1
------------------------- EXAMPLE(!) Configuration file -----------------------
2
# -= Arno's iptables firewall =-
3
# Single- & multi-homed firewall script with DSL/ADSL support
5
# (C) Copyright 2001-2006 by Arno van Amersfoort
6
# Homepage : http://rocky.eld.leidenuniv.nl/
7
# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
8
# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
9
# (note: you must remove all spaces and substitute the @ and the .
10
# at the proper locations!)
11
# -----------------------------------------------------------------------------
12
# This program is free software; you can redistribute it and/or modify it under
13
# the terms of the GNU General Public License as published by the Free Software
14
# Foundation; either version 2 of the License, or (at your option) any later
17
# This program is distributed in the hope that it will be useful, but WITHOUT
18
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
22
# You should have received a copy of the GNU General Public License along with
23
# this program; if not, write to the Free Software Foundation Inc., 59 Temple
24
# Place - Suite 330, Boston, MA 02111-1307, USA.
25
# -----------------------------------------------------------------------------
28
# Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
29
# to manually locate it).
30
# -----------------------------------------------------------------------------
31
# Path of the iptables binary. Keep this an absolute path so the binary is not
# looked up via $PATH when the firewall script runs.
IPTABLES=/sbin/iptables
33
###############################################################################
34
# External (internet) interface settings #
35
###############################################################################
37
# The external interface(s) that will be protected (and used as internet
38
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
39
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
41
# -----------------------------------------------------------------------------
44
# Enable if THIS machine (dynamically) obtains its IP through DHCP (from your
46
# -----------------------------------------------------------------------------
49
# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should
50
# only use this if you for example have a corporate network and/or running a
51
# DHCP server on your external(!) interface. Home users should normally NOT
52
# touch this setting. Multiple subnets should be space separated.
53
# Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
54
# -----------------------------------------------------------------------------
57
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
58
# on your external subnet. You only need to set this option if you want to use
59
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
60
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
61
# this empty should work fine. Multiple addresses (if you have more than one
62
# external interface) should be space separated.
63
# -----------------------------------------------------------------------------
64
# Empty by default: the standard broadcast addresses are assumed (see above).
EXT_NET_BCAST_ADDRESS=
66
# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on
67
# the external(!) interface. Note that you don't need this for internal
68
# subnets, as for these nets everything is accepted by default. Don't forget to
69
# configure the EXTERNAL_NET variable, to make this work.
70
# -----------------------------------------------------------------------------
71
# 0 = this machine does NOT serve DHCP/BOOTP on the external interface (default).
EXTERNAL_DHCP_SERVER="0"
74
###############################################################################
75
# (ADSL) Modem settings #
77
# The MODEM_xxx options should (only) be used when you have an ((A)DSL) #
78
# modem which works with a ppp-connection between the modem and the #
79
# host the modem is connected to. #
81
# You can check whether this applies for your (hardware) setup with #
82
# 'ifconfig' (a 'ppp' device is shown). #
83
# This means that if your modem is bridging (or is a NAT router) or the #
84
# network interface the modem is connected to doesn't have an IP, you #
85
# should leave the MODEM_xxx options disabled (=default)! #
86
###############################################################################
88
# The physical(!) network interface your ADSL modem is connected to (this is
90
# -----------------------------------------------------------------------------
93
# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is
94
# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig').
95
# -----------------------------------------------------------------------------
96
#MODEM_IF_IP="10.0.0.150"
98
# (optional) The IP of your (A)DSL modem itself.
99
# -----------------------------------------------------------------------------
100
#MODEM_IP="10.0.0.138"
102
# (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should
103
# have access to the (A)DSL modem itself (manage modem settings, if supported
104
# by your modem!). The default setting ("$INTERNAL_NET") allows access from
105
# everybody on your LAN. Consider narrowing this to the host(s) that actually need to manage the modem.
106
# -----------------------------------------------------------------------------
107
# NOTE(review): the default "$INTERNAL_NET" lets every LAN host reach the modem's
# management interface; restrict this to the admin host(s) where possible.
MODEM_INTERNAL_NET="$INTERNAL_NET"
