############### exemple de conf pour iptables #####################
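#!/bin/sh
#
# Example iptables firewall for a small router: one interface facing the
# internal LAN, one facing the outside, with masquerading (NAT) for the LAN.
# Run as root and adapt the interface/address variables below first.
#
# The script sets DROP policies on INPUT and FORWARD before flushing, so a
# failure half-way through (for example an option this kernel does not
# support) leaves the host closed rather than open. Validate it from the
# console rather than over ssh the first time it runs on a given kernel.
set -eu

## Network information.
INTERNALIF="eth1"              # Interface facing the internal network.
INTERNALNET="192.168.1.0/24"   # Internal network.
INTERNALBCAST="192.168.1.255"  # Internal broadcast address.
EXTERNALIF="eth0"              # Interface facing the outside.
# External IP address, needed by the (disabled) DNAT section below.
# shellcheck disable=SC2034
EXTERNALIP="1.2.3.4"

command -v iptables >/dev/null 2>&1 || {
  printf 'iptables not found in PATH\n' >&2
  exit 1
}

# Make a half-applied ruleset visible to the operator.
trap 'rc=$?; [ "$rc" -eq 0 ] || printf "firewall script aborted with status %s\n" "$rc" >&2' EXIT

#######################################
# Write a value to a /proc/sys entry.
# Arguments: $1 - path relative to /proc/sys (e.g. net/ipv4/ip_forward)
#            $2 - value to write
# Outputs:   a warning on stderr when the entry does not exist; the entry is
#            then skipped, since not every kernel exposes every option.
#######################################
set_sysctl() {
  if [ -w "/proc/sys/$1" ]; then
    printf '%s\n' "$2" > "/proc/sys/$1"
  else
    printf 'warning: /proc/sys/%s not available, skipped\n' "$1" >&2
  fi
}

## Default policies: fail closed. The last rules of each chain below refuse
## everything anyway, so these only matter while the script is still running.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Remove all existing rules.
iptables -F INPUT      # rules on incoming packets
iptables -F OUTPUT     # rules on outgoing packets
iptables -F FORWARD    # rules on forwarding/masquerading
iptables -t nat -F     # NAT rules

## Kernel TCP/IP settings.
# Reverse-path filtering against spoofed source addresses. NOTE: on current
# kernels 1 is the strict check and 2 the loose one; for a two-interface
# router without asymmetric routing, 1 is the stronger setting.
set_sysctl net/ipv4/conf/all/rp_filter 2
# Do not answer broadcast pings.
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
# Enable forwarding between the interfaces.
set_sysctl net/ipv4/ip_forward 1
# Refuse source-routed packets.
set_sysctl net/ipv4/conf/all/accept_source_route 0
# Disable TCP timestamps.
set_sysctl net/ipv4/tcp_timestamps 0
# Enable SYN cookies.
set_sysctl net/ipv4/tcp_syncookies 1
# Ignore ICMP redirects.
set_sysctl net/ipv4/conf/all/accept_redirects 0
set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1
# Support a dynamically assigned external address.
set_sysctl net/ipv4/ip_dynaddr 1
# Log packets with impossible addresses (martians).
set_sysctl net/ipv4/conf/all/log_martians 1
# Local (ephemeral) port range.
set_sysctl net/ipv4/ip_local_port_range "32768 61000"

# Reduce exposure to DoS by shortening timeouts and bounding queue sizes.
set_sysctl net/ipv4/tcp_fin_timeout 30
set_sysctl net/ipv4/tcp_keepalive_time 1800
set_sysctl net/ipv4/tcp_window_scaling 1
set_sysctl net/ipv4/tcp_sack 0
set_sysctl net/ipv4/tcp_max_syn_backlog 1280

## Basic rules.
# Drop malformed packets: too short, TCP/UDP with port zero as source or
# destination, bad lengths, odd fragments ("unclean" match), plus anything
# the connection tracker classifies as INVALID.
# See http://www.linux-mag.com/2000-01/bestdefense_02.php
# The "unclean" match was experimental and is missing from many kernels, so
# its absence is reported instead of aborting the whole script.
iptables -A INPUT -m unclean -j DROP 2>/dev/null \
  || printf 'warning: "unclean" match unavailable, skipped\n' >&2
iptables -A FORWARD -m unclean -j DROP 2>/dev/null \
  || printf 'warning: "unclean" match unavailable, skipped\n' >&2
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Allow everything on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# Reject packets addressed to the loopback range that arrive on any other
# interface (real loopback traffic was accepted just above).
iptables -A INPUT -d 127.0.0.0/8 -j REJECT

# Unrestricted traffic from the internal network on the internal interface.
iptables -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT

# IPv6 tunnel (disabled).
#iptables -A INPUT -p ipv6 -j ACCEPT

# IPsec tunnel (disabled).
#iptables -A INPUT -p 50 -j ACCEPT
# All packets from the IPsec endpoint to the internal network (disabled).
#iptables -A FORWARD -i ipsec0 -o "$INTERNALIF" -j ACCEPT

# Drop packets from the outside claiming an internal source address. They
# are spoofed, so they are dropped silently: a REJECT would send the error
# towards the internal network, to a host that never sent anything.
iptables -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j DROP

## ICMP
# Do not forward pings from the outside into the internal network.
iptables -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF" -j REJECT

# Ping-flood protection: accept echo requests at one per second (plus the
# limit module's default burst) and drop the rest.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop ICMP sent to the internal broadcast address.
iptables -A INPUT -p icmp -d "$INTERNALBCAST" -j DROP

# Allow all other ICMP.
iptables -A INPUT -p icmp -j ACCEPT

# Allow established connections and related traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Do not forward SMB/NetBIOS traffic to the outside, and do not accept
# NetBIOS name service from the outside.
for port in 137 138 139; do
  iptables -A FORWARD -o "$EXTERNALIF" -p tcp --dport "$port" -j REJECT
done
for port in 137 138 139; do
  iptables -A FORWARD -o "$EXTERNALIF" -p udp --dport "$port" -j REJECT
done
iptables -A INPUT -i "$EXTERNALIF" -p udp --dport 137 -j REJECT

# Forward everything else from the internal network to the outside, and let
# the replies (established/related) back in.
iptables -A FORWARD -o "$EXTERNALIF" -i "$INTERNALIF" -j ACCEPT
iptables -A FORWARD -i "$EXTERNALIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCP client (disabled).
#iptables -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

# DHCP server on the internal interface (disabled).
#iptables -A INPUT -i "$INTERNALIF" -p tcp --sport 68 --dport 67 -j ACCEPT
#iptables -A INPUT -i "$INTERNALIF" -p udp --sport 68 --dport 67 -j ACCEPT

# Accept replies from the name servers listed in /etc/resolv.conf (disabled;
# the ESTABLISHED,RELATED rule above normally covers tracked replies).
#awk '/^nameserver/ {print $2}' /etc/resolv.conf \
#  | xargs -n1 iptables -A INPUT -p udp --sport 53 -j ACCEPT -s

# Incoming packets for the services offered by this host.
# NOTE: these rules carry no -i, so the ports are open on every interface.
iptables -A INPUT -p tcp --dport 20 -j ACCEPT     # ftp-data
iptables -A INPUT -p tcp --dport 21 -j ACCEPT     # ftp
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     # ssh
#iptables -A INPUT -p tcp --dport 23 -j ACCEPT    # telnet

# Mail server: new connections limited to one per second (burst 10) to
# soften DoS attempts; excess SYNs are dropped, non-SYN segments accepted.
iptables -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
  --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 --syn -j DROP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# POP3 (disabled)
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# IMAPS
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# identd (disabled; it is rejected further down instead)
#iptables -A INPUT -p tcp --dport 113 -j ACCEPT
# https
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# CVS pserver
iptables -A INPUT -p tcp --dport 2401 -j ACCEPT
# VNC server (disabled) - exposing it is not necessarily a good idea.
#iptables -A INPUT -p tcp --dport 5801 -j ACCEPT
#iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
#iptables -A INPUT -p tcp --dport 6001 -j ACCEPT

## DNAT (disabled). NOTE: 192.168.0.10 is not inside INTERNALNET
## (192.168.1.0/24) as configured above; adjust it before enabling.
#iptables -t nat -A PREROUTING -i "$EXTERNALIF" -p tcp \
#  -d "$EXTERNALIP" --dport 80 -j DNAT --to-destination 192.168.0.10:80
#iptables -A FORWARD -i "$EXTERNALIF" -p tcp \
#  -d 192.168.0.10 --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -i "$EXTERNALIF" -p tcp \
#  -d "$EXTERNALIP" --dport 25 -j DNAT --to-destination 192.168.0.10:25
#iptables -A FORWARD -i "$EXTERNALIF" -p tcp \
#  -d 192.168.0.10 --dport 25 -j ACCEPT

# Some ports are logged and then refused. The bare "-m limit" uses the
# module defaults (3/hour, burst 5) so the log cannot be flooded.
#iptables -A INPUT -p tcp --dport 1433 -m limit -j LOG \
#  --log-prefix "Firewalled packet: MSSQL "
#iptables -A INPUT -p tcp --dport 1433 -j DROP
#iptables -A INPUT -p tcp --dport 6670 -m limit -j LOG \
#  --log-prefix "Firewalled packet: Deepthrt "
#iptables -A INPUT -p tcp --dport 6670 -j DROP
#iptables -A INPUT -p tcp --dport 6711 -m limit -j LOG \
#  --log-prefix "Firewalled packet: Sub7 "
#iptables -A INPUT -p tcp --dport 6711 -j DROP
#iptables -A INPUT -p tcp --dport 31337 -m limit -j LOG \
#  --log-prefix "Firewalled packet: BO "
#iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 6000 -m limit -j LOG \
  --log-prefix "Firewalled packet: XWin "
iptables -A INPUT -p tcp --dport 6000 -j DROP

# Drop incoming traceroute probes.
iptables -A INPUT -p udp --dport 33434:33523 -j DROP

# identd: rejected rather than dropped, so the remote side gets an
# immediate answer instead of waiting for a timeout.
iptables -A INPUT -p tcp --dport 113 -j REJECT

# Refuse IGMP without logging it.
iptables -A INPUT -p igmp -j REJECT

# Refuse http(s) without logging it. NOTE: while ports 80 and 443 are
# accepted above these two rules never match; they only take effect once
# those ACCEPT rules are disabled.
iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p tcp --dport 443 -j REJECT

# Anything not matched so far is logged (rate-limited) and then refused.
iptables -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"
iptables -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"

# Final refusal: TCP gets a reset, everything else is dropped silently.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p all -j DROP
iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p all -j DROP

# Outgoing traffic from this host itself is not filtered.
iptables -A OUTPUT -j ACCEPT

# Masquerade internal connections going to the outside.
iptables -t nat -A POSTROUTING -o "$EXTERNALIF" -j MASQUERADE

exit 0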
|
############### exemple d'un fichier /etc/pf.conf #####################
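# Example pf.conf for a NAT gateway: one external interface, one internal
# interface, and an IPv6 tunnel on gif0. See pf.conf(5) for syntax.
#
# NOTE: the macros below (xl0, vr0, 192.168.1.0/24) and the comments kept
# from the original example (external interface kue0 with 62.65.145.30 as
# the only routable address, private network 10.0.0.0/8) do not agree, and
# the broadcast address 62.65.145.31 in the "ADSL noise" rule is still the
# original author's. Adjust all of them to the local addressing first.
ext_if="xl0"
int_if="vr0"
unroutable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
# NOTE: "> 1024" lets new inbound connections reach every unprivileged TCP
# port on the external interface; narrow the list to the services offered.
services_tcp="{ smtp, submission, domain, auth, www, https, > 1024 }"
services_udp="{ domain }"
ipv6_net="{ 2001:470:1f00:ffff::245, 2001:470:1f00:390:0:0:0:0/64 }"

# normalize all packets
scrub out all
scrub in all

# nat private network to single routable address
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if

# redirect https connections from work to sshd (disabled; replace 0.0.0.0
# with the source address that should reach sshd this way)
#rdr on $ext_if inet proto tcp from 0.0.0.0 \
#    to $ext_if port 443 -> $ext_if port 22
#rdr on $int_if inet proto tcp from 0.0.0.0 \
#    to $int_if port 443 -> $ext_if port 22

# block and log everything by default
block out log all
block in log all
block return-rst out log inet proto tcp all
block return-rst in log inet proto tcp all
block return-icmp out log inet proto udp all
block return-icmp in log inet proto udp all

# unfiltered interfaces
pass out quick on { lo0, enc0, $int_if } all
pass in quick on { lo0, enc0, $int_if } all

# ==============================================
# common rules for all filtered interfaces
# ==============================================

# drop noise without logging it
block return-rst in quick proto tcp from any to any \
    port { 111, 6000, 6667 }
block return-icmp in quick proto udp from any to any \
    port { 137 }

# silently drop TCP non-SYN packets (only SYNs create state)
block out quick proto tcp all flags /S
block in quick proto tcp all flags /S

# ==============================================
# external interface (all external IPv4 traffic)
# ==============================================

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and don't send out garbage.
block out log quick on $ext_if inet from !$ext_if to any

# silently drop broadcasts (ADSL noise); 62.65.145.31 is the original
# author's broadcast address, replace it with the local one
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if inet from $unroutable to any

# ICMP
pass out on $ext_if inet proto icmp from $ext_if to any \
    icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp from any to $ext_if \
    icmp-type 8 code 0 keep state

# UDP
pass out on $ext_if inet proto udp from $ext_if to any \
    keep state
pass in on $ext_if inet proto udp from any to $ext_if \
    port $services_udp keep state

# TCP
pass out on $ext_if inet proto tcp from $ext_if to any \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ext_if \
    port $services_tcp flags S/SA keep state

# other protocols (IPv6 tunnel)
pass out on $ext_if inet proto ipv6 from $ext_if to 64.71.128.82 keep state
pass in on $ext_if inet proto ipv6 from 64.71.128.82 to $ext_if keep state

# ==============================================
# tunnel interface (all external IPv6 traffic)
# ==============================================

# ICMP
pass out on gif0 inet6 proto ipv6-icmp from $ipv6_net to any \
    ipv6-icmp-type echoreq keep state
pass in on gif0 inet6 proto ipv6-icmp from any to $ipv6_net \
    ipv6-icmp-type echoreq keep state

# UDP
pass out on gif0 inet6 proto udp from $ipv6_net to any keep state
pass in on gif0 inet6 proto udp from any to $ipv6_net \
    port $services_udp keep state

# TCP
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA keep state
pass in on gif0 inet6 proto tcp from any to $ipv6_net \
    port $services_tcp flags S/SA keep state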