Firewall optimisation, and what do you use? - Installation - Linux and alternative OSes

Posted on 02-05-2003 at 18:55:40

here is my firewall:

Quote:

start () {
# flush everything
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# default policy: DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#echo "[Enabling the gateway]"
echo 1 > /proc/sys/net/ipv4/ip_forward
# test
echo 0 > /proc/sys/net/ipv4/tcp_ecn


# mandatory for localhost!
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# accept everything that travels on the LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -i ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# allow connection sharing (NAT)
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

# to be able to ping out
iptables -A OUTPUT -o ppp0 -p icmp --icmp-type ping -j ACCEPT

# DNS OK
iptables -A INPUT -i ppp0 --protocol udp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol udp --destination-port 53 -j ACCEPT

# for the web server
#iptables -A INPUT -i ppp0 -p TCP --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o ppp0 -p TCP --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH allowed from the Internet
#iptables -A INPUT -i ppp0 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o ppp0 -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow FTP from my local network (connection-tracking helpers)
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

iptables -A INPUT -i ppp0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT


LOG_FLOOD="2/s"

# chain that logs packets and then drops them
iptables -N LDROP
iptables -A LDROP -p tcp --dport 137:139 -j DROP
iptables -A LDROP -p udp --dport 137:139 -j DROP
iptables -A LDROP -p tcp -m limit --limit $LOG_FLOOD -j LOG --log-level 6 --log-prefix '[IPTABLES TCP Dropped] '
iptables -A LDROP -p udp -m limit --limit $LOG_FLOOD -j LOG --log-level 6 --log-prefix '[IPTABLES UDP Dropped] '
iptables -A LDROP -p icmp -m limit --limit $LOG_FLOOD -j LOG --log-level 6 --log-prefix '[IPTABLES ICMP Dropped] '
iptables -A LDROP -f -m limit --limit $LOG_FLOOD -j LOG --log-level 6 --log-prefix '[IPTABLES FRAGMENT Dropped] '
iptables -A LDROP -j DROP

# enable logging: anything not accepted above goes to LDROP
iptables -A FORWARD -j LDROP
iptables -A INPUT -j LDROP
iptables -A OUTPUT -j LDROP

echo "régle appliqué"
}



could you tell me what these correspond to:

Quote:

iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT


thanks in advance!


Message edited by stef_dobermann on 02-05-2003 at 22:32:54

---------------
It all started with a dream...


Posted on 02-05-2003 at 19:04:44

iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

everything that arrives at your gateway from the Web, on a TCP port > 1024, coming from a port > 1024 and belonging to an established connection, is accepted.

iptables -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

same thing, except it is what leaves your gateway, and related connections are accepted as well (roughly speaking, connections opened by another connection).

for more details:
http://christian.caleca.free.fr, netfilter section


---------------
He who asks a question is a fool for five minutes. He who never asks stays one for the rest of his life. | Member of the great pharmaceutical-medical-scientific-Judeo-Masonic conspiracy.
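As an added example (not code from this thread), here is a small Python model of how netfilter walks the INPUT chain of the script posted above, rule for rule and in the same order, so that the effect of the questioned --sport 1024:65535 --dport 1024:65535 --state ESTABLISHED rule, and of the rules ahead of it, can be checked with constructed packets and without root or a real kernel. The addresses and port numbers in the samples are made up; the chain contents come from the posted script.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

ESTABLISHED = frozenset({"ESTABLISHED"})
EST_REL = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    """One packet as netfilter sees it on INPUT (constructed sample data)."""
    iface: str      # ingress interface, what -i tests
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    sport: int      # 0 for icmp
    dport: int
    state: str      # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every match that is set must hold for the target to fire."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # --sport lo:hi, inclusive
    dport: Optional[Tuple[int, int]] = None   # --dport lo:hi, inclusive
    states: Optional[FrozenSet[str]] = None   # -m state --state ...

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


# The posted INPUT chain in its original order. Whatever no rule accepts
# falls through to the poster's LDROP chain (log, then DROP).
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", src_net="192.168.0.0/24"),                    # no -i: interface not checked
    Rule("ACCEPT", iface="ppp0", proto="udp", sport=(53, 53)),   # no -m state: stateless
    Rule("ACCEPT", iface="ppp0", proto="tcp", sport=(21, 21), states=ESTABLISHED),
    Rule("ACCEPT", iface="ppp0", proto="tcp", sport=(20, 20), states=EST_REL),
    # the rule the thread asks about
    Rule("ACCEPT", iface="ppp0", proto="tcp",
         sport=(1024, 65535), dport=(1024, 65535), states=ESTABLISHED),
]


def verdict(p: Packet, chain=INPUT_CHAIN) -> str:
    """First matching rule wins, exactly as the kernel walks a chain."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "LDROP"


def classify_samples() -> dict:
    """Constructed packets showing what the high-port rule does and does not cover."""
    return {
        # reply inside a connection the gateway itself opened to a high remote port
        "established_high_to_high": verdict(Packet("ppp0", "tcp", "203.0.113.7", 40000, 50000, "ESTABLISHED")),
        # same ports, but conntrack has never seen this connection: the rule needs ESTABLISHED
        "new_high_to_high": verdict(Packet("ppp0", "tcp", "203.0.113.7", 40000, 50000, "NEW")),
        # reply from a remote web server: source port 80 is outside 1024:65535, so even an
        # established connection from the gateway itself falls through to LDROP
        "established_from_port_80": verdict(Packet("ppp0", "tcp", "203.0.113.7", 80, 40000, "ESTABLISHED")),
        # the DNS rule carries no state match: any UDP datagram with source port 53 is accepted
        "udp_from_53_new": verdict(Packet("ppp0", "udp", "203.0.113.7", 53, 33000, "NEW")),
        # the LAN rule carries no -i, so a 192.168.0.x source is accepted on any interface;
        # this is what the rp_filter setting in the generated script further down guards against
        "lan_source_on_ppp0": verdict(Packet("ppp0", "tcp", "192.168.0.5", 1234, 22, "NEW")),
    }
```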

Posted on 02-05-2003 at 19:12:16

you're missing the defence against quite a few attacks, mate!!!


---------------
FFFF

Posted on 02-05-2003 at 19:15:01

jamiroq wrote:

you're missing the defence against quite a few attacks, mate!!!


Well, explain it to him rather than criticising so pointlessly ... :sarcastic:
Be a bit constructive for once ... :o

Posted on 02-05-2003 at 19:15:10

jamiroq wrote:

you're missing the defence against quite a few attacks, mate!!!


I think that's why he's asking for help :heink:

Posted on 02-05-2003 at 19:21:59

jamiroq wrote:

you're missing the defence against quite a few attacks, mate!!!


thanks for saying so! but I already knew that! what I'm looking for now is to improve this script, otherwise I wouldn't have opened this topic ;)


---------------
It all started with a dream...

Posted on 02-05-2003 at 19:30:50

SteF_DOBERMANN wrote:

thanks for saying so! but I already knew that! what I'm looking for now is to improve this script, otherwise I wouldn't have opened this topic ;)


I'll give you a little hint... instead of breaking your head swallowing the iptables syntax, which will change in a year or two with some new thing.... learn the concepts, it's more professional: Fwbuilder is your friend!!!

plus it offers a GUI borrowed from the best professional firewalls, so what more could you ask for!!

http://www.fwbuilder.org/


---------------
FFFF

Posted on 02-05-2003 at 19:33:30

Mjules wrote:

iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

everything that arrives at your gateway from the Web, on a TCP port > 1024, coming from a port > 1024 and belonging to an established connection, is accepted.

iptables -A OUTPUT -o ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

same thing, except it is what leaves your gateway, and related connections are accepted as well (roughly speaking, connections opened by another connection).

for more details:
http://christian.caleca.free.fr, netfilter section


thanks for the definition, but is it useful for doing IRC and LAN gaming for the PCs behind it?

I remind you that this PC does nothing other than run the FTP, web and SSH servers; later I'll also use tomcat4, but that's for later


---------------
It all started with a dream...

Posted on 02-05-2003 at 19:34:50

SteF_DOBERMANN wrote:

thanks for the definition, but is it useful for doing IRC and LAN gaming for the PCs behind it?

I remind you that this PC does nothing other than run the FTP, web and SSH servers; later I'll also use tomcat4, but that's for later


Firewall Builder is a multi-platform firewall configuration and
management tool. It consists of a GUI and a set of policy compilers for various firewall platforms. Firewall Builder uses an object-oriented approach; it helps the administrator maintain a database of network objects and allows policy editing using simple drag-and-drop operations. Firewall Builder currently supports iptables, ipfilter, OpenBSD PF and Cisco PIX.

... you'll be amazed at how easy handling the packets is, IRC and the like included!!


---------------
FFFF

Posted on 02-05-2003 at 19:43:00

sorry, but I can't access the site! I have a small problem with my firewall or with my routes!


---------------
It all started with a dream...


Posted on 02-05-2003 at 19:44:25

if it's a name resolution problem, here is the IP:

http://66.35.250.210/


---------------
FFFF

Posted on 02-05-2003 at 21:21:00

here is the message I get

Quote:


You have probably reached this page in error.

If you were attempting to reach a site whose domain ends in .sourceforge.net, it is likely that your browser is not HTTP/1.1 compliant. This may be because you're running a very old version of MSIE or Netscape.

Please upgrade your browser and try again.

Please Click Here


---------------
It all started with a dream...

Posted on 02-05-2003 at 21:48:49

oh dear, I'm hopeless at compiling anything!
don't you have something online? or a ready-made script?
edit: I only have a bare Debian with nothing on it!


Message edited by stef_dobermann on 02-05-2003 at 22:01:10

---------------
It all started with a dream...

Posted on 02-05-2003 at 23:20:59

I found this:
http://monmotha.mplug.org/~monmoth [...] 2.3.8-pre9
what do you think of it?


Message edited by stef_dobermann on 02-05-2003 at 23:26:40

---------------
It all started with a dream...

Posted on 02-05-2003 at 23:25:00

I don't know ;) but to learn in depth I find it better to write your iptables scripts yourself (and as for firewall principles, to really know them you have to read the RFCs online ;) besides, you'll know them as well as and better than with firebuilder)

plus it's easier to integrate QoS afterwards anyway :D ;)

Posted on 02-05-2003 at 23:26:13

GUG wrote:

I don't know ;) but to learn in depth I find it better to write your iptables scripts yourself (and as for firewall principles, to really know them you have to read the RFCs online ;) besides, you'll know them as well as and better than with firebuilder)

plus it's easier to integrate QoS afterwards anyway :D ;)


have you used fwbuilder?


---------------
FFFF

Posted on 02-05-2003 at 23:27:03

so what would you suggest to improve mine?


---------------
It all started with a dream...

Posted on 02-05-2003 at 23:43:50

jamiroq, could you generate a script for me with fwbuilder?


---------------
It all started with a dream...

Posted on 03-05-2003 at 00:38:32

SteF_DOBERMANN wrote:

jamiroq, could you generate a script for me with fwbuilder?


give me your config: your interfaces, your LANs and hosts, and the gateway IP


---------------
FFFF

Posted on 03-05-2003 at 01:08:39

gateway ip: 192.168.0.13
ppp0 (eth0) => internet
eth1 => local network (192.168.0.0)
web and ftp server on the firewall, which is also the gateway


---------------
It all started with a dream...

Posted on 03-05-2003 at 01:10:53

jamiroq wrote:

you're missing the defence against quite a few attacks, mate!!!


always showing off, that one [:rofl2]


---------------
No to the DADVSI bill! (copyright)

Posted on 03-05-2003 at 01:25:47

udok wrote:

always showing off, that one [:rofl2]


wait, have you seen his script!!!
I don't see where I'm showing off, apart from warning him ... but well, I'm on OSA! oh yes, that's right ...


---------------
FFFF

Posted on 03-05-2003 at 01:27:02

SteF_DOBERMANN wrote:

gateway ip: 192.168.0.13
ppp0 (eth0) => internet
eth1 => local network (192.168.0.0)
web and ftp server on the firewall, which is also the gateway


ok, I'll do it for you tomorrow, see you (on mdk 9.1)
in fact it'll give you an iptables script, all you'll have to do is sh script...


---------------
FFFF

Posted on 03-05-2003 at 01:39:14

Quote:

ok, I'll do it for you tomorrow, see you (on mdk 9.1)
in fact it'll give you an iptables script, all you'll have to do is sh script...


yeah, that's what I read, and I must say it really tipped the balance towards installing it. I thought it was a Microsoft-style thing (proprietary, but only at the script level => you'd have to have the software to run the scripts :sweat: ) but actually it's not bad (that way I can install it on another Debian (VMware) and that's it, no superfluous files on my server ;) )

Thanks anyway, and I'll look at your script with great interest (once I've understood how fwbuilder works)


Message edited by stef_dobermann on 03-05-2003 at 01:40:22

---------------
It all started with a dream...

Posted on 03-05-2003 at 02:39:25

Code:
#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables
# copyright 2002 Timothy Scott Morizot
#
# Redhat chkconfig comments - firewall applied early,
#                             removed late
# chkconfig: 2345 08 92
# description: This script applies or removes iptables firewall rules
#
# This generator is primarily designed for RedHat installations,
# although it should be adaptable for others.
#
# It can be executed with the typical start and stop arguments.
# If used with stop, it will stop after flushing the firewall.
# The save and restore arguments will save or restore the rules
# from the /etc/sysconfig/iptables file.  The save and restore
# arguments are included to preserve compatibility with
# Redhat's init.d script (at least in 7.x) if you prefer to use it.
# Redhat installation instructions
#
# 1. Ensure that ipchains will not automatically start.
#    chkconfig --level 0123456 ipchains off
#    This will make sure that the ipchains init.d script
#    is not linked to an S file in any of the rc directories.
#
# 2. Stop ipchains if it's running.
#    service ipchains stop
#
# 3. Execute lsmod to see if the ipchains kernel module is still loaded.
#    If it is, use rmmod to unload it. -- rmmod ipchains
#
# 4. Have the system link the iptables init.d startup script into run states
#    2, 3, and 5.
#    chkconfig --level 235 iptables on
#
# 5. Save this script and execute it to load the ruleset from this file.
#    You may need to run the dos2unix command on it to remove carriage returns.
#
# 6. To have it applied at startup, copy this script to
#    /etc/init.d/iptables.  It accepts stop, start, save, and restore
#    arguments.  (You may wish to save the existing one first.)
#
# 7. For non-Redhat systems (or Redhat systems if you have a problem), you
#    may want to append the command to execute this script to rc.local.
#    rc.local is typically located in /etc and /etc/rc.d and is usually
#    the last thing executed on startup.  Simply add /path/to/script/script_name
#    on its own line in the rc.local file.
###############################################################################
#
# Local Settings
#
# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth0"
# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.13"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK.  There is no need to run
# every time, however.
# /sbin/depmod -a
# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules.  Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default.  Uncomment if you have any problems or if
# you have disabled module autoload.  Note that some modules must
# be loaded by another kernel module.
# core netfilter module
/sbin/modprobe ip_tables
# the stateful connection tracking module
/sbin/modprobe ip_conntrack
# filter table module
# /sbin/modprobe iptable_filter
# mangle table module
# /sbin/modprobe iptable_mangle
# nat table module
# /sbin/modprobe iptable_nat
# LOG target module
# /sbin/modprobe ipt_LOG
# This is used to limit the number of packets per sec/min/hr
# /sbin/modprobe ipt_limit
# masquerade target module
# /sbin/modprobe ipt_MASQUERADE
# filter using owner as part of the match
# /sbin/modprobe ipt_owner
# REJECT target drops the packet and returns an ICMP response.
# The response is configurable.  By default, connection refused.
# /sbin/modprobe ipt_REJECT
# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark
# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss
# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport
# This match checks against the TCP flags
# /sbin/modprobe ipt_state
# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean
# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp
# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc
###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux [...] index.html
# for a detailed tutorial on sysctl and the various settings
# available.
# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
# This enables dynamic address hacking.
# This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#else
#    $SYSCTL net.ipv4.ip_dynaddr="1"
#fi
# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent?  It's recommended for single-homed
# systems and routers on stub networks.  Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ.  Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
#    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi
# The following kernel settings were suggested by Alex Weeks. Thanks!
# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
# This option can disable ICMP redirects.  ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi
# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed!  Now running with no firewall."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.
# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network.  While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image.  If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below.  It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
#     --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "fp=icmp_packets:2 a=ACCEPT "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.
# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections.  Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default.  To get here, the
# packets would have to be part of a new request received by the
# Internet interface.  You would have to manually add rules to
# accept these.  I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines.  These rules drop those packets
# quickly and without logging them.  This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
# A more sophisticated configuration could accept the ident requests.
# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
# However, if this is a gateway system that masquerades/nats for internal systems
# and the internal systems wish to chat, simply changing these rules to
# ACCEPT won't work.  The ident daemon on the gateway will need to know how
# to handle the requests.  The stock daemon in most linux distributions
# can't do that.   oidentd is one package that can.
# See: http://dev.ojnk.net/
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet.  This explicitly
# allows the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
     -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway.  Use with care.  It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# Ident requests (Port 113) must have a REJECT rule rather than the
# default DROP rule.  This is the minimum requirement to avoid
# long delays while connecting.  Also see the tcp_inbound rule.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
# A more sophisticated configuration could accept the ident requests.
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT
# However, if this is a gateway system that masquerades/nats for internal systems
# and the internal systems wish to chat, simply changing these rules to
# ACCEPT won't work.  The ident daemon on the gateway will need to know how
# to handle the requests.  The stock daemon in most linux distributions
# can't do that.   oidentd is one package that can.
# See: http://dev.ojnk.net/
# Web Server
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Passive FTP
#
# With passive FTP, the server provides a port to the client
# and allows the client to initiate the connection rather
# than initiating the connection with the client from the data port.
# Web browsers and clients operating behind a firewall generally
# use passive ftp transfers.  A general purpose FTP server
# will need to support them.
#
# However, by default an FTP server will select a port from the entire
  459. # range of high ports.  It is not particularly safe to open all
  460. # high ports.  Fortunately, that range can be restricted.  This
  461. # firewall presumes that the range has been restricted to a specific
  462. # selected range.  That range must also be configured in the ftp server.
  463. #
  464. # Instructions for specifying the port range for the wu-ftpd server
  465. # can be found here:
  466. # http://www.wu-ftpd.org/man/ftpaccess.html
  467. # (See the passive ports option.)
  468. #
  469. # Instructions for the ProFTPD server can be found here:
  470. # http://proftpd.linux.co.uk/localsi [...] /x861.html
  471. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:64000 -j ACCEPT
  472. # sshd
  473. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
  474. # Not matched, so return so it will be logged
  475. $IPT -A tcp_inbound -p TCP -j RETURN
  476. # tcp_outbound chain
  477. #
  478. # This chain is used with a private network to prevent forwarding for
  479. # requests on specific protocols.  Applied to the FORWARD rule from
  480. # the internal network.  Ends with an ACCEPT
  481. # No match, so ACCEPT
  482. $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
  483. ###############################################################################
  484. #
  485. # INPUT Chain
  486. #
  487. echo "Process INPUT chain ..."
  488. # Allow all on localhost interface
  489. $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
  490. # Drop bad packets
  491. $IPT -A INPUT -p ALL -j bad_packets
  492. # DOCSIS compliant cable modems
  493. # Some DOCSIS compliant cable modems send IGMP multicasts to find
  494. # connected PCs.  The multicast packets have the destination address
  495. # 224.0.0.1.  You can accept them.  If you choose to do so,
  496. # Uncomment the rule to ACCEPT them and comment the rule to DROP
  497. # them  The firewall will drop them here by default to avoid
  498. # cluttering the log.  The firewall will drop all multicasts
  499. # to the entire subnet (224.0.0.1) by default.  To only affect
  500. # IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
  501. # if they aren't accepted elsewhere, it will only ensure that
  502. # multicasts on other protocols are logged.
  503. # Drop them without logging.
  504. $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
  505. # The rule to accept the packets.
  506. # $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
  507. # Rules for the private network (accessing gateway system itself)
  508. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
  509. $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
  510. # Inbound Internet Packet Rules
  511. # Accept Established Connections
  512. $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
  513.      -j ACCEPT
  514. # Route the rest to the appropriate user chain
  515. $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
  516. $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
  517. $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  518. # Drop without logging broadcasts that get this far.
  519. # Cuts down on log clutter.
  520. # Comment this line if testing new rules that impact
  521. # broadcast protocols.
  522. $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
  523. # Log packets that still don't match
  524. $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
  525. ###############################################################################
  526. #
  527. # FORWARD Chain
  528. #
  529. echo "Process FORWARD chain ..."
  530. # Used if forwarding for a private network
  531. # Drop bad packets
  532. $IPT -A FORWARD -p ALL -j bad_packets
  533. # Accept TCP packets we want to forward from internal sources
  534. $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
  535. # Accept UDP packets we want to forward from internal sources
  536. $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
  537. # If not blocked, accept any other packets from the internal interface
  538. $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
  539. # Deal with responses from the internet
  540. $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
  541.      -j ACCEPT
  542. # Log packets that still don't match
  543. $IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
  544. ###############################################################################
  545. #
  546. # OUTPUT Chain
  547. #
  548. echo "Process OUTPUT chain ..."
  549. # Generally trust the firewall on output
  550. # However, invalid icmp packets need to be dropped
  551. # to prevent a possible exploit.
  552. $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
  553. # Localhost
  554. $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
  555. $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
  556. # To internal network
  557. $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
  558. $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
  559. # To internet
  560. $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
  561. # Log packets that still don't match
  562. $IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
  563. ###############################################################################
  564. #
  565. # nat table
  566. #
  567. ###############################################################################
  568. # The nat table is where network address translation occurs if there
  569. # is a private network.  If the gateway is connected to the Internet
  570. # with a static IP, snat is used.  If the gateway has a dynamic address,
  571. # masquerade must be used instead.  There is more overhead associated
  572. # with masquerade, so snat is better when it can be used.
  573. # The nat table has a builtin chain, PREROUTING, for dnat and redirects.
  574. # Another, POSTROUTING, handles snat and masquerade.
  575. echo "Load rules for nat table ..."
  576. ###############################################################################
  577. #
  578. # PREROUTING chain
  579. #
  580. ###############################################################################
  581. #
  582. # POSTROUTING chain
  583. #
  584. $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
  585. ###############################################################################
  586. #
  587. # mangle table
  588. #
  589. ###############################################################################
  590. # The mangle table is used to alter packets.  It can alter or mangle them in
  591. # several ways.  For the purposes of this generator, we only use its ability
  592. # to alter the TTL in packets.  However, it can be used to set netfilter
  593. # mark values on specific packets.  Those marks could then be used in another
  594. # table like filter, to limit activities associated with a specific host, for
  595. # instance.  The TOS target can be used to set the Type of Service field in
  596. # the IP header.  Note that the TTL target might not be included in the
  597. # distribution on your system.  If it is not and you require it, you will
  598. # have to add it.  That may require that you build from source.
  599. echo "Load rules for mangle table ..."

 
 
Cf.: http://easyfwgen.morizot.net/
 
Off to bed now ... :pt1cable:


Message edited by sebweb on 03-05-2003 at 02:42:55
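The generated script above relies on a comment ("That range must also be configured in the ftp server") to keep the passive-FTP port range in the firewall in step with the FTP daemon by hand. The following is an added example, not code from the original post nor from easyfwgen: it reads the range from a ProFTPD-style `PassivePorts LOW HIGH` directive (the directive is real; the config file path and the function names `passive_range`, `ftp_rules` and `ident_rule` are mine), refuses unusable ranges, and emits the matching tcp_inbound rules. It also shows the ident rule with an explicit TCP reset instead of the default ICMP port-unreachable, and deliberately leaves out the `--source-port 20` rule that the posted script carries. `IPT` defaults to `echo iptables`, so it only prints the rules; set `IPT=iptables` as root to load them.

```shell
#!/bin/sh
# Added example, not part of the original post or of easyfwgen.
# Derives the passive-FTP ACCEPT rule from the FTP server's own PassivePorts
# directive so the firewall range and the server range cannot drift apart.
# IPT defaults to a dry run that prints the commands; set IPT=iptables
# (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

# passive_range CONFIG_FILE
# Prints "LOW:HIGH" from a ProFTPD-style "PassivePorts LOW HIGH" line;
# returns 1 if the directive is missing or the range is unusable
# (non-numeric, inside the privileged range, inverted, or above 65535).
passive_range() {
    low=$(awk '$1 == "PassivePorts" { print $2; exit }' "$1")
    high=$(awk '$1 == "PassivePorts" { print $3; exit }' "$1")
    case "$low"  in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -gt 1023 ] && [ "$high" -ge "$low" ] && [ "$high" -le 65535 ] || return 1
    printf '%s:%s\n' "$low" "$high"
}

# ftp_rules CONFIG_FILE
# Emits the inbound FTP rules for the tcp_inbound chain: control port 21 and
# the passive data range, matching NEW connections only (ESTABLISHED,RELATED
# is already accepted earlier in INPUT).  Deliberately no "--sport 20" rule:
# with ip_conntrack_ftp loaded, active-mode data connections are RELATED,
# and a remote host can set its source port to 20 at will.
ftp_rules() {
    range=$(passive_range "$1") || {
        echo "ftp_rules: no usable PassivePorts directive in $1" >&2
        return 1
    }
    $IPT -A tcp_inbound -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A tcp_inbound -p tcp --dport "$range" -m state --state NEW -j ACCEPT
}

# ident_rule
# Ident (113) gets a REJECT, not a DROP, so remote mail/IRC servers that
# probe it give up at once; tcp-reset is the natural answer for a TCP port
# (a plain REJECT sends ICMP port-unreachable instead).
ident_rule() {
    $IPT -A tcp_inbound -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# Stand-alone run: "sh thisfile.sh --demo" builds a constructed ProFTPD
# config fragment (hypothetical, for illustration) and prints the rules
# that would be loaded.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf 'ServerName "demo"\nPassivePorts 62000 64000\n' > "$demo"
    ftp_rules "$demo"
    ident_rule
    rm -f "$demo"
fi
```

If the daemon's range is later changed, `ftp_rules` picks up the new value at the next firewall reload; if somebody removes the directive, the script fails loudly rather than silently opening nothing (or everything).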

Posted on 03-05-2003 at 11:48:17

Thanks for your post, nice script, lots of comments!
 
edit: and on top of that it's a PHP script!
But I finished installing GNOME last night (3:10 am) and fwbuilder is really nice! As for configuring it, I'm still looking, but I think I've found it ...
 
wait & see ....


Message edited by stef_dobermann on 03-05-2003 at 11:50:47

---------------
It all started with a dream...

Posted on 03-05-2003 at 13:15:18

SteF_DOBERMANN wrote:

> Thanks for your post, nice script, lots of comments!
>  
> edit: and on top of that it's a PHP script!
> But I finished installing GNOME last night (3:10 am) and fwbuilder is really nice! As for configuring it, I'm still looking, but I think I've found it ...
>  
> wait & see ....


Read the tutorials, they're really well done .... and super quick!!


---------------
FFFF

Posted on 03-05-2003 at 13:23:35

OK, but English and I aren't exactly best friends, if you see what I mean ...  :whistle:


---------------
It all started with a dream...

Posted on 03-05-2003 at 14:06:01

SteF_DOBERMANN wrote:

> OK, but English and I aren't exactly best friends, if you see what I mean ...  :whistle:

Send me your email and I'll send you my fwbuilder policy file (*.xml) ... along with its compiled version!!


---------------
FFFF