110
###############################################################################
111
# Internal (LAN) interface settings #
112
###############################################################################
114
# Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
115
# should be space separated. Comment this out if you don't have any internal network
116
# interfaces. Note that by default ALL traffic is accepted from these
118
# -----------------------------------------------------------------------------
121
# Specify here the internal subnet which is connected to the internal interface
122
# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets
123
# here or specify one big subnet for all internal interfaces. Note that this
124
# variable is mainly used for antispoofing.
125
# -----------------------------------------------------------------------------
126
# Internal (LAN) subnet(s) in CIDR notation; space separated when more than one.
INTERNAL_NET='192.168.0.0/24'
128
# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts
129
# on your internal subnet. You only need to set this option if you want to use
130
# the MAC filter AND you use a non-standard broadcast address
131
# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
132
# this empty should work fine. Multiple addresses (if you have multiple
133
# internal nets) should be space separated.
134
# -----------------------------------------------------------------------------
135
# Empty by default: the standard broadcast addresses are assumed (see above).
INT_NET_BCAST_ADDRESS=
137
# Uncomment & specify here the location of the file that contains the MAC
138
# addresses of INTERNAL hosts that are allowed. The MAC addresses should be
139
# written like 00:11:22:33:44:55. Note that MAC addresses can be spoofed by anyone on the LAN segment, so treat this as a convenience filter, not as authentication.
140
# Note that the last line of this
141
# file should always be terminated by a newline (press enter after the last address)!
142
# -----------------------------------------------------------------------------
143
#MAC_ADDRESS_FILE=/etc/arno-iptables-firewall/mac-addresses
146
###############################################################################
147
# DMZ (aka DeMilitarized Zone) settings #
148
###############################################################################
150
# Put in the following variable the network interfaces that are DMZ-classified.
151
# You can also use this interface if you want to shield your Wireless network
153
# -----------------------------------------------------------------------------
156
# Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
157
# For multiple interfaces(!) you can either specify multiple subnets here or
158
# specify one big subnet for all DMZ interfaces.
159
# -----------------------------------------------------------------------------
163
###############################################################################
164
# NAT (Masquerade, SNAT, DNAT) settings #
165
###############################################################################
167
# Enable this if you want to perform NAT (masquerading) for your internal
168
# network (LAN) (eg. share your internet connection with your internal
169
# net(s) connected to eg. INT_IF).
170
# -----------------------------------------------------------------------------
173
# (EXPERT SETTING!). In case you would like to use SNAT instead of
174
# MASQUERADING then uncomment and set the IP or IP's here of your static
175
# external address(es). Note that when multiple IP's are specified, SNAT
176
# multiroute is enabled (load balancing over multiple external (internet)
177
# interfaces, check the README file for more info). Note that the order of IP's
178
# should match the order of interfaces (they belong to) in $EXT_IF!
179
# -----------------------------------------------------------------------------
180
#NAT_STATIC_IP="193.2.1.1"
182
# (EXPERT SETTING!). Use this variable only if you want specific subnets or
183
# hosts to be able to access the internet. When no value is specified, your
184
# whole internal net will have access. In both cases it's obviously only
185
# meaningful when NAT is enabled. Note that you can also use this variable if
186
# you want to use NAT for your DMZ.
187
# -----------------------------------------------------------------------------
188
# Default: the whole internal net (as defined above) may use NAT.
NAT_INTERNAL_NET="${INTERNAL_NET}"
190
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
191
# an internal client through (D)NAT. Note that you can also use these
192
# variables to forward ports to DMZ hosts.
195
# "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \
196
# {SRCIP3,...:}PORT3,...>DESTIP2{:port}"
199
# "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \
200
# {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"
202
# TCP/UDP port forward examples:
203
# Simple (forward port 80 to internal host 192.168.0.10):
204
# NAT_xxx_FORWARD="80>192.168.0.10"
205
# Advanced (forward port 20 & 21 to 192.168.0.10 and
206
# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
207
# NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
209
# IP protocol forward example:
210
# (forward protocols 47 & 48 to 192.168.0.10)
211
# NAT_IP_FORWARD="47,48>192.168.0.10"
213
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a
214
# different port on the internal client.
215
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source
216
# (inet) IP addresses.
217
# -----------------------------------------------------------------------------
218
# NOTE(review): these are EXAMPLE forwards (this whole file is an example
# configuration). Each entry exposes an internal host to the internet, so
# replace or empty this before deploying. The second entry is restricted to
# source IP 1.2.3.4 by the optional {SRCIP:} prefix described above.
NAT_TCP_FORWARD="81>192.168.0.10 1.2.3.4:80>192.168.0.11:9999"
