Pare-feu Linux

Published 10-23-2014 07:45:51

### Mémo pour mettre en place un pare-feu sur un Linux

Prérequis :

  • Accès root
  • iptables

Script:

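#!/bin/sh
# Minimal stateful iptables firewall for a single Linux host.
#
# NOTE: only the IPv4 tables (iptables) are configured. ip6tables is never
# touched, so if this host has IPv6 connectivity that traffic is NOT filtered
# by this script. Add matching ip6tables rules or disable IPv6.
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Inbound services: TCP/UDP destination ports accepted from ANY source.
# SSH is deliberately NOT listed here: it is handled by the management rule
# below (SSH_PORT / NETWORK_MGMT). Listing it here too would add an
# unconditional ACCEPT that makes the NETWORK_MGMT restriction ineffective.
TCP_SERVICES="80 8080 8081 2368 3128 9091 32400 8888 3000 4040"
UDP_SERVICES="3000"

# Outbound services: destination ports this host is allowed to connect to.
REMOTE_TCP_SERVICES="80 8083 443 563 8888 3000"
REMOTE_UDP_SERVICES="53 3000"

# Management: SSH port and, optionally, the only source network allowed to
# reach it (CIDR, e.g. "192.168.1.0/24"). Empty means SSH is reachable from
# anywhere. May be pre-set in the environment.
SSH_PORT="22"
NETWORK_MGMT="${NETWORK_MGMT:-}"

# Without iptables there is nothing to do. Exit status stays 0 (init-script
# convention), but say so on stderr: a firewall that silently does not get
# applied is a fail-open, and the admin must be able to see it.
if ! [ -x /sbin/iptables ]; then
  echo "$0: /sbin/iptables not found or not executable, firewall NOT applied" >&2
  exit 0
fi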
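# START -
# Load the full rule set. Rules are APPENDED to INPUT/OUTPUT, so the chains
# are expected to be empty when this runs (the dispatcher always calls
# fw_stop first). Reads TCP_SERVICES, UDP_SERVICES, REMOTE_TCP_SERVICES,
# REMOTE_UDP_SERVICES, SSH_PORT and NETWORK_MGMT.
# IPv4 only: nothing here filters IPv6 traffic.
fw_start () {
  # --- Inbound ------------------------------------------------------------
  # Loopback first (cheapest and most frequent match), then connection
  # tracking: keep traffic of connections we already accepted, and drop what
  # conntrack cannot classify (malformed / out-of-window packets).
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A INPUT -m state --state INVALID -j DROP
  # Published services, open to any source.
  if [ -n "$TCP_SERVICES" ] ; then
    for PORT in $TCP_SERVICES; do
      /sbin/iptables -A INPUT -p tcp --dport "${PORT}" -j ACCEPT
    done
  fi
  if [ -n "$UDP_SERVICES" ] ; then
    for PORT in $UDP_SERVICES; do
      /sbin/iptables -A INPUT -p udp --dport "${PORT}" -j ACCEPT
    done
  fi
  # Management: SSH restricted to NETWORK_MGMT when it is set, reachable from
  # anywhere otherwise. This restriction only takes effect if SSH_PORT is NOT
  # also listed in TCP_SERVICES (the unconditional ACCEPT above would match
  # first).
  if [ -n "$NETWORK_MGMT" ] ; then
    /sbin/iptables -A INPUT -p tcp --src "${NETWORK_MGMT}" --dport "${SSH_PORT}" -j ACCEPT
  else
    /sbin/iptables -A INPUT -p tcp --dport "${SSH_PORT}" -j ACCEPT
  fi
  # ICMP (ping, destination-unreachable, fragmentation-needed, ...).
  /sbin/iptables -A INPUT -p icmp -j ACCEPT
  # Default deny on INPUT and FORWARD (ip_forward is also switched off below).
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP
  # Log what falls through, rate-limited: an unlimited LOG rule lets any
  # remote host fill syslog / the disk with a packet flood.
  /sbin/iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "FW-IN DROP: "

  # --- Outbound -----------------------------------------------------------
  /sbin/iptables -A OUTPUT -o lo -j ACCEPT
  /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Outgoing ping and other ICMP.
  /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
  # Debian security updates over HTTP. The hostname is resolved ONCE, when the
  # rule is loaded: DNS must work at that moment and the rule pins whatever
  # addresses were returned then. As shipped, port 80 is already allowed by
  # REMOTE_TCP_SERVICES below, so this rule is redundant.
  /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
  # Outgoing connections to the configured remote services.
  if [ -n "$REMOTE_TCP_SERVICES" ] ; then
    for PORT in $REMOTE_TCP_SERVICES; do
      /sbin/iptables -A OUTPUT -p tcp --dport "${PORT}" -j ACCEPT
    done
  fi
  if [ -n "$REMOTE_UDP_SERVICES" ] ; then
    for PORT in $REMOTE_UDP_SERVICES; do
      /sbin/iptables -A OUTPUT -p udp --dport "${PORT}" -j ACCEPT
    done
  fi
  # Log (rate-limited) and reject everything else; REJECT so local programs
  # fail fast instead of hanging on a silent DROP.
  /sbin/iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "FW-OUT REJECT: "
  /sbin/iptables -A OUTPUT -j REJECT
  /sbin/iptables -P OUTPUT DROP

  # --- Kernel hardening ---------------------------------------------------
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies                  # survive SYN floods
  echo 0 > /proc/sys/net/ipv4/ip_forward                      # this host is not a router
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts     # no smurf amplification
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians           # log impossible source addresses
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter              # strict reverse-path check (anti-spoofing)
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects         # never emit ICMP redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects       # never honour them either (route hijack)
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route    # ignore source-routed packets
}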
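# STOP -
# Flush every rule (filter, nat, mangle) and leave the host CLOSED: INPUT and
# FORWARD policy DROP with no exceptions, OUTPUT ACCEPT.
# WARNING: no ESTABLISHED rule survives, so existing sessions die too.
# Running "stop" over SSH locks you out; use "clear" to open everything.
fw_stop () {
  /sbin/iptables -F
  /sbin/iptables -X                   # user-defined chains are empty after -F
  /sbin/iptables -t nat -F
  /sbin/iptables -t nat -X
  /sbin/iptables -t mangle -F
  /sbin/iptables -t mangle -X
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P OUTPUT ACCEPT
}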
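# CLEAR -
# Flush every rule and chain and set all policies to ACCEPT: the host is then
# completely unfiltered. This is the action to use to regain access, not "stop".
fw_clear () {
  /sbin/iptables -F
  /sbin/iptables -X                   # user-defined chains are empty after -F
  /sbin/iptables -t nat -F
  /sbin/iptables -t nat -X
  /sbin/iptables -t mangle -F
  /sbin/iptables -t mangle -X
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
}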
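# TEST -
# Snapshot the current rule set (all tables, including policies) so that
# fw_restore can roll back to it. The snapshot describes the whole filtering
# policy, so it is created with mode 0600 (umask 077 in a subshell; an
# already-existing file keeps whatever mode it had).
fw_save () {
  ( umask 077 && /sbin/iptables-save > /etc/iptables.backup )
}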
# Reload the rule set written by fw_save. No-op (status 0) when no snapshot
# exists; otherwise returns the status of iptables-restore.
fw_restore () {
  [ -e /etc/iptables.backup ] || return 0
  /sbin/iptables-restore < /etc/iptables.backup
}
# Try the configured rule set with an automatic rollback: the current rules
# are saved, a background job is armed to restore them 30 seconds later, then
# the new rules are loaded. Useful when editing rules over a remote session.
# The rollback is unconditional: it fires even if the new rules work and even
# if the script has already exited, so run "start" again afterwards to keep them.
fw_test () {
  fw_save
  ( sleep 30 && echo "Remise en place des règles précédentes..." && fw_restore ) &
  fw_stop
  fw_start
}
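# Dispatch on the action given as first argument.
#   start|restart : flush (fw_stop) then load the rule set (fw_start)
#   stop          : flush and close everything (see fw_stop: kills remote sessions)
#   clear         : flush and open everything
#   test          : load the rules with automatic rollback after 30 seconds
# Usage errors go to stderr and exit 1; everything else exits 0 regardless of
# whether individual iptables commands succeeded.
case "$1" in
  start|restart)
    echo -n "Starting firewall.."
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing firewall rules.."
    fw_clear
    echo "done."
    ;;
  test)
    echo -n "Test Firewall rules..."
    fw_test
    echo -n "La configuration précédente sera remise en place dans 30 secondes"
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear|test}" >&2
    echo "Attention tout sera stoppé !!!" >&2
    exit 1
    ;;
esac
exit 0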

Article de Nicolargo