• interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
# One interface per zone; the BROADCAST address is auto-detected on each.
# tcpflags / nosmurfs / routefilter apply the usual sanity filters on every
# interface (illegal TCP flag combinations, smurf packets, reverse-path
# filtering of spoofed sources).
# 'logmartians' is only enabled on the net (Internet-facing) interface; loc,
# wifi and tun set it to 0, so spoofed-source packets arriving on the internal
# interfaces are still filtered by routefilter but not logged.
# NOTE(review): 'dhcp' is set on all four interfaces, including the net side
# (eth1) and the tunnel (tun0) — it is only needed where an address is obtained
# or served via DHCP, and it admits DHCP traffic on that interface; confirm.
loc     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
net     eth1            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
wifi    eth2        detect        tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
tun     tun0        detect        tcpflags,dhcp,nosmurfs,routefilter,logmartians=0
  • masq
#INTERFACE      SOURCE          ADDRESS
# Masquerade (SNAT) traffic leaving through the named interface.
# NOTE(review): eth0 is the 'loc' interface in the interfaces file while the
# Internet-facing interface is eth1 — masquerading is normally applied on the
# interface carrying the default route; confirm eth0 is intended here.
# NOTE(review): the SOURCE column reads ',\' and the line ends in a
# continuation backslash with nothing following — this copy looks truncated;
# confirm the intended source network(s) before deploying.
eth0  ,\
  • policy
#SOURCE         DEST            POLICY          LOG LEVEL
# Default actions applied when no rule in the rules file matches.
# Every internal zone may reach the Internet unrestricted. Note that the
# port-80 REDIRECT in the rules file therefore only catches plain web traffic;
# any other outbound port from loc/wifi/tun is allowed here without the proxy.
loc        net        ACCEPT
wifi        net        ACCEPT
tun        net        ACCEPT
# Unsolicited traffic from the Internet is dropped and logged at 'info';
# anything else not covered above is rejected and logged at 'info'.
net        all        DROP        info
all        all        REJECT        info
  • rules
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
#                                                       PORT    PORT(S) DEST
# Exceptions to the policy file. SOURCE and DEST are zones ('$FW' is the
# firewall itself). For REDIRECT the DEST column is the local port the
# traffic is redirected to and the DEST PORT column is the port the client
# originally asked for.
DNS(ACCEPT)    $FW        net
DNS(ACCEPT)    loc        $FW
DNS(ACCEPT)    wifi        $FW
DNS(ACCEPT)    tun        $FW
DNS(ACCEPT)    tun        loc

NTP(ACCEPT)    $FW        net

#    SSH to the firewall is accepted from the Internet (net) and from loc;
#    loc may also reach the wifi and tun zones over SSH.
#    NOTE(review): the net -> $FW line opens SSH to any Internet source, with
#    no source restriction in this rule — confirm that exposure is intended.
SSH(ACCEPT)     net             $FW
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     loc             wifi
SSH(ACCEPT)     loc             tun

# Allow connections from the Internet to the web server (http and https).
# NOTE(review): 'www' is a TCP service; the udp/www and udp/443 lines only
# matter if a UDP listener actually exists on those ports — verify or drop.
ACCEPT       net             $FW             tcp    443     #https
ACCEPT       net             $FW             udp    443     #https
ACCEPT       net             $FW             tcp    www      #web
ACCEPT       net             $FW             udp    www      #web

# Allow access to the proxy :) and redirect traffic that tries to go out
# directly through port 81 (to be improved, see webadmin).
# Port 80 on the firewall is reachable from the tun and wifi zones.
ACCEPT       tun             $FW             tcp    www
ACCEPT       tun             $FW             udp    www
ACCEPT       wifi            $FW             tcp    www
ACCEPT       wifi            $FW             udp    www

# Outbound permission for the chilli network (already covered by the
# wifi -> net ACCEPT policy; kept explicit here).
ACCEPT              wifi             net        tcp    www
ACCEPT              wifi             net        udp    www

# HTTPS between the firewall and the wifi/tun zones, in both directions.
ACCEPT       tun             $FW             tcp    443
ACCEPT       tun             $FW             udp    443
ACCEPT       wifi            $FW             tcp    443
ACCEPT       wifi            $FW             udp    443
ACCEPT       $FW             tun             tcp    443
ACCEPT       $FW             tun             udp    443
ACCEPT       $FW             wifi            tcp    443
ACCEPT       $FW             wifi            udp    443