225
###############################################################################
227
###############################################################################
229
# Most people don't want to get any firewall logs being spit to the console.
230
# This option makes the kernel ring buffer only log messages with level
232
# -----------------------------------------------------------------------------
235
# Enable this if you want TOS mangling (RFC) (recommended).
236
# -----------------------------------------------------------------------------
239
# Enable this if you want to set the maximum packet size via the
240
# Maximum Segment Size(through MSS field) (recommended).
241
# -----------------------------------------------------------------------------
244
# Enable this if you want to increase the TTL value by one in the prerouting
245
# chain. This hides the firewall when performing eg. traceroutes to internal
247
# -----------------------------------------------------------------------------
250
# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
251
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
252
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
253
# support. Don't mess with this unless you really know what you are doing!
254
# -----------------------------------------------------------------------------
257
# Enable this to resolve names of DNS IP's etc.
258
# -----------------------------------------------------------------------------
261
# Enable this to support the IRC-protocol.
262
# -----------------------------------------------------------------------------
265
# (EXPERT SETTING!). Loosen the forward chain for the external interface(s).
266
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
268
# -----------------------------------------------------------------------------
271
# (EXPERT SETTING!). Enable this if you want to drop packets originating from a
273
# -----------------------------------------------------------------------------
274
# NOTE(review): disabled (0) here. The description above is truncated in this
# copy; if this drops packets with private source addresses arriving on the
# external interface, enabling it is a cheap anti-spoofing measure, but it will
# break setups where the external side legitimately uses private ranges (eg.
# behind a NAT router). Confirm against the firewall script before changing.
DROP_PRIVATE_ADDRESSES=0
276
# (EXPERT SETTING!). Protect this machine from being abused for a DRDOS-attack
277
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
278
# -----------------------------------------------------------------------------
281
# Enable this if you want to allow/enable IPv6 traffic. Note that my firewall
282
# does NOT filter IPv6 traffic (yet), and thus NO checking is performed on it! Only enable this if IPv6 is filtered elsewhere (eg. ip6tables) or you accept that every IPv6-reachable service on this host is fully exposed.
283
# -----------------------------------------------------------------------------
286
# This option fixes problems with SMB broadcasts when using nmblookup
287
# -----------------------------------------------------------------------------
290
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP
291
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
292
# separated). Be warned that anything TO and FROM these interfaces is allowed
293
# (ACCEPTED) so make sure it's NOT routable (accessible) from the outside world
295
# -----------------------------------------------------------------------------
298
# (EXPERT SETTING!). Put here the (internal) interfaces that should trust
299
# (accept forward traffic) each other.
300
# -----------------------------------------------------------------------------
303
# Location of the custom iptables rules file (if any).
304
# -----------------------------------------------------------------------------
305
# NOTE(review): whatever reads this file must have the privileges to call
# iptables, so anyone who can edit it can change the ruleset. Keep it owned by
# root and not group/world-writable. (How the file is consumed is not shown
# here; confirm against the firewall script.)
CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules
308
###############################################################################
309
# Logging options - All logging is rate limited to prevent log flooding #
310
###############################################################################
312
# Enable logging for explicitly blocked hosts.
313
# -----------------------------------------------------------------------------
316
# Enable logging for various stealth scans (reliable).
317
# -----------------------------------------------------------------------------
320
# Enable logging for possible stealth scans (less reliable).
321
# -----------------------------------------------------------------------------
324
# Enable logging for TCP-packets with bad flags.
325
# -----------------------------------------------------------------------------
328
# Enable logging of invalid packets. Keep disabled (0) by default to reduce
329
# INVALID packets being logged because of lost (legitimate) connections. When
330
# debugging any problems, you should enable it (temporarily)!
331
# -----------------------------------------------------------------------------
334
# Enable logging of source IP's with reserved addresses.
335
# -----------------------------------------------------------------------------
338
# Enable logging of fragmented packets.
339
# -----------------------------------------------------------------------------
342
# Enable logging of denied local (OUTPUT) connections.
343
# -----------------------------------------------------------------------------
346
# Enable logging of denied LAN output (FORWARD) connections.
347
# -----------------------------------------------------------------------------
348
# 1 = log denied LAN output (FORWARD) connections.
LAN_OUTPUT_DENY_LOG="1"
350
# Enable logging of denied LAN INPUT connections.
351
# -----------------------------------------------------------------------------
354
# Enable logging of denied DMZ output (FORWARD) connections.
355
# -----------------------------------------------------------------------------
356
# 1 = log denied DMZ output (FORWARD) connections.
DMZ_OUTPUT_DENY_LOG="1"
