L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →

Différences

Ci-dessous, les différences entre deux révisions de la page.

--- utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [07/11/2014 09:07]
Hypathie [Sauvegarde des règles iptables avec systemd]
+++ utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [15/11/2014 10:18]
Hypathie [Sauvegarde des règles iptables avec systemd]
@@ Ligne 778: / Ligne 778: @@
 /sbin/iptables -F
 /sbin/iptables -X
-/sbin/iptables -t nat -F
-/sbin/iptables -t nat -X
-/sbin/iptables -P INPUT ACCEPT
-/sbin/iptables -P FORWARD ACCEPT
-/sbin/iptables -P OUTPUT ACCEPT
 /sbin/iptables -P INPUT DROP
 /sbin/iptables -P OUTPUT DROP
 /sbin/iptables -P FORWARD DROP
 /sbin/iptables -t nat -P PREROUTING ACCEPT
 /sbin/iptables -t nat -P POSTROUTING ACCEPT
 /sbin/iptables -t nat -P INPUT ACCEPT
 /sbin/iptables -t nat -P OUTPUT ACCEPT
 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+##commenter / décommenter et adapter les quatre lignes suivantes pour ne pas mettre en place / mettre en place
+##un proxy transparent (squid)
+/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3129
+/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129
+/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
+/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
+#accepter l'interface lo
 /sbin/iptables -A INPUT -i lo -j ACCEPT
 /sbin/iptables -A OUTPUT -o lo -j ACCEPT
+#accepter le sous-réseau
 /sbin/iptables -A INPUT -i eth1 -j ACCEPT
 /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
+#permettre le passage entre les deux interfaces eternet de la passerelle
 /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT
+#accepter le ping entre les réseaux locaux
 /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT
-/sbin/iptables -A INPUT -i eth1  -p tcp -m multiport --sports 80,443,8000 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: "
 /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT
 /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
 /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
 /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT
 /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT
 /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP
 /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: "
 /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: "
 /sbin/iptables -N syn_flood
 /sbin/iptables -I INPUT -p tcp --syn -j syn_flood
 /sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
 /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : '
 /sbin/iptables -A syn_flood -j DROP
+#autoriser la connexion avec les serveurs DNS
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#autoriser la navigation web
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT
+/sbin/iptables -A INPUT -i eth1  -p tcp -m multiport --sports 80,443,8000 -j ACCEPT
+#Si le serveur cups est branché sur un ordinateur du réseau 192.168.0.0/24, par exemple sur 192.168.0.22
+# laisser décommenter les deux lignes suivantes :
+/sbin/iptables -A INPUT -i eth0 -s 192.168.0.22 -d 192.168.0.1 -p tcp --sport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.1 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+#créer une chaîne utilisateur pour les connexion ssh, les loguer et les accepter
 /sbin/iptables -t filter -N InComingSSH
 /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH
 /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : '
 /sbin/iptables -A InComingSSH -j ACCEPT
 /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+#créer une chaîne utilisateur pour les connexions ftp, et les accepter
 /sbin/iptables -N ftp_in_accept
 /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
 /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
 /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept
 /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT
 /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
@@ Ligne 1002: / Ligne 932: @@
