Adding a network filter to the IoT house's Raspberry Pi

On the old Raspberry Pi, the network filter function was provided by iptables-persistent.

On the new Zero version I had completely forgotten about it, so I brought it back.

cat /etc/iptables/rules.v4

# Generated by iptables-save v1.4.14 on Fri Apr 22 11:37:23 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Pepo-Firewall - [0:0]
-A INPUT -j Pepo-Firewall
-A FORWARD -j Pepo-Firewall
-A OUTPUT -j Pepo-Firewall
-A Pepo-Firewall -p icmp -m icmp --icmp-type any -j ACCEPT
-A Pepo-Firewall -p esp -j ACCEPT
-A Pepo-Firewall -p ah -j ACCEPT
-A Pepo-Firewall -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A Pepo-Firewall -p udp -m udp --dport 631 -j ACCEPT
-A Pepo-Firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --sport 20 -j ACCEPT
.

-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
.
Added to /etc/rc.local:

iptables-restore < /etc/iptables/rules.v4

iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
Pepo-Firewall all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
Pepo-Firewall all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
Pepo-Firewall all -- anywhere anywhere

Chain Pepo-Firewall (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp spt:ftp-data

.
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https

.
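As an added example (not part of the original post), a small Python audit of a rules.v4-style file: it parses the iptables-save format, lists the ports that INPUT (or a chain INPUT jumps to, such as the shared Pepo-Firewall chain above) accepts, and flags any ACCEPT rule that is matched on source port alone, like the --sport 20 rule for FTP data connections. The sample rules are constructed and abbreviated; only the chain name is taken from the post.

```python
import shlex

# Constructed sample in iptables-save format, abbreviated from the post's rules.v4.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:Pepo-Firewall - [0:0]
-A INPUT -j Pepo-Firewall
-A Pepo-Firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --sport 20 -j ACCEPT
-A Pepo-Firewall -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
"""

FLAGS = {"-j": "target", "-p": "proto", "--dport": "dport",   # option -> field
         "--sport": "sport", "--state": "state"}              # (one arg each)

def parse_rules(text):
    """Parse iptables-save text into (policies, rules): chain -> policy, one dict per -A line."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                 # chain declaration
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # append-rule line
            argv = shlex.split(line)
            rule = {**dict.fromkeys(FLAGS.values()), "chain": argv[1]}
            for i, tok in enumerate(argv[:-1]):
                if tok in FLAGS:
                    rule[FLAGS[tok]] = argv[i + 1]
            rules.append(rule)
    return policies, rules

def audit(text):
    """Return (inbound_ports, findings): (proto, port) pairs accepted by INPUT or a
    chain INPUT jumps to, and ACCEPT rules matched on --sport only, which any peer
    using that source port satisfies, so every local port is reachable through them."""
    policies, rules = parse_rules(text)
    inbound = {"INPUT"} | {r["target"] for r in rules
                           if r["chain"] == "INPUT" and r["target"] in policies}
    ports, findings = set(), []
    for r in rules:
        if r["target"] != "ACCEPT" or r["chain"] not in inbound:
            continue
        if r["dport"]:
            ports.add((r["proto"], r["dport"]))
        elif r["sport"]:
            findings.append(f"{r['chain']}: --sport {r['sport']} alone opens every local port")
    return sorted(ports), findings
```

Run it against the real file with audit(open("/etc/iptables/rules.v4").read()); a source-port-only finding is normally replaced by a --dport rule or left to the RELATED,ESTABLISHED match.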