358
# Enable logging of denied DMZ input (FORWARD) connections.
359
# -----------------------------------------------------------------------------
362
# Enable logging of dropped ICMP-request packets (ping).
363
# -----------------------------------------------------------------------------
366
# Enable logging of dropped "other" ICMP packets.
367
# -----------------------------------------------------------------------------
370
# Enable logging of normal connection attempts to privileged TCP ports.
371
# -----------------------------------------------------------------------------
374
# Enable logging of normal connection attempts to privileged UDP ports.
375
# -----------------------------------------------------------------------------
378
# Enable logging of normal connection attempts to unprivileged TCP ports.
379
# -----------------------------------------------------------------------------
382
# Enable logging of normal connection attempts to unprivileged UDP ports.
383
# -----------------------------------------------------------------------------
386
# Enable logging of normal connection attempts to "other-IP"-protocols (non
388
# -----------------------------------------------------------------------------
391
# Enable logging for ICMP flooding.
392
# -----------------------------------------------------------------------------
395
# Enable logging for not-allowed MAC addresses (if used).
396
# -----------------------------------------------------------------------------
399
# (EXPERT SETTING!). The location of the dedicated firewall log file. When
400
# enabled the firewall script will also log start/stop etc. info to this file
401
# as well. Note that in order to make this work, you should also configure
402
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
404
# -----------------------------------------------------------------------------
405
#FIREWALL_LOG=/var/log/firewall
407
# (EXPERT SETTING!). Current log-level ("info": default kernel syslog level)
408
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
409
# syslogd accordingly (see included syslogd.conf examples).
410
# -----------------------------------------------------------------------------
413
# Put in the following variables which hosts you want to log certain incoming
414
# connection attempts for.
415
# TCP/UDP port format (LOG_HOST_xxx_INPUT):
416
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
418
# IP protocol format (LOG_HOST_IP_INPUT):
419
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
420
# -----------------------------------------------------------------------------
421
# Empty = no per-host TCP input logging.
LOG_HOST_TCP_INPUT=
422
# Empty = no per-host UDP input logging.
LOG_HOST_UDP_INPUT=
425
# Put in the following variables which hosts you want to log certain outgoing
426
# connection attempts for.
427
# TCP/UDP port format (LOG_HOST_xxx_OUTPUT):
428
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
430
# IP protocol format (LOG_HOST_IP_OUTPUT):
431
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
432
# -----------------------------------------------------------------------------
433
# Empty = no per-host TCP output logging.
LOG_HOST_TCP_OUTPUT=
434
# Empty = no per-host UDP output logging.
LOG_HOST_UDP_OUTPUT=
435
# Empty = no per-host IP-protocol output logging.
LOG_HOST_IP_OUTPUT=
437
# Put in the following variables which services you want to log incoming
438
# connection attempts for.
439
# -----------------------------------------------------------------------------
444
# Put in the following variables which services you want to log outgoing
445
# connection attempts for.
446
# -----------------------------------------------------------------------------
451
# Put in the following variable which hosts you want to log incoming connection
453
# -----------------------------------------------------------------------------
456
# Put in the following variable which hosts you want to log outgoing connection
458
# -----------------------------------------------------------------------------
462
###############################################################################
463
# /proc based settings (EXPERT SETTINGS!) #
464
###############################################################################
466
# Enable for synflood protection (through /proc/.../tcp_syncookies).
467
# -----------------------------------------------------------------------------
470
# Enable this to reduce the ability of others to DoS your machine.
471
# -----------------------------------------------------------------------------
474
# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
475
# -----------------------------------------------------------------------------
478
# Enable to log packets with impossible addresses to the kernel log.
479
# -----------------------------------------------------------------------------
482
# Disable this only if this machine does NOT need to forward packets at all (forwarding is required for NAT, LAN->INET and DMZ traffic); when that is the case, disabling it gives
