Apache server behind a firewall
Posted by: loicblutz

OK, help. I can't manage to open up access to my web server. It sits behind a firewall with 3 network cards: one towards the Internet, eth0; one towards my "clients" network, eth1 (with NAT, but that part is fine); and one towards my mail server (that part is OK) and my Apache server, eth2.

Here is my iptables config (er, I left out the NAT and so on...):

*mangle
COMMIT

*filter
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
#
################################################
#Input
################################################
#
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
################################################
#interface eth0
################################################
#
#TCP
#
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --sport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
#
#UDP
#
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
#
#
################################################
#interface eth2
################################################
#
-A INPUT -i eth2 -j ACCEPT
#
#TCP
#
-A INPUT -i eth2 -p tcp -m state --state ESTABLISHED -m tcp --sport 21 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
#
#UDP
#
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
#
-A INPUT -j DROP
#
################################################
# Forwarding
################################################
#
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#
#Port 20 : FTP-Data - File Transfer [Default Data]
#
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
#Port 21 : FTP - File Transfer [Control]
#
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#
#Port 22 : SSH - SSH Remote Login Protocol
#
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#
#Port 25 : SMTP - Simple Mail Transfer
#
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#
#Port 53 : DOMAIN - Domain Name Server
#
-A FORWARD -i eth2 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 53 -j ACCEPT
#
#Port 69 : TFTP - Trivial File Transfer
#
-A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
#
#Port 80 : HTTP/WWW/WWW-HTTP - World Wide Web HTTP
#
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#
#Port 143 : IMAP - Internet Message Access Protocol
#
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
#
#Port 443 : HTTPS - Http protocol over TLS/SSL
#
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#
#Port 3128 : NDL-AAS - Active API Server Port
#
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 3128 -j ACCEPT
#
#Other
#
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A FORWARD -j DROP
#
################################################
# Output
################################################
#
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
#
################################################
#interface eth0
################################################
#
-A OUTPUT -o eth0 -j ACCEPT
#
#TCP
#
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
#
#UDP
#
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
#
################################################
#interface eth2
################################################
#
-A OUTPUT -o eth2 -j ACCEPT
#
#TCP
#
-A OUTPUT -o eth2 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --sport 22 -j ACCEPT
#
#UDP
#
-A OUTPUT -o eth2 -p udp -m udp --sport 53 -j ACCEPT
#
-A OUTPUT -j DROP
#
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] :"
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] :"
-A LOG_DROP -j DROP

COMMIT

Can you tell me where I went wrong, please??? I'm completely lost. Thanks in advance :)

Posted Monday 6 February 2006 16:15:51
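Editor's note, added after the post and not part of loicblutz's message: the filter table shown already contains `-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT` and the `RELATED,ESTABLISHED` rule, so whether a connection from the Internet reaches Apache also depends on the nat table the post leaves out. Without a PREROUTING DNAT, a packet sent to the firewall's public address on port 80 is addressed to the firewall itself and is handled by INPUT, never by FORWARD. The script below is the editor's own, not the poster's: it prints the minimal fragment a DMZ web server needs and checks an `iptables-save` dump for the three pieces. The web server address 192.168.2.10 is a hypothetical value, and the sample rule set it checks is a constructed excerpt of the post's filter table.

```shell
#!/bin/sh
# Added example, written by the editor and not taken from the post. It keeps the
# post's layout (eth0 = Internet, eth2 = DMZ with the Apache host). The web
# server address 192.168.2.10 is a hypothetical value: replace it with the real one.
WAN_IF=eth0
DMZ_IF=eth2
WEB_IP=192.168.2.10

# Print the minimal iptables-restore fragment a DMZ web server needs: the nat
# table DNAT (the part the post says it left out) plus the FORWARD rules.
# In a full rule file the FORWARD lines must sit above the final "-A FORWARD -j DROP".
dmz_web_rules() {
    cat <<EOF
*nat
# Rewrite the public destination to the DMZ host before the routing decision;
# without this the packet is addressed to the firewall itself and goes to INPUT.
-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
COMMIT
*filter
# Replies of already-accepted connections, in either direction.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New HTTP connections from the Internet, only towards the web server itself.
-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -m tcp -d $WEB_IP --dport 80 -m state --state NEW -j ACCEPT
# Log before dropping, so a refused client shows up in the kernel log.
-A FORWARD -j LOG --log-prefix "[IPTABLES DROP] :"
-A FORWARD -j DROP
COMMIT
EOF
}

# Read an iptables-save dump on stdin and report which of the three pieces are
# absent. Accepts both "-m state --state" and the newer "-m conntrack --ctstate".
# Returns 0 only when all three are present.
check_dump() {
    dump=$(cat)
    rc=0
    printf '%s\n' "$dump" | grep -qE -- "^-A PREROUTING .*-p tcp .*--dport 80 .*-j DNAT" \
        || { echo "missing: nat PREROUTING DNAT for tcp/80"; rc=1; }
    printf '%s\n' "$dump" | grep -qE -- "^-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp .*--dport 80 .*-j ACCEPT" \
        || { echo "missing: FORWARD $WAN_IF -> $DMZ_IF tcp/80 ACCEPT"; rc=1; }
    printf '%s\n' "$dump" | grep -qE -- "^-A FORWARD .*--(state|ctstate) RELATED,ESTABLISHED -j ACCEPT" \
        || { echo "missing: FORWARD RELATED,ESTABLISHED ACCEPT"; rc=1; }
    return $rc
}

# Constructed stand-in for the posted rule set: the filter-table lines that
# matter for HTTP, and no nat table at all (as in the post).
posted_filter_only() {
    cat <<'EOF'
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Demo: the generated fragment passes; the filter-only rule set does not.
dmz_web_rules | check_dump && echo "generated fragment: complete"
posted_filter_only | check_dump || echo "filter-only rule set: incomplete (expected)"
```

On the firewall itself, source the script and run `iptables-save | check_dump` to see which piece is absent from the live rule set. Two further checks belong in the same round: `sysctl net.ipv4.ip_forward` must print 1, and `tcpdump -ni eth2 tcp port 80` while a client outside connects shows whether the packets reach the DMZ leg at all. If nothing appears on eth2, the packet never left the firewall and the nat/FORWARD side is the place to look; if SYNs appear but no reply comes back, the web host's own configuration or its default route (which must point back through the firewall) is. The LOG line uses the same prefix as the post's LOG_DROP chain, so dropped packets can be read in the kernel log with dmesg. Note that the DNAT above only applies to packets arriving on eth0; clients on eth1 that use the public address would need their own rule.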

Unless otherwise stated, the documentation published here is under a Creative Commons licence.