Iptables script.
This commit is contained in:
parent
18224ba566
commit
8432e37c93
|
|
@ -0,0 +1,381 @@
|
|||
#!/bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: firewall
|
||||
# Required-Start: $remote_fs $rsyslog
|
||||
# Required-Stop: $remote_fs $rsyslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Firewall initscript
|
||||
# Description: Script de parefeu avec iptables
|
||||
# Pour tester ce script avant de l'appliquer, on peut utiliser la commande:
|
||||
# service firewall test
|
||||
# Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs
|
||||
# * ...
|
||||
### END INIT INFO
|
||||
|
||||
# Author: Gardouille
|
||||
|
||||
# **********************************************************************************************
|
||||
#
|
||||
# Variables globales
|
||||
#
|
||||
# -----------------------------------------------------------
|
||||
# Emplacement de iptables
|
||||
IPT="/sbin/iptables"
|
||||
# Durée en secondes pour le cas de test des règles du pare-feu
|
||||
TIME=42
|
||||
|
||||
#### Colors definition
|
||||
export REDB='\033[1;31m'
|
||||
export GREEN='\033[1;32m'
|
||||
export WHITEB='\033[1;37m'
|
||||
export RESET='\033[0m'
|
||||
|
||||
|
||||
fw_init() {
|
||||
|
||||
#############
|
||||
## KERNEL ##
|
||||
#############
|
||||
# active la protection Cookie TCP SYN
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
||||
# Active la protection IP Spoofing
|
||||
# Effectue une verification de l'adresse source
|
||||
for SYS in /proc/sys/net/ipv4/conf/*/rp_filter
|
||||
do
|
||||
echo 1 > ${SYS}
|
||||
done
|
||||
# Desactive l'ICMP Redirect
|
||||
for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects
|
||||
do
|
||||
echo 0 > ${SYS}
|
||||
done
|
||||
# Desactive les paquets Source-Routed
|
||||
for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route
|
||||
do
|
||||
echo 0 > ${SYS}
|
||||
done
|
||||
# Active l'ip forwarding
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
|
||||
#############
|
||||
## POLICY ##
|
||||
#############
|
||||
## drop tout le traffic entrant, sortant et forwardé
|
||||
$IPT -P INPUT DROP
|
||||
$IPT -P FORWARD DROP
|
||||
#$IPT -P OUTPUT DROP
|
||||
# $IPT -P INPUT ACCEPT
|
||||
# $IPT -P FORWARD ACCEPT
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
|
||||
############
|
||||
## BASE ##
|
||||
############
|
||||
#### Dropper les nouvelles connections qui n'ont pas le flag syn
|
||||
$IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW
|
||||
|
||||
# Interdire les connections locales qui ne viennent pas de locale
|
||||
$IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo"
|
||||
# Autoriser loopback
|
||||
$IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in"
|
||||
$IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out"
|
||||
|
||||
##############
|
||||
## OUTPUT ##
|
||||
##############
|
||||
|
||||
#### ICMP request (Ping)
|
||||
$IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out"
|
||||
}
|
||||
|
||||
|
||||
fw_start() {
|
||||
|
||||
#############
|
||||
## INPUT ##
|
||||
#############
|
||||
#### Pour tenter de s'y retrouver avec l'affichage des règles iptables, pour l'écriture des règles,
|
||||
# respecter cet ordre:
|
||||
# -t TABLE -A CHAINE -j TARGET -p PROTOCOLE -i ETH_IN -o ETH_OUT -s SOURCE -d DESTINATION --sport PORT_SRC --dport PORT_DST -m state --state <20>TAT -m comment --comment "COMMENTAIRE"
|
||||
####
|
||||
|
||||
#### Ne pas casser les connexions etablies
|
||||
$IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -d "${IPLAN}" -m state --state RELATED,ESTABLISHED
|
||||
# $IPT -A FORWARD -j ACCEPT -p all -o "${IVM}" -d "${LANVM}" -m state --state RELATED,ESTABLISHED
|
||||
|
||||
#####
|
||||
# $IPT -A INPUT -j ACCEPT -s 192.168.42.166 -d 192.168.42.1 -m comment --comment "TEST Rules"
|
||||
# $IPT -A OUTPUT -j ACCEPT -s 192.168.42.1 -d 192.168.42.166 -m comment --comment "TEST Rules"
|
||||
#
|
||||
# $IPT -A INPUT -j ACCEPT -p icmp -s ${LANVM} -d "${IPLAN}" -m comment --comment "ICMP req LANVM"
|
||||
|
||||
|
||||
#### ICMP (Ping)
|
||||
# Accept all ping
|
||||
#$IPT -A INPUT -p icmp -j ACCEPT
|
||||
# Accept icmp ping from LAN
|
||||
#$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s ${LAN} -d "${IPLAN}" -m comment --comment "ICMP req LAN"
|
||||
|
||||
|
||||
|
||||
#### SSHD
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH in"
|
||||
|
||||
## BackupPC
|
||||