483
# increased security.
484
# -----------------------------------------------------------------------------
487
# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
489
# -----------------------------------------------------------------------------
492
# Enable/modify this if you want to be able to handle a larger (or smaller)
493
# number of simultaneous connections. For high traffic machines I recommend to
494
# use a value of at least 16384 (note that a higher value (obviously) also uses
496
# -----------------------------------------------------------------------------
499
# You may need to enable this to get some internet games to work, but note that
500
# it's *less* secure.
501
# -----------------------------------------------------------------------------
504
# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
505
# as some routers are still not compatible with this.
506
# -----------------------------------------------------------------------------
509
# Enable to drop connections from non-routable IP's, eg. prevent source
510
# routing. By default the firewall itself also provides rules against source
511
# routing. Note that when you use eg. VPN (Freeswan), you should probably
512
# disable this setting.
513
# -----------------------------------------------------------------------------
516
# Protect against source routed packets. Attackers can use source routing to
517
# generate traffic pretending to be from inside your network, but which is
518
# routed back along the path from which it came, namely outside, so attackers
519
# can compromise your network. Source routing is rarely used for legitimate
520
# purposes, so normally you should always leave this enabled(1)!
521
# -----------------------------------------------------------------------------
522
# 1 = reject source-routed packets (recommended; see the rationale above).
SOURCE_ROUTE_PROTECTION="1"
524
# Here we set the local port range (ports from which connections are
525
# initiated from our site). Don't mess with this unless you really know what
527
# -----------------------------------------------------------------------------
528
# Format: "<low> <high>", two space-separated port numbers. 32768-61000 is the
# classic Linux default ephemeral range; nothing below 1024 belongs here.
LOCAL_PORT_RANGE="32768 61000"
530
# Here you can change the default TTL used for sending packets. The value
531
# should be between 10 and 255. Don't mess with this unless you really know
532
# what you are doing!
533
# -----------------------------------------------------------------------------
536
# In most cases pmtu discovery is ok, but in some rare cases (when having
537
# problems) you might want to disable it.
538
# -----------------------------------------------------------------------------
542
###############################################################################
543
# (Transparent) proxy settings (EXPERT SETTINGS!) #
544
###############################################################################
545
#HTTP_PROXY_PORT="3128"
552
###############################################################################
553
# Firewall policies for the LAN (EXPERT SETTINGS!) #
554
###############################################################################
556
###############################################################################
557
# LAN_xxx = LAN->localhost(this machine) input access rules #
559
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
560
# default policy for this chain is accept (unless denied through #
561
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
562
###############################################################################
564
# Enable this to allow for ICMP-requests(ping) from your LAN
565
# -----------------------------------------------------------------------------
568
# Put in the following variables the TCP/UDP ports or IP protocols TO
569
# (remote end-point) which the LAN hosts are permitted to connect to.
570
# -----------------------------------------------------------------------------
575
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
576
# end-point) which LAN hosts are NOT permitted to connect to.
577
# -----------------------------------------------------------------------------
582
# Put in the following variables the TCP/UDP ports or IP
583
# protocols TO (remote end-point) which certain LAN hosts are
584
# permitted to connect to.
586
# TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):
587
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
589
# IP protocol format (LAN_INPUT_HOST_OPEN_xxx):
590
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
591
# -----------------------------------------------------------------------------
596
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
597
# end-point) which certain LAN hosts are NOT permitted to connect to.
599
# TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):
600
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
602
# IP protocol format (LAN_INPUT_HOST_DENY_xxx):
603
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
604
# -----------------------------------------------------------------------------
610
###############################################################################
611
# LAN_INET_xxx = LAN->internet access rules (forward) #
613
# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
614
# used, the default policy for this chain is accept (unless denied #
615
# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
616
###############################################################################
618
# Enable this to allow for ICMP-requests(ping) for LAN->INET
619
# -----------------------------------------------------------------------------
622
# Put in the following variables the TCP/UDP ports or IP
623
# protocols TO (remote end-point) which the LAN hosts are
624
# permitted to connect to via the external (internet) interface.
625
# -----------------------------------------------------------------------------
630
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
631
# end-point) which the LAN hosts are NOT permitted to connect to
632
# via the external (internet) interface. Examples of usage are for blocking
633
# IRC (TCP 6666:6669) for the internal network.
634
# -----------------------------------------------------------------------------
639
# Put in the following variables which LAN hosts you want to allow to certain
640
# hosts/services on the internet. By default all services are allowed.
643
# "SRCIP1,SRCIP2,...>DESTIP1:port \
644
# SRCIP3,...>DESTIP2:port"
647
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
648
# SRCIP3,...>DESTIP2:protocol"
652
# (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
653
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4:80"
655
# (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
656
# allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
657
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 192.168.0.10>1.2.3.4:80"
