@funollet
Created April 6, 2011 11:54
ferm.conf @ stallman
# ferm.conf @ stallman

# List of IPs from which mail is accepted.
@def $MX_SERVER = (147.83.2.50 147.83.2.51) ;

table filter {
    chain INPUT {
        policy DROP;

        # Connection tracking.
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # Allow local connections.
        interface lo ACCEPT;

        # Allow ping.
        protocol icmp icmp-type echo-request ACCEPT;

        # Services open to everyone.
        protocol tcp dport (ssh http https) ACCEPT;

        # Accept ftp, ftp-data and the port range for passive ftp.
        protocol tcp dport (20 21 50000:60000) ACCEPT;

        # Accept DNS.
        protocol (tcp udp) dport domain ACCEPT;

        # Accept mail from the UPC servers.
        saddr $MX_SERVER protocol tcp dport (smtp ssmtp) ACCEPT;

        # Log denied connections.
        LOG log-prefix "iptables/DROP: " ;
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}
@funollet

funollet commented Apr 6, 2011

$ ferm --noexec --lines ferm.conf

# Generated by ferm 2.0.7 on Wed Apr  6 14:00:02 2011
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport https --jump ACCEPT
-A INPUT --protocol tcp --dport 20 --jump ACCEPT
-A INPUT --protocol tcp --dport 21 --jump ACCEPT
-A INPUT --protocol tcp --dport 50000:60000 --jump ACCEPT
-A INPUT --protocol tcp --dport domain --jump ACCEPT
-A INPUT --protocol udp --dport domain --jump ACCEPT
-A INPUT --source 147.83.2.50 --protocol tcp --dport smtp --jump ACCEPT
-A INPUT --source 147.83.2.50 --protocol tcp --dport ssmtp --jump ACCEPT
-A INPUT --source 147.83.2.51 --protocol tcp --dport smtp --jump ACCEPT
-A INPUT --source 147.83.2.51 --protocol tcp --dport ssmtp --jump ACCEPT
-A INPUT --jump LOG --log-prefix "iptables/DROP: "
COMMIT
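
As an added example (not part of the gist or of ferm itself): a small audit script that parses the iptables-save style dump ferm printed above and reports what a reviewer would want to check before approving it: that INPUT and FORWARD default to DROP, and which ports are ACCEPTed from any source (the passive-ftp range stands out, while the mail ports are correctly limited to $MX_SERVER). The RULES string is a constructed copy of that output.

```python
import shlex
# Constructed sample: copied from the `ferm --noexec --lines` output above.
RULES = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --match state --state INVALID --jump DROP
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
-A INPUT --in-interface lo --jump ACCEPT
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport https --jump ACCEPT
-A INPUT --protocol tcp --dport 20 --jump ACCEPT
-A INPUT --protocol tcp --dport 21 --jump ACCEPT
-A INPUT --protocol tcp --dport 50000:60000 --jump ACCEPT
-A INPUT --protocol tcp --dport domain --jump ACCEPT
-A INPUT --protocol udp --dport domain --jump ACCEPT
-A INPUT --source 147.83.2.50 --protocol tcp --dport smtp --jump ACCEPT
-A INPUT --source 147.83.2.50 --protocol tcp --dport ssmtp --jump ACCEPT
-A INPUT --source 147.83.2.51 --protocol tcp --dport smtp --jump ACCEPT
-A INPUT --source 147.83.2.51 --protocol tcp --dport ssmtp --jump ACCEPT
-A INPUT --jump LOG --log-prefix "iptables/DROP: "
COMMIT
"""

def parse_rules(text):
    """Split an iptables-save style dump into chain policies and a dict per -A rule."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)                  # keeps the quoted --log-prefix intact
            rule = {"chain": toks[1]}
            for i in range(2, len(toks) - 1, 2):      # every option in this dump takes one value
                rule[toks[i].lstrip("-")] = toks[i + 1]
            rules.append(rule)
    return policies, rules

def audit(text):
    """Return (ports open to any source, findings): non-DROP defaults and world-open ranges."""
    policies, rules = parse_rules(text)
    findings = [f"{c} policy is {policies.get(c)}" for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    open_ports = sorted({(r["protocol"], r["dport"]) for r in rules if r["chain"] == "INPUT"
                         and r.get("jump") == "ACCEPT" and "dport" in r and "source" not in r})
    ranges = [f"{p}/{d} open to any source" for p, d in open_ports if ":" in d]
    return open_ports, findings + ranges
```

Running `audit(RULES)` on this dump returns only the passive-ftp range as a finding; any extra ACCEPT without a source, or a chain whose default is not DROP, would show up the same way.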

@alexm

alexm commented Apr 6, 2011

In principle it looks fine to me; as far as I'm concerned, go ahead.
