
Installation et sécurisation d'une station Debian 3.0 stable



Annexe 7. Paramétrage du firewall NetFilter

/home/system/scripts/fw/custom_net.sh : voir Annexe 1 - Paramétrage du firewall Ipchains

/etc/init.d/init_iptables.sh :

 
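#!/bin/sh

#
# Debian-secinst v0.1.3 : APPENDIX 7 - NetFilter firewall configuration
# Simon Castro
#
# Init script wrapper around the two rules scripts: "start" loads the
# firewall (rules_up), "stop" flushes it (rules_down), "restart" does both.
#
# A rules script that cannot be run is reported on stderr and makes this
# script exit non-zero, so the init system is not told the firewall is up
# while the host actually came up without any rule loaded.
#

RULES_UP=/home/system/scripts/fw/rules_up_iptables.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_iptables.sh

# run_rules SCRIPT
#   Runs SCRIPT when it is a regular, executable file and propagates its exit
#   status.  Otherwise prints a diagnostic on stderr and returns 1.
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    "$1"
  else
    echo "$0 : Cannot execute $1 !!!" >&2
    return 1
  fi
}

case "$1" in
  start)
    run_rules "$RULES_UP" || exit 1
  ;;
  stop)
    run_rules "$RULES_DOWN" || exit 1
  ;;
  restart)
    # The status of "stop" is not decisive: "start" flushes everything again
    # before loading its rules, so only the "start" result is propagated.
    "$0" stop
    "$0" start || exit 1
  ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
  ;;
esac

exit 0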

/home/system/scripts/fw/rules_down_iptables.sh :

 
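#!/bin/sh

#
# Debian-secinst v0.1.3 : APPENDIX 7 - NetFilter firewall configuration
# Simon Castro
#
# Tears the firewall down: flushes every rule, deletes the user chains and
# resets the built-in policies to ACCEPT.  Once it has run the host accepts
# all traffic, so it is only meant for the init "stop" action and for
# maintenance windows.
#

IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE

# Either condition alone (missing binary OR not executable) means there is
# nothing we can do; the original "&&" only caught the missing-binary case.
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# A kernel without NetFilter support makes 'iptables -L' fail.
if ! "$IPT" -L -n > /dev/null 2>&1; then
  echo "$0 : Not with this kernel"
  exit 0
fi

### VARIABLES

DEFAULT_POL="INPUT OUTPUT FORWARD" # Built-in chains whose policy is reset

### BEGIN

# Flush and remove all chains then default the policies to ACCEPT
"$IPT" -F
"$IPT" -X
for chain in $DEFAULT_POL; do
  "$IPT" -P "$chain" ACCEPT
done

echo "$0 done"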

/home/system/scripts/fw/rules_up_iptables.sh :

 
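#!/bin/sh

#
# Debian-secinst v0.1.4 : APPENDIX 7 - NetFilter firewall configuration
# Simon Castro
#
# Loads the host firewall: default DROP policy on INPUT/OUTPUT/FORWARD,
# logging chains, a TCP flag sanity chain, then explicit allow rules for SSH
# administration, the HTTP proxies and the DNS servers.  Everything else is
# logged and dropped by the last rule appended to each built-in chain.
#
# Before use, replace every "@..." placeholder in the VARIABLES section with
# real addresses.  The script refuses to run while one is left: with a DROP
# policy and no working SSH rule the administrator would be locked out.
#

IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE

# Either condition alone (missing binary OR not executable) means there is
# nothing we can do; the original "&&" only caught the missing-binary case.
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# A kernel without NetFilter support makes 'iptables -L' fail.
if ! "$IPT" -L -n > /dev/null 2>&1; then
  echo "$0 : Not with this kernel"
  exit 0
fi

### Set OUR value to the printk variable
echo "6 4 1 7" > /proc/sys/kernel/printk

### NETWORK CUSTOMIZATION

# Optional site-specific hook (see Appendix 1); run only when present and
# executable.
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi

### VARIABLES

INT=eth0

# Addresses, read from ifconfig on $INT (the original queried a hard-coded
# eth0 for the broadcast address).  Only the first "addr:" field carrying a
# value is taken, so the IPv6 "addr: ..." line (value separated by a space)
# cannot leak an empty record into LOCAL_IP.
LOCAL_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ && $2 != "" { print $2 ; exit }')          # Local IP address of $INT
BROADCAST_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ && $2 != "" { print $2 ; exit }')     # Broadcast address of $INT

ADM_IP="@IP_ADM1 @IP_ADMx" # IP addresses of the remote allowed administration stations

DNS_IP="@IP_DNS1 @IP_DNSx"
PROXY_IP="@IP_PROXY1 @IP_PROXYx"
#NTP_IP="@IP_NTPSERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"

# Personal chains and default policies
DEFAULT_POL="INPUT OUTPUT FORWARD"
LOG_ACCEPT="LogAccept"
LOG_DROP="LogDrop"
LOOPBACK="DLoopBack"
CHECK_TCP="DCheckTcp"

# Various
RPORTS=":1024"   # Reserved port range (currently unused, kept for local rules)
NRPORTS="1024:"  # Unprivileged (client side) port range

### SANITY CHECKS

# Abort BEFORE the policies are set to DROP if a placeholder was left unset
# or the local address could not be determined; a failing SSH rule further
# down would otherwise lock the administrator out of the host.
for addr in $ADM_IP $DNS_IP $PROXY_IP; do
  case "$addr" in
    @*)
      echo "$0 : address placeholder '$addr' is not set, aborting" >&2
      exit 1
    ;;
  esac
done
if [ -z "$LOCAL_IP" ]; then
  echo "$0 : cannot determine the IP address of $INT, aborting" >&2
  exit 1
fi

### BEGIN

# Flush and remove all chains then default the policies to DROP
"$IPT" -F
"$IPT" -X
for chain in $DEFAULT_POL; do
  "$IPT" -P "$chain" DROP
done

### Create and set personal chains
#
# NB : the log-prefix is used in the syslog.conf
#

# Log and accept chain
"$IPT" -N "$LOG_ACCEPT"
"$IPT" -A "$LOG_ACCEPT" -j LOG --log-prefix "Packet log $LOG_ACCEPT " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_ACCEPT" -j ACCEPT

# Log and drop chain
"$IPT" -N "$LOG_DROP"
"$IPT" -A "$LOG_DROP" -j LOG --log-prefix "Packet log $LOG_DROP " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_DROP" -j DROP

# Check valid tcp connections chain: a NEW connection must be a bare SYN and
# an ESTABLISHED one must not carry SYN; anything else is logged and dropped.
"$IPT" -N "$CHECK_TCP"
"$IPT" -A "$CHECK_TCP" -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j RETURN
"$IPT" -A "$CHECK_TCP" -p tcp ! --syn -m state --state ESTABLISHED -j RETURN
"$IPT" -A "$CHECK_TCP" -j LOG --log-prefix "Packet log $LOG_DROP/Invalid " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$CHECK_TCP" -j DROP

# Accept chain on loopback (to get a clearer 'iptables -L -n')
"$IPT" -N "$LOOPBACK"
"$IPT" -A "$LOOPBACK" -j ACCEPT

### LOOPBACK, TCP DEFAULT CHECK AND REMOTE MANAGEMENT

# Allow whatever on loopback
"$IPT" -A INPUT  -i lo -j "$LOOPBACK"
"$IPT" -A OUTPUT -o lo -j "$LOOPBACK"

# Check TCP flags on related connections (on $INT, not a hard-coded eth0)
"$IPT" -A INPUT  -i "$INT" -p tcp -j "$CHECK_TCP"
"$IPT" -A OUTPUT -o "$INT" -p tcp -j "$CHECK_TCP"

# Allow SSH remote management and log Syn connections
for adm in $ADM_IP; do
  "$IPT" -A INPUT  -i "$INT" -p tcp -s "$adm" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state NEW         -j "$LOG_ACCEPT"
  "$IPT" -A INPUT  -i "$INT" -p tcp -s "$adm" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -o "$INT" -p tcp -s "$LOCAL_IP" --sport 22 -d "$adm" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done

### ALLOW THESE TCP CONNECTIONS

# Allow HTTP/HTTPS to HTTP proxy servers
for proxy in $PROXY_IP; do
  "$IPT" -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d "$proxy" --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT  -i "$INT" -p tcp -s "$proxy" --sport 8080 --dport "$NRPORTS" -m state --state ESTABLISHED     -j ACCEPT
done

### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to Prelude server
#  "$IPT" -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d {PRELUDE_SRV_IP} --dport 5553:5554 -m state --state NEW,ESTABLISHED -j ACCEPT
#  "$IPT" -A INPUT  -i "$INT" -p tcp -s {PRELUDE_SRV_IP} --sport 5553:5554 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT

### ALLOW THESE UDP CONNECTIONS

# Allow DNS Protocol to DNS Servers
for dns in $DNS_IP; do
  "$IPT" -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$dns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT  -i "$INT" -p udp -s "$dns" --sport 53 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done

### Uncomment if you want to allow communications to NTP servers
###  => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
#  for ntp in $NTP_IP; do
#    "$IPT" -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$ntp" --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
#    "$IPT" -A INPUT  -i "$INT" -p udp -s "$ntp" --sport 123 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
#  done

### ALLOW THESE ICMP REQUESTS AND RESPONSES

### Uncomment if you want certain hosts to send us icmp requests
###  => Also uncomment and set ICMP_IP at the beginning of the script
# Allow some hosts' icmp requests
#for icmp in $ICMP_IP; do
#  "$IPT" -A INPUT  -i "$INT" -p icmp --icmp-type echo-request -s "$icmp" -m state --state NEW -j ACCEPT
#  "$IPT" -A INPUT  -i "$INT" -p icmp --fragment -j DROP
#  "$IPT" -A INPUT  -i "$INT" -p icmp --icmp-type destination-unreachable -s "$icmp" -j ACCEPT
#  "$IPT" -A INPUT  -i "$INT" -p icmp --icmp-type time-exceeded -s "$icmp" -m state --state RELATED -j ACCEPT
#  "$IPT" -A OUTPUT -o "$INT" -p icmp --icmp-type echo-reply -d "$icmp" -m state --state ESTABLISHED,RELATED -j ACCEPT
#done

### ALLOW SPECIFIC PROTOCOLS

### Uncomment if you want to allow NetBios network streams
###  => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow NetBios protocol with certain hosts
#"$IPT" -A OUTPUT -o "$INT" -p udp --sport 137:138 -d "$BROADCAST_IP" --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
#for wins in $WINS_IP; do
#  "$IPT" -A OUTPUT -o "$INT" -p udp --sport 137 -d "$wins" --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#  "$IPT" -A INPUT  -i "$INT" -p udp -s "$wins" --sport 137 --dport 137 -m state --state ESTABLISHED -j ACCEPT
#done
## Allow but log incoming syn connections on the 139 port number.
#for nb in $NETBIOS_IP; do
#  "$IPT" -A INPUT  -i "$INT" -p udp -s "$nb" --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#  "$IPT" -A OUTPUT -o "$INT" -p udp --sport 137 -d "$nb" --dport 137 -m state --state ESTABLISHED -j ACCEPT
#  "$IPT" -A INPUT  -i "$INT" -p tcp -s "$nb" --sport "$NRPORTS" --dport 139 -m state --state NEW -j "$LOG_ACCEPT"
#  "$IPT" -A INPUT  -i "$INT" -p tcp -s "$nb" --sport "$NRPORTS" --dport 139 -m state --state ESTABLISHED -j ACCEPT
#  "$IPT" -A OUTPUT -o "$INT" -p tcp --sport 139 -d "$nb" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
#done

### AND LAST : LOG AND DENY

# Everything not matched above is logged then dropped; the policy is already
# DROP, the LogDrop jump only adds the syslog trace.
for chain in $DEFAULT_POL; do
  "$IPT" -A "$chain" -j "$LOG_DROP"
done

echo "$0 done"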


Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should be present in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is correct, have a look on the official http://www.fsf.org/licenses/fdl.txt licence file.