31 lines
992 B
Plaintext
31 lines
992 B
Plaintext
|
*filter
|
||
|
:INPUT DROP [0:0]
|
||
|
:FORWARD DROP [0:0]
|
||
|
:OUTPUT DROP [0:0]
|
||
|
|
||
|
###################################################################
|
||
|
# Simple webserver filter
|
||
|
#
|
||
|
# Usage:
|
||
|
# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
|
||
|
# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
|
||
|
#
|
||
|
###################################################################
|
||
|
|
||
|
# allow webserver traffic
|
||
|
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||
|
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
|
||
|
-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
|
||
|
-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
|
||
|
|
||
|
# allow incoming ping
|
||
|
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||
|
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||
|
|
||
|
# allow outgoing DNS
|
||
|
-A OUTPUT -p udp --dport 53 -j ACCEPT
|
||
|
-A INPUT -p udp --sport 53 -j ACCEPT
|
||
|
|
||
|
COMMIT
|
||
|
|