update firewall rules

2019-11-11 13:36:12 +00:00 · 2019-11-11 13:36:12 +00:00 · 523e2fc32b
parent 96a32927c8
commit 523e2fc32b
1 changed files with 20 additions and 13 deletions
--- a/etc/init.d/S41firewall
+++ b/etc/init.d/S41firewall
@ -294,37 +294,44 @@ if [ "$1" = "start" ]; then
 	# Selectively allow certain inbound connections, block the rest.
 	#------------------------------------------------------------------------------

-	# dns
-	$IPT -w -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
+	# dns (local unbound)
+	$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 192.168.1.1 -p tcp --dport 53 -j ACCEPT

 	# finger
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 79 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 79 -j ACCEPT

 	# ident
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 113 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 113 -j ACCEPT

 	# gopher
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 70 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 70 -j ACCEPT

 	# http/https
 	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
 	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

 	# gemini
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 1965 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 1965 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 1965 -j ACCEPT

 	# ssh
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2222 -j ACCEPT
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 2223 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 22 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 2222 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 2223 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p tcp --dport 22 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p tcp --dport 2222 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p tcp --dport 2223 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p tcp --dport 80 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p tcp --dport 443 -j ACCEPT

 	# mosh
-	$IPT -w -A INPUT -m state --state NEW -p udp --dport 60001:61000 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p udp --dport 60001:61000 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 5.199.139.30 -p udp --dport 60001:61000 -j ACCEPT

 	# znc
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
-	$IPT -w -A INPUT -m state --state NEW -p tcp --dport 6697 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 6667 -j ACCEPT
+	$IPT -w -A INPUT -m state --state NEW -d 89.163.145.170 -p tcp --dport 6697 -j ACCEPT


 	# Miscellaneous.