#!/bin/bash
# 2003-06-09 Arnaud Fontaine <arnaud@andesi.org>

## Pare-Feu sur un poste faisant office de passerelle
## et ne proposant aucun service à l'extérieur

# Affiche les commandes du script lors de son lancement
# pour le débogage
# set -x

# iptables binary and the interface roles the rules refer to
IPT=/sbin/iptables
ext=eth1      # external (WAN) interface
local0=eth0   # LAN interface
lo=lo         # loopback

# Resolver addresses of the ISP (Free) and CI; only these hosts may
# exchange DNS with the gateway on $ext (see start_fw).
# An earlier version derived the list from /etc/resolv.conf:
#   dns_ip=$(awk '/nameserver/ {print $2}' /etc/resolv.conf)
dns_ip="212.27.32.176 212.27.32.177 212.27.39.1 212.27.39.2 213.228.0.212 213.228.0.168"

# BitTorrent ports; only referenced by a disabled loop in start_fw
portBT="6880 6881 6882 6883 6884 6885 6886 6887 6888 6889"

#######################################
# Flushes every rule and deletes every user chain in the filter, nat
# and mangle tables, then resets the built-in policies to ACCEPT.
# Globals:   IPT (read)
# NOTE: between this call and start_fw the host is unfiltered (all
#       policies ACCEPT); the "stop" action leaves it in that state.
#######################################
function clean_table ()
{
	local table chain
	# filter table (iptables' default when -t is omitted)
	"$IPT" -F
	"$IPT" -X
	# the other tables this script populates
	for table in nat mangle; do
		"$IPT" -t "$table" -F
		"$IPT" -t "$table" -X
	done
	# built-in chains back to accept-all
	for chain in INPUT OUTPUT FORWARD; do
		"$IPT" -P "$chain" ACCEPT
	done
}

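#######################################
# Runs one iptables command and counts failures instead of ignoring
# them: a rule that did not load is a hole in the policy.
# Globals:   IPT (read); _fw_failures (incremented) — declared local in
#            start_fw and reached here through bash's dynamic scoping
# Arguments: the iptables arguments, passed through verbatim
# Outputs:   the failing command line on stderr
# Returns:   0 always (start_fw reports the total at its end)
#######################################
function _ipt ()
{
	if ! "$IPT" "$@"; then
		printf 'start_fw: %s %s failed\n' "$IPT" "$*" >&2
		_fw_failures=$(( _fw_failures + 1 ))
	fi
	return 0
}

#######################################
# Loads the rule set for a NAT gateway that exposes only ssh, smtp,
# www, tcp/8888 and the DNAT-forwarded ports to the outside.
# Globals:   IPT, ext, local0, lo, dns_ip (read)
# Side effects: creates chain LOG_DROP; sets the filter policies to
#            DROP; installs nat (MASQUERADE, DNAT) and mangle (TOS) rules.
# Returns:   0 if every iptables call succeeded, 1 otherwise. All rules
#            are still attempted so the LOG_DROP catch-alls get appended.
#######################################
function start_fw ()
{
	local _fw_failures=0
	local i

	## Rate-limited log then drop; appended as the catch-all of each chain
	_ipt -N LOG_DROP
	_ipt -A LOG_DROP -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix '[IPTABLES DROP] : '
	_ipt -A LOG_DROP -j DROP

	## TCP replies belonging to an existing connection on the external side
	_ipt -A INPUT -i "$ext" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
	_ipt -A OUTPUT -o "$ext" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
	## Default policy: drop. FORWARD is DROP too (fail-closed): the LOG_DROP
	## catch-all appended at the end already dropped anything unmatched, so
	## this only changes what happens while rules load or if that rule fails.
	_ipt -P INPUT DROP
	_ipt -P OUTPUT DROP
	_ipt -P FORWARD DROP

	## Everything on the LAN interface is trusted
	#$IPT -A INPUT -i $local0 -s ! 192.168.0.4 -j ACCEPT
	#$IPT -A OUTPUT -o $local0 -d ! 192.168.0.7 -j ACCEPT
	_ipt -A INPUT -i "$local0" -j ACCEPT
	_ipt -A OUTPUT -o "$local0" -j ACCEPT

	## Bogus TCP flag combinations (left disabled)
	#$IPT -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
	#$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

	## Loopback
	_ipt -A INPUT -i "$lo" -j ACCEPT
	_ipt -A OUTPUT -o "$lo" -j ACCEPT

	## DHCP client on the external interface. Caveat: this accepts any UDP
	## datagram whose source port is 67, not only replies to our requests.
	_ipt -A INPUT -p udp --sport 67 -i "$ext" -j ACCEPT
	_ipt -A OUTPUT -p udp --dport 67 -o "$ext" -j ACCEPT

	## ICMP timestamp request/reply are dropped; -I puts these ahead of the
	## LAN accept above and of the ICMP accepts further down.
	_ipt -I INPUT -p icmp --icmp-type 13 -j DROP
	_ipt -I OUTPUT -p icmp --icmp-type 14 -j DROP

	## Forwarding: the LAN may open anything towards the outside; the
	## outside only gets replies to those flows plus the DNAT targets,
	## which get explicit NEW accepts next to their nat rules below.
	#$IPT -A FORWARD -i $local0 -o $ext -p tcp --dport ! 5222 -j ACCEPT
	#$IPT -A FORWARD -i $local0 -o $ext -s ! 192.168.0.4 -j ACCEPT
	_ipt -A FORWARD -i "$local0" -o "$ext" -j ACCEPT
	_ipt -A FORWARD -i "$ext" -o "$local0" -m state --state ESTABLISHED,RELATED -j ACCEPT

	## ISP resolvers; required for name resolution from the gateway itself
	# shellcheck disable=SC2086 -- dns_ip is a space-separated list
	for i in $dns_ip; do
		_ipt -A INPUT -i "$ext" -p udp --sport 53 -s "$i" -j ACCEPT
		_ipt -A OUTPUT -o "$ext" -p udp --dport 53 -d "$i" -j ACCEPT
	done

	## Outgoing client services (names resolved through /etc/services)
	_ipt -A OUTPUT -o "$ext" -p tcp -m multiport --dports ntp,ircd,www,pop3,smtp,ssh,gpg,nntp,aim,jabber,finger -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	_ipt -A INPUT -i "$ext" -p tcp -m multiport --sports ntp,ircd,www,pop3,smtp,ssh,gpg,nntp,aim,jabber,finger -m state --state ESTABLISHED,RELATED -j ACCEPT

	#$IPT -A OUTPUT -o $ext -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT

	# NTP client. Inbound is reply-only: accepting NEW here would let any
	# datagram with source port 123 through to the gateway.
	_ipt -A OUTPUT -o "$ext" -p udp --dport ntp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	_ipt -A INPUT -i "$ext" -p udp --sport ntp -m state --state ESTABLISHED,RELATED -j ACCEPT

	## FTP client (disabled)
	#$IPT -A INPUT -i $ext -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

	#$IPT -A INPUT -i $ext -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

	#$IPT -A INPUT -i $ext -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## Jabber client (disabled; "jabber" is already in the multiport list above)
	#$IPT -A OUTPUT -p tcp --dport 5222 -m state --state NEW,ESTABLISHED  -j ACCEPT
	#$IPT -A OUTPUT -p tcp --dport 5223 -m state --state NEW,ESTABLISHED  -j ACCEPT

	# IRC server on 6668 (any interface)
	_ipt -A OUTPUT -p tcp --dport 6668 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	_ipt -A INPUT -p tcp --sport 6668 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## Inbound ssh from anywhere (the source-restricted variant is kept for reference)
	#$IPT -A INPUT -i $ext -p tcp --dport ssh -s 213.41.162.37 -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport ssh -d 213.41.162.37 -j ACCEPT
	_ipt -A INPUT -i "$ext" -p tcp --dport ssh -j ACCEPT
	_ipt -A OUTPUT -o "$ext" -p tcp --sport ssh -j ACCEPT

	## Inbound tcp/8888 — the service behind it is not documented in this
	## script; TODO confirm what listens there before keeping it open.
	_ipt -A INPUT -i "$ext" -p tcp --dport 8888 -j ACCEPT
	_ipt -A OUTPUT -o "$ext" -p tcp --sport 8888 -j ACCEPT

	## Squid (disabled)
	#$IPT -A INPUT -i $ext -p tcp --dport squid -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport squid -j ACCEPT

	## Active and passive FTP (disabled)
	#$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
	#$IPT -A OUTPUT -p tcp --sport 1: --dport 1:  -m state --state ESTABLISHED,RELATED -j ACCEPT
	#$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

	#$IPT -A INPUT  -i $ext -p tcp --sport 21 -m state --state ESTABLISHED      -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --dport 21 -m state --state NEW,ESTABLISHED  -j ACCEPT
	#$IPT -A INPUT  -i $ext -p tcp --sport 20 -m state --state ESTABLISHED,RELATED  -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --dport 20 -m state --state ESTABLISHED          -j ACCEPT
	#$IPT -A INPUT  -i $ext -p tcp --sport 1: --dport 1:  -m state --state ESTABLISHED         -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport 1: --dport 1:  -m state --state ESTABLISHED,RELATED -j ACCEPT

	## SMTP server reachable from the outside (postfix)
	_ipt -A INPUT -i "$ext" -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	_ipt -A OUTPUT -o "$ext" -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## POP server from the outside (ipopd-ssl; disabled)
	#$IPT -A INPUT -i $ext -p tcp --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport 995 -m state --state ESTABLISHED,RELATED -j ACCEPT

	#$IPT -A INPUT -i $ext -p tcp --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## Web server reachable from the outside
	_ipt -A INPUT -i "$ext" -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	_ipt -A OUTPUT -o "$ext" -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## MySQL, only from duckcorp (disabled)
	#$IPT -A INPUT -i $ext -p tcp --dport 3306 -s 62.4.21.229 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	#$IPT -A OUTPUT -o $ext -p tcp --sport 3306 -d 62.4.21.229 -m state --state ESTABLISHED,RELATED -j ACCEPT

	## Bandwidth hints (TOS marks)
	# Apache matters!
	_ipt -A PREROUTING -t mangle -p tcp --sport www -j TOS --set-tos Maximize-Throughput
	# And so does ssh!
	_ipt -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay

	## Requests towards a configured NTP server (disabled)
	#source /etc/default/ntp-servers
	#ip_ntp=`cat /etc/hosts | grep $NTPSERVERS | awk '{print $1}'`

	#$IPT -A OUTPUT -o $ext -p udp --dport 123 -d $ip_ntp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

	# ICMP: the gateway may ping out; inbound echo and replies are rate-limited
	_ipt -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
	_ipt -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -m limit --limit 5/min -j ACCEPT
	_ipt -A INPUT -p icmp -m state --state NEW -m limit --limit 5/min -j ACCEPT

	## NAT for the LAN
	_ipt -t nat -A POSTROUTING -o "$ext" -j MASQUERADE

	#for i in $portBT; do
	#	$IPT -t nat -A PREROUTING -i $ext -p tcp --dport $i -j DNAT --to 192.168.0.5:$i
	#	#$IPT -A INPUT -i $ext -p tcp --dport $i -j ACCEPT
	#done

	## Bittorrent, forwarded to 192.168.0.5 (no -i: LAN clients reaching the
	## gateway on these ports are redirected as well). The translated flow
	## arrives in FORWARD with -d 192.168.0.5; a -s 192.168.0.5 match would
	## only see that host's own outbound connections, accepted above already.
	_ipt -t nat -I PREROUTING -p tcp --dport 6880:6889 -j DNAT --to-destination 192.168.0.5
	_ipt -A FORWARD -i "$ext" -o "$local0" -d 192.168.0.5 -p tcp --dport 6880:6889 -m state --state NEW -j ACCEPT

	## amule (disabled)
	#$IPT -t nat -I PREROUTING -p tcp --dport 4660:4669 -j DNAT --to-destination 192.168.0.6
	#$IPT -A FORWARD -s 192.168.0.6 -p tcp --dport 4660:4669 -j ACCEPT

	#$IPT -t nat -I PREROUTING -p udp --dport 4660:4669 -j DNAT --to-destination 192.168.0.6
	#$IPT -A FORWARD -s 192.168.0.6 -p udp --dport 4660:4669 -j ACCEPT

	#$IPT -t nat -I PREROUTING -p tcp --dport 4200:4300 -j DNAT --to-destination 192.168.0.6

	## Korova (disabled)
	#$IPT -t nat -I PREROUTING -p tcp --dport 8000 -j DNAT --to-destination 192.168.0.5:80

	#$IPT -A FORWARD -s 192.168.0.6 -p tcp --dport 4200:4300 -j ACCEPT

	#$IPT -t nat -I PREROUTING -p udp --dport 4200:4300 -j DNAT --to-destination 192.168.0.6
	#$IPT -A FORWARD -s 192.168.0.6 -p udp --dport 4200:4300 -j ACCEPT

	## GNU Hurd box (ssh and web), reached through ports 42 and 8080
	_ipt -t nat -A PREROUTING -i "$ext" -p tcp --dport 42 -j DNAT --to 192.168.0.7:22
	_ipt -t nat -A PREROUTING -i "$ext" -p tcp --dport 8080 -j DNAT --to 192.168.0.7:80
	_ipt -A FORWARD -i "$ext" -o "$local0" -d 192.168.0.7 -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

	## Samy: ssh on 192.168.0.5, reached through port 52
	_ipt -t nat -A PREROUTING -i "$ext" -p tcp --dport 52 -j DNAT --to 192.168.0.5:22
	_ipt -A FORWARD -i "$ext" -o "$local0" -d 192.168.0.5 -p tcp --dport 22 -m state --state NEW -j ACCEPT

	#$IPT -t nat -A PREROUTING -i $ext -p udp --dport 27960 -j DNAT --to 192.168.0.5:27960
	#$IPT -t nat -A PREROUTING -i $ext -p tcp --dport 6969 -j DNAT --to 192.168.0.6:6969
	#$IPT -t nat -A PREROUTING -s 62.212.118.231 -i $ext -p tcp --dport 20 -j DNAT --to 192.168.0.6:20
	#$IPT -t nat -A PREROUTING -i $ext -p udp --dport 4242 -j DNAT --to 192.168.0.5:4242
	#$IPT -t nat -A PREROUTING -i $ext -p tcp --dport 4242 -j DNAT --to 192.168.0.5:4242
	#$IPT -t nat -A PREROUTING -i $ext -p udp --dport 4662 -j DNAT --to 192.168.0.5:4662
	#$IPT -t nat -A PREROUTING -i $ext -p tcp --dport 4662 -j DNAT --to 192.168.0.5:4662
	#$IPT -t nat -A PREROUTING -i $ext -p udp --dport 4661 -j DNAT --to 192.168.0.5:4661
	#$IPT -t nat -A PREROUTING -i $ext -p tcp --dport 4661 -j DNAT --to 192.168.0.5:4661
	#$IPT -t nat -A PREROUTING -s 62.212.118.231 -i $ext -p tcp --dport 21 -j DNAT --to 192.168.0.6:21

	#$IPT -A INPUT -i $ext -p udp --dport 137 -j DROP
	#$IPT -A INPUT -i $ext -p icmp -j DROP

	## Catch-all: log (rate-limited) and drop whatever nothing above accepted
	_ipt -A FORWARD -j LOG_DROP
	_ipt -A INPUT -j LOG_DROP
	_ipt -A OUTPUT -j LOG_DROP

	#$IPT -A FORWARD -p tcp --dport 5222 -j DROP
	#$IPT -A INPUT -j DROP
	#$IPT -A OUTPUT -j DROP

	# Non-zero status if any rule failed to load
	(( _fw_failures == 0 ))
}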

#######################################
# Enables IPv4 forwarding and the anti-spoofing / anti-redirect sysctls
# by writing to /proc (needs root).
# Globals:   none
# Outputs:   none; a failed write shows up as a shell error on stderr
#######################################
function kernel_start ()
{
	local pair knob path
	# Host-wide knobs, as "value:path-under-/proc/sys/net/ipv4"
	for pair in \
		1:ip_forward \
		1:icmp_echo_ignore_broadcasts \
		1:tcp_syncookies \
		1:conf/all/log_martians \
		1:icmp_ignore_bogus_error_responses \
		0:icmp_echo_ignore_all
	do
		echo "${pair%%:*}" > "/proc/sys/net/ipv4/${pair#*:}"
	done
	# Per-interface knobs, applied to every entry under conf/*
	for pair in \
		1:rp_filter \
		0:accept_redirects \
		0:send_redirects \
		0:accept_source_route \
		1:log_martians
	do
		knob=${pair#*:}
		for path in /proc/sys/net/ipv4/conf/*/"$knob"; do
			echo "${pair%%:*}" > "$path"
		done
	done
}

#######################################
# Reverts every knob kernel_start touched: forwarding off and the
# hardening sysctls back to their permissive values.
# NOTE(review): this also turns syncookies off and re-enables ICMP
# redirects and source routing, which may be weaker than the kernel's
# own defaults; consider leaving those untouched on "stop".
# Globals:   none
# Outputs:   none; a failed write shows up as a shell error on stderr
#######################################
function kernel_stop ()
{
	local pair knob path
	# Host-wide knobs, as "value:path-under-/proc/sys/net/ipv4"
	for pair in \
		0:ip_forward \
		0:icmp_echo_ignore_broadcasts \
		0:tcp_syncookies \
		0:conf/all/log_martians \
		0:icmp_ignore_bogus_error_responses \
		0:icmp_echo_ignore_all
	do
		echo "${pair%%:*}" > "/proc/sys/net/ipv4/${pair#*:}"
	done
	# Per-interface knobs, applied to every entry under conf/*
	for pair in \
		0:rp_filter \
		1:accept_redirects \
		1:send_redirects \
		1:accept_source_route \
		0:log_martians
	do
		knob=${pair#*:}
		for path in /proc/sys/net/ipv4/conf/*/"$knob"; do
			echo "${pair%%:*}" > "$path"
		done
	done
}

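#######################################
# Flush, load the rule set, then enable forwarding and the sysctls.
# Returns: non-zero as soon as one step fails (the later steps are skipped).
#######################################
fw_up()
{
	clean_table && start_fw && kernel_start
}

#######################################
# Entry point: start | stop | restart.
# "stop" only flushes the rules and reverts the sysctls, leaving the
# host with ACCEPT policies (unfiltered) until "start" runs again.
# Exits 1 on a bad argument, and with a non-zero status if any step
# failed — the dot is still printed so init output stays readable.
# Arguments: $1 - action
#######################################
main()
{
	local rc=0
	case "${1:-}" in
		start)
			printf '%s' "Starting Firewall rules"
			fw_up || rc=$?
			# The connectivity check used to be started from here:
			#/usr/bin/adsl-check > /dev/null 2>&1 &
			#/usr/bin/pon dsl-provider > /dev/null 2>&1
			echo "."
			;;
		stop)
			printf '%s' "Cleaning Firewall table"
			{ clean_table && kernel_stop; } || rc=$?
			# The connectivity check used to be stopped from here:
			#kill -9 `cat /var/run/adsl-check.pid` > /dev/null 2>&1
			#/usr/bin/poff -a > /dev/null 2>&1
			echo "."
			;;
		restart)
			printf '%s' "Restarting Firewall rules"
			fw_up || rc=$?
			echo "."
			;;
		*)
			echo "Usage: /etc/init.d/iptables.sh {start|stop|restart}" >&2
			exit 1
			;;
	esac
	exit "$rc"
}

main "$@"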

