Installation et sécurisation d'une station Debian 3.0 stable — 15/05/2004
ANNEXE 1. Paramètrage du firewall Ipchains
ANNEXE 1. Paramètrage du firewall Ipchains
/home/system/scripts/fw/custom_net.sh :
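#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains
# Simon Castro
#
# Network stack hardening: writes a handful of /proc/sys/net/ipv4 sysctls,
# first the global ones, then the per-interface ones for every entry under
# /proc/sys/net/ipv4/conf.  Must run as root.  Every failed write is
# reported on stderr and the script exits non-zero if any write failed,
# so a caller can notice that the hardening was not fully applied.

FAILED=0

# set_proc VALUE FILE
# Writes VALUE into FILE; on failure reports it on stderr and records it.
set_proc() {
  if ! echo "$1" > "$2"; then
    echo "$0 : cannot write $1 to $2" >&2
    FAILED=1
  fi
}

### NETWORK CUSTOMIZATION
# Global settings
set_proc 0  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
set_proc 1  /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # no reply to broadcast pings
set_proc 60 /proc/sys/net/ipv4/ip_default_ttl
set_proc 0  /proc/sys/net/ipv4/ip_forward                    # this host does not route

# Per-interface settings: flags cleared to 0 and flags set to 1 for every
# directory under CHEMIN (all, default, lo, eth0, ...).
ZERO_FLAGS="accept_redirects accept_source_route forwarding proxy_arp send_redirects"
ONE_FLAGS="rp_filter log_martians"
CHEMIN="/proc/sys/net/ipv4/conf"

# Glob the directory instead of parsing `ls` output.
for repert in "$CHEMIN"/*; do
  [ -d "$repert" ] || continue
  # Word-splitting of the unquoted lists is intentional: one flag per word.
  for fichier in $ZERO_FLAGS; do
    if [ -e "$repert/$fichier" ]; then
      set_proc 0 "$repert/$fichier"
    fi
  done
  for fichier in $ONE_FLAGS; do
    if [ -e "$repert/$fichier" ]; then
      set_proc 1 "$repert/$fichier"
    fi
  done
done

exit "$FAILED"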
/etc/init.d/init_ipchains.sh :
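#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains
# Simon Castro
#
# Init script for the ipchains firewall.
# Usage: init_ipchains.sh {start|stop|restart}
#   start   runs RULES_UP   (loads the rule set)
#   stop    runs RULES_DOWN (flushes it)
#   restart stop then start
# Exits 1 when the requested rule script cannot be run or fails, so that a
# firewall that was not applied is not reported as a success.
RULES_UP=/home/system/scripts/fw/rules_up_ipchains.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_ipchains.sh

# run_rules SCRIPT
# Runs SCRIPT if it is a regular executable file and returns its status.
# Otherwise reports the problem on stderr and returns 1.
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    "$1"
  else
    echo "$0 : Cannot execute $1 !!!" >&2
    return 1
  fi
}

case "$1" in
  start)
    run_rules "$RULES_UP" || exit 1
    ;;
  stop)
    run_rules "$RULES_DOWN" || exit 1
    ;;
  restart)
    # As in the original, a failing stop does not prevent the start.
    "$0" stop
    "$0" start || exit 1
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0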
/home/system/scripts/fw/rules_down_ipchains.sh :
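#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains
# Simon Castro
#
# Tears the firewall down: flushes every chain, deletes the user chains and
# resets the built-in policies to ACCEPT.  Note that once this has run the
# host filters nothing; it is meant to be paired with rules_up_ipchains.sh.
IPCH=/sbin/ipchains # IpChains binary

### CHECK KERNEL VERSION AND BINARY PRESENCE
# Bail out if the binary is missing OR not executable.  The original joined
# the two tests with &&, which let a present but non-executable binary
# through to the call below.
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then
  exit 0
fi
# On a kernel without the ipchains interface, listing the rules fails and
# complains on stderr: capture stderr only, discard the listing itself.
CHECK=$("$IPCH" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel" >&2
  exit 0
fi

### VARIABLES
DEFAULT_POL="input output forward" # Built-in chains whose policy is reset

### BEGIN
# Flush and remove all chains then default the policies to ACCEPT
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do
  "$IPCH" -P "$i" ACCEPT
done
echo "$0 done"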
/home/system/scripts/fw/rules_up_ipchains.sh :
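#!/bin/sh
#
# Debian-secinst v0.1.4 : ANNEXE 1 - Paramètrage du firewall Ipchains
# Simon Castro
#
# Loads the ipchains rule set: DENY policy on input/output/forward, explicit
# ACCEPTs for loopback, SSH from the administration hosts, HTTP/HTTPS through
# the proxies and DNS, then a final log-and-deny rule on every built-in chain.
# Fill in the @... placeholders below before use.  Must run as root.
IPCH=/sbin/ipchains # IpChains binary
IFACE=eth0          # Interface whose addresses are used in the rules

### CHECK KERNEL VERSION AND BINARY PRESENCE
# Bail out if the binary is missing OR not executable (the original used &&,
# which let a present but non-executable binary through).
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then
  exit 0
fi
# Listing the rules fails on a kernel without the ipchains interface;
# capture stderr only, discard the listing itself.
CHECK=$("$IPCH" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel" >&2
  exit 0 # kept at 0 as in the original: the script is a no-op on such kernels
fi

### Set OUR value to the printk variable
# Console log level; presumably so the kernel's packet-log lines (-l below)
# reach the console -- confirm against the site's logging setup.
echo "6 4 1 7" > /proc/sys/kernel/printk

### NETWORK CUSTOMIZATION
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi

### VARIABLES
# Addresses
# ifconfig prints "inet addr:A.B.C.D  Bcast:A.B.C.255 ..."; with a space as
# record separator and ":" as field separator, $2 is the address after
# "addr:" / "Bcast:".  Assumes a single IPv4 address on IFACE.
LOCAL_IP=$(ifconfig "$IFACE" | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 }')
BROADCAST_IP=$(ifconfig "$IFACE" | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 }')
# Space separated lists of addresses; each one is used as an ipchains -s/-d.
ADM_IP="@IPS_OF_ADMINISTRATION_HOSTS"
DNS_IP="@IP_OF_DNS_SERVERS" # the original line had a stray trailing quote
PROXY_IP="@IPS_OF_HTTP_PROXYS"
#NTP_IP="@IPS_OF_NTP_SERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"
# Policies
DEFAULT_POL="input output forward"
LOG_ACCEPT="LogAcc"
LOG_DROP="LogDrop"
# Various
NRPORTS="1024:" # non-privileged (client side) port range

### BEGIN
# Flush and remove all chains then default the policies to DENY
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do
  "$IPCH" -P "$i" DENY
done
# Refuse to build address-based rules from an empty LOCAL_IP.  The policies
# above are already DENY, so the host fails closed rather than installing
# malformed rules.
if [ -z "$LOCAL_IP" ]; then
  echo "$0 : cannot determine the IP address of $IFACE, leaving policies at DENY" >&2
  exit 1
fi

### Create and set personal chains
# Log and deny chain
"$IPCH" -N "$LOG_DROP"           # Create a new one
"$IPCH" -A "$LOG_DROP" -j DENY -l   # Log and deny
# Log and accept chain
"$IPCH" -N "$LOG_ACCEPT"         # Create a new one
"$IPCH" -A "$LOG_ACCEPT" -j ACCEPT -l # Log and accept

### LOOPBACK AND REMOTE MANAGEMENT
# Allow whatever on loopback
"$IPCH" -A output -i lo -j ACCEPT
"$IPCH" -A input -i lo -j ACCEPT
# Allow SSH remote management from each administration host: the opening
# SYN (-y) of every connection is logged, the rest of the flow is accepted
# silently.  The original used $ADM_IP instead of $i inside the loop, which
# only worked when the list held a single address.
for i in $ADM_IP; do
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -y -j "$LOG_ACCEPT"
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -j ACCEPT
  "$IPCH" -A output -p tcp -s "$LOCAL_IP" 22 -d "$i" "$NRPORTS" -j ACCEPT
done

### ALLOW THESE TCP CONNECTIONS
# Allow HTTP/HTTPS to the HTTP proxy servers; an incoming SYN that claims
# to come from the proxy port is logged and denied.
for i in $PROXY_IP; do
  "$IPCH" -A output -p tcp --sport "$NRPORTS" -d "$i" 8080 -j ACCEPT
  "$IPCH" -A input -p tcp -s "$i" 8080 -y -j "$LOG_DROP"
  "$IPCH" -A input -p tcp -s "$i" 8080 --dport "$NRPORTS" -j ACCEPT
done
### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to the Prelude server; log incoming SYNs from its ports
# "$IPCH" -A output -p tcp --sport "$NRPORTS" -d {PRELUDE_SRV_IP} 5553:5554 -j ACCEPT
# "$IPCH" -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 -y -j "$LOG_DROP"
# "$IPCH" -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 --dport "$NRPORTS" -j ACCEPT

### ALLOW THESE UDP CONNECTIONS
# Allow DNS Protocol to DNS Servers
for i in $DNS_IP; do
  "$IPCH" -A output -p udp --sport "$NRPORTS" -d "$i" 53 -j ACCEPT
  "$IPCH" -A input -p udp -s "$i" 53 --dport "$NRPORTS" -j ACCEPT
done
### Uncomment if you want to use communications to NTP servers.
### => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
# for i in $NTP_IP; do
#   "$IPCH" -A output -p udp --sport "$NRPORTS" -d "$i" 123 -j ACCEPT
#   "$IPCH" -A input -p udp -s "$i" 123 --dport "$NRPORTS" -j ACCEPT
# done

### ALLOW THESE ICMP REQUESTS AND RESPONSES
### Uncomment if you want certain hosts to be able to send us icmp requests
### => Also uncomment and set ICMP_IP at the beginning of the script
## Allow some hosts' icmp requests
# for i in $ICMP_IP; do
#   "$IPCH" -A input -p icmp --icmp-type echo-request -s "$i" -j ACCEPT
#   "$IPCH" -A input -p icmp --icmp-type destination-unreachable -s "$i" -j ACCEPT
#   "$IPCH" -A input -p icmp --icmp-type time-exceeded -s "$i" -j ACCEPT
#   "$IPCH" -A output -p icmp --icmp-type echo-reply -d "$i" -j ACCEPT
# done

### ALLOW SPECIFIC PROTOCOLS
### Uncomment if you want to allow NetBios network streams
### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow NetBios protocol with certain hosts
# "$IPCH" -A output -p udp --sport 137:138 -d "$BROADCAST_IP" 137:138 -j ACCEPT
# for i in $WINS_IP; do
#   "$IPCH" -A output -p udp --sport 137 -d "$i" 137 -j ACCEPT
#   "$IPCH" -A input -p udp -s "$i" --dport 137 -j ACCEPT
# done
## Allow but log incoming syn connections on port 139.
# for i in $NETBIOS_IP; do
#   "$IPCH" -A input -p udp -s "$i" 137 --dport 137 -j ACCEPT
#   "$IPCH" -A output -p udp --sport 137 -d "$i" 137 -j ACCEPT
#   "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" --dport 139 -y -j "$LOG_ACCEPT"
#   "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" --dport 139 -j ACCEPT
#   "$IPCH" -A output -p tcp --sport 139 -d "$i" "$NRPORTS" -j ACCEPT
# done

### AND LAST : LOG AND DENY
# Catch-all: anything not accepted above is logged, then denied.
for i in $DEFAULT_POL; do
  "$IPCH" -A "$i" -j "$LOG_DROP"
done
echo "$0 done"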
Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with the Invariant Sections being
LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the
Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should
be present in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is
correct, have a look at the official http://www.fsf.org/licenses/fdl.txt
licence file.