L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →

Différences

Ci-dessous, les différences entre deux révisions de la page.

--- doc:reseau:iptables-pare-feu-pour-une-passerelle [15/10/2014 11:19]
Hypathie [Détail pour les protocole TCP et UDP]
+++ doc:reseau:iptables-pare-feu-pour-une-passerelle [15/10/2014 14:50]
Hypathie [Détail pour les protocole TCP et UDP]
@@ Ligne 953: / Ligne 953: @@
 /sbin/iptables -P FORWARD ACCEPT
 /sbin/iptables -P OUTPUT ACCEPT
 /sbin/iptables -P INPUT DROP
 /sbin/iptables -P OUTPUT DROP
 /sbin/iptables -P FORWARD DROP
 /sbin/iptables -t nat -P PREROUTING ACCEPT
 /sbin/iptables -t nat -P POSTROUTING ACCEPT
@@ Ligne 963: / Ligne 961: @@
 /sbin/iptables -t nat -P OUTPUT ACCEPT
 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-#Maintenant que tout est à DROP il faut s'occuper de la boucle local
 /sbin/iptables -A INPUT -i lo -j ACCEPT
 /sbin/iptables -A OUTPUT -o lo -j ACCEPT
-# Et notre interface interne :
 /sbin/iptables -A INPUT -i eth1 -j ACCEPT
 /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
+/sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#On garde nos règles concernant le DROP sur FORWARD (FILTER)
+/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-#mais on oublie pas eth1 !
-/sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24\
- -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0\
- -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT
+/sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack\
+/sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack\
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
- --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack\
+/sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
- --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack\
- --ctstate ESTABLISHED,RELATED -j ACCEPT
-# Et on prend soin de laisser entrer et sortir (INPUT, OUTPUT de FILTER)
-# le flux nécessaire au DNS (53) et au web (80, 443..)
-# et là encore on n'oublie pas eth1
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53\
- -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53\
- -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53\
- -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53\
- -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports\
-,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports\
-,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT
 /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT
 /sbin/iptables -A INPUT -i eth1  -p tcp -m multiport --sports 80,443,8000 -j ACCEPT
-# Les règles ICMP pour OUTPUT  INPUT et FORWARD
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: "
@@ Ligne 1047: / Ligne 1000: @@
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT
+/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT
-/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp\
+/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP
- --icmp-type echo-request -j ACCEPT
-# Pour le retour nous utilisons la dernière règle
-/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp\
- --icmp-type echo-reply -j DROP
 /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: "
 /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: "
-#TCP_BAD
 /sbin/iptables -N syn_flood
 /sbin/iptables -I INPUT -p tcp --syn -j syn_flood
@@ Ligne 1074: / Ligne 1015: @@
 /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : '
 /sbin/iptables -A syn_flood -j DROP
-# SSH
 /sbin/iptables -t filter -N InComingSSH
-/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp\
+/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH
- --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH
 /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : '
 /sbin/iptables -A InComingSSH -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp\
+/sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
- --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp\
- --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp\
- --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-#FTP_IN
 /sbin/iptables -N ftp_in_accept
-/sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state\
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
- --state ESTABLISHED,RELATED -j ftp_in_accept
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept
-/sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state\
- --state ESTABLISHED,RELATED -j ftp_in_accept
-/sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport\
-:65535 -m state --state ESTABLISHED -j ftp_in_accept
 /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT
+/sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state\
+/sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state\
- --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport\
-:65535 -m state --state ESTABLISHED -j ACCEPT
 RETVAL=$?
 ;;

doc/reseau/iptables-pare-feu-pour-une-passerelle.txt · Dernière modification: 01/11/2015 18:20 par milou

Debian-facile

Différences

Pied de page des forums