# Ports 1812/1813 from wifi/tun to the firewall — presumably RADIUS
# authentication/accounting for the chilli portal (RADIUS is normally UDP, so
# the tcp entries may be unnecessary) — confirm.
ACCEPT       tun             $FW             tcp    1812
ACCEPT       tun             $FW             udp    1812
ACCEPT       wifi            $FW             tcp    1812
ACCEPT       wifi            $FW             udp    1812
ACCEPT       tun             $FW             tcp    1813
ACCEPT       tun             $FW             udp    1813
ACCEPT       wifi            $FW             tcp    1813
ACCEPT       wifi            $FW             udp    1813

# chilli access (port 3990 — presumably the captive-portal UAM port; confirm).
ACCEPT       tun             $FW             tcp    3990
ACCEPT       tun             $FW             udp    3990
ACCEPT       wifi            $FW             tcp    3990
ACCEPT       wifi            $FW             udp    3990

# Direct access to port 3128 from wifi/tun stays disabled; only loc is
# granted it further below.
#ACCEPT       wifi            $FW             tcp    3128
#ACCEPT       wifi            $FW             udp    3128
#ACCEPT       tun             $FW             tcp    3128
#ACCEPT       tun             $FW             udp    3128

# Transparent proxying for wifi: port 81 is opened on the firewall, then wifi
# traffic whose original destination port is www (80) is redirected to that
# local port 81. The udp REDIRECT is most likely a no-op for an HTTP proxy —
# TODO confirm.
ACCEPT       wifi            $FW             tcp    81
ACCEPT       wifi            $FW             udp    81
REDIRECT    wifi        81        tcp    www     -
REDIRECT    wifi        81        udp    www     -

# Same transparent proxying for tun.
ACCEPT       tun             $FW             tcp    81
ACCEPT       tun             $FW             udp    81
REDIRECT    tun         81        tcp    www     -
REDIRECT    tun         81        udp    www     -

# loc: web ports, the redirect port (81) and the direct proxy port (3128),
# plus the same port-80 redirect.
ACCEPT       loc             $FW             tcp    www
ACCEPT       loc             $FW             udp    www
ACCEPT       loc             $FW             tcp    81
ACCEPT       loc             $FW             udp    81
ACCEPT       loc             $FW             tcp    3128
ACCEPT       loc             $FW             udp    3128
REDIRECT    loc        81        tcp    www     -
REDIRECT    loc        81        udp    www     -
# To be improved so that users in TX cannot browse without the filter.
# NOTE(review): this rule lets the firewall itself fetch web pages (which the
# proxy needs); the bypass concern is presumably the loc/wifi/tun -> net
# ACCEPT policies, which allow direct outbound traffic on any port other than
# the redirected port 80 — confirm.
ACCEPT        $FW        net        tcp    www

# Drop Ping from the "bad" net zone.
# This rule matches before the net -> all DROP policy, so these pings are
# dropped without the policy's 'info' log entry.

Ping(DROP)       net             $FW

#       Make ping work bi-directionally between the wifi, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#       The wifi -> net and tun -> net lines are already allowed by the ACCEPT
#       policies for those zones; they are kept explicit here.

Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    wifi            $FW
Ping(ACCEPT)    tun             $FW
Ping(ACCEPT)    loc             wifi
Ping(ACCEPT)    loc             tun
Ping(ACCEPT)    wifi            loc
Ping(ACCEPT)    tun             loc
Ping(ACCEPT)    wifi            net
Ping(ACCEPT)    tun             net

# The firewall itself may send any ICMP type to every zone.
ACCEPT        $FW        net        icmp
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        wifi        icmp
ACCEPT        $FW        tun        icmp
  • zones
#ZONE    TYPE    OPTIONS            IN            OUT
#                    OPTIONS            OPTIONS
# Zone names referenced by the interfaces, policy and rules files: 'fw' is the
# firewall itself (referred to as $FW in rules); loc, net, wifi and tun are
# plain IPv4 zones with no extra options.
fw    firewall
loc    ipv4
net    ipv4
wifi    ipv4
tun    ipv4