659
# IP protocol example:
660
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
661
# LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
663
# NOTE 1: If no SRCIPx is specified, any source host is used
664
# NOTE 2: If no DESTIPx is specified, any destination host is used
665
# NOTE 3: If no port is specified, any port is used
666
# -----------------------------------------------------------------------------
667
# Empty = no per-host LAN->INET TCP allow rules (default policy applies).
LAN_INET_HOST_OPEN_TCP=
668
# Empty = no per-host LAN->INET UDP allow rules (default policy applies).
LAN_INET_HOST_OPEN_UDP=
669
# Empty = no per-host LAN->INET IP-protocol allow rules (default policy applies).
LAN_INET_HOST_OPEN_IP=
671
# Put in the following variables which LAN hosts you want to deny to certain
672
# hosts/services on the internet.
675
# "SRCIP1,SRCIP2,...>DESTIP1:port \
676
# SRCIP3,...>DESTIP2:port"
679
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
680
# SRCIP3,...>DESTIP2:protocol"
683
# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
684
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4:80"
685
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
686
# deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
687
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4:20,21 192.168.0.10>1.2.3.4:80"
689
# IP protocol example:
690
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
691
# LAN_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"
693
# NOTE 1: If no SRCIPx is specified, any source host is used
694
# NOTE 2: If no DESTIPx is specified, any destination host is used
695
# NOTE 3: If no port is specified, any port is used
696
# -----------------------------------------------------------------------------
697
# Empty = no per-host LAN->INET TCP deny rules.
LAN_INET_HOST_DENY_TCP=
698
# Empty = no per-host LAN->INET UDP deny rules.
LAN_INET_HOST_DENY_UDP=
699
# Empty = no per-host LAN->INET IP-protocol deny rules.
LAN_INET_HOST_DENY_IP=
702
###############################################################################
703
# Firewall policies for the DMZ (EXPERT SETTINGS!) #
704
###############################################################################
706
###############################################################################
707
# DMZ_xxx = DMZ->localhost(this machine) input access rules #
708
###############################################################################
710
# Enable this to allow ICMP-requests(ping) from the DMZ
711
# -----------------------------------------------------------------------------
714
# Put in the following variables which DMZ hosts are permitted to connect to
715
# certain TCP/UDP ports, IP protocols or ICMP. By default all (local)
716
# services are blocked for DMZ hosts.
717
# -----------------------------------------------------------------------------
722
# Put in the following variables which DMZ hosts you want to allow for certain
723
# services. By default all (local) services are blocked for DMZ hosts.
724
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
725
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
727
# IP protocol format (DMZ_HOST_OPEN_IP):
728
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
729
# -----------------------------------------------------------------------------
735
###############################################################################
736
# INET_DMZ_xxx = Internet->DMZ access rules (forward) #
738
# Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT #
739
# used, the default policy for this chain is accept (unless denied #
740
# through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)! In other #
# words: with no OPEN rules at all, every service on every DMZ host is #
# reachable from the internet, so define INET_DMZ_(HOST_)OPEN_xxx #
# explicitly for a production DMZ. #
741
###############################################################################
743
# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
744
# -----------------------------------------------------------------------------
747
# Put in the following variables which INET hosts are permitted to connect to
# certain TCP/UDP ports or IP protocols in the DMZ.
749
# -----------------------------------------------------------------------------
754
# Put in the following variables which INET hosts are NOT permitted to connect
# to certain TCP/UDP ports or IP protocols in the DMZ.
756
# -----------------------------------------------------------------------------
761
# Put in the following variables which INET hosts you want to allow to certain
762
# hosts/services on the DMZ net. By default all services are allowed.
765
# "SRCIP1,SRCIP2,...>DESTIP1:port \
766
# SRCIP3,...>DESTIP2:port"
769
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
770
# SRCIP3,...>DESTIP2:protocol"
773
# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
774
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:80"
775
# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
776
# allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
777
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
779
# IP protocol example:
# (Allow IP protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
783
# NOTE 1: If no SRCIPx is specified, any source host is used
784
# NOTE 2: If no DESTIPx is specified, any destination host is used
785
# NOTE 3: If no port is specified, any port is used
786
# -----------------------------------------------------------------------------
787
# Host-specific INET->DMZ allow entries in the "SRC>DST:port" / "SRC>DST:proto"
# format described above. Empty here; when no OPEN variable at all is set the
# chain falls back to the accept-by-default behaviour noted in the header.
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""
791
# Put in the following variables which INET hosts you want to deny to certain
792
# hosts/services on the DMZ net.
795
# "SRCIP1,SRCIP2,...>DESTIP1:port \
796
# SRCIP3,...>DESTIP2:port"
799
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
800
# SRCIP3,...>DESTIP2:protocol"
803
# Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
804
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:80"
