Installation et sécurisation d'une station Debian 3.0 stable — 15/05/2004
ANNEXE 7. Paramètrage du firewall NetFilter
ANNEXE 7. Paramètrage du firewall NetFilter
/home/system/scripts/fw/custom_net.sh : voir ANNEXE 1 - Paramètrage du firewall Ipchains
/etc/init.d/init_iptables.sh :
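#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 7 - Paramètrage du firewall NetFilter
# Simon Castro
#
# Init wrapper for the NetFilter rule set: "start" runs the rule loader,
# "stop" runs the rule teardown, "restart" does both.  All real work is
# delegated to the two scripts below; this wrapper only verifies that they
# exist and are executable before running them.
RULES_UP=/home/system/scripts/fw/rules_up_iptables.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_iptables.sh

# Run the rule script given as $1 when it is an executable regular file.
# Diagnostics go to stderr.  NOTE: a missing or non-executable rule script is
# reported but the exit status stays 0 (kept from the original), so the init
# sequence will not flag a firewall that failed to load -- check the boot
# output/log if remote access or filtering is not as expected.
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    "$1"
  else
    echo "$0 : Cannot execute $1 !!!" >&2
    exit 0
  fi
}

case "$1" in
  start)
    run_rules "$RULES_UP"
    ;;
  stop)
    run_rules "$RULES_DOWN"
    ;;
  restart)
    # Re-invoke ourselves so each phase gets the same checks as above.
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0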
/home/system/scripts/fw/rules_down_iptables.sh :
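#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 7 - Paramètrage du firewall NetFilter
# Simon Castro
#
# Tear down the NetFilter rule set: flush every rule, delete the user-defined
# chains and reset the built-in policies to ACCEPT.
# NOTE: once this has run the host accepts all traffic on every interface;
# it is meant for the "stop" phase of the init script.  rules_up_iptables.sh
# re-applies DROP policies itself, so a restart goes through an open window
# only for the time between the two scripts.
IPT=/sbin/iptables
### CHECK KERNEL VERSION AND BINARY PRESENCE
# Either condition alone must stop the script; the original joined them with
# '&&', which only bailed out when the path was neither a file nor executable.
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# Redirection order matters: stderr is captured while the listing itself is
# discarded, so CHECK holds whatever iptables complained about (e.g. missing
# ip_tables support in the running kernel) or "bad" when it exited non-zero.
CHECK=$("$IPT" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel" >&2
  exit 0
fi
### VARIABLES
DEFAULT_POL="INPUT OUTPUT FORWARD" # Built-in chains whose policy is reset
### BEGIN
# Flush and remove all chains then default the policies to ACCEPT
"$IPT" -F
"$IPT" -X
# Word-splitting of the space-separated list is intended.
for chain in $DEFAULT_POL; do
  "$IPT" -P "$chain" ACCEPT
done
echo "$0 done"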
/home/system/scripts/fw/rules_up_iptables.sh :
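#!/bin/sh
#
# Debian-secinst v0.1.4 : ANNEXE 7 - Paramètrage du firewall NetFilter
# Simon Castro
#
# Build the NetFilter rule set for a single-interface workstation: every
# built-in chain gets a DROP policy, then loopback, SSH from the administration
# hosts, HTTP proxy and DNS are allowed explicitly, and a log-and-drop catch-all
# is appended last.  Rule order is significant: chains are evaluated top to
# bottom, so keep the catch-all at the end.
IPT=/sbin/iptables
### CHECK KERNEL VERSION AND BINARY PRESENCE
# Either condition alone must stop the script; the original joined them with
# '&&', which only bailed out when the path was neither a file nor executable.
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# Redirection order matters: stderr is captured while the listing itself is
# discarded, so CHECK holds whatever iptables complained about or "bad" when
# it exited non-zero.
CHECK=$("$IPT" -L -n 2>&1 >/dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  echo "$0 : Not with this kernel" >&2
  exit 0
fi
### Set OUR value to the printk variable
# kernel.printk: console level 6, so the --log-level 7 entries generated by
# the LOG rules below reach syslog but are kept off the console.
echo "6 4 1 7" > /proc/sys/kernel/printk
### NETWORK CUSTOMIZATION
# Optional site hook (see ANNEXE 1); run only when present and executable.
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi
### VARIABLES
INT=eth0
# Addresses
# Both addresses are read from $INT; the original read the broadcast address
# from a hard-coded eth0, which silently diverged when INT was changed.
LOCAL_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 }')      # local $INT IP address
BROADCAST_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 }') # local $INT broadcast address
if [ -z "$LOCAL_IP" ]; then
  # The SSH rules below pass $LOCAL_IP as -d/-s; an empty value makes iptables
  # reject them, so remote administration would not be allowed through.
  echo "$0 : cannot determine the IP address of $INT" >&2
fi
ADM_IP="@IP_ADM1 @IP_ADMx"       # remote administration stations allowed to SSH in
DNS_IP="@IP_DNS1 @IP_DNSx"       # DNS servers
PROXY_IP="@IP_PROXY1 @IP_PROXYx" # HTTP proxy servers
#NTP_IP="@IP_NTPSERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"
# Personal chains and default policies
DEFAULT_POL="INPUT OUTPUT FORWARD"
LOG_ACCEPT="LogAccept"
LOG_DROP="LogDrop"
LOOPBACK="DLoopBack"
CHECK_TCP="DCheckTcp"
# Various
RPORTS=":1024"  # privileged port range (not used by this script; kept for custom rules)
NRPORTS="1024:" # unprivileged (client-side) port range
### BEGIN
# Flush and remove all chains then default the policies to DROP.
# From this point nothing is accepted until the rules below are in place.
"$IPT" -F
"$IPT" -X
# Word-splitting of the space-separated lists is intended in every loop below.
for chain in $DEFAULT_POL; do
  "$IPT" -P "$chain" DROP
done
### Create and set personal chains
#
# Note: the log-prefix is used in syslog.conf to route these entries.
#
# Log and accept chain
"$IPT" -N "$LOG_ACCEPT"
"$IPT" -A "$LOG_ACCEPT" -j LOG --log-prefix "Packet log $LOG_ACCEPT " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_ACCEPT" -j ACCEPT
# Log and drop chain
"$IPT" -N "$LOG_DROP"
"$IPT" -A "$LOG_DROP" -j LOG --log-prefix "Packet log $LOG_DROP " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_DROP" -j DROP
# Check valid tcp connections chain: a NEW connection must carry SYN alone
# (of SYN,ACK,FIN,RST) and an ESTABLISHED one must not be a lone SYN;
# anything else is logged and dropped.
"$IPT" -N "$CHECK_TCP"
"$IPT" -A "$CHECK_TCP" -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j RETURN
"$IPT" -A "$CHECK_TCP" -p tcp ! --syn -m state --state ESTABLISHED -j RETURN
"$IPT" -A "$CHECK_TCP" -j LOG --log-prefix "Packet log $LOG_DROP/Invalid " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$CHECK_TCP" -j DROP
# Accept chain on loopback (to get a clearer 'iptables -L -n')
"$IPT" -N "$LOOPBACK"
"$IPT" -A "$LOOPBACK" -j ACCEPT
### LOOPBACK, TCP DEFAULT CHECK AND REMOTE MANAGEMENT
# Allow whatever on loopback
"$IPT" -A INPUT -i lo -j "$LOOPBACK"
"$IPT" -A OUTPUT -o lo -j "$LOOPBACK"
# Check TCP flags on related connections.  These hook on $INT (the original
# hard-coded eth0 here, so the check was skipped whenever INT was changed).
"$IPT" -A INPUT -i "$INT" -p tcp -j "$CHECK_TCP"
"$IPT" -A OUTPUT -o "$INT" -p tcp -j "$CHECK_TCP"
# Allow SSH remote management and log Syn connections
for adm in $ADM_IP; do
  "$IPT" -A INPUT -i "$INT" -p tcp -s "$adm" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state NEW -j "$LOG_ACCEPT"
  "$IPT" -A INPUT -i "$INT" -p tcp -s "$adm" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -o "$INT" -p tcp -s "$LOCAL_IP" --sport 22 -d "$adm" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done
### ALLOW THESE TCP CONNECTIONS
# Allow HTTP/HTTPS to HTTP proxy servers
for proxy in $PROXY_IP; do
  "$IPT" -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d "$proxy" --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i "$INT" -p tcp -s "$proxy" --sport 8080 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done
### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to Prelude server
# "$IPT" -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d {PRELUDE_SRV_IP} --dport 5553:5554 -m state --state NEW,ESTABLISHED -j ACCEPT
# "$IPT" -A INPUT -i "$INT" -p tcp -s {PRELUDE_SRV_IP} --sport 5553:5554 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
### ALLOW THESE UDP CONNECTIONS
# Allow DNS Protocol to DNS Servers
for dns in $DNS_IP; do
  "$IPT" -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$dns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i "$INT" -p udp -s "$dns" --sport 53 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done
### Uncomment if you want to allow communications to NTP servers
### => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
# for ntp in $NTP_IP; do
#   "$IPT" -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$ntp" --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p udp -s "$ntp" --sport 123 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
# done
### ALLOW THESE ICMP REQUESTS AND RESPONSES
### Uncomment if you want certain hosts to send us icmp requests
### => Also uncomment and set ICMP_IP at the beginning of the script
# Allow some hosts' icmp requests
# for icmp in $ICMP_IP; do
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type echo-request -s "$icmp" -m state --state NEW -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p icmp --fragment -j DROP
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type destination-unreachable -s "$icmp" -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type time-exceeded -s "$icmp" -m state --state RELATED -j ACCEPT
#   "$IPT" -A OUTPUT -o "$INT" -p icmp --icmp-type echo-reply -d "$icmp" -m state --state ESTABLISHED,RELATED -j ACCEPT
# done
### ALLOW SPECIFIC PROTOCOLS
### Uncomment if you want to allow NetBios network streams
### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow NetBios protocol with certain hosts
# "$IPT" -A OUTPUT -o "$INT" -p udp --sport 137:138 -d "$BROADCAST_IP" --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
# for wins in $WINS_IP; do
#   "$IPT" -A OUTPUT -o "$INT" -p udp --sport 137 -d "$wins" --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p udp -s "$wins" --sport 137 --dport 137 -m state --state ESTABLISHED -j ACCEPT
# done
## Allow but log incoming syn connections on the 139 port number.
# for nb in $NETBIOS_IP; do
#   "$IPT" -A INPUT -i "$INT" -p udp -s "$nb" --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#   "$IPT" -A OUTPUT -o "$INT" -p udp --sport 137 -d "$nb" --dport 137 -m state --state ESTABLISHED -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p tcp -s "$nb" --sport "$NRPORTS" --dport 139 -m state --state NEW -j "$LOG_ACCEPT"
#   "$IPT" -A INPUT -i "$INT" -p tcp -s "$nb" --sport "$NRPORTS" --dport 139 -m state --state ESTABLISHED -j ACCEPT
#   "$IPT" -A OUTPUT -o "$INT" -p tcp --sport 139 -d "$nb" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
# done
### AND LAST : LOG AND DENY
# Catch-all: anything not accepted above is logged, then dropped.
for chain in $DEFAULT_POL; do
  "$IPT" -A "$chain" -j "$LOG_DROP"
done
echo "$0 done"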
Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with the Invariant Sections being
LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the
Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should
be present in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is
correct, have a look at the official http://www.fsf.org/licenses/fdl.txt
licence file.