Below are the differences between two revisions of the page.
Older revision: utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [07/11/2014 09:07] Hypathie [Saving iptables rules with systemd]
Newer revision: utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [15/11/2014 10:18] Hypathie [Saving iptables rules with systemd]
Ligne 778: | Ligne 778: | ||
/sbin/iptables -F | /sbin/iptables -F | ||
- | |||
/sbin/iptables -X | /sbin/iptables -X | ||
- | |||
- | /sbin/iptables -t nat -F | ||
- | |||
- | /sbin/iptables -t nat -X | ||
- | |||
- | /sbin/iptables -P INPUT ACCEPT | ||
- | |||
- | /sbin/iptables -P FORWARD ACCEPT | ||
- | |||
- | /sbin/iptables -P OUTPUT ACCEPT | ||
- | |||
/sbin/iptables -P INPUT DROP | /sbin/iptables -P INPUT DROP | ||
- | |||
/sbin/iptables -P OUTPUT DROP | /sbin/iptables -P OUTPUT DROP | ||
- | |||
/sbin/iptables -P FORWARD DROP | /sbin/iptables -P FORWARD DROP | ||
- | |||
/sbin/iptables -t nat -P PREROUTING ACCEPT | /sbin/iptables -t nat -P PREROUTING ACCEPT | ||
- | |||
/sbin/iptables -t nat -P POSTROUTING ACCEPT | /sbin/iptables -t nat -P POSTROUTING ACCEPT | ||
- | |||
/sbin/iptables -t nat -P INPUT ACCEPT | /sbin/iptables -t nat -P INPUT ACCEPT | ||
- | |||
/sbin/iptables -t nat -P OUTPUT ACCEPT | /sbin/iptables -t nat -P OUTPUT ACCEPT | ||
- | |||
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
+ | ##commenter / décommenter et adapter les quatre lignes suivantes pour ne pas mettre en place / mettre en place | ||
+ | ##un proxy transparent (squid) | ||
+ | /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3129 | ||
+ | /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129 | ||
+ | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP | ||
+ | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP | ||
+ | #accepter l'interface lo | ||
/sbin/iptables -A INPUT -i lo -j ACCEPT | /sbin/iptables -A INPUT -i lo -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -o lo -j ACCEPT | /sbin/iptables -A OUTPUT -o lo -j ACCEPT | ||
+ | #accepter le sous-réseau | ||
/sbin/iptables -A INPUT -i eth1 -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | ||
+ | #permettre le passage entre les deux interfaces eternet de la passerelle | ||
/sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | ||
+ | #accepter le ping entre les réseaux locaux | ||
/sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
- | |||
- | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP | /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP | ||
- | |||
/sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | ||
- | |||
/sbin/iptables -N syn_flood | /sbin/iptables -N syn_flood | ||
- | |||
/sbin/iptables -I INPUT -p tcp --syn -j syn_flood | /sbin/iptables -I INPUT -p tcp --syn -j syn_flood | ||
- | |||
/sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN | /sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN | ||
- | |||
/sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | ||
- | |||
/sbin/iptables -A syn_flood -j DROP | /sbin/iptables -A syn_flood -j DROP | ||
+ | #autoriser la connexion avec les serveurs DNS | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | #autoriser la navigation web | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
+ | #Si le serveur cups est branché sur un ordinateur du réseau 192.168.0.0/24, par exemple sur 192.168.0.22 | ||
+ | # laisser décommenter les deux lignes suivantes : | ||
+ | /sbin/iptables -A INPUT -i eth0 -s 192.168.0.22 -d 192.168.0.1 -p tcp --sport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.1 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | #créer une chaîne utilisateur pour les connexion ssh, les loguer et les accepter | ||
/sbin/iptables -t filter -N InComingSSH | /sbin/iptables -t filter -N InComingSSH | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH | /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH | ||
- | |||
/sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | ||
- | |||
/sbin/iptables -A InComingSSH -j ACCEPT | /sbin/iptables -A InComingSSH -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
+ | #créer une chaîne utilisateur pour les connexions ftp, et les accepter | ||
/sbin/iptables -N ftp_in_accept | /sbin/iptables -N ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | ||
- | |||
/sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT | /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT | ||
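Review bot: the only FORWARD accepts in this rule set match `-p tcp` (the eth1-to-eth0 and eth0-to-eth1 pair under "#permettre le passage entre les deux interfaces") or ICMP, so no UDP from 192.168.1.0/24 is ever forwarded; the four rules under "#autoriser la connexion avec les serveurs DNS" are INPUT/OUTPUT and cover only the gateway's own lookups, which means LAN clients behind eth1 cannot reach an outside resolver through this gateway. Add a `-p udp --dport 53` FORWARD pair (NEW,ESTABLISHED one way, ESTABLISHED back) or state that clients must use a resolver on the gateway itself. In the same hunk, `/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT` is appended before every per-type ICMP FORWARD rule, so the later `--icmp-type echo-reply -j DROP` from 192.168.0.0/24 to 192.168.1.0/24 can never match; move it above the catch-all or delete it. The three new `-P INPUT/FORWARD/OUTPUT ACCEPT` lines are overridden by the DROP policies five lines later and only add an accept-everything window during reload, so they should go. Finally, the transparent-proxy block is added uncommented although its own comment says to comment it out when squid is not in use: HTTP from eth1 is DNATed to 192.168.0.1:3129 and direct connections to 3128/3129 are dropped in mangle on every host that runs this file, and nothing in this hunk's INPUT rules accepts a new connection to port 3129 arriving on eth0, so the `-i eth0 ... -j REDIRECT --to-port 3129` rule ends in the INPUT DROP policy. Ship the four lines commented out, with an INPUT accept for the proxy port next to them for the case where they are enabled.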
Ligne 1002: | Ligne 932: | ||
# Author: hypathie <hypathie@debian-facile> | # Author: hypathie <hypathie@debian-facile> | ||
# | # | ||
- | ##Set up /etc/init.d/firewall-client | + | ##Set up /etc/init.d/firewall_gateway.sh |
case "$1" in | case "$1" in | ||
'start') | 'start') | ||
- | ##Set up firewall-client | ||
- | # Clear any existing rules | ||
/sbin/iptables -F | /sbin/iptables -F | ||
- | # Delete all User-specified chains | ||
/sbin/iptables -X | /sbin/iptables -X | ||
- | #set default policy to DROP | + | /sbin/iptables -t nat -F |
+ | /sbin/iptables -t nat -X | ||
+ | /sbin/iptables -P INPUT ACCEPT | ||
+ | /sbin/iptables -P FORWARD ACCEPT | ||
+ | /sbin/iptables -P OUTPUT ACCEPT | ||
/sbin/iptables -P INPUT DROP | /sbin/iptables -P INPUT DROP | ||
/sbin/iptables -P OUTPUT DROP | /sbin/iptables -P OUTPUT DROP | ||
/sbin/iptables -P FORWARD DROP | /sbin/iptables -P FORWARD DROP | ||
- | # Allow trafic with DNS server | + | /sbin/iptables -t nat -P PREROUTING ACCEPT |
- | /sbin/iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT | + | /sbin/iptables -t nat -P POSTROUTING ACCEPT |
- | /sbin/iptables -t filter -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | + | /sbin/iptables -t nat -P INPUT ACCEPT |
- | #Allow trafic on internal network | + | /sbin/iptables -t nat -P OUTPUT ACCEPT |
- | /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT | + | /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
- | /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT | + | ##commenter / décommenter et adapter les quatre lignes suivantes pour ne pas mettre en place / mettre en place |
- | #Allow ping to internal network | + | ##un proxy transparent (squid) |
- | /sbin/iptables -A OUTPUT -o eth0 -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | + | /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3129 |
- | /sbin/iptables -A INPUT -i eth0 -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT | + | /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129 |
- | #Get web | + | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP |
- | /sbin/iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443,8000 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT | + | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP |
- | /sbin/iptables -t filter -A INPUT -p tcp -m multiport --sports 80,443,8000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | + | #accepter l'interface lo |
- | #Allow cups | + | /sbin/iptables -A INPUT -i lo -j ACCEPT |
- | iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | + | /sbin/iptables -A OUTPUT -o lo -j ACCEPT |
- | + | #accepter le sous-réseau | |
- | iptables -A OUTPUT -o eth0 -s 192.168.0.22 -d 192.168.0.0/24 -p tcp --sport 631 -m state ! --state INVALID -j ACCEPT | + | /sbin/iptables -A INPUT -i eth1 -j ACCEPT |
- | #Allow cups from sub-net | + | /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT |
- | /sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | + | #permettre le passage entre les deux interfaces eternet de la passerelle |
- | /sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.22 -d 192.168.1.0/24 -p tcp --sport 631 -m state ! --state INVALID -j ACCEPT | + | /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
- | #Set up a user chain for ssh outgoing | + | /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT |
- | /sbin/iptables -t filter -N OutGoingSSH | + | /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT |
- | /sbin/iptables -I INPUT -p tcp --dport 22 -j OutGoingSSH | + | #accepter le ping entre les réseaux locaux |
- | /sbin/iptables -A OutGoingSSH -j LOG --log-prefix '[OUTGOING_SSH] : ' | + | /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
- | #Set up a user chain for ssh incoming | + | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
+ | /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | ||
+ | /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP | ||
+ | /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | ||
+ | /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | ||
+ | /sbin/iptables -N syn_flood | ||
+ | /sbin/iptables -I INPUT -p tcp --syn -j syn_flood | ||
+ | /sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN | ||
+ | /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | ||
+ | /sbin/iptables -A syn_flood -j DROP | ||
+ | #autoriser la connexion avec les serveurs DNS | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | #autoriser la navigation web | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
+ | #Si le serveur cups est branché sur un ordinateur du réseau 192.168.0.0/24, par exemple sur 192.168.0.22 | ||
+ | # laisser décommenter les deux lignes suivantes : | ||
+ | /sbin/iptables -A INPUT -i eth0 -s 192.168.0.22 -d 192.168.0.1 -p tcp --sport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.1 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | #créer une chaîne utilisateur pour les connexion ssh, les loguer et les accepter | ||
/sbin/iptables -t filter -N InComingSSH | /sbin/iptables -t filter -N InComingSSH | ||
- | /sbin/iptables -I OUTPUT -p tcp --sport 22 -j InComingSSH | + | /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH |
/sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | ||
- | #Allow ssh connection from inside to outside | + | /sbin/iptables -A InComingSSH -j ACCEPT |
- | #Change in nexts lines this range ip "192.168.0.0/24" with your internal network | + | |
- | /sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | + | |
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
- | /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT | + | /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT |
- | # Allow ssh connection form external to inside | + | /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT |
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | + | #créer une chaîne utilisateur pour les connexions ftp, et les accepter |
- | /sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | + | /sbin/iptables -N ftp_in_accept |
- | echo "set up firewall-client .........> [OK]" | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept |
- | /sbin/iptables-save > /etc/firewall-client | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept |
- | echo "iptables-save > /etc/firewall-client .........> [OK]" | + | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept |
+ | /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
+ | /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT | ||
+ | echo "set up firewall_gateway.sh .........> [OK]" | ||
+ | /sbin/iptables-save > /etc/firewall_gateway.sh | ||
+ | echo "iptables-save > /etc/firewall_gateway.sh .........> [OK]" | ||
RETVAL=$? | RETVAL=$? | ||
;; | ;; | ||
'stop') | 'stop') | ||
- | # Supprime toutes les règles du pare-feu | + | # Supprime toutes les règles de la tables FILTER et pose la police ACCEPT pour toutes les chaînes |
+ | /sbin/iptables -t filter -F | ||
+ | /sbin/iptables -t filter -X | ||
+ | /sbin/iptables -t filter -P INPUT ACCEPT | ||
+ | /sbin/iptables -t filter -P OUTPUT ACCEPT | ||
+ | /sbin/iptables -t filter -P FORWARD ACCEPT | ||
+ | echo "FILTER [ALL firewall_gateway.sh's rules .... [FLUSH] ..... POLICY ......> [ACCEPT]" | ||
+ | echo "NAT ...POSTROUTING ... MASQUERADE .... [STILL SET UP]" | ||
+ | RETVAL=$? | ||
+ | ;; | ||
+ | 'restart') | ||
+ | #ré-installe le pare-feu complet, y compris NAT (masquerade), DNAT (port 631) | ||
+ | /sbin/iptables-restore < /etc/firewall_gateway.sh | ||
+ | echo "/etc/firewall-client ........> [OK]" | ||
+ | echo "NAT (masquerade) ........> [OK]" | ||
+ | echo "DNAT (port 631) ........> [OK]" | ||
+ | RETVAL=$? | ||
+ | ;; | ||
+ | 'status') | ||
+ | /sbin/iptables -L -n --line-numbers | ||
+ | /sbin/iptables -t nat -L -n --line-numbers | ||
+ | RETVAL=$? | ||
+ | ;; | ||
+ | 'flush') | ||
+ | #supprime toutes les règles de toutes les tables ; accepte tout | ||
/sbin/iptables -t filter -F | /sbin/iptables -t filter -F | ||
/sbin/iptables -t nat -F | /sbin/iptables -t nat -F | ||
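Review bot: `RETVAL=$?` in the new `start`, `stop` and `restart` arms follows an `echo`, so it always records 0 and the script can never report a failed `iptables` or `iptables-restore`; capture the status directly after the command that matters (e.g. `/sbin/iptables-restore < /etc/firewall_gateway.sh; RETVAL=$?`) and print afterwards. The `restart` messages are also stale or wrong: `echo "/etc/firewall-client ........> [OK]"` names the old client file while the restore reads `/etc/firewall_gateway.sh`, and `echo "DNAT (port 631) ........> [OK]"` (and the comment above it) describes a DNAT that does not exist in this rule set, since the 631 rules are plain filter INPUT/OUTPUT accepts to 192.168.0.22 and the only DNAT/REDIRECT targets port 3129. Writing the `iptables-save` dump to `/etc/firewall_gateway.sh` is misleading too: it is an `iptables-restore` file, not a shell script, and the header comment puts the script itself at `/etc/init.d/firewall_gateway.sh`, so two unrelated files now share a name. `stop` flushes only the filter table and sets its policies to ACCEPT while the nat PREROUTING DNAT/REDIRECT to 3129 and the mangle DROPs on 3128/3129 stay in place, as its second echo admits; with squid down, HTTP from eth1 keeps being redirected into a closed port after a `stop`, so either flush nat and mangle here as well or say in the usage text that `deletnat` is required too. `status` should also list `-t mangle` now that `start` adds rules there.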
Ligne 1063: | Ligne 1075: | ||
/sbin/iptables -t filter -P OUTPUT ACCEPT | /sbin/iptables -t filter -P OUTPUT ACCEPT | ||
/sbin/iptables -t filter -P FORWARD ACCEPT | /sbin/iptables -t filter -P FORWARD ACCEPT | ||
- | echo "FILTER [ALL RULES .... [FLUSH] ..... POLICY ......> [ACCEPT]" | + | echo "FILTER [ALL RULES .......> [FLUSH]" |
+ | echo "WARNING ........ ALL POLICY ......> [ACCEPT]" | ||
+ | RETVAL=$? | ||
+ | ;; | ||
+ | 'deletnat') | ||
+ | /sbin/iptables -t nat -F | ||
+ | /sbin/iptables -t nat -X | ||
+ | /sbin/iptables -t mangle -F | ||
/sbin/iptables -t nat -P PREROUTING ACCEPT | /sbin/iptables -t nat -P PREROUTING ACCEPT | ||
/sbin/iptables -t nat -P POSTROUTING ACCEPT | /sbin/iptables -t nat -P POSTROUTING ACCEPT | ||
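Review bot: the new case label `deletnat` is a misspelling (`deletenat` or `delnat`); it matches the updated usage string, but anyone typing the obvious spelling gets the usage error, so rename it now before it lands in anyone's muscle memory. In this hunk `deletnat` runs `-t nat -X` after `-t nat -F` but only `-t mangle -F` with no `-t mangle -X`, which is fine while `start` creates no user chains in mangle (it currently appends two PREROUTING DROP rules there) but will silently leave chains behind the first time someone adds one; add the `-X` for symmetry.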
Ligne 1070: | Ligne 1089: | ||
/sbin/iptables -t mangle -P OUTPUT ACCEPT | /sbin/iptables -t mangle -P OUTPUT ACCEPT | ||
/sbin/iptables -t mangle -P POSTROUTING ACCEPT | /sbin/iptables -t mangle -P POSTROUTING ACCEPT | ||
- | /sbin/iptables -t mangle -P FORWARD ACCEPT | + | |
- | /sbin/iptables -t mangle -P INPUT ACCEPT | + | echo "NAT/MANGLE [ALL RULES .... [FLUSH] ..... POLICY ......> [ACCEPT]" |
- | /sbin/iptables -t raw -P OUTPUT ACCEPT | + | echo "INFO ......> [NAT/DNAT is OFF]" |
- | /sbin/iptables -t raw -P PREROUTING ACCEPT | + | echo "INFO ......> [FILTER STILL SET UP]" |
- | echo "ALL TABLES ....[FLUSH] ..... ALL POLICY .......> [ACCEPT]" | + | |
- | RETVAL=$? | + | |
- | ;; | + | |
- | 'restart') | + | |
- | /sbin/iptables-restore < /etc/firewall-client | + | |
- | echo "/etc/firewall-client ........[OK]" | + | |
- | RETVAL=$? | + | |
- | ;; | + | |
- | 'status') | + | |
- | /sbin/iptables -L | + | |
- | /sbin/iptables -t nat -L | + | |
RETVAL=$? | RETVAL=$? | ||
;; | ;; | ||
*) | *) | ||
- | echo "Usage: $0 { start | stop | restart | status }" | + | echo "Usage: $0 { start | stop | restart | status | flush | deletnat }" |
RETVAL=1 | RETVAL=1 | ||
;; | ;; |
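Review bot: the old `echo "ALL TABLES ....[FLUSH] ..... ALL POLICY .......> [ACCEPT]"` arm, together with its `-t mangle -P FORWARD/INPUT ACCEPT` and `-t raw -P OUTPUT/PREROUTING ACCEPT` lines, is removed here, so the script no longer has a single command that resets every table and policy: `flush` handles filter (plus `-t nat -F`) and `deletnat` handles nat and mangle, and a full reset now needs both. Either have `flush` also run what `deletnat` does, or mention in the usage string that the two are meant to be combined. The surviving `deletnat` message `echo "NAT/MANGLE [ALL RULES .... [FLUSH] ..... POLICY ......> [ACCEPT]"` overstates what it does once those `-P` lines are gone: only the nat policies and mangle OUTPUT/POSTROUTING are reset. That is harmless as long as `start` keeps leaving the mangle INPUT/FORWARD and raw policies untouched, but either restore the dropped `-P` lines or reword the message so the next reader does not rely on it.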