 # Author: hypathie <hypathie@debian-facile>
 #
-##Set up /etc/init.d/firewall-client
+##Set up /etc/init.d/firewall_gateway.sh
 case "$1" in
 'start')
-##Set up firewall-client
-# Clear any existing rules
 /sbin/iptables -F
-# Delete all User-specified chains
 /sbin/iptables -X
-#set default policy to DROP
+/sbin/iptables -t nat -F
+/sbin/iptables -t nat -X
+/sbin/iptables -P INPUT ACCEPT
+/sbin/iptables -P FORWARD ACCEPT
+/sbin/iptables -P OUTPUT ACCEPT
 /sbin/iptables -P INPUT DROP
 /sbin/iptables -P OUTPUT DROP
 /sbin/iptables -P FORWARD DROP
-# Allow trafic with DNS server
+/sbin/iptables -t nat -P PREROUTING ACCEPT
-/sbin/iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t nat -P POSTROUTING ACCEPT
-/sbin/iptables -t filter -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t nat -P INPUT ACCEPT
-#Allow trafic on internal network
+/sbin/iptables -t nat -P OUTPUT ACCEPT
-/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
+##commenter / décommenter et adapter les quatre lignes suivantes pour ne pas mettre en place / mettre en place
-#Allow ping to internal network
+##un proxy transparent (squid)
-/sbin/iptables -A OUTPUT -o eth0 -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3129
-/sbin/iptables -A INPUT -i eth0 -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129
-#Get web
+/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
-/sbin/iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443,8000 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
-/sbin/iptables -t filter -A INPUT -p tcp -m multiport --sports 80,443,8000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+#accepter l'interface lo
-#Allow cups
+/sbin/iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+#accepter le sous-réseau
-iptables -A OUTPUT -o eth0 -s 192.168.0.22 -d 192.168.0.0/24 -p tcp --sport 631 -m state ! --state INVALID -j ACCEPT
+/sbin/iptables -A INPUT -i eth1 -j ACCEPT
-#Allow cups from sub-net
+/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
-/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+#permettre le passage entre les deux interfaces eternet de la passerelle
-/sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.22 -d 192.168.1.0/24 -p tcp --sport 631 -m state ! --state INVALID -j ACCEPT
+/sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#Set up a user chain for ssh outgoing
+/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/iptables -t filter -N OutGoingSSH
+/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT
-/sbin/iptables -I INPUT -p tcp --dport 22 -j OutGoingSSH
+#accepter le ping entre les réseaux locaux
-/sbin/iptables -A OutGoingSSH -j LOG --log-prefix '[OUTGOING_SSH] : '
+/sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-#Set up a user chain for ssh incoming
+/sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: "
+/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT
+/sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT
+/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT
+/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP
+/sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: "
+/sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: "
+/sbin/iptables -N syn_flood
+/sbin/iptables -I INPUT -p tcp --syn -j syn_flood
+/sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
+/sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : '
+/sbin/iptables -A syn_flood -j DROP
+#autoriser la connexion avec les serveurs DNS
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
+#autoriser la navigation web
+/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT
+/sbin/iptables -A INPUT -i eth1  -p tcp -m multiport --sports 80,443,8000 -j ACCEPT
+#Si le serveur cups est branché sur un ordinateur du réseau 192.168.0.0/24, par exemple sur 192.168.0.22
+# laisser décommenter les deux lignes suivantes :
+/sbin/iptables -A INPUT -i eth0 -s 192.168.0.22 -d 192.168.0.1 -p tcp --sport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.1 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+#créer une chaîne utilisateur pour les connexion ssh, les loguer et les accepter
