règles pour de log
 fw_log() {
 
@@ -280,11 +282,11 @@ fw_log() {
   $IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: "
 
   # LOG OUTPUT DROP PAQUET
-  #$IPT -N OUTLOG
+  $IPT -N OUTLOG
-  #$IPT -A OUTPUT -j OUTLOG
+  $IPT -A OUTPUT -j OUTLOG
-  #$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
+  $IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
-  #$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
+  $IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
-  #$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
+  $IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
 
   # LOG FORWARD DROP PAQUET
   $IPT -N FORLOG
@@ -410,4 +412,3 @@ exit 0
 
 # Fin de la boucle principale
 # -----------------------------------------------------------
-