doc:reseau:iptables-pare-feu-pour-une-passerelle [15/10/2014 09:10] Hypathie [La table NAT] |
doc:reseau:iptables-pare-feu-pour-une-passerelle [15/10/2014 14:50] Hypathie [Détail pour les protocole TCP et UDP] |
Ligne 953: | Ligne 953: | ||
/sbin/iptables -P FORWARD ACCEPT | /sbin/iptables -P FORWARD ACCEPT | ||
/sbin/iptables -P OUTPUT ACCEPT | /sbin/iptables -P OUTPUT ACCEPT | ||
- | |||
/sbin/iptables -P INPUT DROP | /sbin/iptables -P INPUT DROP | ||
/sbin/iptables -P OUTPUT DROP | /sbin/iptables -P OUTPUT DROP | ||
/sbin/iptables -P FORWARD DROP | /sbin/iptables -P FORWARD DROP | ||
- | |||
/sbin/iptables -t nat -P PREROUTING ACCEPT | /sbin/iptables -t nat -P PREROUTING ACCEPT | ||
/sbin/iptables -t nat -P POSTROUTING ACCEPT | /sbin/iptables -t nat -P POSTROUTING ACCEPT | ||
Ligne 963: | Ligne 961: | ||
/sbin/iptables -t nat -P OUTPUT ACCEPT | /sbin/iptables -t nat -P OUTPUT ACCEPT | ||
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
- | |||
- | #Maintenant que tout est à DROP il faut s'occuper de la boucle local | ||
/sbin/iptables -A INPUT -i lo -j ACCEPT | /sbin/iptables -A INPUT -i lo -j ACCEPT | ||
/sbin/iptables -A OUTPUT -o lo -j ACCEPT | /sbin/iptables -A OUTPUT -o lo -j ACCEPT | ||
- | |||
- | # Et notre interface interne : | ||
/sbin/iptables -A INPUT -i eth1 -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | ||
- | + | /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
- | #On garde nos règles concernant le DROP sur FORWARD (FILTER) | + | /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT |
- | #mais on oublie pas eth1 ! | + | |
- | /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24\ | + | |
- | -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0\ | + | |
- | -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | + | |
- | + | ||
/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | ||
- | + | /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
- | /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack\ | + | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
- | --ctstate ESTABLISHED,RELATED -j ACCEPT | + | /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
- | + | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
- | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack\ | + | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT |
- | --ctstate ESTABLISHED,RELATED -j ACCEPT | + | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT |
- | + | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
- | /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack\ | + | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT |
- | --ctstate ESTABLISHED,RELATED -j ACCEPT | + | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT |
- | + | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | |
- | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack\ | + | |
- | --ctstate ESTABLISHED,RELATED -j ACCEPT | + | |
- | + | ||
- | # Et on prend soin de laisser entrer et sortir (INPUT, OUTPUT de FILTER) | + | |
- | # le flux nécessaire au DNS (53) et au web (80, 443..) | + | |
- | # et là encore on n'oublie pas eth1 | + | |
- | + | ||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53\ | + | |
- | -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53\ | + | |
- | -m state --state RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53\ | + | |
- | -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53\ | + | |
- | -m state --state RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports\ | + | |
- | 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports\ | + | |
- | 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | + | |
- | + | ||
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
- | |||
- | |||
- | # Les règles ICMP pour OUTPUT INPUT et FORWARD | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | ||
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | ||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | ||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | ||
Ligne 1047: | Ligne 1000: | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | ||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | ||
/sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | ||
- | + | /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | |
- | /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp\ | + | /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP |
- | --icmp-type echo-request -j ACCEPT | + | |
- | + | ||
- | # Pour le retour nous utilisons la dernière règle | + | |
- | /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp\ | + | |
- | --icmp-type echo-reply -j DROP | + | |
- | + | ||
/sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | ||
/sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | ||
- | |||
- | |||
- | #TCP_BAD | ||
- | |||
/sbin/iptables -N syn_flood | /sbin/iptables -N syn_flood | ||
/sbin/iptables -I INPUT -p tcp --syn -j syn_flood | /sbin/iptables -I INPUT -p tcp --syn -j syn_flood | ||
Ligne 1074: | Ligne 1015: | ||
/sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | ||
/sbin/iptables -A syn_flood -j DROP | /sbin/iptables -A syn_flood -j DROP | ||
- | |||
- | # SSH | ||
/sbin/iptables -t filter -N InComingSSH | /sbin/iptables -t filter -N InComingSSH | ||
- | /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp\ | + | /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH |
- | --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH | + | |
/sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | ||
/sbin/iptables -A InComingSSH -j ACCEPT | /sbin/iptables -A InComingSSH -j ACCEPT | ||
- | + | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp\ | + | /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT |
- | --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | + | /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT |
- | + | ||
- | /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp\ | + | |
- | --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp\ | + | |
- | --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | + | |
- | + | ||
- | #FTP_IN | + | |
- | + | ||
/sbin/iptables -N ftp_in_accept | /sbin/iptables -N ftp_in_accept | ||
- | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state\ | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept |
- | --state ESTABLISHED,RELATED -j ftp_in_accept | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept |
- | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | |
- | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state\ | + | |
- | --state ESTABLISHED,RELATED -j ftp_in_accept | + | |
- | + | ||
- | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport\ | + | |
- | 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | + | |
- | + | ||
/sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | ||
- | + | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
- | + | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
- | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state\ | + | /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT |
- | --state ESTABLISHED,RELATED -j ACCEPT | + | |
- | /sbin/iptables -A NPUT -i eth1 -p tcp --sport 20 -m state\ | + | |
- | --state ESTABLISHED,RELATED -j ACCEPT | + | |
- | /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport\ | + | |
- | 1024:65535 -m state --state ESTABLISHED -j ACCEPT | + | |
RETVAL=$? | RETVAL=$? | ||
;; | ;; |
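Review bot: The rewritten InComingSSH jump (new side, "Ligne 1074" hunk, the `-I INPUT -i eth0 -s 192.168.0.0/24 ... --ctstate NEW,ESTABLISHED -j InComingSSH` line) sends every packet of every SSH session, not just the connection opens, into a chain whose first rule is an unlimited `-j LOG`, so each SSH packet produces a kernel log line; the ICMP rules in the same script already use `-m limit` before LOG, and the syn_flood chain has the same unlimited LOG. The smallest fix keeps the chain for NEW only and accepts the rest directly: `/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j InComingSSH` followed by `/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT`, or alternatively `/sbin/iptables -A InComingSSH -m limit --limit 3/min -j LOG --log-prefix '[INCOMING_SSH] : '`. As a point of style, the new ICMP rules use `-m conntrack --ctstate` while the DNS/web rules that immediately follow them and the FTP rules use `-m state --state`; picking one (conntrack is the current form) would make the ruleset easier to audit. The new FORWARD rules in the "Ligne 963" hunk match `-p tcp` only, so if LAN hosts are expected to resolve DNS or use other UDP services through this gateway rather than via a resolver on the gateway itself, a matching UDP pair is presumably still needed — worth confirming against the rest of the page. The enclosing `case` branch starts outside the shown hunks (only its `RETVAL=$?` and `;;` are visible).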