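#!/bin/bash
#---------------------------------------------------------------
# Home gateway bring-up: start the ADSL link, stop the services
# that must not be reachable, harden a few IPv4 sysctls, then load
# an iptables ruleset (default DROP everywhere, LAN trusted, LAN
# masqueraded behind the WAN interface). Must run as root.
#
# Deliberately not run under `set -e`: the service stops and the
# vncserver kill are best-effort and may legitimately fail without
# that being a reason to leave the box without a firewall.
#---------------------------------------------------------------
set -u

# Tunables; override from the environment instead of editing rules.
WAN=${WAN:-ppp0}                           # interface towards the Internet
LAN=${LAN:-eth0}                           # trusted local network
ADMIN_HOST=${ADMIN_HOST:-toto.dyndns.org}  # remote host allowed to reach ssh

# Everything below writes /proc and iptables; fail early otherwise.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

/usr/sbin/startadsl
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/rc.d/init.d/vsftpd stop
/etc/rc.d/init.d/smb stop
vncserver -kill :1

#---------------------------------------------------------------
# Reverse-path filtering on every interface: answer on the
# interface the packet arrived on, never another one (anti
# IP-spoofing). The `all` entry is set again below for clarity.
#---------------------------------------------------------------
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$filtre"
  done
fi
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------
# Log packets carrying an impossible (martian) source address
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------
# Do not send ICMP redirects
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------
# Drop source-routed packets
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#---------------------------------------------------------------
# Do not accept ICMP redirects
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------
# SYN cookies against SYN-flood denial of service
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------
# Do not answer broadcast pings
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#---------------------------------------------------------------
# FTP connection-tracking helper, needed for passive FTP through
# the NAT. These are the ip_conntrack-era module names; newer
# kernels ship them as nf_conntrack_ftp / nf_nat_ftp.
#---------------------------------------------------------------
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

#---------------------------------------------------------------
# Start from a clean slate in every table that gets rules below.
# mangle was previously not flushed, so the TCPMSS rule was
# appended once more on every run of this script.
#---------------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Clamp MSS to the path MTU on forwarded SYNs (usual on PPP links
# whose MTU is below 1500).
iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

# The gateway itself may send anything. This must precede any rule
# that names ADMIN_HOST: iptables resolves the name when the rule is
# inserted, and with OUTPUT policy DROP and no ACCEPT rule yet the
# DNS query cannot leave the box, so the rule fails to load. The
# former trailing `iptables -A OUTPUT -j DROP` was unreachable
# behind this rule and has been dropped.
iptables -A OUTPUT -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
# Replies to the gateway's own DNS and HTTP traffic on the WAN.
iptables -A INPUT -i "$WAN" -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$WAN" -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
# The LAN is fully trusted.
iptables -A INPUT -i "$LAN" -j ACCEPT
# ssh. NOTE(review): the second rule admits every source on $WAN
# (only INVALID is excluded), so the ADMIN_HOST rule adds nothing and
# ssh is reachable from the whole Internet; remove the second rule if
# only ADMIN_HOST is meant to get in. ADMIN_HOST is resolved once,
# here: if its dynamic address changes the rule keeps the old one
# until this script is run again.
iptables -A INPUT -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state ! INVALID -j ACCEPT
iptables -A INPUT -j DROP

# LAN -> Internet freely; Internet -> LAN only for established
# flows, plus everything from ADMIN_HOST towards the LAN.
iptables -A FORWARD -i "$LAN" -o "$WAN" -m state --state ! INVALID -j ACCEPT
iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$ADMIN_HOST" -o "$LAN" -m state --state ! INVALID -j ACCEPT
iptables -A FORWARD -i "$LAN" -d "$ADMIN_HOST" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
# Hide the LAN behind the WAN address.
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE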
#
J'ai aussi un problème :
iptables -A INPUT -s toto.dyndns.org -p tcp --dport 22 -j ACCEPT : cette ligne-là ne fonctionne pas !
Pourquoi ? Tu as une idée ? Stp !
Poste le Friday 23 September 2005 00:16:32