IdentifiantMot de passe
Loading...
Mot de passe oublié ?Je m'inscris ! (gratuit)

Installation et sécurisation d'une station Debian 3.0 stable


Installation et sécurisation d'une station Debian 3.0 stable

15/05/2004




ANNEXE 7. Paramètrage du firewall NetFilter


ANNEXE 7. Paramètrage du firewall NetFilter


/home/system/scripts/fw/custom_net.sh : voir ANNEXE 1 - Paramètrage du firewall Ipchains

/etc/init.d/init_iptables.sh :

#!/bin/sh # # Debian-secinst v0.1.3 : ANNEXE 7 - Paramètrage du firewall NetFilter # Simon Castro # RULES_UP=/home/system/scripts/fw/rules_up_iptables.sh RULES_DOWN=/home/system/scripts/fw/rules_down_iptables.sh case "$1" in start) if [ -f $RULES_UP ] && [ -x $RULES_UP ] then $RULES_UP else echo "$0 : Cannot execute $RULES_UP !!!" exit 0 fi ;; stop) if [ -f $RULES_DOWN ] && [ -x $RULES_DOWN ] then $RULES_DOWN else echo "$0 : Cannot execute $RULES_DOWN !!!" exit 0 fi ;; restart) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0
/home/system/scripts/fw/rules_down_iptables.sh :

#!/bin/sh # # Debian-secinst v0.1.3 : ANNEXE 7 - Paramètrage du firewall NetFilter # Simon Castro # IPT=/sbin/iptables ### CHECK KERNEL VERSION AND BINARY PRESENCE if [ ! -f $IPT ] && [ ! -x $IPT ] ; then exit 0 ; fi CHECK=`$IPT -L -n 2>&1 > /dev/null || echo "bad"` if [ "$CHECK" ] then echo "$0 : Not with this kernel" exit 0 fi ### VARIABLES DEFAULT_POL="INPUT OUTPUT FORWARD" # Default policies ### BEGIN # Flush and remove all chains then default the policies to ACCEPT $IPT -F $IPT -X for i in $DEFAULT_POL do $IPT -P $i ACCEPT done echo "$0 done"
/home/system/scripts/fw/rules_up_iptables.sh :