805
# Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
806
# deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
807
# INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
809
# IP protocol example:
810
# (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
811
# INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4:47,48"
813
# NOTE 1: If no SRCIPx is specified, any source host is used
814
# NOTE 2: If no DESTIPx is specified, any destination host is used
815
# NOTE 3: If no port is specified, any port is used
816
# -----------------------------------------------------------------------------
817
# Host-specific INET->DMZ deny entries ("SRC>DST:port" / "SRC>DST:proto").
# Useful for carving exceptions out of the accept-by-default chain; empty here.
INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""
822
###############################################################################
# DMZ_INET_xxx = DMZ->internet access rules (forward)                         #
#                                                                             #
# WARNING: when neither DMZ_INET_OPEN_xxx nor DMZ_INET_HOST_OPEN_xxx is set,  #
# the default policy of this chain is ACCEPT: DMZ hosts may reach any         #
# internet host/port unless explicitly denied through DMZ_INET_DENY_xxx       #
# and/or DMZ_INET_HOST_DENY_xxx. Restricting DMZ egress limits what a         #
# compromised DMZ host can reach, so prefer the OPEN variables below.         #
###############################################################################
830
# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
831
# -----------------------------------------------------------------------------
834
# Put in the following variables the TCP/UDP ports or IP
835
# protocols TO (remote end-point) which the DMZ hosts are
836
# permitted to connect to via the external (internet) interface.
837
# -----------------------------------------------------------------------------
842
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the DMZ hosts are NOT permitted to connect to
# via the external (internet) interface. Example of usage: blocking
# IRC (TCP 6666:6669) for the DMZ hosts.
846
# -----------------------------------------------------------------------------
851
# Put in the following variables which DMZ hosts you want to allow to certain
852
# hosts/services on the internet. By default all services are allowed.
855
# "SRCIP1,SRCIP2,...>DESTIP1:port \
856
# SRCIP3,...>DESTIP2:port"
859
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
860
# SRCIP3,...>DESTIP2:protocol"
863
# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
864
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:80"
865
# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
866
# allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
867
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
869
# IP protocol example:
870
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
871
# DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
873
# NOTE 1: If no SRCIPx is specified, any source host is used
874
# NOTE 2: If no DESTIPx is specified, any destination host is used
875
# NOTE 3: If no port is specified, any port is used
876
# -----------------------------------------------------------------------------
877
# Host-specific DMZ->internet allow entries (DMZ source > internet host:port,
# format described above). Empty: no per-host egress allow-list defined here.
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""
881
# Put in the following variables which DMZ hosts you want to deny to certain
882
# hosts/services on the internet.
885
# "SRCIP1,SRCIP2,...>DESTIP1:port \
886
# SRCIP3,...>DESTIP2:port"
889
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
890
# SRCIP3,...>DESTIP2:protocol"
893
# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
894
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:80"
895
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
896
# deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
897
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
899
# IP protocol example:
900
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
901
# DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"
903
# NOTE 1: If no SRCIPx is specified, any source host is used
904
# NOTE 2: If no DESTIPx is specified, any destination host is used
905
# NOTE 3: If no port is specified, any port is used
906
# -----------------------------------------------------------------------------
907
# Host-specific DMZ->internet deny entries (DMZ source > internet host:port,
# format described above). Empty here.
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""
912
###############################################################################
913
# DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
914
###############################################################################
916
# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
917
# -----------------------------------------------------------------------------
920
# Put in the following variables which DMZ hosts you want to allow to certain
921
# hosts/services on the LAN (net).
924
# "SRCIP1,SRCIP2,...>DESTIP1:port \
925
# SRCIP3,...>DESTIP2:port"
928
# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
929
# SRCIP3,...>DESTIP2:protocol"
932
# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
933
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:80"
934
# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
# allow port 80 on LAN host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"
939
# IP protocol example:
940
# (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
941
# DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4:47,48"
943
# NOTE 1: If no SRCIPx is specified, any source host is used
944
# NOTE 2: If no DESTIPx is specified, any destination host is used
945
# NOTE 3: If no port is specified, any port is used
946
# -----------------------------------------------------------------------------
947
# Host-specific DMZ->LAN allow entries (DMZ source > LAN host:port, format
# described above). Keep this list tight: every entry is a hole from the
# less-trusted DMZ into the LAN.
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""
