Linux Iptable Firewall

Return to Previous Page
Administration RéseauSécurité

Linux Iptable Firewall

A adapter biensûr… X.X.X.X = IP du serveur local, Y.Y.Y.Y = IP du serveur distant (Rsync).

Pour qu’il soit lancé au démarrage le sauvegarder dans le fichier 

/etc/init.d/firewall.sh

puis on fait un:

chmod +x /etc/init.d/firewall.sh
update-rc.d firewall.sh defaults
#Pour l'enlever si besoin
#update-rc.d firewall.sh remove
### BEGIN INIT INFO
# Provides:          firewall
# Setting firewall rules...
#
# config de base dedibox
echo ""
echo '################# INIT  #################'
###### Debut Initialisation ######
# Vider les tables actuelles
iptables -t filter -F
iptables -t filter -X
echo - Vidage de toutes les regles: [OK]


###### Interdiction de tout entrant ######
# Interdire toute connexion entrante
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
echo - Interdire toute connexion entrante : [OK]

# Ne pas casser les connexions établies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - Ne pas casser les connexions etablies : [OK]

###### Fin Inialisation ######
echo '################# INIT  #################'
echo ""
echo '################# RULES  ################'
# Autoriser les pings
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - Ping autorise : [OK]


##### Debut Regles ######
## On drop les scans XMAS et NULL.
iptables -t filter -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j LOG --log-prefix "FIN  KILL: "
iptables -t filter -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS KILL: "
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL KILL: "
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN  KILL: "
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
echo - DROP : [OK]

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
iptables -t filter   -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -t filter   -A INPUT -p tcp --tcp-flags ALL ALL -j  DROP
iptables -t filter   -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -t filter   -A INPUT -p tcp --tcp-flags ALL NONE -j  DROP
iptables -t filter   -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t filter   -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
echo - Drop those nasty packets : [OK]

## Dropper silencieusement tous les paquets broadcasts
iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix "BROAD  KILL: "
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
echo - Broadcast : [OK]


# DNS
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
echo - DNS : [OK]


# Autoriser SSH
iptables -t filter -A INPUT -s  X.X.X.X -p tcp --dport 2200 -m recent --rcheck --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "SSH REJECT"
iptables -t filter -A INPUT -s  X.X.X.X -p tcp --dport 2200 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -t filter -A INPUT -s  X.X.X.X -p tcp --dport 2200 -m state --state NEW -m recent --set --name SSH -j ACCEPT


#Pour RSYNC on enlève les blocages sur le nombre de paquets
iptables -t filter -A OUTPUT -s Y.Y.Y.Y -p tcp --dport 2200 -m recent --rcheck --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "SSH REJECT"
iptables -t filter -A OUTPUT -s Y.Y.Y.Y -p tcp --dport 2200 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -t filter -A OUTPUT -s  Y.Y.Y.Y -p tcp --dport 2200 -m state --state NEW -m recent --set --name SSH -j ACCEPT
echo - SSH OK : [OK]


# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Autoriser loopback : [OK]


# Autoriser ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - Autoriser ping : [OK]


# HTTP et HTTPS IN
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables  -t filter -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables  -t filter -A INPUT -p tcp --dport 81 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t' -j LOG  --log-prefix "w00t DROP: "   --log-level 7
iptables -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t' -j DROP
iptables -t filter -A INPUT -p tcp --dport 24816  -m limit --limit 25/minute --limit-burst 100  -j ACCEPT

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
echo - Autoriser HTTP et HTTPS : [OK]

#Transmission
iptables -t filter -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 51413 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9091 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 49152:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 49152:65535 -j ACCEPT



# FTP
#iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
#echo - Autoriser FTP : [OK]

# SMTP
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo - Autoriser SMTP OUT : [OK]

# WHOIS
iptables -t filter -A INPUT -p tcp --dport 43 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
echo - Whois : [OK]



## On log les paquets en entree
iptables -A INPUT -j LOG --log-prefix "IN  LOG: " --log-level 4
echo - LOG INPUT [OK]

## On log les paquets forward
iptables -A FORWARD -j LOG --log-prefix "FOR LOG: " --log-level 7
ip6tables -A FORWARD -j LOG --log-prefix "FO6 LOG: " --log-level 7
echo - LOG FORWARD [OK]

## On log les paquets en sortie
iptables -A OUTPUT -j LOG --log-prefix "OUT LOG: " --log-level 7
ip6tables -A OUTPUT -j LOG --log-prefix "OUT LOG: " --log-level 7
echo - LOG FORWARD [OK]


# NTP In/Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
echo - NTP [OK]


# Syn Flood
iptables -t filter  -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -t filter  -A FORWARD -p udp  -m limit --limit 1/second -j ACCEPT


# NTP In/Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
echo - NTP [OK]


# Syn Flood
iptables -t filter  -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -t filter  -A FORWARD -p udp  -m limit --limit 1/second -j ACCEPT

# Spoofing
iptables -N SPOOFED
iptables -A SPOOFED -s 127.0.0.0/8 -j DROP
iptables -A SPOOFED -s 169.254.0.0/12 -j DROP
iptables -A SPOOFED -s 172.16.0.0/12 -j DROP
iptables -A SPOOFED -s 192.168.0.0/16 -j DROP
iptables -A SPOOFED -s 10.0.0.0/8 -j DROP
echo - Spoofing : [OK]


# LOG des paquets rejetes
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix "DROPPED: " --log-level 7
iptables -A LOG_DROP -j DROP
echo - LogAll : [OK]
echo '################# RULES  ################'
echo ""

###### Fin Regles ######
echo "Firewall mis a jour avec succes !!!!!!"
echo ""

iptables-save > /home/user/iptable.save
ip6tables-save > /home/user/ip6table.save
###### Backup Regles ######
echo - Backup Regles : [OK]
echo ""

echo ""
echo '################# END  ################'
echo ""

Avec cette configuration + Psad + logwatch + mod-security + fail2ban (voir autres tutoriels) vous êtes vraiment tranquilles (ne pas oublier de changer le port 22 SSH par un plus personnel…)

Étiquettes : , , , ,
Previous
Asterisk Installation à partir sources + meetme sur Debian 7
Next
Powershell encryption decryption

Leave a reply

Your email address will not be published. Required fields are marked