mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-26 19:00:34 +02:00
Firewall: better loopback badtcp skipping.
This commit is contained in:
Arne Fitzenreiter
0
src/initscripts/init.d/fireinfo
Executable file → Normal file
0
src/initscripts/init.d/fireinfo
Executable file → Normal file
@@ -53,6 +53,9 @@ iptables_init() {
|
||||
# Chain to contain all the rules relating to bad TCP flags
|
||||
/sbin/iptables -N BADTCP
|
||||
|
||||
#Don't check loopback
|
||||
/sbin/iptables -A INPUT -i lo -j RETURN
|
||||
|
||||
# Disallow packets frequently used by port-scanners
|
||||
# nmap xmas
|
||||
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
|
||||
@@ -188,7 +191,7 @@ case "$1" in
|
||||
/sbin/iptables -A FORWARD -j OUTGOINGFW
|
||||
|
||||
# localhost and ethernet.
|
||||
/sbin/iptables -I INPUT 1 -i lo -m state --state NEW -j ACCEPT
|
||||
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
|
||||
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
|
||||
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
|
||||
/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
|
||||
|
||||
Reference in New Issue
Block a user