952
###############################################################################
953
# Firewall policies for the external (inet) interface (default policy = drop) #
954
###############################################################################
956
# Put in the following variable which hosts (subnets) you want to have FULL
# (all ports/protocols) access via your internet (EXT_IF) connection(!). Keep
# this to specific, trusted addresses; 0/0 here would effectively open the
# external interface to everyone. This is especially meant for
958
# networks/servers which use NIS/NFS, as these protocols require all ports
960
# NOTE: Don't mistake this variable with the one used for internal nets.
961
# -----------------------------------------------------------------------------
964
# Enable this to make the default policy allow for ICMP(ping) for INET access
965
# -----------------------------------------------------------------------------
968
# Put in the following variables which ports or IP protocols you want to leave
# open to the whole world. Keep this list minimal; for services with a known
# set of clients use HOST_OPEN_xxx (below) instead of opening them to 0/0.
970
# -----------------------------------------------------------------------------
975
# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
# everyone (and logged). Also use these variables if you want to log connection
# attempts to these ports from everyone (also trusted/full access hosts).
# In principle you don't need these variables, as everything is already blocked
# (denied) by default; they exist for consistency and for the logging.
980
# -----------------------------------------------------------------------------
984
# Put in the following variables which ports you want to DENY(DROP) for
985
# everyone but NOT logged. This is very useful if you have constant probes on
986
# the same port(s) over and over again (code red worm) and don't want your logs
988
# -----------------------------------------------------------------------------
992
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone (and logged). Note that REJECT answers with an ICMP
# error/TCP reset, which confirms the host is up; DROP is the quieter default.
994
# -----------------------------------------------------------------------------
998
# Put in the following variables the TCP/UDP ports you want to REJECT (instead
999
# of DROP) for everyone but NOT logged.
1000
# -----------------------------------------------------------------------------
1004
# Put in the following variables which hosts you want to allow for certain
1006
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
1007
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1009
# IP protocol format (HOST_OPEN_IP):
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
1012
# ICMP protocol format (HOST_OPEN_ICMP):
1013
# "host1 host2 ...."
1014
# -----------------------------------------------------------------------------
1020
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
# IP protocol format (HOST_DENY_IP):
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
1029
# ICMP protocol format (HOST_DENY_ICMP):
1030
# "host1 host2 ...."
1031
# -----------------------------------------------------------------------------
1037
# Put in the following variables which hosts you want to DENY(DROP) for certain
1038
# services but NOT logged.
1039
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
1040
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1042
# IP protocol format (HOST_DENY_IP_NOLOG):
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
1045
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
1046
# "host1 host2 ...."
1047
# -----------------------------------------------------------------------------
1048
# Per-host DENY(DROP) rules on the external interface that are NOT logged
# (format described above). Since nothing matched here shows up in the logs,
# reserve it for known noise rather than anything you might want to investigate.
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""
1053
# Put in the following variables which hosts you want to REJECT (instead of
1054
# DROP) for certain TCP/UDP ports.
1055
# TCP/UDP port format (HOST_REJECT_xxx):
1056
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1057
# -----------------------------------------------------------------------------
1061
# Put in the following variables which hosts you want to REJECT (instead of
1062
# DROP) for certain services but NOT logged.
1063
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
1064
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1065
# -----------------------------------------------------------------------------
1066
# Per-host REJECT (instead of DROP) rules on the external interface, not logged
# (format described above). Empty here.
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""
1069
# Put in the following variables which services THIS machine is NOT
1070
# permitted to connect TO (remote end-point) via the external (internet)
1071
# interface. For example for blocking IRC (tcp 6666:6669).
1072
# -----------------------------------------------------------------------------
1077
# Put in the following variables to which hosts THIS machine is NOT
1078
# permitted to connect TO for certain services (remote end-point)
1079
# via the external (internet) interface. In principle you can also
1080
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
1081
# to your local subnet.
1082
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
1083
# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
1085
# IP protocol format (HOST_DENY_IP_OUTPUT):
# "host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."
1087
# -----------------------------------------------------------------------------
1088
# Outbound restrictions for THIS machine: remote host > port/protocol pairs it
# may not connect to via the external interface (format described above).
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""
1092
# Put in the following variable which TCP/UDP ports you don't want to
# see broadcasts from (e.g. DHCP, UDP 67/68) on your EXTERNAL interface. Note
# that to make this properly work you also need to set "EXTERNAL_NET"!
1095
# -----------------------------------------------------------------------------
1096
# Broadcast ports on the external interface to keep out of the logs (requires
# EXTERNAL_NET, see above). TCP is connection-oriented and is not broadcast in
# practice, so the UDP variable is the one that matters; the commented DHCP
# example is the usual case.
BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"
1099
# Put in the following variable which hosts you want to block (blackhole,
1100
# dropping every packet from the host).
1101
# -----------------------------------------------------------------------------
1104
# Uncomment & specify here the location of the file that contains a list of
# hosts (IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (e.g. 192.168.1.10-15). Note that the last line of this file
# must be terminated by a newline (press enter after it)! As the contents of
# this file end up as firewall rules, keep it owned by root and not writable
# by other users.
# -----------------------------------------------------------------------------
#BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts