bonjour,
ouf! c pas tres simple pour un bleu :,(
nmap -v -sV -O 19X.XXX.X.XXX #donne ca
"PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
37/tcp open time?
113/tcp open ident OpenBSD identd
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at [
www.insecure.org] :
SF-Port37-TCP:V=3.75%D=1/18%Time=3884D951%P=i486-slackware-linux-gnu%r(NUL
SF:L,4,"\xbc/W\xd1")%r(GenericLines,4,"\xbc/W\xd1")%r(GetRequest,4,"\xbc/W
SF:\xd1")%r(HTTPOptions,4,"\xbc/W\xd1")%r(RTSPRequest,4,"\xbc/W\xd1")%r(RP
SF:CCheck,4,"\xbc/W\xd1")%r(DNSVersionBindReq,4,"\xbc/W\xd1")%r(DNSStatusR
SF:equest,4,"\xbc/W\xd1")%r(Help,4,"\xbc/W\xd1")%r(SSLSessionReq,4,"\xbc/W
SF:\xd1")%r(SMBProgNeg,4,"\xbc/W\xd1")%r(X11Probe,4,"\xbc/W\xd1")%r(LPDStr
SF:ing,4,"\xbc/W\xd1")%r(LDAPBindReq,4,"\xbc/W\xd1")%r(LANDesk-RC,4,"\xbc/
SF:W\xd1")%r(TerminalServer,4,"\xbc/W\xd1")%r(NCP,4,"\xbc/W\xd1")%r(NotesR
SF
C,4,"\xbc/W\xd1")%r(WMSRequest,4,"\xbc/W\xd1")%r(oracle-tns,4,"\xbc/W\
SF:xd1");
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.058 days (since Tue Jan 18 20:57:45 2000)
TCP Sequence Prediction: Class=random positive increments
Difficulty=5077897 (Good luck!)
IPID Sequence Generation: All zeros
Nmap run completed -- 1 IP address (1 host up) scanned in 8.580 seconds "
bref mon pc est une vraie concierge :-/
voila ce que j'ai mis dans mon rc.local:
#!/bin/sh -x
# $Id: firewall,v 2.0 2002/08/01 13:42:22 chryjs Exp $
# File provided by www.firewall-net.com
# Parameters
# $1 : external interface name
# $2 : external interface ip address
# $3 : Gateway ip address
echo "Starting firewalling... "
# ----------------------------------------------------------------------------
if [ ! -z "$1" ]; then
EXTERNAL_INTERFACE=$1
GATEWAY=$2
else
EXTERNAL_INTERFACE="eth0"
GATEWAY="0/0"
fi
LOOPBACK_INTERFACE="lo"
IPADDR=`LANG= LC_ALL= ifconfig ${EXTERNAL_INTERFACE} | grep 'inet addr' |
awk -F: '{ print $2 } ' | awk '{ print $1 }'`
ANYWHERE="0/0"
DHCP_SERVER="0/0"
if [ -f /etc/resolv.conf ]; then
NAMESERVER_1=`grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`
else
NAMESERVER_1="127.0.0.1"
fi
SMTP_SERVER="127.0.0.1"
POP_SERVER="0/0"
NEWS_SERVER="any/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# ----------------------------------------------------------------------------
NFS_PORT="2049"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
CVS_PSERVER_PORT="2401"
MYSQL_PORT="3306"
# ----------------------------------------------------------------------------
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT REJECT
iptables -P FORWARD DROP
# ----------------------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# ----------------------------------------------------------------------------
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE
# ----------------------------------------------------------------------------
iptables -A INPUT -s $IPADDR -j DROP
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $CVS_PSERVER_PORT -j REJECT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $MYSQL_PORT -j REJECT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $NAMESERVER_1 --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $NAMESERVER_1 --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 443 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 110 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SMTP_SERVER --destination-port 25 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SMTP_SERVER --source-port 25 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 113 -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 43 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 43 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 79 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 79 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 21 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 6667 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# ----------------------------------------------------------------------------
# CABLE
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $IPADDR --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $DHCP_SERVER --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 67 \
-d $BROADCAST_DEST --destination-port 68 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC --source-port 68 \
-d $BROADCAST_DEST --destination-port 67 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER --source-port 67 \
--destination-port 68 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 67 \
-d $IPADDR --destination-port 68 -j DROP
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d any/0 --destination-port 123 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s any/0 --source-port 123 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, #fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j REJECT #ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j REJECT #ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 3 -j LOG
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -j LOG
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j LOG
# ----------------------------------------------------------------------------
echo "done"
exit 0
ou est l'erreur :-( ?