Here is my system:
- Debian 3r1,
- kernel 2.4.21,
- XFree 4.1.0 (the one that ships on the Debian 3r1 CDs; I am not yet connected
to the internet): I use Gnome.
I have concentrated on writing iptables rules to set up my firewall.
I am attaching the contents of the file /etc/iptables.rules and the startup
script /etc/init.d/iptables.
If I install the firewall:
- I switch to Gnome with Ctrl+F7 (it is already started at boot),
- I type the login and the password,
- Gnome starts and displays the taskbar at the bottom,
- then nothing more: only the mouse cursor still moves, the keyboard no
longer responds,
- the system is frozen.
If I do not install the firewall, I have no problem at all with Gnome.
What can I do? Ideas and advice are welcome.
#!/bin/sh
# /etc/iptables.rules
#
# The variables below are used throughout this file but are not part of the
# file as posted; the values are ASSUMED here and are the usual ones the
# comments refer to (RFC 1918 private ranges, multicast, reserved class E,
# loopback, unprivileged and traceroute port ranges).
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
DEPMOD="/sbin/depmod"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
# Load all required IPTables modules
# Needed to initially load modules
$DEPMOD -a
# Load appropriate modules.
$MODPROBE ip_tables
# Support for connection tracking
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# MODIF BEGIN
$MODPROBE ip_conntrack_irc
# Adds some $IPTABLES targets like LOG, REJECT and MASQUERADE.
# (No rule in this file does NAT or matches on owner, so ipt_MASQUERADE and
# ipt_owner are loaded but never used.)
$MODPROBE ipt_LOG
$MODPROBE ipt_REJECT
$MODPROBE ipt_MASQUERADE
# Support for owner matching
$MODPROBE ipt_owner
# MODIF END
## ===========================================================
## Default Policy
#
# Set up a default DROP policy for the built-in chains, and do it BEFORE
# flushing: the policy is what applies while no rules are loaded. If we
# modify and re-run the script mid-session there is then a small period when
# packets are denied until the new rules are back in place, but no period,
# however small, when packets we don't want are allowed. Flushing first would
# leave the previous policy in force during that gap, and on the first run
# after boot the built-in policy is ACCEPT.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
## ===========================================================
## Reset all configurations
#
# These lines are here in case rules are already in place and the script is
# ever rerun on the fly.
# We want to :
# - remove all rules,
# - remove pre-existing user defined chains,
# - zero the counters.
# before we implement new rules.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
## ===========================================================
## Some definitions:
# Free's primary DNS server
NAMESERVER_1="212.27.32.5"
# Free's secondary DNS server
NAMESERVER_2="212.27.32.6"
# Note: if I use FQDNs, iptables tries to resolve them. As the network is not
# connected yet, that fails.
# It may be necessary to replay the rules with FQDNs once the ADSL or PPP
# connection is established.
# (Names are resolved once, at load time, so a rule set written with FQDNs
# also depends on whatever DNS answered at that moment; fixed addresses, as
# below, are the safer choice for a firewall.)
# Free's POP mail server
# FQDN pop.free.fr: 213.228.0.14, 213.228.0.141, 213.228.0.142,
# 213.228.0.165, 213.228.0.12
INCOMINGMAILSERVER_1="213.228.0.14"
# Club-Internet's POP mail server
# FQDN mail.club-internet.fr: 195.36.166.10, 195.36.162.10
INCOMINGMAILSERVER_2="195.36.166.10"
# Free's SMTP server
# FQDN smtp.free.fr: 213.228.0.44, 213.228.0.62, 213.228.0.169, 213.228.0.176
OUTGOINGMAILSERVER="213.228.0.44"
# Time servers
# FQDN ntp.uvsq.fr: 193.51.24.1
TIMESERVER_1="193.51.24.1"
# FQDN delphi.phys.univ-tours.fr: 193.52.212.3
TIMESERVER_2="193.52.212.3"
# FQDN ntp0.oleane.net: 194.2.0.28
TIMESERVER_3="194.2.0.28"
# FQDN ntp1.oleane.net: 94.2.0.58
# (check this address: the other Oleane server is in 194.2.0.0/16 and a
# leading digit looks to be missing)
TIMESERVER_4="94.2.0.58"
# FQDN ntp.via.ecp.fr: 138.195.130.71
TIMESERVER_5="138.195.130.71"
# FQDN ntp.chronos.org: 129.186.121.29
TIMESERVER_6="129.186.121.29"
## ============================================================
## Kernel flags
#
# To dynamically change kernel parameters and variables on the fly you need
# CONFIG_SYSCTL defined in your kernel. I would advise the following:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the
# connection with Diald and similar programs much easier.
# MODIF BEGIN
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MODIF END
# Disable response to ping.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your
# routing tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the
# network interface they're arriving on. This has security advantages because
# it prevents so-called IP spoofing, however it can pose problems if you use
# asymmetric routing (packets from you to a host take a different path than
# packets from that host to you) or if you operate a non-routing host which
# has several IP addresses on different interfaces. (Note - If you turn on IP
# forwarding, you will also get this.)
# The glob also covers conf/default, so interfaces created later (ppp0)
# inherit the setting.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
# Make sure that IP forwarding is turned off. We only want this for a
# multi-homed host.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
# Note: With connection tracking, all fragments are reassembled before being
# passed to the packet-filtering code so there is no ip_always_defrag switch
# as there was in the 2.2 kernel.
## SYN-FLOODING PROTECTION
# This rule limits the rate of incoming connection attempts. To do this we
# divert tcp packets with the SYN bit set off to a user-defined chain, where
# the "limit" match works as a token bucket: the bucket holds --limit-burst
# tokens (4 here) and refills at --limit (one per second). Each SYN that finds
# a token consumes it and is RETURNed to INPUT for normal processing; when the
# bucket is empty the SYN is dropped. So a burst of 4 SYNs gets through at
# once, then roughly one more per second. The default limit is 3/hour and the
# default limit-burst is 5.
# CAVEAT: the bucket is shared by every source address, not kept per source.
# Anyone who can send more than one SYN per second to this host starves all
# other new inbound connections (the ssh server below included). On a host
# that only exposes ssh, tcp_syncookies is the more robust defence against a
# real SYN flood.
#
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively
# "drown" Firewall-1. Fragments can be overlapped, and the subsequent
# interpretation of such fragments is very OS-dependent (see this paper for
# details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
# NOTE: as the kernel-flags section says, with ip_conntrack loaded (it is,
# above) fragments are reassembled before the filter sees them, so these two
# rules normally never match; they are only a safety net for the case where
# connection tracking is not loaded.
$IPTABLES -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES -A INPUT -f -j DROP
## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with
# the flags we have set in the kernel above ... but you never know there isn't
# a bug somewhere in your IP stack.
#
# Refuse spoofed packets pretending to be from your IP address.
# (THIS RULE WILL BE ENABLED ONCE I HAVE THE IP ADDRESS OF THE INTERFACES
# CONCERNED)
#$IPTABLES -A INPUT -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
$IPTABLES -A INPUT -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
$IPTABLES -A INPUT -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
$IPTABLES -A INPUT -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source
# address.
$IPTABLES -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
$IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets addressed to the loopback range that arrive on any interface
# other than lo. 127.0.0.0/8 must never appear on the wire; the classic abuse
# is an icmp source quench aimed at 127.0.0.1 to make the machine throttle
# itself.
# The interface match is essential: this rule is evaluated before the
# "-i lo -j ACCEPT" rule further down, so without it the rule would drop every
# packet on the loopback interface itself, i.e. everything that talks to a
# local service over 127.0.0.1. (Newer iptables spells the match "! -i lo".)
$IPTABLES -A INPUT -i ! lo -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
# (THIS RULE WILL BE ENABLED ONCE I HAVE THE SUBNET ADDRESSES OF THE
# INTERFACES CONCERNED)
#$IPTABLES -A INPUT -d $BROADCAST -j DROP
## TELNET
# Allow telnet outbound.
#$IPTABLES -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
## FTP
# Allow ftp outbound.
#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Now for the connection tracking part of ftp. This is discussed more
# completely in my section on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a
# local port passed over the ftp control channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original
# outgoing connection to port 21 so we don't need NEW as a state match.
#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine,
# to a port >1023 on the remote machine that the server announced over the
# control channel in its reply to the client's PASV command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original
# outgoing connection to port 21 so we don't need NEW as a state match.
#$IPTABLES -A INPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
## Make sure NEW tcp connections are SYN packets
# Connection tracking calls any tcp packet it has not seen before NEW, even a
# bare ACK or FIN. This keeps such packets from being accepted by any NEW rule
# below and leaves ACK-style scans without an answer.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
## LOOPBACK
# Allow unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
## DNS
# NOTE: DNS also uses tcp: for zone transfers, for answers larger than 512
# bytes (the server sets the TC bit and the resolver retries over tcp;
# possible, but unusual for a client) and on certain platforms like AIX (I am
# told), so you might have to add a copy of these rules for tcp if you need it.
# Because the INPUT rules require ESTABLISHED, a reply is only accepted while
# conntrack still remembers the query (udp entries expire after a short
# timeout), which is what we want for a client.
# Allow UDP packets in for DNS client from nameservers.
$IPTABLES -A INPUT -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
$IPTABLES -A OUTPUT -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## WWW
# Allow www outbound to 80.
$IPTABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow www outbound to 443. I PUT THE SSH SERVER ON THIS PORT
#$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
## SSH
# Allow ssh outbound (to a server listening on 443).
# The INPUT rule must accept ESTABLISHED only. Accepting NEW as well on a rule
# keyed on the remote *source* port lets any remote host reach any local port
# simply by sending from source port 443, which punches straight through the
# default DROP policy. For an ssh *server* on 443 the matches go the other way
# round: --dport 443 with NEW,ESTABLISHED on INPUT and --sport 443 with
# ESTABLISHED on OUTPUT.
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
## SMTP
# Allow smtp outbound.
$IPTABLES -A INPUT -p tcp -s $OUTGOINGMAILSERVER --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $OUTGOINGMAILSERVER --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
## POP
# Allow pop outbound.
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_1 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_2 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
## AUTH server
# Reject ident probes with a tcp reset.
# I need to do this for a broken mailhost that won't accept my mail if I just
# drop its ident probe.
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded, which is dealt with by
# the ICMP rule further down (conntrack marks it RELATED to the outgoing udp
# probe).
$IPTABLES -A OUTPUT -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
## NTP
# Allow ntp outbound to each of the time servers defined above.
# NOTE: ntp only uses udp/123; the tcp/123 rules are kept for parity with the
# original list but never match ntpd traffic.
for server in $TIMESERVER_1 $TIMESERVER_2 $TIMESERVER_3 \
              $TIMESERVER_4 $TIMESERVER_5 $TIMESERVER_6; do
    for proto in udp tcp; do
        $IPTABLES -A INPUT -p $proto -s $server --sport 123 \
            -m state --state ESTABLISHED -j ACCEPT
        $IPTABLES -A OUTPUT -p $proto -d $server --dport 123 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
done
# ICMP
# We accept icmp in if it is "related" to other connections (e.g. a time
# exceeded (11) from a traceroute) or it is part of an "established"
# connection (e.g. an echo reply (0) from an echo-request (8)).
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
# (Unsolicited echo-requests from outside are not matched by the INPUT rule
# above; they fall through to the ICMP-IN log/drop rules below, and the
# icmp_echo_ignore_all setting above would have silenced the reply anyway.)
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## LOGGING
# You don't have to split up your logging like I do below, but I prefer to do
# it this way because I can then grep for things in the logs more easily. One
# thing you probably want to do is rate-limit the logging. I didn't do that
# here because it is probably best not to when you first set things up ... you
# actually really want to see everything going to the logs to work out what
# isn't working and why. You can implement rate-limited logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in
# each case.
#
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A OUTPUT -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
$IPTABLES -A OUTPUT -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
$IPTABLES -A INPUT -p tcp -j DROP
$IPTABLES -A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
$IPTABLES -A OUTPUT -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ... but let's be paranoid.
$IPTABLES -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUT -j DROP
# THE END
# ==================================================================
#!/bin/sh
# /etc/init.d/iptables
# Rules file run by "start". This must be set: with it empty the test in
# start() reduces to "[ -f ]", which is true in sh, and the check is no check.
IPTABLES_CONFIG=/etc/iptables.rules
# check we have the iptables executable
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# check we have the right kernel version
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
exit 0
fi
if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi
start() {
# don't do squat if we don't have the script
if [ -f "$IPTABLES_CONFIG" ]; then
echo "Applying iptables firewall rules:"
sh "$IPTABLES_CONFIG"
# /var/lock/subsys is a Red Hat convention; the touch fails harmlessly on
# Debian, where the directory does not exist.
touch /var/lock/subsys/iptables 2>/dev/null
fi
}
stop() {
# NOTE: after "stop" the host is completely unfiltered (ACCEPT policies, no
# rules). Use "panic" to close everything instead of opening everything.
echo "Flushing all chains:"
iptables -F
echo "Removing user defined chains:"
iptables -X
echo "Resetting built-in chains to the default ACCEPT policy:"
# The result of the commands must be captured and reported; the Red Hat
# "success"/"failure" helpers do not exist on Debian, so do it by hand.
if iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT; then
echo "Resetting built-in chains to the default ACCEPT policy: success"
else
echo "Resetting built-in chains to the default ACCEPT policy: failure"
fi
rm -f /var/lock/subsys/iptables
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;
status)
# -n avoids reverse DNS lookups, which hang while the network is down.
iptables -L -n -v
;;
panic)
echo "Changing target policies to DROP: "
# Capture the result and report it (see the note in stop()).
if iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP; then
echo "Changing target policies to DROP: success"
else
echo "Changing target policies to DROP: failure"
fi
echo
echo "Flushing all chains:"
iptables -F INPUT && iptables -F FORWARD && iptables -F OUTPUT
echo
echo "Removing user defined chains:"
iptables -X
;;
*)
echo "Usage: $0 {start|stop|restart|status|panic}"
exit 1
;;
esac
exit 0
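The SYN-FLOODING PROTECTION section of the rules above describes `-m limit --limit 1/s --limit-burst 4` in words. The model below is an added example, not code from the original post or from the iptables project: it replays constructed SYN arrival times through a token bucket with the same parameters to show what the chain lets through, and why a bucket shared by all sources lets a slow flood from one host starve everyone else. The function names and the millisecond/credit representation are this example's own; the kernel's jiffies-based credit accounting is approximated.

```python
"""Token-bucket model of the iptables 'limit' match as used by the syn-flood
chain.  Added example, not iptables' own code.  Times are in milliseconds and
credits in thousandths of a token so that the arithmetic is exact (the kernel
counts credits in jiffies; this is an approximation of that)."""


class LimitMatch:
    """Mimics `-m limit --limit <rate>/s --limit-burst <burst>`.

    The bucket starts full with `burst` tokens, refills at `rate` tokens per
    second and never holds more than `burst`.  A packet matches only if a
    whole token is available, and then consumes it.
    """

    TOKEN = 1000  # credits per token; rate tokens/s == rate credits/ms

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.cap = burst * self.TOKEN
        self.credits = self.cap          # bucket starts full
        self.last_ms = 0

    def matches(self, t_ms):
        """True if a packet arriving at t_ms (non-decreasing) passes the match."""
        refill = (t_ms - self.last_ms) * self.rate
        self.credits = min(self.cap, self.credits + refill)
        self.last_ms = t_ms
        if self.credits >= self.TOKEN:
            self.credits -= self.TOKEN
            return True
        return False


def syn_flood_verdicts(arrival_ms, limit=1, burst=4):
    """Verdict of the syn-flood chain (`--limit 1/s --limit-burst 4`) for each
    SYN arrival time: 'RETURN' (back to INPUT for the normal rules) or 'DROP'."""
    lm = LimitMatch(limit, burst)
    return ["RETURN" if lm.matches(t) else "DROP" for t in arrival_ms]


def client_gets_through(events, limit=1, burst=4):
    """events: sorted (t_ms, source) pairs.  Whether any SYN tagged 'client'
    is RETURNed.  The bucket is shared by every source address, so this is the
    question that matters under a slow, steady flood from someone else."""
    lm = LimitMatch(limit, burst)
    for t_ms, source in events:
        if lm.matches(t_ms) and source == "client":
            return True
    return False


# Constructed scenarios (not measured traffic):
# 1. a burst of 10 SYNs 10 ms apart, then one more a second later
FLOOD = [i * 10 for i in range(10)]
# 2. an attacker sending only 2 SYNs/s for 20 s from t=0, while an ssh client
#    tries three times, at 5.2 s, 8.7 s and 14.2 s
ATTACK = [i * 500 for i in range(40)]
CLIENT = [5200, 8700, 14200]
MIXED = sorted([(t, "attacker") for t in ATTACK] + [(t, "client") for t in CLIENT])

if __name__ == "__main__":
    print("burst of 10, then one more at 1.05 s:", syn_flood_verdicts(FLOOD + [1050]))
    print("client alone:", client_gets_through([(t, "client") for t in CLIENT]))
    print("client during a 2 SYN/s flood:", client_gets_through(MIXED))
```

The first scenario reproduces the comment's description: four SYNs pass, the rest of the burst is dropped, and one second later one token has been regained. The second scenario is the caveat to keep in mind: the rule is a rate limit on all inbound SYNs together, not per source, so on a host that exposes a service (the ssh server on 443 in this rule set) a trickle of two SYNs per second from one address is enough to lock every other client out; against a real SYN flood, tcp_syncookies is the better defence.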
Alexandre Touret
I think, at first glance, that you haven't allowed connections to the X server. Try adding an iptables rule.
AT
Jeannot Lelapin wrote:
Bonjour,
voila mon système : - Debian 3r1, - kernel 2.4.21, - XFree 4.1.0 (c'est celui qui est de base sur les CD de la Debian 3r1, je ne suis pas encore connecté à internet) : je me sers de Gnome.
Je me suis concentré sur l'écriture de règles iptables pour mettre au point mon firewall. Je joins le contenu du fichier /etc/iptables.rules et le script de lancement /etc/init.d/iptables.
Si j'installe le firewall : - je me connecte à Gnome ctrl+F7 (il est déjà lancé au démarrage), - je tape le login, le password, - gnome démarre, affiche la barre des tâches en bas, - plus rien, seul le curseur de la souris bouge encore, le clavier ne répond plus, - système bloqué.
Si je n'installe pas le firewall, je n'ai aucun souci avec Gnome.
Qu'est-ce que je peux faire ? Idées, conseils sont les bienvenus.
# Load all required IPTables modules # Needed to initially load modules $DEPMOD -a # Load appropriate modules. $MODPROBE ip_tables # Support for connection tracking $MODPROBE ip_conntrack $MODPROBE ip_conntrack_ftp
# MODIF BEGIN $MODPROBE ip_conntrack_irc # Adds some $IPTABLES targets like LOG, REJECT and MASQUARADE. $MODPROBE ipt_LOG $MODPROBE ipt_REJECT $MODPROBE ipt_MASQUERADE # Support for owner matching $MODPROBE ipt_owner # MODIF END
## ========================================================== > ## Reset all configurations # # These lines are here in case rules are already in place and the script is ever rerun on the fly. # We want to : # - remove all rules, # - remove pre-exisiting user defined chains, # - zero the counters. # before we implement new rules.
$IPTABLES -F $IPTABLES -X $IPTABLES -Z
## ========================================================== > ## Default Policy # # Set up a default DROP policy for the built-in chains. # If we modify and re-run the script mid-session then (because we have a default DROP # policy), what happens is that there is a small time period when packets are denied until # the new rules are back in place. There is no period, however small, when packets we # don't want are allowed. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT DROP
## ========================================================== > ## Some definitions:
# Le DNS primaire du fournisseur d'accès Free NAMESERVER_1="212.27.32.5" # Le DNS secondaire du fournisseur d'accès Free NAMESERVER_2="212.27.32.6"
# Note : si je mets des FQDN, iptables essaye de les résoudre. Comme le réseau n'est pas encore branché, ca tombe à l'eau. # Il faudra peut etre prévoir le fait rejouer les règles avec des FDQN une fois la connexion ADSL ou PPP établie.
# Le serveur de courrier POP du fournisseur d'accès Free # Le FQDN : pop.free.fr : 213.228.0.14, 213.228.0.141, 213.228.0.142, 213.228.0.165 213.228.0.12 INCOMINGMAILSERVER_1="213.228.0.14" # Le serveur de courrier POP du fournisseur d'accès Club-Internet # Le FQDN : mail.club-internet.fr : 195.36.166.10, 195.36.162.10 INCOMINGMAILSERVER_2="195.36.166.10" # Le serveur de courrier SMTP du fournisseur d'accès Free # Le FQDN : smtp.free.fr : 213.228.0.44, 213.228.0.62, 213.228.0.169, 213.228.0.176 OUTGOINGMAILSERVER="213.228.0.44"
# Les serveurs de temps # Le FQDN : ntp.uvsq.fr : 193.51.24.1 TIMESERVER_1="193.51.24.1" # Le FQDN : delphi.phys.univ-tours.fr : 193.52.212.3 TIMESERVER_2="193.52.212.3" # Le FQDN : ntp0.oleane.net : 194.2.0.28 TIMESERVER_3="194.2.0.28" # Le FQDN : ntp1.oleane.net : 94.2.0.58 TIMESERVER_4="94.2.0.58" # Le FQDN : ntp.via.ecp.fr : 138.195.130.71 TIMESERVER_5="138.195.130.71" # Le FQDN : ntp.chronos.org : 129.186.121.29 TIMESERVER_6="129.186.121.29"
## =========================================================== > ## Kernel flags # # To dynamically change kernel parameters and variables on the fly you need # CONFIG_SYSCTL defined in your kernel. I would advise the following:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # option. This enables dynamic-ip address hacking in IP MASQ, making the connection # with Diald and similar programs much easier. # MODIF BEGIN echo "1" > /proc/sys/net/ipv4/ip_dynaddr # MODIF END
# Disable response to ping. /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts. # You don't want yourself becoming a Smurf amplifier. /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to generate # traffic pretending to be from inside your network, but which is routed back along # the path from which it came, namely outside, so attackers can compromise your # network. Source routing is rarely used for legitimate purposes. /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing # tables, possibly to a bad end. /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection. /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that packets use # legitimate source addresses, by automatically rejecting incoming packets # if the routing table entry for their source address doesn't match the network # interface they're arriving on. This has security advantages because it prevents # so-called IP spoofing, however it can pose problems if you use asymmetric routing # (packets from you to a host take a different path than packets from that host to you) # or if you operate a non-routing host which has several IP addresses on different # interfaces. (Note - If you turn on IP forwarding, you will also get this). for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "1" > ${interface} done
# Make sure that IP forwarding is turned off. We only want this for a multi-homed host. /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
# Note: With connection tracking, all fragments are reassembled before being # passed to the packet-filtering code so there is no ip_always_defrag switch as there # was in the 2.2 kernel.
## SYN-FLOODING PROTECTION # This rule maximises the rate of incoming connections. In order to do this we divert tcp # packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections # can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one # of the burst is regained every second and connections are allowed again. The default limit # is 3/hour. The default limit burst is 5. # $IPTABLES -N syn-flood $IPTABLES -A INPUT -p tcp --syn -j syn-flood $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN $IPTABLES -A syn-flood -j DROP
## FRAGMENTS # I have to say that fragments scare me more than anything. # Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such # fragments is very OS-dependent (see this paper for details). # I am not going to trust any fragments. # Log fragments just to see if we get any, and deny them too. $IPTABLES -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: " $IPTABLES -A INPUT -f -j DROP
## SPOOFING # Most of this anti-spoofing stuff is theoretically not really necessary with the flags we # have set in the kernel above ........... but you never know there isn't a bug somewhere in # your IP stack. # # Refuse spoofed packets pretending to be from your IP address. # ( CETTE REGLE SERA MISE EN OEUVRE LORSQUE JE RECUPERERAI L'ADRESSE IP DES INTERFACES CONCERNEES ) #$IPTABLES -A INPUT -s $IPADDR -j DROP # Refuse packets claiming to be from a Class A private network. $IPTABLES -A INPUT -s $CLASS_A -j DROP # Refuse packets claiming to be from a Class B private network. $IPTABLES -A INPUT -s $CLASS_B -j DROP # Refuse packets claiming to be from a Class C private network. $IPTABLES -A INPUT -s $CLASS_C -j DROP # Refuse Class D multicast addresses. Multicast is illegal as a source address. $IPTABLES -A INPUT -s $CLASS_D_MULTICAST -j DROP # Refuse Class E reserved IP addresses. $IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP # Refuse packets claiming to be to the loopback interface. # Refusing packets claiming to be to the loopback interface protects against # source quench, whereby a machine can be told to slow itself down by an icmp source # quench to the loopback. $IPTABLES -A INPUT -d $LOOPBACK -j DROP # Refuse broadcast address packets. # ( CETTE REGLE SERA MISE EN OEUVRE LORSQUE JE RECUPERERAI L'ADRESSE DES SOUS RESEAUX DES INTERFACES CONCERNEES ) #$IPTABLES -A INPUT -d $BROADCAST -j DROP
## TELNET # Allow telnet outbound. #$IPTABLES -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
## FTP # Allow ftp outbound. #$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT # Now for the connection tracking part of ftp. This is discussed more completely in my section # on connection tracking to be found here. # 1) Active ftp. # This involves a connection INbound from port 20 on the remote machine, to a local port # passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes # the connection as RELATED to the original outgoing connection to port 21 so we don't # need NEW as a state match. #$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT #$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # 2) Passive ftp. # This involves a connection outbound from a port >1023 on the local machine, to a port >1023 # on the remote machine previously passed over the ftp channel via a PORT command. The # ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing # connection to port 21 so we don't need NEW as a state match. #$IPTABLES -A INPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A OUTPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
## Make sure NEW tcp connections are SYN packets $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
## LOOPBACK # Allow unlimited traffic on the loopback interface. $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
## DNS # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain # platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it # Allow UDP packets in for DNS client from nameservers. $IPTABLES -A INPUT -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT # Allow UDP packets to DNS servers from client. $IPTABLES -A OUTPUT -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## WWW # Allow www outbound to 80. $IPTABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow www outbound to 443. JE METS LE SERVEUR SSH SUR CE PORT #$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT #$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
## SSH # Allow ssh outbound. $IPTABLES -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
## SMTP
# Allow smtp outbound.
$IPTABLES -A INPUT -p tcp -s $OUTGOINGMAILSERVER --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $OUTGOINGMAILSERVER --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
## POP
# Allow pop outbound.
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_1 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_2 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
## AUTH server
# Reject ident probes with a tcp reset.
# I need to do this for a broken mailhost that won't accept my mail if I just drop its ident probe.
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded, which is dealt with by the ICMP rule below.
$IPTABLES -A OUTPUT -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
## NTP
# Allow ntp outbound.
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_1 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_1 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_2 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_2 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_3 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_3 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_4 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_4 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_5 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_5 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $TIMESERVER_6 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $TIMESERVER_6 --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_1 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_1 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_2 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_2 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_3 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_3 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_4 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_4 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_5 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_5 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $TIMESERVER_6 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $TIMESERVER_6 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
# ICMP
# We accept icmp in if it is "related" to other connections (e.g a time exceeded (11)
# from a traceroute) or it is part of an "established" connection (e.g. an echo reply (0)
# from an echo-request (8)).
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## LOGGING
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not to
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A OUTPUT -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
$IPTABLES -A OUTPUT -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
$IPTABLES -A INPUT -p tcp -j DROP
$IPTABLES -A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
$IPTABLES -A OUTPUT -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
$IPTABLES -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUT -j DROP
# THE END
# =================================================================
# check we have the iptables executable
if [ ! -x /sbin/iptables ]; then
    exit 0
fi
# check we have the right kernel version
# (the dots in the sed patterns must be escaped: an unescaped '.' matches any
# character and would leave both variables empty)
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi
if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
    # Don't do both
    exit 0
fi
start() {
    # don't do squat if we don't have the script
    # (IPTABLES_CONFIG is expected to name the rules file run below; it is not
    # set anywhere in the part of the script posted here)
    if [ -f "$IPTABLES_CONFIG" ]; then
        echo "Applying iptables firewall rules:"
        /etc/iptables.rules
        touch /var/lock/subsys/iptables
    fi
}
stop() {
    echo "Flushing all chains:"
    iptables -F
    echo "Removing user defined chains:"
    iptables -X
    echo "Resetting built-in chains to the default ACCEPT policy:"
    iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
    # THE COMMAND'S EXIT STATUS MUST BE CHECKED AND THE ECHOES DONE ACCORDINGLY
    # success "Resetting built-in chains to the default ACCEPT policy" ||
    # failure "Resetting built-in chains to the default ACCEPT policy"
    rm -f /var/lock/subsys/iptables
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;
    status)
        iptables --list
        ;;
    panic)
        echo "Changing target policies to DROP: "
        iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP
        # THE COMMAND'S EXIT STATUS MUST BE CHECKED AND THE ECHOES DONE ACCORDINGLY
        # success "Changing target policies to DROP" ||
        # failure "Changing target policies to DROP"
        echo
        echo "Flushing all chains:"
        iptables -F INPUT && iptables -F FORWARD && iptables -F OUTPUT
        echo
        echo "Removing user defined chains:"
        iptables -X
        ;;
esac
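The posted rules file appends `-d $LOOPBACK -j DROP` (SPOOFING section) before `-i lo -j ACCEPT` (LOOPBACK section), and its SSH INPUT rule accepts state NEW keyed only by --sport 443; iptables walks a chain top to bottom, so the earlier rule decides. The POSIX-shell checker below is an added example, not part of the original post or of the init script: it runs both checks over a constructed iptables-save-style listing of the INPUT chain in the posted order, assuming $LOOPBACK is 127.0.0.0/8 and reusing the nameserver address from the posted definitions.

```sh
#!/bin/sh
# Constructed sample: the INPUT chain in the order the posted rules file appends it,
# written in iptables-save style (one rule per line). $LOOPBACK is assumed to be
# 127.0.0.0/8; 212.27.32.5 is NAMESERVER_1 from the posted definitions.
POSTED_INPUT='-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -s 212.27.32.5 --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'

# Same chain with the loopback ACCEPT hoisted to the top and the SSH rule restricted
# to ESTABLISHED (the corrected ordering; also constructed).
FIXED_INPUT='-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p udp -s 212.27.32.5 --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'

# Check 1: the first terminating target on the chain wins, so a DROP on the loopback
# destination that sits above "-i lo ACCEPT" shadows it, and every local-socket
# connection (an X client talking to the X server, for instance) is dropped.
# Prints "<drop-rule-number> <accept-rule-number>" and returns 0 when that happens;
# returns 1 (printing nothing) otherwise.
loopback_shadowed() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ { n++ }
        /^-A INPUT .*-d 127\.0\.0\.0\/8 .*-j DROP/ && !drop { drop = n }
        /^-A INPUT .*-i lo .*-j ACCEPT/ && !acc { acc = n }
        END {
            if (drop && acc && drop < acc) { print drop, acc; exit 0 }
            exit 1
        }'
}

# Check 2: an INPUT ACCEPT that matches state NEW but is keyed only by --sport (no -s,
# no --dport) accepts a fresh inbound connection from any host using that source port;
# replies to our own outbound connections only ever need ESTABLISHED.
# Prints the offending rule numbers, one per line; returns 1 if there are none.
new_by_sport_only() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ { n++ }
        /^-A INPUT / && /--sport/ && !/--dport/ && !/ -s / && /--state [A-Z,]*NEW/ && /-j ACCEPT/ { print n; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Human-readable summary of both checks; always returns 0.
report() {
    if pos=$(loopback_shadowed "$1"); then
        echo "rule ${pos% *} (DROP to loopback) shadows rule ${pos#* } (ACCEPT on lo): put the lo ACCEPT first"
    else
        echo "loopback ACCEPT is not shadowed"
    fi
    for r in $(new_by_sport_only "$1"); do
        echo "rule $r accepts NEW connections by source port alone: match ESTABLISHED only, or --dport for a local server"
    done
    return 0
}

echo "== posted order =="
report "$POSTED_INPUT"
echo "== corrected order =="
report "$FIXED_INPUT"
```

The same two functions can be fed the live listing (`iptables-save | grep '^-A INPUT'`) once the rules are loaded on the box.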
I think, at first sight, that you have not allowed the connection to the X server.
Try adding an IPTABLES rule.
AT
Jeannot Lelapin wrote:
Hello,
here is my system:
- Debian 3r1,
- kernel 2.4.21,
- XFree 4.1.0 (the one that ships on the Debian 3r1 CDs; I am not yet connected
to the internet): I use Gnome.
I have concentrated on writing iptables rules to set up my firewall.
I attach the contents of the file /etc/iptables.rules and the startup script
/etc/init.d/iptables.
If I install the firewall:
- I log in to Gnome with ctrl+F7 (it is already started at boot),
- I type the login and the password,
- Gnome starts and displays the task bar at the bottom,
- then nothing more: only the mouse cursor still moves, the keyboard no longer
responds,
- system frozen.
If I do not install the firewall, I have no problem at all with Gnome.
What can I do? Ideas and advice are welcome.
Je pense , premiere vue que tu n as pas permi la connexion au serveur X essaye d ajouter une regle IPTABLES
AT
Jeannot Lelapin wrote:
Bonjour,
voila mon système : - Debian 3r1, - kernel 2.4.21, - XFree 4.1.0 (c'est celui qui est de base sur les CD de la Debian 3r1, je ne suis pas encore connecté à internet) : je me sers de Gnome.
Je me suis concentré sur l'écriture de règles iptables pour mettre au point mon firewall. Je joins le contenu du fichier /etc/iptables.rules et le script de lancement /etc/init.d/iptables.
Si j'installe le firewall : - je me connecte à Gnome ctrl+F7 (il est déjà lancé au démarrage), - je tape le login, le password, - gnome démarre, affiche la barre des tâches en bas, - plus rien, seul le curseur de la souris bouge encore, le clavier ne répond plus, - système bloqué.
Si je n'installe pas le firewall, je n'ai aucun souci avec Gnome.
Qu'est-ce que je peux faire ? Idées, conseils sont les bienvenus.
# Load all required IPTables modules # Needed to initially load modules $DEPMOD -a # Load appropriate modules. $MODPROBE ip_tables # Support for connection tracking $MODPROBE ip_conntrack $MODPROBE ip_conntrack_ftp
# MODIF BEGIN $MODPROBE ip_conntrack_irc # Adds some $IPTABLES targets like LOG, REJECT and MASQUARADE. $MODPROBE ipt_LOG $MODPROBE ipt_REJECT $MODPROBE ipt_MASQUERADE # Support for owner matching $MODPROBE ipt_owner # MODIF END
## ========================================================== > ## Reset all configurations # # These lines are here in case rules are already in place and the script is ever rerun on the fly. # We want to : # - remove all rules, # - remove pre-exisiting user defined chains, # - zero the counters. # before we implement new rules.
$IPTABLES -F $IPTABLES -X $IPTABLES -Z
## ========================================================== > ## Default Policy # # Set up a default DROP policy for the built-in chains. # If we modify and re-run the script mid-session then (because we have a default DROP # policy), what happens is that there is a small time period when packets are denied until # the new rules are back in place. There is no period, however small, when packets we # don't want are allowed. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT DROP
## ========================================================== > ## Some definitions:
# Le DNS primaire du fournisseur d'accès Free NAMESERVER_1="212.27.32.5" # Le DNS secondaire du fournisseur d'accès Free NAMESERVER_2="212.27.32.6"
# Note : si je mets des FQDN, iptables essaye de les résoudre. Comme le réseau n'est pas encore branché, ca tombe à l'eau. # Il faudra peut etre prévoir le fait rejouer les règles avec des FDQN une fois la connexion ADSL ou PPP établie.
# Le serveur de courrier POP du fournisseur d'accès Free # Le FQDN : pop.free.fr : 213.228.0.14, 213.228.0.141, 213.228.0.142, 213.228.0.165 213.228.0.12 INCOMINGMAILSERVER_1="213.228.0.14" # Le serveur de courrier POP du fournisseur d'accès Club-Internet # Le FQDN : mail.club-internet.fr : 195.36.166.10, 195.36.162.10 INCOMINGMAILSERVER_2="195.36.166.10" # Le serveur de courrier SMTP du fournisseur d'accès Free # Le FQDN : smtp.free.fr : 213.228.0.44, 213.228.0.62, 213.228.0.169, 213.228.0.176 OUTGOINGMAILSERVER="213.228.0.44"
# Les serveurs de temps # Le FQDN : ntp.uvsq.fr : 193.51.24.1 TIMESERVER_1="193.51.24.1" # Le FQDN : delphi.phys.univ-tours.fr : 193.52.212.3 TIMESERVER_2="193.52.212.3" # Le FQDN : ntp0.oleane.net : 194.2.0.28 TIMESERVER_3="194.2.0.28" # Le FQDN : ntp1.oleane.net : 94.2.0.58 TIMESERVER_4="94.2.0.58" # Le FQDN : ntp.via.ecp.fr : 138.195.130.71 TIMESERVER_5="138.195.130.71" # Le FQDN : ntp.chronos.org : 129.186.121.29 TIMESERVER_6="129.186.121.29"
## =========================================================== > ## Kernel flags # # To dynamically change kernel parameters and variables on the fly you need # CONFIG_SYSCTL defined in your kernel. I would advise the following:
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this # option. This enables dynamic-ip address hacking in IP MASQ, making the connection # with Diald and similar programs much easier. # MODIF BEGIN echo "1" > /proc/sys/net/ipv4/ip_dynaddr # MODIF END
# Disable response to ping. /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts. # You don't want yourself becoming a Smurf amplifier. /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets. Attackers can use source routing to generate # traffic pretending to be from inside your network, but which is routed back along # the path from which it came, namely outside, so attackers can compromise your # network. Source routing is rarely used for legitimate purposes. /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing # tables, possibly to a bad end. /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection. /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that packets use # legitimate source addresses, by automatically rejecting incoming packets # if the routing table entry for their source address doesn't match the network # interface they're arriving on. This has security advantages because it prevents # so-called IP spoofing, however it can pose problems if you use asymmetric routing # (packets from you to a host take a different path than packets from that host to you) # or if you operate a non-routing host which has several IP addresses on different # interfaces. (Note - If you turn on IP forwarding, you will also get this). for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "1" > ${interface} done
# Make sure that IP forwarding is turned off. We only want this for a multi-homed host. /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
# Note: With connection tracking, all fragments are reassembled before being # passed to the packet-filtering code so there is no ip_always_defrag switch as there # was in the 2.2 kernel.
## SYN-FLOODING PROTECTION
# This chain limits the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
$IPTABLES -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES -A INPUT -f -j DROP

## SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
# Refuse spoofed packets pretending to be from your IP address.
# ( THIS RULE WILL BE ENABLED ONCE I RETRIEVE THE IP ADDRESS OF THE INTERFACES CONCERNED )
#$IPTABLES -A INPUT -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
$IPTABLES -A INPUT -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
$IPTABLES -A INPUT -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
$IPTABLES -A INPUT -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$IPTABLES -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
$IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
# NB: with no "-i <external interface>" restriction, and placed ahead of the LOOPBACK
# ACCEPT rules further down, this rule also drops genuine local traffic on lo
# (X11 clients talking to the local X server, for instance).
$IPTABLES -A INPUT -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
# ( THIS RULE WILL BE ENABLED ONCE I RETRIEVE THE SUBNET ADDRESS OF THE INTERFACES CONCERNED )
#$IPTABLES -A INPUT -d $BROADCAST -j DROP
## TELNET
# Allow telnet outbound.
#$IPTABLES -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT

## FTP
# Allow ftp outbound.
#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.
#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel in the reply to a PASV command.
# The ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.
#$IPTABLES -A INPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

## Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
# platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
# Allow UDP packets in for DNS client from nameservers.
$IPTABLES -A INPUT -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
$IPTABLES -A OUTPUT -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

## WWW
# Allow www outbound to 80.
$IPTABLES -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow www outbound to 443. I PUT THE SSH SERVER ON THIS PORT
#$IPTABLES -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

## SSH
# Allow ssh outbound.
# NB: "--sport 443 ... --state NEW" on INPUT accepts any new inbound connection whose
# source port happens to be 443, which is not what either an ssh client or an ssh
# server listening on 443 needs: a client only needs ESTABLISHED here, a server
# needs "--dport 443 --state NEW,ESTABLISHED" on INPUT and "--sport 443" on OUTPUT.
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
## SMTP
# Allow smtp outbound.
$IPTABLES -A INPUT -p tcp -s $OUTGOINGMAILSERVER --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $OUTGOINGMAILSERVER --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

## POP
# Allow pop outbound.
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_1 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $INCOMINGMAILSERVER_2 --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $INCOMINGMAILSERVER_2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

## AUTH server
# Reject ident probes with a tcp reset.
# I need to do this for a broken mailhost that won't accept my mail if I just drop its ident probe.
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the ICMP rule below.
$IPTABLES -A OUTPUT -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT
## NTP
# Allow ntp outbound. The same pair of rules is needed for each of the six time
# servers, for tcp and for udp, so they are generated in a loop.
for timeserver in $TIMESERVER_1 $TIMESERVER_2 $TIMESERVER_3 $TIMESERVER_4 $TIMESERVER_5 $TIMESERVER_6; do
    for proto in tcp udp; do
        $IPTABLES -A INPUT -p $proto -s $timeserver --sport 123 -m state --state ESTABLISHED -j ACCEPT
        $IPTABLES -A OUTPUT -p $proto -d $timeserver --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
done
# ICMP
# We accept icmp in if it is "related" to other connections (e.g a time exceeded (11)
# from a traceroute) or it is part of an "established" connection (e.g. an echo reply (0)
# from an echo-request (8)).
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# We always allow icmp out.
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

## LOGGING
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not to
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement rate-limited logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A OUTPUT -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
$IPTABLES -A OUTPUT -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
$IPTABLES -A OUTPUT -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
$IPTABLES -A INPUT -p tcp -j DROP
$IPTABLES -A OUTPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
$IPTABLES -A OUTPUT -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
$IPTABLES -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUT -j DROP

# THE END
# =================================================================
# check we have the iptables executable
if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# check we have the right kernel version
# (the backslashes before the dots are needed: a bare "." matches any character)
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
    # Don't do both
    exit 0
fi
start() {
    # don't do squat if we don't have the script
    if [ -f "$IPTABLES_CONFIG" ]; then
        echo "Applying iptables firewall rules:"
        /etc/iptables.rules
        touch /var/lock/subsys/iptables
    fi
}

stop() {
    echo "Flushing all chains:"
    iptables -F
    echo "Removing user defined chains:"
    iptables -X
    echo "Resetting built-in chains to the default ACCEPT policy:"
    iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
    # THE EXIT STATUS MUST BE CAPTURED AND THE ECHOES DONE ACCORDINGLY
    # success "Resetting built-in chains to the default ACCEPT policy" ||
    # failure "Resetting built-in chains to the default ACCEPT policy"
    rm -f /var/lock/subsys/iptables
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;
    status)
        iptables --list
        ;;
    panic)
        echo "Changing target policies to DROP: "
        iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP
        # THE EXIT STATUS MUST BE CAPTURED AND THE ECHOES DONE ACCORDINGLY
        # success "Changing target policies to DROP" ||
        # failure "Changing target policies to DROP"
        echo
        echo "Flushing all chains:"
        iptables -F INPUT && iptables -F FORWARD && iptables -F OUTPUT
        echo
        echo "Removing user defined chains:"
        iptables -X
        ;;
esac
I had a rule that blocked all traffic on the loopback interface
$IPTABLES -A INPUT -d lo -j DROP
I was tired when I wrote iptables.rules.
I put
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
after the policy rules. Everything works fine.
Jeannot Lelapin
Thank you very much,
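The ordering problem this thread ends on, as an added example that is not the poster's script: a small first-match walker over "$IPTABLES -A INPUT ..." lines, run once on the rules in the order of the posted file (SPOOFING section, then LOOPBACK section) and once with the loopback ACCEPT moved first, as the follow-up does. The value of $LOOPBACK and the sample packet are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed stand-in for the $LOOPBACK variable the posted script reads from
# its header (assumption: the whole 127/8 block, as in most copies of it).
VARS = {"LOOPBACK": "127.0.0.0/8"}
# INPUT chain in the order the posted rules file uses: the SPOOFING section's
# loopback DROP sits in front of the LOOPBACK section's ACCEPT.
RULES_AS_POSTED = """
$IPTABLES -A INPUT -d $LOOPBACK -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
"""
# The ordering the poster settled on in the follow-up: loopback ACCEPT first.
RULES_FIXED = """
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -d $LOOPBACK -j DROP
"""

def parse_chain(text, chain="INPUT"):
    """Return the chain's rules as (matches, target) pairs, in file order.
    Only -i/-o/-p/-s/-d are interpreted (other option pairs such as
    "-m state ..." are ignored): this checks ordering, not full iptables."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line)
        if len(words) < 4 or words[1] != "-A" or words[2] != chain:
            continue
        matches, target = {}, None
        for opt, arg in zip(words[3::2], words[4::2]):
            if arg.startswith("$"):
                arg = VARS.get(arg[1:], arg)  # expand the script's variables
            if opt == "-j":
                target = arg
            elif opt in ("-i", "-o", "-p", "-s", "-d"):
                matches[opt] = arg
        rules.append((matches, target))
    return rules

def _hit(opt, want, pkt):
    if opt in ("-s", "-d"):
        addr = pkt["src"] if opt == "-s" else pkt["dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(want, strict=False)
    return pkt.get({"-i": "in_if", "-o": "out_if", "-p": "proto"}[opt]) == want

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins, which is how the kernel walks a chain."""
    for matches, target in rules:
        if all(_hit(o, w, pkt) for o, w in matches.items()):
            return target
    return policy  # nothing matched: the chain's default policy applies

# Constructed packet: an X client reaching the local X server over loopback.
LOCAL_X11 = {"in_if": "lo", "src": "127.0.0.1", "dst": "127.0.0.1", "proto": "tcp"}
```

With the posted order `verdict(parse_chain(RULES_AS_POSTED), LOCAL_X11)` returns DROP, which is why the desktop froze once the rules were loaded; with the loopback ACCEPT first it returns ACCEPT, while a packet arriving on eth0 addressed to 127.0.0.1 is still dropped.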