$IPT -A INPUT -j ACCEPT -p icmp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" -m comment --comment "ICMP FURY req"
|
||||
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s 192.168.0.3 -d "${IPLAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH fury in"
|
||||
|
||||
#### Apache2 - Web server
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 80 -m state --state NEW -m comment --comment "New HTTP in"
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 443 -m state --state NEW -m comment --comment "New HTTPS in"
|
||||
|
||||
#### slapd
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "New LDAP in"
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "New LDAPS in"
|
||||
|
||||
#### dhcpd
|
||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "New DHCPD in"
|
||||
|
||||
#### PuppetMaster
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
|
||||
|
||||
#### NFS Server
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
|
||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
|
||||
## 32769: rpc.quotad
|
||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
||||
|
||||
#### tftp allowed
|
||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
|
||||
|
||||
#### Printers
|
||||
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --sport 161 -m state --state NEW -m comment --comment "SNMP IN"
|
||||
|
||||
#########################
|
||||
## {Multi,Broad}cast ##
|
||||
#########################
|
||||
#### DROP Multicast & broadcast
|
||||
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 255.255.255.255 -m comment --comment "DROP Broadcast1"
|
||||
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.27.255 -m comment --comment "DROP Broadcast2"
|
||||
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 129.20.255.255 -m comment --comment "DROP Broadcast3"
|
||||
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.1 -m comment --comment "DROP Multicast1"
|
||||
$IPT -t mangle -A PREROUTING -j DROP -p udp -i "${ILAN}" -d 224.0.0.251 -m comment --comment "DROP Multicast2"
|
||||
|
||||
|
||||
|
||||
##############
|
||||
## OUTPUT ##
|
||||
##############
|
||||
#### Ne pas casser les connexions etablies
|
||||
# $IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -s "${IPLAN}" -m state --state RELATED,ESTABLISHED,UNTRACKED
|
||||
#
|
||||
# #### ICMP reply (Ping)
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p icmp -o "${ILAN}" --icmp-type 0 -s "${IPLAN}" -d 0/0 -m state --state ESTABLISHED,RELATED -m comment --comment "ICMP reply"
|
||||
#
|
||||
# #### SSH
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 22 -m state --state NEW -m comment --comment "New SSH out"
|
||||
#
|
||||
# #### Mail (rapport d'erreur, ...)
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 25 -m state --state NEW -m comment --comment "SMTP out"
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 143 -m state --state NEW -m comment --comment "Imap"
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 993 -m state --state NEW -m comment --comment "Imaps"
|
||||
#
|
||||
# #### DNS (résolution de noms de domaines, ... ...)
|
||||
# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out udp"
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 53 -m state --state NEW -m comment --comment "DNS out tcp"
|
||||
#
|
||||
# #### DHCP
|
||||
# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} -s "${IPLAN}" --sport 68 -m comment --comment "DHCPREQUEST"
|
||||
#
|
||||
# #### HTTP (maj, ...)
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 80 -m state --state NEW -m comment --comment "HTTP out"
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 443 -m state --state NEW -m comment --comment "HTTPS out"
|
||||
#
|
||||
# #### NTP
|
||||
# $IPT -A OUTPUT -j ACCEPT -p udp -o ${ILAN} --dport 123 -m state --state NEW -m comment --comment "NTP"
|
||||
#
|
||||
# #### Puppet (connection, ... )
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" --dport 8140 -m state --state NEW -m comment --comment "Puppet out"
|
||||
#
|
||||
# #### OpenPGP HTTP key server (add key, maj, ...)
|
||||
# $IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --dport 11371 -m state --state NEW -m comment --comment "OpenPGP req"
|
||||
#
|
||||
# #### Apache2 - Web server
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 80 -m state --state NEW -m comment --comment "New HTTP out"
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPS out"