#!/bin/sh # # Debian-secinst v0.1.4 : ANNEXE 7 - Paramètrage du firewall NetFilter # Simon Castro # IPT=/sbin/iptables ### CHECK KERNEL VERSION AND BINARY PRESENCE if [ ! -f $IPT ] && [ ! -x $IPT ] ; then exit 0 ; fi CHECK=`$IPT -L -n 2>&1 > /dev/null || echo "bad"` if [ "$CHECK" ] then echo "$0 : Not with this kernel" exit 0 fi ### Set OUR value to the printk variable echo "6 4 1 7" > /proc/sys/kernel/printk ### NETWORK CUSTOMIZATION test -f /home/system/scripts/fw/custom_net.sh && test -x /home/system/scripts/fw/custom_net.sh && /home/system/scripts/fw/custom_net.sh ### VARIABLES INT=eth0 # Addresses LOCAL_IP=`ifconfig $INT | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 }'` # Get local Eth0 IP Address BROADCAST_IP=`ifconfig eth0 | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 }'` # Get local Eth0 Broadcast IP Address ADM_IP="@IP_ADM1 @IP_ADMx" # Ip Address of the remote allowed administration stations DNS_IP="@IP_DNS1 @IP_DNSx" PROXY_IP="@IP_PROXY1 @IP_PROXYx" #NTP_IP="@IP_NTPSERVERS" #ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS" #WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS" #NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS" # Personal Chains and default policie DEFAULT_POL="INPUT OUTPUT FORWARD" LOG_ACCEPT="LogAccept" LOG_DROP="LogDrop" LOOPBACK="DLoopBack" CHECK_TCP="DCheckTcp" # Various RPORTS=":1024" NRPORTS="1024:" ### BEGIN # Flush and remove all chains then default the policies to DROP $IPT -F $IPT -X for i in $DEFAULT_POL do $IPT -P $i DROP done ### Create and set personnal chains # # NDR : (the log-prefix is used in the syslog.conf) # # Log and accept chain $IPT -N $LOG_ACCEPT # Create a new one $IPT -A $LOG_ACCEPT -j LOG --log-prefix 'Packet log '$LOG_ACCEPT' ' --log-tcp-options --log-ip-options --log-level 7 # Log and accept $IPT -A $LOG_ACCEPT -j ACCEPT # Log and drop chain $IPT -N $LOG_DROP # Create a new one $IPT -A $LOG_DROP -j LOG --log-prefix 'Packet log '$LOG_DROP' ' --log-tcp-options --log-ip-options --log-level 7 # Log and drop $IPT -A $LOG_DROP -j DROP # Check valid tcp connections chain $IPT -N $CHECK_TCP $IPT -A $CHECK_TCP -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j RETURN $IPT -A $CHECK_TCP -p tcp ! --syn -m state --state ESTABLISHED -j RETURN $IPT -A $CHECK_TCP -j LOG --log-prefix 'Packet log '$LOG_DROP'/Invalid ' --log-tcp-options --log-ip-options --log-level 7 # Log and drop $IPT -A $CHECK_TCP -j DROP # Accept chain on loopback (to get a cleaver 'iptables -L -n') $IPT -N $LOOPBACK $IPT -A $LOOPBACK -j ACCEPT ### LOOPBACK, TCP DEFAULT CHECK AND REMOTE MANAGEMENT # Allow whatever on loopback $IPT -A INPUT -i lo -j $LOOPBACK $IPT -A OUTPUT -o lo -j $LOOPBACK # Check TCP flags on related connections $IPT -A INPUT -i eth0 -p tcp -j $CHECK_TCP $IPT -A OUTPUT -o eth0 -p tcp -j $CHECK_TCP # Allow SSH remote management and log Syn connections for i in $ADM_IP do $IPT -A INPUT -i $INT -p tcp -s $i --sport $NRPORTS -d $LOCAL_IP --dport 22 -m state --state NEW -j $LOG_ACCEPT $IPT -A INPUT -i $INT -p tcp -s $i --sport $NRPORTS -d $LOCAL_IP --dport 22 -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -o $INT -p tcp -s $LOCAL_IP --sport 22 -d $i --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT done ### ALLOW THESE TCP CONNECTIONS # Allow HTTP/HTTPS to HTTP proxy servers for i in $PROXY_IP do $IPT -A OUTPUT -o $INT -p tcp --sport $NRPORTS -d $i --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A INPUT -i $INT -p tcp -s $i --sport 8080 --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT done ### Uncomment if you want to use Prelude communications. ## Allow Prelude communications to Prelude server # $IPT -A OUTPUT -o $INT -p tcp --sport $NRPORTS -d {PRELUDE_SRV_IP} --dport 5553:5554 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A INPUT -i $INT -p tcp -s {PRELUDE_SRV_IP} --sport 5553:5554 --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT ### ALLOW THESE UDP CONNECTIONS # Allow DNS Protocol to DNS Servers for i in $DNS_IP do $IPT -A OUTPUT -o $INT -p udp --sport $NRPORTS -d $i --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT $IPT -A INPUT -i $INT -p udp -s $i --sport 53 --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT done ### Uncomment if you want to allow communications to NTP servers ### => Also uncomment and set NTP_IP at the beginning of the script. ## Allow NTP Protocol to NTP Servers # for i in $NTP_IP # do # $IPT -A OUTPUT -o $INT -p udp --sport $NRPORTS -d $i --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A INPUT -i $INT -p udp -s $i --sport 123 --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT # done ### ALLOW THESE ICMP REQUESTS AND RESPONSES ### Uncomment if you want to certain hosts to send us icmp requests ### => Also uncomment and set ICMP_IP at the beginning of the script # Allow some host's icmp requests #for i in $ICMP_IP # do # $IPT -A INPUT -i $INT -p icmp --icmp-type echo-request -s $i -m state --state NEW -j ACCEPT # $IPT -A INPUT -i $INT -p icmp --fragment -j DROP # $IPT -A INPUT -i $INT -p icmp --icmp-type destination-unreachable -s $i -j ACCEPT # $IPT -A INPUT -i $INT -p icmp --icmp-type time-exceeded -s $i -m state --state RELATED -j ACCEPT # $IPT -A OUTPUT -o $INT -p icmp --icmp-type echo-reply -d $i -m state --state ESTABLISHED,RELATED -j ACCEPT #done ### ALLOW SPECIFIC PROTOCOLS ### Uncomment if you want to allow NetBios networks streams ### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script ## Allow NetBios protocol with certains hosts #$IPT -A OUTPUT -o $INT -p udp --sport 137:138 -d $BROADCAST_IP --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT #for i in $WINS_IP # do # $IPT -A OUTPUT -o $INT -p udp --sport 137 -d $i --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A INPUT -i $INT -p udp -s $i --sport 137 --dport 137 -m state --state ESTABLISHED -j ACCEPT #done ## Allow but log incoming syn connections on the 139 port number. #for i in $NETBIOS_IP # do # $IPT -A INPUT -i $INT -p udp -s $i --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT # $IPT -A OUTPUT -o $INT -p udp --sport 137 -d $i --dport 137 -m state --state ESTABLISHED -j ACCEPT # $IPT -A INPUT -i $INT -p tcp -s $i --sport $NRPORTS --dport 139 -m state --state NEW -j $LOG_ACCEPT # $IPT -A INPUT -i $INT -p tcp -s $i --sport $NRPORTS --dport 139 -m state --state ESTABLISHED -j ACCEPT # $IPT -A OUTPUT -o $INT -p tcp --sport 139 -d $i --dport $NRPORTS -m state --state ESTABLISHED -j ACCEPT #done ### AND LAST : LOG AND DENY for i in $DEFAULT_POL do $IPT -A $i -j $LOG_DROP ; done echo "$0 done"


Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should be présent in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is correct, have a look on the official http://www.fsf.org/licenses/fdl.txt licence file.
Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should be présent in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is correct, have a look on the official http://www.fsf.org/licenses/fdl.txt licence file.