[www.homenethelp.com]
[www.netfilter.org]
[www.tldp.org]
[www.ibiblio.org]
[netfilter.kernelnotes.org]
En gros, c'est surtout une affaire d'iptables.
À tout hasard, voici un script que j'utilisais, et que j'ai repris de Faré RIDEAU (merci à lui) [fare.tunes.org] - j'ai utilisé ce script quand ma liaison ADSL était via une carte modem interne BEWAN PCI ST - depuis je préfère le modem routeur netopia
#!/bin/zsh -f
#
# firewall Activate/Deactivate the network firewall.
#
# description: this script manages the firewall between the local network \
# and the outer world.
#
# prcs $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $
# prcsproj $ProjectHeader: Scripts 0.104 Fri, 11 Feb 2005 07:13:35 +0100 basile $
# from fare firewall 1.26 2001/12/27 01:15:27 fare Exp
# Last ipchains version 1.20
#
# For Samaris only
#
# Kudos to <efge@mail.com>, <tril@tunes.org>
# See also:
# [netfilter.samba.org]
# [www.cs.princeton.edu]
# [www.boingworld.com]
#DEBUG=1
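# Trace a command line on stderr, then run it.
# Arguments: the command and its arguments
# Returns:   the exit status of the traced command
function DO () {
  # "--" stops print from reading a leading "-x" of the traced command as an option
  print -r -- "$*" >&2
  # Quoted so that empty arguments survive instead of being dropped by the expansion
  "$@"
}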
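# Stop the kernel from forwarding packets between interfaces.
# Outputs:   writes 0 to /proc/sys/net/ipv4/ip_forward; diagnostic on stderr
#            when the file is missing
# Returns:   0 on success, 1 when the knob does not exist
function disable_fw () {
  # Truncating write like configure_kernel; appending to a sysctl file works but
  # reads as if the value were being accumulated.
  if [ -f /proc/sys/net/ipv4/ip_forward ]; then
    echo '0' >/proc/sys/net/ipv4/ip_forward
  else
    print "# No /proc/sys/net/ipv4/ip_forward: cannot disable forwarding" >&2
    return 1
  fi
}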
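# Let the kernel forward packets between interfaces (this host routes).
# Outputs:   writes 1 to /proc/sys/net/ipv4/ip_forward; diagnostic on stderr
#            when the file is missing
# Returns:   0 on success, 1 when the knob does not exist
function enable_fw () {
  # Truncating write like configure_kernel; appending to a sysctl file works but
  # reads as if the value were being accumulated.
  if [ -f /proc/sys/net/ipv4/ip_forward ]; then
    echo '1' >/proc/sys/net/ipv4/ip_forward
  else
    print "# No /proc/sys/net/ipv4/ip_forward: cannot enable forwarding" >&2
    return 1
  fi
}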
# Set PATH, the locale and every address/interface constant the rules use,
# then discover the current ppp and Wifi addresses with ifcfg2IP.
# Globals (written): PATH, LANG, LC_CTYPE, LOCALNET, HIDDENLAN, WIFILAN,
#   TRUSTEDLANS, ADSLIP, PPP0, ALL, BLOCKED, ICMPPOL, LANDEV, WIFIDEV,
#   WIFIROUTER, PPPDEV, A, PPPIP, PPP, WIFIIP
# Outputs:   "# No ADSL connection!" / "# No Wifi connection!" on stderr when an
#            interface has no address; "wifi ip <addr>" on stdout when Wifi has one
function environment () {
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  # C locale so that ifconfig output is parsed in a known format
  LANG= LC_CTYPE=
  LANG=C
  export LANG
  LOCALNET=127.0.0.0/8
  # NOTE(review): a /8 on 192.168.x.y is the same prefix as 192.0.0.0/8, and
  # 192.168.0.0/9 likewise covers far more than the private range; /16 and /24
  # were probably meant. None of these four are referenced elsewhere in this
  # script, so the rules do not depend on them.
  HIDDENLAN=192.168.0.0/8
  WIFILAN=192.168.1.0/8
  TRUSTEDLANS=192.168.0.0/9
  ADSLIP=62.212.121.80
  PPP0=
  ALL=0.0.0.0/0
  BLOCKED=REJECT
  #BLOCKED=DENY
  ICMPPOL=ACCEPT
  LANDEV=eth0
  WIFIDEV=eth1 # the Wifi router sits on eth1
  WIFIROUTER=192.168.1.1
  #CABLEDEV=eth2
  # ADSLDEV=eth1
  PPPDEV=ppp0
  # (The former block deriving ADSLIP/ADSL from $ADSLDEV was disabled.)
  # ppp link: address as four octets, or nothing when the link is down
  A=( $(ifcfg2IP $PPPDEV inet.addr) )
  if [[ ${#A} -eq 4 ]]; then
    PPPIP=${A[1]}.${A[2]}.${A[3]}.${A[4]}
    PPP=${A[1]}.${A[2]}.0.0/16
  else
    print "# No ADSL connection!" >&2
    PPPIP=
    PPP=$PPP0
  fi
  # Wifi: WIFIIP empty means allow_LAN will not open that interface
  A=( $(ifcfg2IP $WIFIDEV inet.addr) )
  if [[ ${#A} -eq 4 ]]; then
    WIFIIP=${A[1]}.${A[2]}.${A[3]}.${A[4]}
    echo wifi ip $WIFIIP
  else
    print "# No Wifi connection!" >&2
    WIFIIP=
  fi
}
# Load appropriate modules.
# Load the netfilter modules the rules rely on. ipchains is unloaded first
# (presumably because it cannot be registered alongside ip_tables on 2.4
# kernels). Failures are not checked, as before.
load_modules () {
  local mod
  modprobe -r ipchains
  # ip_tables first; the conntrack and nat helpers build on it.
  for mod in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp; do
    modprobe $mod
  done
  # ip_conntrack_irc / ip_nat_irc are not in standard kernels, hence left out.
}
# Print the IPv4 address ifconfig reports for an interface as four
# space-separated octets; prints nothing when no matching line exists.
# Arguments: $1 - interface name
#            $2 - regexp for the field label, e.g. "inet.addr"
# Outputs:   "a b c d" on stdout
# NOTE(review): the sed expression expects the net-tools layout
#   "<label>:a.b.c.d <more>"; an ifconfig printing "inet a.b.c.d" would yield
#   nothing, leaving PPPIP empty and the SNAT rule in masquerade failing.
#   Confirm on the target host.
ifcfg2IP () {
  local dev=$1 label=$2
  # Exported rather than local: callers keep the C locale afterwards, as before.
  export LANG=C
  local octets='\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)'
  =ifconfig $dev | grep "${label}:" \
    | sed -e 's/^.*'"${label}"':'"${octets}"' .*$/\1 \2 \3 \4/'
}
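# Run iptables with the given arguments; on failure log the rule and return 1.
# The failure branch used to run in a subshell, so its "exit 1" only ended the
# subshell and the script carried on; "return 1" gives the same status without
# the fork and without suggesting the script aborts. Callers decide what to do
# (masquerade, for instance, reacts to the status).
# Arguments: iptables arguments
# Returns:   0 on success, 1 when iptables failed
ipt () {
  iptables "$@" || { logger failed "ipt $*"; return 1; }
}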
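# Append a rule to the INPUT chain (filter table); "$@" keeps empty args intact.
INPUT () { ipt -A INPUT "$@"; }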
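# Append a rule to the OUTPUT chain (filter table); "$@" keeps empty args intact.
OUTPUT () { ipt -A OUTPUT "$@"; }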
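# INPUT rule restricted to packets arriving on the ppp (external) interface.
INPUText () { INPUT -i $PPPDEV "$@"; }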
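# OUTPUT rule restricted to packets leaving by the ppp (external) interface.
OUTPUText () { OUTPUT -o $PPPDEV "$@"; }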
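# Append a rule to the FORWARD chain (filter table); "$@" keeps empty args intact.
FORWARD () { ipt -A FORWARD "$@"; }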
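# Append a rule to the PREROUTING chain; the table is chosen by the caller.
PREROUTING () { ipt -A PREROUTING "$@"; }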
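# Append a rule to the POSTROUTING chain; the table is chosen by the caller.
POSTROUTING () { ipt -A POSTROUTING "$@"; }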
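# PREROUTING rule in the nat table.
PRENAT () { PREROUTING -t nat "$@"; }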
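# POSTROUTING rule in the nat table.
POSTNAT () { POSTROUTING -t nat "$@"; }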
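# nat PREROUTING rule for packets arriving on the ppp (external) interface.
PRENAText () { PRENAT -i $PPPDEV "$@"; }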
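# nat POSTROUTING rule for packets leaving by the ppp (external) interface.
POSTNAText () { POSTNAT -o $PPPDEV "$@"; }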
# Common tail of every logging rule: the LOG target, to be followed by the
# prefix string. Expanded unquoted in zsh, which yields all three words.
log=( -j LOG --log-prefix )
# Default policies: whatever no rule accepts is dropped on INPUT and FORWARD;
# OUTPUT and the three nat chains default to ACCEPT. Installed before the
# tables are flushed, so re-running the script mid-session only opens a short
# window in which wanted packets are dropped — never one in which unwanted
# packets pass.
drop_packets () {
  local chain
  for chain in INPUT FORWARD; do
    ipt -P $chain DROP
  done
  ipt -P OUTPUT ACCEPT
  for chain in PREROUTING POSTROUTING OUTPUT; do
    ipt -t nat -P $chain ACCEPT
  done
}
# Start from a clean slate when the script is re-run: flush all rules and
# delete all user-defined chains in the filter and nat tables, then zero the
# counters. The default policies set by drop_packets are untouched.
clear_tables () {
  local op
  for op in -F -X; do
    ipt $op
    ipt $op -t nat
  done
  ipt -Z
}
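# Write one value to a /proc/sys knob; when the running kernel does not expose
# the knob, say so on stderr and carry on instead of a failed redirection.
# Arguments: $1 - path under /proc/sys, $2 - value to write
_set_sysctl () {
  local knob=$1 value=$2
  if [ -f "$knob" ]; then
    echo "$value" > "$knob"
  else
    print "# $knob not available in this kernel, skipped" >&2
  fi
}
# Kernel-side hardening (needs CONFIG_SYSCTL). Every knob is now written only
# when present; before, only tcp_ecn and tcp_syncookies were guarded and the
# others produced a redirection error on kernels lacking them.
configure_kernel () {
  # Disable ECN, which causes problems with some sites.
  _set_sysctl /proc/sys/net/ipv4/tcp_ecn 0
  # TCP Syncookies protection.
  _set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # TIME_WAIT assassination protection.
  _set_sysctl /proc/sys/net/ipv4/tcp_rfc1337 1
  # Don't disable response to ping.
  _set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 0
  # Disable response to broadcasts.
  _set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Don't accept source routed packets.
  _set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
  # Disable ICMP redirect acceptance.
  _set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # Enable bad error message protection.
  _set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Log spoofed packets, source routed packets, redirect packets.
  _set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
  # Make sure that IP forwarding is turned on. We want this for a
  # multi-homed host.
  _set_sysctl /proc/sys/net/ipv4/ip_forward 1
  # Turn on reverse path filtering. conf/all is enough: the kernel applies
  # the larger of the all/ and per-interface rp_filter values.
  _set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1
  # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
  # this option. This enables dynamic-ip address hacking in IP MASQ,
  # making the connection with Diald and similar programs much easier.
  #_set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
  # Note: With connection tracking, all fragments are reassembled before
  # being passed to the packet-filtering code so there is no
  # ip_always_defrag switch as there was in the 2.2 kernel.
}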
## ---------- Rules ----------
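# With DEBUG set, log every packet traversing each built-in chain at level
# DEBUG (a lot of output: for troubleshooting only). Does nothing otherwise.
# The option array is now local instead of leaking into the global scope.
# Globals:   DEBUG (read)
debug_rules () {
  [ -n "$DEBUG" ] || return 0
  local -a debugopt
  debugopt=( -j LOG --log-level DEBUG --log-prefix )
  INPUT "${debugopt[@]}" "IPTABLES DEBUG INPUT: "
  OUTPUT "${debugopt[@]}" "IPTABLES DEBUG OUTPUT: "
  FORWARD "${debugopt[@]}" "IPTABLES DEBUG FORWARD: "
  PRENAT "${debugopt[@]}" "IPTABLES DEBUG NATPRER: "
  POSTNAT "${debugopt[@]}" "IPTABLES DEBUG NATPOSTR: "
  OUTPUT -t nat "${debugopt[@]}" "IPTABLES DEBUG NATOUT: "
}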
# Expose an external TCP port: DNAT it on the ppp link to an internal server
# and let the redirected connection through FORWARD. Every source is allowed
# unless $4 narrows it; add any rejecting rule *before* calling this.
# Arguments: $1 - external port
#            $2 - internal server address
#            $3 - internal port (defaults to $1)
#            $4 - allowed source (defaults to 0/0)
REDIRext () {
  local in_port=$1 server=$2
  local real_port=${3:-$in_port} allowed_src=${4:-0/0}
  PRENAText -p tcp -s ${allowed_src} --dport ${in_port} \
    -j DNAT --to ${server}:${real_port}
  FORWARD -p tcp -s ${allowed_src} -d ${server} --dport ${real_port} -j ACCEPT
}
# Services redirected from the outside to internal hosts. None at present;
# the commented lines show both shapes (a raw DNAT + FORWARD pair, and
# REDIRext external_port server internal_port).
redirected_services () {
  # # SEND -> LimboEND (Genera Converse)
  # PRENAT -p tcp -d $PPPIP --dport 262 -j DNAT --to 10.31.0.13
  # FORWARD -p tcp -d 10.31.0.13 --dport 262 -j ACCEPT
  # # 24 -> KadathSH
  # REDIRext 24 10.31.0.3 22
  :
}
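## LOOPBACK
# Allow unlimited traffic on the loopback interface. Goes through the INPUT
# and OUTPUT wrappers like every other filter rule, so a failure is logged
# by ipt the same way.
allow_loopback () {
  INPUT -i lo -j ACCEPT
  OUTPUT -o lo -j ACCEPT
}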
## LOCAL NET
# Everything arriving on or leaving by the wired LAN is accepted: hosts on
# $LANDEV are fully trusted by this machine. The Wifi segment is trusted the
# same way, but only when environment found an address on it.
# Globals:   LANDEV, WIFIDEV, WIFIIP (read)
# Outputs:   "wifi not connected" on stdout (and a syslog line) when WIFIIP is empty
allow_LAN () {
  INPUT -i $LANDEV -j ACCEPT
  OUTPUT -o $LANDEV -j ACCEPT
  ## wifi
  if [[ -z "$WIFIIP" ]]; then
    echo wifi not connected
    logger firewall_iptable_hector sans wifi
  else
    INPUT -i $WIFIDEV -j ACCEPT
    OUTPUT -o $WIFIDEV -j ACCEPT
  fi
  # ## Modem
  # INPUT -i $ADSLDEV -j ACCEPT
  # OUTPUT -o $ADSLDEV -j ACCEPT
}
## MASQUERADING (NAT)
# Rewrite the source of everything leaving by the ppp link to the ppp address
# (fixed-address SNAT rather than MASQUERADE, so $PPPIP must be current when
# the script runs; with an empty PPPIP the rule fails and "echec to source" is
# printed). Then decide what may be forwarded: anything coming from the wired
# or Wifi side — the Wifi segment can reach the LAN and the outside freely —
# plus replies to tracked connections and the redirected services; the rest is
# logged (rate-limited) and dropped, on top of the FORWARD DROP policy.
# Globals:   PPPIP, LANDEV, WIFIDEV, log (read)
masquerade () {
  #POSTNAText -j MASQUERADE
  POSTNAText -j SNAT --to-source $PPPIP || echo echec to source
  ### Don't forward from some hosts:
  ### FORWARD -i $LANDEV -s 10.31.0.3 -j DROP
  FORWARD -i $LANDEV -j ACCEPT
  FORWARD -i $WIFIDEV -j ACCEPT
  FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  redirected_services
  FORWARD -m limit --limit 3/minute --limit-burst 3 "${log[@]}" "IPTABLES DROP FORWARD: "
  FORWARD -j DROP
}
## FILTER CRAP
# Drop IGMP (protocol 2) and packets with a multicast or reserved source as
# they arrive on the ppp link. These rules sit in the nat table, which is
# consulted only for the first packet of a connection, so they are a coarse
# pre-filter rather than a replacement for filter-table rules.
filter_crap () {
  local src
  PRENAText -p 2 -j DROP
  # Multicast addresses, reserved IP addresses.
  for src in 224.0.0.0/4 240.0.0.0/5; do
    PRENAText -s $src -j DROP
  done
}
## SPOOFING
# Belt and braces: rp_filter and the other sysctls set in configure_kernel
# should already refuse these, but a bug in the IP stack is always possible.
# A "spoof" chain in the nat table logs (rate-limited) and drops; packets
# arriving on the ppp link with a private source, or addressed to loopback,
# are sent there. Being in the nat table, it only sees a connection's first
# packet.
# Globals:   log (read)
filter_spoofing () {
  local net
  ipt -N spoof -t nat
  ipt -A spoof -t nat -m limit --limit 1/s --limit-burst 4 "${log[@]}" "IPTABLES DROP SPOOF: "
  ipt -A spoof -t nat -j DROP
  # Local IP address.
  ### PRENAText -s $IPADDR -j spoof
  # Private networks.
  for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
    PRENAText -s $net -j spoof
  done
  # To loopback
  PRENAText -d 127.0.0.0/8 -j spoof
}
# Stateful rules for the ppp link. A NEW tcp connection must start with a SYN
# (IMPORTANT: anything else claiming to be NEW is dropped); replies and
# related traffic — ftp data, dns, ntp, ping, traceroute, ... given the
# matching ip_conntrack modules — are accepted for tcp, udp and icmp.
filter_state () {
  local proto
  INPUText -p tcp ! --syn -m state --state NEW -j DROP
  for proto in tcp udp icmp; do
    INPUText -p $proto -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}
# Placeholder kept for the call order in install_firewall. The commented
# SYN-flood, port-scanner, ping-of-death and fragment rules of CVS release
# 1.25 were removed; nothing is installed here.
filter_attacks () {
  :
}
# Create "tcpinok", the target for the ports opened in allowed_ports: new and
# tracked connections are accepted, whatever is left (packets in no tracked
# state, typically INVALID) is logged and dropped.
# Globals:   log (read)
define_TCP_in () {
  local chain=tcpinok
  ipt -N $chain
  ipt -A $chain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A $chain "${log[@]}" "IPTABLES DROP TCPINOK: "
  ipt -A $chain -j DROP
}
## ---------- Allowed ports ----------
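# Services reachable from the ppp side. Every port or port range in
# OPEN_SERVICES accepts NEW tcp connections from any outside address through
# the tcpinok chain — review the list whenever a service is retired. The
# port lists are now local instead of leaking into the global scope.
# Globals:   log (read)
allowed_ports () {
  local NETBIOS="137:139"
  local ICQTCP=4090:4092
  local -a OPEN_SERVICES
  OPEN_SERVICES=(
    20:22      # FTP & SSH
    25 993     # SMTP IMAP-ssl
    79:80 443  # finger & WWW
    113 9999   # auth identtest
    3136       # grubclient distributed web crawler
  )
  local port
  for port in "${OPEN_SERVICES[@]}"; do
    INPUText -p tcp --dport $port -j tcpinok
  done
  ### INPUText -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  ## IRC probe: logged, then answered with a reset rather than silently dropped
  INPUText -p tcp --dport 1080 "${log[@]}" "IPTABLES REJECT TCP-1080: "
  INPUText -p tcp --dport 1080 -j REJECT --reject-with tcp-reset
  ## ICQ direct transfers
  ### INPUText -p tcp --dport $ICQTCP -j tcpinok
  ## Realplayer (udp 7170-7179)
  ### INPUText -p udp --dport 7170:7179 -j ACCEPT
  ## NETBIOS: dropped in both directions without logging
  local proto
  for proto in tcp udp; do
    INPUText -p $proto --dport $NETBIOS -j DROP
  done
  for proto in tcp udp; do
    OUTPUText -p $proto --dport $NETBIOS -j DROP
  done
  ## block vega's drug chat rooms.
  local -a TCP_OUTGOING_BLOCKED
  TCP_OUTGOING_BLOCKED=(
    # ## chat.yahoo.com
    # 204.71.200.89
    # 204.71.200.95
  )
  local host
  for host in "${TCP_OUTGOING_BLOCKED[@]}"; do
    OUTPUText -p tcp -d $host -j DROP
  done
}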
## ---------- Logging ----------
# Last rules on the ppp link. Inbound tcp/udp that nothing above accepted is
# logged and dropped; outbound tcp/udp/icmp is accepted; pings are accepted
# up to 10/second, above that logged (at most 3 lines a minute) and dropped;
# whatever remains is logged and dropped in both directions.
# NOTE(review): unlike the FORWARD and spoof logs, the tcp/udp/"other" LOG
# rules here carry no -m limit, so a scan produces one log line per packet.
# Globals:   log (read)
logging () {
  # tcp
  INPUText -p tcp "${log[@]}" "IPTABLES DROP TCP-IN: "
  INPUText -p tcp -j DROP
  # OUTPUText -p tcp $log "IPTABLES DROP TCP-OUT: "
  OUTPUText -p tcp -j ACCEPT
  # udp
  INPUText -p udp "${log[@]}" "IPTABLES DROP UDP-IN: "
  INPUText -p udp -j DROP
  # OUTPUText -p udp $log "IPTABLES DROP UDP-OUT: "
  OUTPUText -p udp -j ACCEPT
  # icmp: rate-limited to prevent pingfloods (rule made by tril)
  INPUText -p icmp -m limit --limit 10/second -j ACCEPT
  INPUText -p icmp -m limit --limit 3/minute -j LOG --log-prefix 'pingflood: '
  INPUText -p icmp -j DROP
  OUTPUText -p icmp -j ACCEPT
  # other
  INPUText "${log[@]}" "IPTABLES DROP IN: "
  INPUText -j DROP
  OUTPUText "${log[@]}" "IPTABLES DROP OUT: "
  OUTPUText -j DROP
}
# Build the whole firewall. Order matters: the DROP policies (drop_packets)
# go in before the old rules are flushed (clear_tables), so a re-run never
# passes unwanted packets, and define_TCP_in must create tcpinok before
# allowed_ports refers to it.
install_firewall () {
  local step
  for step in environment load_modules drop_packets clear_tables \
      configure_kernel debug_rules allow_loopback allow_LAN masquerade \
      filter_crap filter_spoofing filter_state filter_attacks \
      define_TCP_in allowed_ports logging; do
    $step
  done
}
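# See how we were called. Every invocation is recorded in syslog with the
# script version.
logger -t firewall "$*" '(prcs $ProjectHeader: Scripts 0.104 Fri, 11 Feb 2005 07:13:35 +0100 basile $ $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $)'
case "$1" in
  start|)
    # No argument means start.
    echo -n "Installing firewall: ..."
    install_firewall
    echo " done."
    ;;
  stop)
    # Not implemented: the rules and the DROP policies stay in place.
    echo -n "Closing down firewall: "
    echo NOT IMPLEMENTED YET
    ;;
  status)
    echo -n "IP forwarding is: "
    cat /proc/sys/net/ipv4/ip_forward
    echo "IP tables configuration:"
    # /proc/net/ip_tables_names is provided by the ip_tables module. The
    # previous test looked for /proc/net/ip_fwchains, an ipchains file that
    # is absent once load_modules has unloaded ipchains, so the listing did
    # not run on a kernel using iptables.
    if [ -f /proc/net/ip_tables_names ]; then
      iptables -L -n
    fi
    ;;
  nop)
    ;;
  test)
    # Show what environment would derive for the ppp address.
    environment
    ifcfg2IP $PPPDEV inet.addr
    ;;
  restart)
    $0 start
    ;;
  *)
    echo "Usage: firewall {start|stop|status|restart}"
    exit 1
esac
# The script's exit status is that of the case branch; this line is a no-op.
: exit 0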
#eof $Id: firewall_iptable_hector 1.14 Thu, 02 Sep 2004 18:59:05 +0200 basile $
----
Basile STARYNKEVITCH
Membre de l'
APRIL « promouvoir et défendre le logiciel libre » - adhérez vous aussi à l'APRIL!
Projet logiciel libre:
RefPerSys
Poste le Friday 21 April 2006 11:21:46