|
||||
#
|
||||
# #### dhcpd
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
|
||||
#
|
||||
# #### ldap connection//synchronisation (only the server is allowed to connect without SSL)
|
||||
## $IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
|
||||
# #### ldap connection (should be an LDAPS connection when it will be available!)
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
|
||||
#
|
||||
# #### NFS Client
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
||||
# ## Port spécifié par le serveur NFS contacté
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
||||
#
|
||||
# #### Printers
|
||||
# $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
|
||||
#
|
||||
|
||||
}
|
||||
|
||||
|
||||
# Règles pour de log
|
||||
fw_log() {
|
||||
|
||||
#############
|
||||
## LOG ##
|
||||
#############
|
||||
|
||||
# LOG INPUT DROP PAQUET
|
||||
$IPT -N INPLOG
|
||||
$IPT -A INPUT -j INPLOG
|
||||
$IPT -A INPLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [tcp]: "
|
||||
$IPT -A INPLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [udp]: "
|
||||
$IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: "
|
||||
|
||||
# LOG OUTPUT DROP PAQUET
|
||||
#$IPT -N OUTLOG
|
||||
#$IPT -A OUTPUT -j OUTLOG
|
||||
#$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: "
|
||||
#$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: "
|
||||
#$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: "
|
||||
|
||||
# LOG FORWARD DROP PAQUET
|
||||
$IPT -N FORLOG
|
||||
$IPT -A FORWARD -j FORLOG
|
||||
$IPT -A FORLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [tcp]: "
|
||||
$IPT -A FORLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [udp]: "
|
||||
$IPT -A FORLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-FOR [icmp]: "
|
||||
|
||||
}
|
||||
|
||||
|
||||
# Arrêt du firewall
|
||||
fw_stop() {
|
||||
# Supprimer une route ajouter automatiquement
|
||||
ip route del 169.254.0.0/16
|
||||
# Vider les tables actuelles
|
||||
$IPT -t filter -F
|
||||
# Vider les règles personnelles
|
||||
$IPT -t filter -X
|
||||
$IPT -t nat -F
|
||||
$IPT -t nat -X
|
||||
$IPT -t mangle -F
|
||||
$IPT -t mangle -X
|
||||
$IPT -P INPUT ACCEPT
|
||||
$IPT -P FORWARD ACCEPT
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
$IPT -t nat -P PREROUTING ACCEPT
|
||||
$IPT -t nat -P OUTPUT ACCEPT
|
||||
$IPT -t nat -P POSTROUTING ACCEPT
|
||||
$IPT -t mangle -P PREROUTING ACCEPT
|
||||
$IPT -t mangle -P INPUT ACCEPT
|
||||
$IPT -t mangle -P FORWARD ACCEPT
|
||||
$IPT -t mangle -P OUTPUT ACCEPT
|
||||
$IPT -t mangle -P POSTROUTING ACCEPT
|
||||
|
||||
}
|
||||
|
||||
# VPN
|
||||
fw_vpn() {
|
||||
# Allow all traffic throught VPN
|
||||
$IPT -A INPUT -j ACCEPT -p all -i "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "VPN in"
|
||||
$IPT -A OUTPUT -j ACCEPT -p all -o "${ILAN}" -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -m comment --comment "VPN out"
|
||||
}
|
||||
|
||||
# **********************************************************************************************
|
||||
#
|
||||
# Programme principale
|
||||
#
|
||||
# -----------------------------------------------------------
|
||||
|
||||
case "${1}" in
|
||||
start|restart)
|
||||
printf '%s\n' "Start firewall …"
|
||||
fw_stop
|
||||
fw_init
|
||||
# List all available interface except localhost
|
||||
for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do
|
||||
# Interface name
|
||||
ILAN=$(basename ${PATH_ILAN})
|
||||
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
|
||||
|
||||
# Test if interface is connected
|
||||
if [ ${IS_UP} ]; then
|
||||
# Interface IP
|
||||
IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
|
||||
# IP/MASK
|
||||
#IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
|
||||
# Interface LAN
|
||||
LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
|
||||
|
||||
printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
|
||||
|
||||
# Load rules for this interface
|
||||
fw_start
|
||||
else
|
||||
printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
|
||||
fi
|
||||
done
|
||||
|
||||
fw_log
|
||||
;;
|
||||
stop)
|
||||
printf '%s\n' "Clean all firewall rules"
|
||||
fw_stop
|
||||
;;
|
||||
test)
|
||||
printf '%b' "Load firewall rules for ${TIME} secondes …\n"
|
||||
|
||||
$0 start
|
||||
sleep ${TIME}
|
||||
fw_stop
|
||||
;;
|
||||
vpn)
|
||||
printf '%s\n' "Special rules for VPN interfaces (TUN or TAP)"
|
||||
for PATH_ILAN in $(find /sys/class/net/ \( -iname "*tun*" -o -iname "*tap*" \) -type l ); do
|
||||
ILAN=$(basename ${PATH_ILAN})
|
||||
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
|
||||
|
||||
if [ ${IS_UP} ]; then
|
||||
# IP
|
||||
IPLAN=$(ip route|grep -v "default"|grep ${ILAN}|grep src|awk '{print $NF}')
|
||||
# IP/MASK
|
||||
#IPLAN=$(ip a s "${ILAN}"|grep "inet "|awk '{print $2}')
|
||||
LAN=$(ip route|grep -v "default"|grep "${IPLAN}"|awk '{print $1}')
|
||||
|
||||
printf '%b' "${WHITEB}${ILAN} ${GREEN}connected${RESET}: \t${IPLAN} \ton ${LAN}\n"
|
||||
|
||||
# Load special rules for this interface
|
||||
fw_vpn
|
||||
else
|
||||
printf '%b' "${WHITEB}${ILAN} ${REDB}disconnected${RESET}\n"
|
||||
fi
|
||||
done
|
||||
;;
|
||||
*)
|
||||
echo "Usage: firewall ({start|stop|restart|test})"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
# Fin du script
|
||||
exit 0
|
||||
|
||||
# Fin de la boucle principale
|
||||
# -----------------------------------------------------------
|
||||
|
||||
Loading…
Reference in New Issue