 /sbin/iptables -t filter -N InComingSSH
-/sbin/iptables -I OUTPUT -p tcp --sport 22 -j InComingSSH
+/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH
 /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : '
-#Allow ssh connection from inside to outside
+/sbin/iptables -A InComingSSH -j ACCEPT
-#Change in nexts lines this range ip "192.168.0.0/24" with your internal network
-/sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
+/sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-# Allow ssh connection form external to inside
+/sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+#créer une chaîne utilisateur pour les connexions ftp, et les accepter
-/sbin/iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+/sbin/iptables -N ftp_in_accept
-echo "set up firewall-client .........> [OK]"
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
-/sbin/iptables-save > /etc/firewall-client
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept
-echo "iptables-save > /etc/firewall-client .........> [OK]"
+/sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept
+/sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT
+/sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+echo "set up firewall_gateway.sh .........> [OK]"
+/sbin/iptables-save > /etc/firewall_gateway.sh
+echo "iptables-save > /etc/firewall_gateway.sh .........> [OK]"
 RETVAL=$?
 ;;
 'stop')
-# Supprime toutes les règles du pare-feu
+# Supprime toutes les règles de la tables FILTER et pose la police ACCEPT pour toutes les chaînes
+/sbin/iptables -t filter -F
+/sbin/iptables -t filter -X
+/sbin/iptables -t filter -P INPUT ACCEPT
+/sbin/iptables -t filter -P OUTPUT ACCEPT
+/sbin/iptables -t filter -P FORWARD ACCEPT
+echo "FILTER [ALL firewall_gateway.sh's rules .... [FLUSH] ..... POLICY ......> [ACCEPT]"
+echo "NAT ...POSTROUTING ... MASQUERADE .... [STILL SET UP]"
+RETVAL=$?
+;;
+'restart')
+#ré-installe le pare-feu complet, y compris NAT (masquerade), DNAT (port 631)
+/sbin/iptables-restore < /etc/firewall_gateway.sh
+echo "/etc/firewall-client ........> [OK]"
+echo "NAT (masquerade) ........> [OK]"
+echo "DNAT (port 631) ........> [OK]"
+RETVAL=$?
+;;
+'status')
+/sbin/iptables -L -n --line-numbers
+/sbin/iptables -t nat -L -n --line-numbers
+RETVAL=$?
+;;
+'flush')
+#supprime toutes les règles de toutes les tables ; accepte tout
 /sbin/iptables -t filter -F
 /sbin/iptables -t nat -F
@@ Ligne 1063: / Ligne 1075: @@
 /sbin/iptables -t filter -P OUTPUT ACCEPT
 /sbin/iptables -t filter -P FORWARD ACCEPT
-echo "FILTER [ALL RULES .... [FLUSH] ..... POLICY ......> [ACCEPT]"
+echo "FILTER [ALL RULES .......> [FLUSH]"
+echo "WARNING ........ ALL POLICY ......> [ACCEPT]"
+RETVAL=$?
+;;
+'deletnat')
+/sbin/iptables -t nat -F
+/sbin/iptables -t nat -X
+/sbin/iptables -t mangle -F
 /sbin/iptables -t nat -P PREROUTING ACCEPT
 /sbin/iptables -t nat -P POSTROUTING ACCEPT
@@ Ligne 1070: / Ligne 1089: @@
 /sbin/iptables -t mangle -P OUTPUT ACCEPT
 /sbin/iptables -t mangle -P POSTROUTING ACCEPT
-/sbin/iptables -t mangle -P FORWARD ACCEPT
-/sbin/iptables -t mangle -P INPUT ACCEPT
+echo "NAT/MANGLE [ALL RULES .... [FLUSH] ..... POLICY ......> [ACCEPT]"
-/sbin/iptables -t raw -P OUTPUT ACCEPT
+echo "INFO ......> [NAT/DNAT is OFF]"
-/sbin/iptables -t raw -P PREROUTING ACCEPT
+echo "INFO ......> [FILTER STILL SET UP]"
-echo "ALL TABLES ....[FLUSH] ..... ALL POLICY .......> [ACCEPT]"
-RETVAL=$?
-;;
-'restart')
-/sbin/iptables-restore < /etc/firewall-client
-echo "/etc/firewall-client ........[OK]"
-RETVAL=$?
-;;
-'status')
-/sbin/iptables -L
-/sbin/iptables -t nat -L
 RETVAL=$?
 ;;
 *)
-echo "Usage: $0 { start | stop | restart | status }"
+echo "Usage: $0 { start | stop | restart | status | flush | deletnat }"
 RETVAL=1
 ;;

utilisateurs/hypathie/tutos/brouillon-bac-a-sable-de-mes-mini-tutos.txt · Dernière modification: 10/03/2016 18:45 par Hypathie

Debian-facile

Différences

Pied de page des forums