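% Shell script typeset as a boxed listing: one table row per script line,
% shell comments set in italic green through \shcomment.  The "% NOTE(review)"
% lines are reviewer remarks on the script itself; they are LaTeX comments and
% do not appear in the typeset output.  Accented letters are written with TeX
% accent commands so the listing compiles under any input encoding.
\providecommand*{\shcomment}[1]{\textit{\textcolor{PineGreen}{#1}}}%
\begin{longtable}{|l|}
\hline
\multicolumn{1}{|c|}{\textbf{Fichier /etc/init.d/iptables.sh}}\\\hline
\endfirsthead
\hline
\multicolumn{1}{|c|}{\textbf{Fichier de configuration du pare-feu (suite)}}\\\hline
\endhead
\hline
\multicolumn{1}{|c|}{\textbf{Suite \dots}}\\
\hline
\endfoot
\hline
\multicolumn{1}{|c|}{\textbf{Fin de /etc/init.d/iptables.sh}}\\
\hline
\endlastfoot
\#!/bin/sh\\
\shcomment{\#\# Script de pare-feu pour une passerelle proposant un serveur web et}\\
\shcomment{\#\# ssh accessible depuis l'ext\'erieur}\\
\shcomment{\# Quelques variables \`a d\'efinir avant de pouvoir lancer le script}\\
IPT="/sbin/iptables"\\
ext="ppp0"\\
local0="eth0"\\
local1="eth1"\\
lo="lo"\\
\shcomment{\# On r\'ecup\`ere les adresses IP des DNS du FAI}\\
dns\_ip=`cat /etc/resolv.conf | grep nameserver | awk -F" " '\{print \$2\}'`\\
\shcomment{\#\# Fonctions de `nettoyage'}\\
function clean\_table ()\\
\{\\
\qquad \shcomment{\# On vide toutes les r\`egles pr\'eexistantes}\\
\qquad \$IPT -F\\
\qquad \$IPT -X\\
\qquad \$IPT -t nat -F\\
\qquad \$IPT -t nat -X\\
\qquad \shcomment{\# On remet les polices par d\'efaut}\\
\qquad \$IPT -P INPUT ACCEPT\\
\qquad \$IPT -P OUTPUT ACCEPT\\
\qquad \$IPT -P FORWARD ACCEPT\\
\}\\
\shcomment{\#\# Fonction principale d\'efinissant les r\`egles \`a appliquer lors du}\\
\shcomment{\#\# lancement du pare-feu}\\
function start\_fw ()\\
\{\\
\qquad \shcomment{\# Pour loguer tout ce qui a \'et\'e rejet\'e}\\
\qquad \$IPT -N LOG\_DROP\\
\qquad \$IPT -A LOG\_DROP -m limit --limit 1/minute --limit-burst 5 -j \verb+\+ \\
\qquad LOG --log-level 1 --log-prefix '[IPTABLES DROP] : '\\
\qquad \$IPT -A LOG\_DROP -j DROP\\
\qquad \shcomment{\# On autorise tout ce qui sort et venant d'une connexion d\'ej\`a existante}\\
% NOTE(review): the two state rules below are TCP-only (-p tcp); UDP and ICMP
% replies not matched further down fall through to the DROP policies set just
% after them -- confirm that having no ICMP at all on $ext is intended.
\qquad \$IPT -A INPUT -i \$ext -p tcp -m state --state \verb+\+ \\
\qquad ESTABLISHED,RELATED -j ACCEPT\\
\qquad \$IPT -A OUTPUT -o \$ext -p tcp -m state --state \verb+\+ \\
\qquad ESTABLISHED,RELATED -j ACCEPT\\
\qquad \shcomment{\# Par d\'efaut on rejette tous les paquets}\\
\qquad \$IPT -P INPUT DROP\\
\qquad \$IPT -P OUTPUT DROP\\
\qquad \$IPT -P FORWARD DROP\\
\qquad \shcomment{\# On autorise tout ce qui est dans le r\'eseau local}\\
\qquad \$IPT -A INPUT -i \$local0 -j ACCEPT\\
\qquad \$IPT -A OUTPUT -o \$local0 -j ACCEPT\\
% NOTE(review): the comment row below announces a filter on reserved address
% classes, but the two rules that follow drop TCP segments with all flags set
% or none set, and only in FORWARD (not INPUT); the comment and the rules
% should be brought into agreement.
\qquad \shcomment{\# Les adresses provenant de classes d'adresses r\'eserv\'ees}\\
\qquad \$IPT -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP\\
\qquad \$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP\\
\qquad \shcomment{\# On autorise le trafic en localhost}\\
\qquad \$IPT -A INPUT -i \$lo -j ACCEPT\\
\qquad \$IPT -A OUTPUT -o \$lo -j ACCEPT\\
\qquad \shcomment{\# On autorise le forward via le r\'eseau local}\\
\qquad \$IPT -A FORWARD -i \$local0 -o \$ext -j ACCEPT\\
% NOTE(review): the ext -> local0 FORWARD rule below carries no state match, so
% every packet arriving on $ext and routed towards the LAN (e.g. through the
% DNAT rule further down) is forwarded unconditionally.  Restricting it to
% -m state --state ESTABLISHED,RELATED plus one explicit rule for the forwarded
% service would be the tighter form.
\qquad \$IPT -A FORWARD -o \$local0 -i \$ext -j ACCEPT\\
\qquad \shcomment{\# On autorise les requ\^etes provenant des DNS du FAI}\\
\qquad for i in \$dns\_ip; do\\
\qquad \qquad \$IPT -A INPUT  -i \$ext  -p udp --sport 53 -s \$i -j ACCEPT\\
\qquad \qquad \$IPT -A OUTPUT -o \$ext  -p udp --dport 53 -d \$i -j ACCEPT\\
\qquad done\\
\qquad \shcomment{\# On autorise diff\'erents services r\'ef\'erenc\'es dans /etc/services}\\
\qquad \$IPT -A OUTPUT -o \$ext -p tcp -m multiport --dports \verb+\+ \\
\qquad ircd,www,pop3,smtp,ssh -m state --state NEW,ESTABLISHED,RELATED -j \verb+\+ \\
\qquad ACCEPT\\
\qquad \shcomment{\# On autorise le serveur ssh vers l'ext\'erieur}\\
\qquad \$IPT -A INPUT -i \$ext -p tcp --dport ssh -j ACCEPT\\
\qquad \$IPT -A OUTPUT -o \$ext -p tcp --sport ssh -j ACCEPT\\
\qquad \shcomment{\# On autorise le ftp passif et actif}\\
\qquad \$IPT -A OUTPUT -p tcp --dport 21 -m state --state \verb+\+ \\
\qquad NEW,ESTABLISHED  -j ACCEPT\\
% NOTE(review): --sport 1: and --dport 1: each match every port, so the rule
% below accepts any ESTABLISHED/RELATED outbound TCP on every interface --
% wider than the passive-ftp purpose given in the comment row above.
\qquad \$IPT -A OUTPUT -p tcp --sport 1: --dport 1:  -m state --state \verb+\+ \\
\qquad ESTABLISHED,RELATED -j ACCEPT\\
\qquad \shcomment{\# On autorise le serveur web vers l'ext\'erieur}\\
\qquad \$IPT -A INPUT -i \$ext -p tcp --dport 80 -m state --state \verb+\+ \\
\qquad NEW,ESTABLISHED,RELATED -j ACCEPT\\
\qquad \$IPT -A OUTPUT -o \$ext -p tcp --sport 80 -m state --state \verb+\+ \\
\qquad ESTABLISHED,RELATED -j ACCEPT\\
\qquad \shcomment{\# On active la passerelle ssi les autres r\`egles sont bien pass\'ees}\\
\qquad \$IPT -t nat -A POSTROUTING -o \$ext -j MASQUERADE\\
\qquad \shcomment{\# Si on dispose d'un serveur web dans le r\'eseau local}\\
% NOTE(review): HTTP is carried over TCP, so with -p udp the DNAT rule below
% never matches traffic for the internal web server; -p tcp looks intended.
% Kept as the author wrote it -- confirm against the original file first.
\qquad \$IPT -t nat -A PREROUTING -i \$ext -p udp --dport 8080 -j \verb+\+ \\
\qquad DNAT --to 192.168.0.6:8080\\
\qquad \shcomment{\# Si des paquets ne correspondent pas, on rejette et on journalise}\\
\qquad \$IPT -A FORWARD -j LOG\_DROP\\
\qquad \$IPT -A INPUT -j LOG\_DROP\\
\qquad \$IPT -A OUTPUT -j LOG\_DROP\\
\}\\
\shcomment{\#\# Fonction sp\'ecifique au noyau lors du lancement du pare-feu}\\
function kernel\_start ()\\
\{\\
\qquad \shcomment{\# Quelques options pour le noyau}\\
\qquad echo 1 \verb+>+ /proc/sys/net/ipv4/ip\_forward\\
\qquad echo 1 \verb+>+ /proc/sys/net/ipv4/icmp\_echo\_ignore\_broadcasts\\
\qquad echo 1 \verb+>+ /proc/sys/net/ipv4/tcp\_syncookies\\
\qquad echo 1 \verb+>+ /proc/sys/net/ipv4/conf/all/log\_martians\\
\qquad echo 1 \verb+>+ /proc/sys/net/ipv4/icmp\_ignore\_bogus\_error\_responses\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/icmp\_echo\_ignore\_all\\
\qquad for f in /proc/sys/net/ipv4/conf/*/rp\_filter; do\\
\qquad \qquad echo 1 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/accept\_redirects; do\\
\qquad \qquad echo 0 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/send\_redirects; do\\
\qquad \qquad echo 0 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/accept\_source\_route; do\\
\qquad \qquad echo 0 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/log\_martians; do\\
\qquad \qquad echo 1 \verb+>+ \$f\\
\qquad done\\
\}\\
\shcomment{\#\# Fonction sp\'ecifique au noyau lors de l'arr\^et du pare-feu}\\
% NOTE(review): kernel_stop does more than undo ip_forward: it re-enables
% acceptance of ICMP redirects and source-routed packets and turns off
% syncookies and rp_filter.  These are host-hardening settings independent of
% the filter rules, so the stop action leaves the host in a more permissive
% state than necessary.
function kernel\_stop ()\\
\{\\
\qquad \shcomment{\# Quelques options pour le noyau}\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/ip\_forward\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/icmp\_echo\_ignore\_broadcasts\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/tcp\_syncookies\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/conf/all/log\_martians\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/icmp\_ignore\_bogus\_error\_responses\\
\qquad echo 0 \verb+>+ /proc/sys/net/ipv4/icmp\_echo\_ignore\_all\\
\qquad for f in /proc/sys/net/ipv4/conf/*/rp\_filter; do\\
\qquad \qquad echo 0 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/accept\_redirects; do\\
\qquad \qquad echo 1 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/send\_redirects; do\\
\qquad \qquad echo 1 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/accept\_source\_route; do\\
\qquad \qquad echo 1 \verb+>+ \$f\\
\qquad done\\
\qquad for f in /proc/sys/net/ipv4/conf/*/log\_martians; do\\
\qquad \qquad echo 0 \verb+>+ \$f\\
\qquad done\\
\}\\
\shcomment{\#\# Enfin le d\'emarrage du script proprement dit}\\
% NOTE(review): clean_table sets every policy to ACCEPT before start_fw sets
% them back to DROP, so start and restart run briefly with an open filter; and
% if start_fw fails part-way, the && chain skips kernel_start but leaves the
% rules loaded so far in place.
case \$1 in\\
\qquad \shcomment{\# Lancement du pare-feu !}\\
\qquad start)\\
\qquad \qquad echo -n "Starting Firewall rules"\\
\qquad \qquad clean\_table \&\&\\
\qquad \qquad start\_fw \&\&\\
\qquad \qquad kernel\_start\\
\qquad \qquad \shcomment{\# Lancement de la connexion aussi}\\
\qquad \qquad /usr/bin/pon dsl-provider \verb+>+ /dev/null 2\verb+>+\&1\\
\qquad \qquad echo "."\\
\qquad \qquad ;;\\
\qquad \shcomment{\# Arr\^et du pare-feu !}\\
\qquad stop)\\
\qquad \qquad echo -n "Cleaning Firewall table"\\
\qquad \qquad clean\_table \&\&\\
\qquad \qquad kernel\_stop\\
\qquad \qquad \shcomment{\# On arr\^ete aussi la connexion internet}\\
\qquad \qquad /usr/bin/poff -a \verb+>+ /dev/null 2\verb+>+\&1\\
\qquad \qquad echo "."\\
\qquad \qquad ;;\\
\qquad \shcomment{\# Si on relance la configuration, \`a utiliser lors de toute modification de ce fichier !}\\
\qquad restart)\\
\qquad \qquad echo -n "Restarting Firewall rules"\\
\qquad \qquad clean\_table \&\&\\
\qquad \qquad start\_fw \&\&\\
\qquad \qquad kernel\_start\\
\qquad \qquad echo "."\\
\qquad \qquad ;;\\
\qquad \*)\\
\qquad \qquad echo "Usage: /etc/init.d/iptables.sh \{start|stop|restart\}"\\
\qquad \qquad exit 1\\
\qquad \qquad ;;\\
esac
\end{longtable}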
