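#!/bin/bash
# 2003-06-09 Arnaud Fontaine
#
# Firewall for a host acting as a gateway that is not meant to offer
# any service to the outside.
#
# Usage: /etc/init.d/iptables.sh {start|stop|restart}
#   start / restart : flush, load the rules, set the kernel knobs
#   stop            : flush the rules, reset the kernel knobs
#
# Uncomment to print every command as the script runs (debugging).
# set -x

# Path to iptables and the interfaces the rules refer to.
IPT="/sbin/iptables"
IFNET="eth1"   # Internet-facing interface
IFLAN="eth0"   # LAN interface (only referenced by commented-out rules)
IFLOC="lo"

# Port lists (names resolved through /etc/services) handed to the
# multiport match.
#   DAEMON_*: local services allowed to receive NEW connections.
#   OTHER_* : remote services this host is allowed to connect to.
DAEMON_TCP="ssh,www,imap2,pop3,domain,https,smtp"
OTHER_TCP="ntp,ircd,www,pop3,smtp,ssh,gpg,nntp,aim,jabber-client,domain,blb,rsync,ftp,ftp-data"
DAEMON_UDP="domain"
OTHER_UDP="ntp,bootpc,domain,bootps"

# First octets of the /8 prefixes from which inbound ssh on $IFNET is
# dropped (see start_fw).
SSH_BLOCKED_PREFIXES="58 59 60 61 124 125 126 202 203 210 211 218 219 220 221 222"

# LAN hosts that inbound port ranges are DNAT'ed to (see start_fw).
DNAT_HOST1="192.168.0.5"
DNAT_HOST2="192.168.0.7"

#######################################
# Flush every chain of the filter, nat and mangle tables, delete the
# user-defined chains and put the built-in policies back to ACCEPT.
# Until start_fw runs again the host is therefore fully open.
# Globals:   IPT (read)
# Returns:   status of the last iptables call
#######################################
clean_table() {
  local table
  "$IPT" -F
  "$IPT" -X
  for table in nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
  # Default policies.
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
}

#######################################
# Create the pk_log chain: one rate-limited LOG line per hour.  LOG is
# not terminating and the chain has no DROP, so a packet sent here goes
# back to the calling chain and ends up under that chain's policy.
# Globals:   IPT (read)
#######################################
_fw_log_chain() {
  "$IPT" -N pk_log
  "$IPT" -A pk_log -p all -j LOG -m limit --limit 1/hour --limit-burst 1 \
    --log-level 1 --log-prefix '[IPTABLES DROP] : '
}

#######################################
# Default policies, loopback and the two TCP-flag sanity rules.
# Globals:   IPT, IFLOC (read)
#######################################
_fw_policies() {
  # INPUT/OUTPUT fail closed from here on; FORWARD stays open, so any
  # later failure in this script leaves forwarding unfiltered.
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD ACCEPT

  ## Lan (in|out) -- intentionally disabled
  #"$IPT" -A INPUT -i $IFLAN -j ACCEPT
  #"$IPT" -A OUTPUT -o $IFLAN -j ACCEPT

  ## Localhost (in|out)
  "$IPT" -A INPUT -i "$IFLOC" -j ACCEPT
  "$IPT" -A OUTPUT -o "$IFLOC" -j ACCEPT

  # Drop TCP packets with all flags set or no flag set.  NOTE(review):
  # the original comment spoke of reserved address classes, but the
  # rules only check TCP flags, and only on FORWARD -- INPUT gets no
  # such check.
  "$IPT" -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
  "$IPT" -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
}

#######################################
# Inbound (pki_icmp) and outbound (pko_icmp) ICMP chains.
# Globals:   IPT (read)
#######################################
_fw_icmp_chains() {
  local type

  ## ICMP (in)
  "$IPT" -N pki_icmp
  for type in source-quench parameter-problem time-exceeded \
      destination-unreachable echo-reply; do
    "$IPT" -A pki_icmp -p icmp --icmp-type "$type" -j ACCEPT
  done
  # Incoming pings are rate limited; beyond the limit they fall through
  # to pk_log and then to the INPUT policy (DROP).
  "$IPT" -A pki_icmp -p icmp --icmp-type echo-request \
    -m limit --limit 5/min -j ACCEPT
  # Other packets
  "$IPT" -A pki_icmp -j pk_log

  ## ICMP (out)
  "$IPT" -N pko_icmp
  for type in source-quench parameter-problem fragmentation-needed \
      destination-unreachable echo-reply echo-request; do
    "$IPT" -A pko_icmp -p icmp --icmp-type "$type" -j ACCEPT
  done
  # Other packets
  "$IPT" -A pko_icmp -j pk_log
}

#######################################
# Inbound (pki_utcp) and outbound (pko_utcp) TCP/UDP chains.
# Globals:   IPT, DAEMON_TCP, DAEMON_UDP, OTHER_TCP, OTHER_UDP (read)
#######################################
_fw_utcp_chains() {
  ## UDP/TCP (in)
  "$IPT" -N pki_utcp
  # Daemon.  NOTE(review): no -i restriction, so these services are
  # reachable from $IFNET as well, which is at odds with the header's
  # "no service to the outside".
  "$IPT" -A pki_utcp -p tcp -m multiport --dports "$DAEMON_TCP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #"$IPT" -A pki_utcp -p tcp --dport ssh -j ACCEPT
  "$IPT" -A pki_utcp -p udp -m multiport --dports "$DAEMON_UDP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Other: replies to connections this host opened.
  "$IPT" -A pki_utcp -p tcp -m multiport --sports "$OTHER_TCP" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A pki_utcp -p udp -m multiport --sports "$OTHER_UDP" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A pki_utcp -p tcp --sport 1024:65535 --dport 1024:65535 -m \
    state --state ESTABLISHED,RELATED -j ACCEPT
  # Single remote host allowed to reach port 8888, stateless.
  "$IPT" -A pki_utcp -p tcp -s 152.77.18.42 --dport 8888 -j ACCEPT
  # SYN flood -- disabled
  #"$IPT" -A pki_utcp -p tcp --syn -j DROP
  # Other packets
  "$IPT" -A pki_utcp -j pk_log

  ## UDP/TCP (out)
  "$IPT" -N pko_utcp
  # Daemon
  "$IPT" -A pko_utcp -p tcp -m multiport --sports "$DAEMON_TCP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #"$IPT" -A pko_utcp -p tcp -m owner --gid-owner 109 --sport ssh \
  #  -j ACCEPT
  "$IPT" -A pko_utcp -p udp -m multiport --sports "$DAEMON_UDP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Other
  "$IPT" -A pko_utcp -p tcp -m multiport --dports "$OTHER_TCP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A pko_utcp -p udp -m multiport --dports "$OTHER_UDP" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): NEW is allowed here, so any outbound TCP connection
  # between two unprivileged ports is permitted regardless of OTHER_TCP.
  "$IPT" -A pko_utcp -p tcp --sport 1024:65535 --dport \
    1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Other packets (stateless accept for this outbound range).
  "$IPT" -A pko_utcp -p tcp --dport 6880:6889 -j ACCEPT
  "$IPT" -A pko_utcp -j pk_log
}

#######################################
# Drop inbound ssh on $IFNET from the listed /8 prefixes.  Appended to
# INPUT before the pki_utcp jump, so it wins over the ssh ACCEPT there.
# Globals:   IPT, IFNET, SSH_BLOCKED_PREFIXES (read)
#######################################
_fw_ssh_prefix_blocklist() {
  local i
  for i in $SSH_BLOCKED_PREFIXES; do
    "$IPT" -A INPUT -i "$IFNET" -p tcp -s "$i.0.0.0/8" --dport ssh -j DROP
  done
}

#######################################
# mangle pk_pre (TOS marking) and nat pk_nat (port forwarding) chains,
# plus the MASQUERADE rule for the Internet interface.
# Globals:   IPT, IFNET, DNAT_HOST1, DNAT_HOST2 (read)
#######################################
_fw_nat_and_mangle() {
  ## Prerouting
  "$IPT" -t mangle -N pk_pre
  # TOS options
  "$IPT" -t mangle -A pk_pre -p tcp --sport www -j TOS --set-tos Maximize-Throughput
  "$IPT" -t mangle -A pk_pre -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

  ## NAT
  "$IPT" -t nat -N pk_nat
  # Redirect to some host.  pk_nat is hooked into PREROUTING without an
  # interface match, so these apply to packets from any interface.
  "$IPT" -t nat -A pk_nat -p tcp --dport 6880:6889 -j DNAT --to-destination "$DNAT_HOST1"
  "$IPT" -t nat -A pk_nat -p tcp --dport 4660:4680 -j DNAT --to-destination "$DNAT_HOST1"
  "$IPT" -t nat -A pk_nat -p udp --dport 4660:4680 -j DNAT --to-destination "$DNAT_HOST1"
  "$IPT" -t nat -A pk_nat -p tcp --dport 4200:4300 -j DNAT --to-destination "$DNAT_HOST1"
  "$IPT" -t nat -A pk_nat -p udp --dport 4200:4300 -j DNAT --to-destination "$DNAT_HOST1"
  "$IPT" -t nat -A pk_nat -p tcp --dport 42 -j DNAT --to-destination "$DNAT_HOST2:22"
  "$IPT" -t nat -A pk_nat -p tcp --dport 8080 -j DNAT --to-destination "$DNAT_HOST2:80"
  "$IPT" -t nat -A pk_nat -p tcp --dport 32 -j DNAT --to-destination "$DNAT_HOST1:32"

  ## Gateway
  "$IPT" -t nat -A POSTROUTING -o "$IFNET" -j MASQUERADE
}

#######################################
# Hook the user-defined chains into the built-in chains.
# Globals:   IPT, IFNET, DNAT_HOST2 (read)
#######################################
_fw_hook_chains() {
  ## Activate ICMP
  "$IPT" -A INPUT -p icmp -j pki_icmp
  "$IPT" -A OUTPUT -p icmp -j pko_icmp

  ## Services and other programs
  "$IPT" -A INPUT -j pki_utcp
  "$IPT" -A OUTPUT -j pko_utcp

  ## PreRouting
  "$IPT" -t nat -A PREROUTING -j pk_nat
  # NOTE(review): the pk_nat rule for --dport 42 above already matches
  # (DNAT terminates), so this narrower rule is shadowed; kept as-is.
  "$IPT" -t nat -A PREROUTING -i "$IFNET" -p tcp --dport 42 -j DNAT --to-destination "$DNAT_HOST2:22"
  "$IPT" -t mangle -A PREROUTING -j pk_pre
}

#######################################
# Build the complete rule set.  Expects clean_table to have run first
# (the chains are created with -N and must not already exist).
# Globals:   see the helpers above
# Returns:   status of the last iptables call
#######################################
start_fw() {
  _fw_log_chain
  _fw_policies
  _fw_icmp_chains
  _fw_utcp_chains
  _fw_ssh_prefix_blocklist
  _fw_nat_and_mangle
  _fw_hook_chains
}

#######################################
# Write one value to a key under every /proc/sys/net/ipv4/conf/*/ entry.
# Arguments: $1 - key name (e.g. rp_filter), $2 - value to write
#######################################
set_ipv4_conf_all() {
  local key=$1 value=$2 f
  for f in /proc/sys/net/ipv4/conf/*/"$key"; do
    [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
    echo "$value" > "$f"
  done
}

#######################################
# Kernel knobs for the running firewall: forwarding on, reverse-path
# filtering on, redirects and source routing off, martians logged.
#######################################
kernel_start() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  set_ipv4_conf_all rp_filter 1
  set_ipv4_conf_all accept_redirects 0
  set_ipv4_conf_all send_redirects 0
  set_ipv4_conf_all accept_source_route 0
  set_ipv4_conf_all log_martians 1
}

#######################################
# Kernel knobs for the stopped firewall.  NOTE(review): this turns
# accept_redirects, send_redirects and accept_source_route on and
# rp_filter off rather than restoring the values found before start;
# confirm that is intended.
#######################################
kernel_stop() {
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # echo 0 > /proc/sys/net/ipv4/tcp_syncookies
  echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  set_ipv4_conf_all rp_filter 0
  set_ipv4_conf_all accept_redirects 1
  set_ipv4_conf_all send_redirects 1
  set_ipv4_conf_all accept_source_route 1
  set_ipv4_conf_all log_martians 0
}

#######################################
# start and restart do the same thing: flush, load rules, set knobs.
#######################################
apply_rules() {
  clean_table && start_fw && kernel_start
}

#######################################
# Init-script entry point.
# Arguments: $1 - start | stop | restart
# Returns:   status of the rule loading (previously always 0), 1 on usage
#######################################
main() {
  local rv=0
  case "$1" in
    start)
      printf '%s' "Starting Firewall rules"
      apply_rules
      rv=$?
      printf '.\n'
      ;;
    stop)
      printf '%s' "Cleaning Firewall table"
      clean_table && kernel_stop
      rv=$?
      printf '.\n'
      ;;
    restart)
      printf '%s' "Restarting Firewall rules"
      apply_rules
      rv=$?
      printf '.\n'
      ;;
    *)
      printf '%s\n' "Usage: /etc/init.d/iptables.sh {start|stop|restart}"
      exit 1
      ;;
  esac
  return "$rv"
}

main "$@"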