From c699ff9c4d6665abc60043189a4122abe9c87cf1 Mon Sep 17 00:00:00 2001 From: Gardouille Date: Wed, 16 Sep 2015 22:04:12 +0200 Subject: [PATCH] firewall: set OUTPUT Policy to DROP and translate some comments. --- firewall | 57 ++++++++++--------- {dynmotd_scripts => update-motd.d}/01system | 0 {dynmotd_scripts => update-motd.d}/02user | 0 {dynmotd_scripts => update-motd.d}/03auth | 0 .../04filesystem | 0 {dynmotd_scripts => update-motd.d}/05ceph | 0 {dynmotd_scripts => update-motd.d}/06service | 0 .../static_motd | 0 8 files changed, 29 insertions(+), 28 deletions(-) rename {dynmotd_scripts => update-motd.d}/01system (100%) rename {dynmotd_scripts => update-motd.d}/02user (100%) rename {dynmotd_scripts => update-motd.d}/03auth (100%) rename {dynmotd_scripts => update-motd.d}/04filesystem (100%) rename {dynmotd_scripts => update-motd.d}/05ceph (100%) rename {dynmotd_scripts => update-motd.d}/06service (100%) rename {dynmotd_scripts => update-motd.d}/static_motd (100%) diff --git a/firewall b/firewall index f8ffb97..047205e 100755 --- a/firewall +++ b/firewall @@ -6,8 +6,9 @@ # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Firewall initscript -# Description: Script de parefeu avec iptables -# Pour tester ce script avant de l'appliquer, on peut utiliser la commande: +# Description: Firewall script for iptables +# To test the script you can just use 'test' arg: +# ./firewall test # service firewall test # Doc: * http://openvz.org/Using_NAT_for_container_with_private_IPs # * ... @@ -17,12 +18,12 @@ # ********************************************************************************************** # -# Variables globales +# Global var # # ----------------------------------------------------------- -# Emplacement de iptables +# iptables path IPT="/sbin/iptables" -# Durée en secondes pour le cas de test des règles du pare-feu +# testing for XX seconds TIME=42 #### Colors definition 
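Review bot: The new comment above `TIME=42`, `# testing for XX seconds`, loses what the removed French line stated, namely that this value is the duration of the firewall rules test; a reader of the translated file can no longer tell what is being tested for 42 seconds. Suggest `# Duration in seconds of the firewall rules test` instead. In the same hunk `# Global var` is a narrower rendering of "Variables globales"; `# Global variables` reads better. How TIME is consumed is outside this hunk.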
@@ -37,48 +38,50 @@ fw_init() { ############# ## KERNEL ## ############# - # active la protection Cookie TCP SYN + # Enable Cookie TCP SYN protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies - # Active la protection IP Spoofing - # Effectue une verification de l'adresse source + # Enable IP spoofing protection + # Check the ip source for SYS in /proc/sys/net/ipv4/conf/*/rp_filter do echo 1 > ${SYS} done - # Desactive l'ICMP Redirect + # Disable ICMP redirect for SYS in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 0 > ${SYS} done - # Desactive les paquets Source-Routed + # Disable source-route packages for SYS in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > ${SYS} done - # Active l'ip forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward + # Enable ip forwarding + #echo 1 > /proc/sys/net/ipv4/ip_forward ############# ## POLICY ## ############# - ## drop tout le traffic entrant, sortant et forwardé + + # drop all traffic $IPT -P INPUT DROP $IPT -P FORWARD DROP - #$IPT -P OUTPUT DROP -# $IPT -P INPUT ACCEPT -# $IPT -P FORWARD ACCEPT - $IPT -P OUTPUT ACCEPT + $IPT -P OUTPUT DROP + #$IPT -P INPUT ACCEPT + #$IPT -P FORWARD ACCEPT + #$IPT -P OUTPUT ACCEPT ############ ## BASE ## ############ - #### Dropper les nouvelles connections qui n'ont pas le flag syn + + # Drop all new connections without a syn flag $IPT -t filter -A INPUT -j DROP -p tcp ! --syn -m state --state NEW - # Interdire les connections locales qui ne viennent pas de locale + # Forbid local connections that doesn't come from localhost $IPT -A INPUT -j REJECT ! -i lo -d 127.0.0.1/8 -m comment --comment "Reject lo not from lo" - # Autoriser loopback + # Allow loopback $IPT -A INPUT -j ACCEPT -i lo -m comment --comment "Loopback in" $IPT -A OUTPUT -j ACCEPT -o lo -m comment --comment "Loopback out" @@ -88,8 +91,8 @@ fw_init() { #### ICMP request (Ping) $IPT -A OUTPUT -j ACCEPT -p icmp -m state --state NEW -m comment --comment "ICMP out" -} +} fw_start() { 
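Review bot: `$IPT -P OUTPUT DROP` makes every outbound packet depend on an explicit ACCEPT, and the only OUTPUT allowances visible here are loopback out (`-o lo`) and, in the following hunk, new ICMP; no `OUTPUT ... --state ESTABLISHED,RELATED` rule appears in this hunk, so unless fw_start (defined outside it) installs one, replies to accepted inbound sessions such as SSH are dropped and a remote administrator can be locked out. The policy is also set before any ACCEPT rule exists, so an error partway through fw_init leaves the host with no outbound allowances at all; a comment such as `# OUTPUT policy is DROP: every outbound flow (ESTABLISHED replies, DNS, NTP, package mirrors) needs an explicit ACCEPT in fw_start` above the line would record that dependency. Commenting out `echo 1 > /proc/sys/net/ipv4/ip_forward` while the FORWARD policy and logging chains are kept is presumably intentional but deserves a one-line why-comment. Minor: `# Disable source-route packages` should read `packets`. fw_init begins before this hunk.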
@@ -264,7 +267,6 @@ fw_start() { } - # Règles pour de log fw_log() { @@ -280,11 +282,11 @@ fw_log() { $IPT -A INPLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-IN [icmp]: " # LOG OUTPUT DROP PAQUET - #$IPT -N OUTLOG - #$IPT -A OUTPUT -j OUTLOG - #$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: " - #$IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: " - #$IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: " + $IPT -N OUTLOG + $IPT -A OUTPUT -j OUTLOG + $IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: " + $IPT -A OUTLOG -p udp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [udp]: " + $IPT -A OUTLOG -p icmp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [icmp]: " # LOG FORWARD DROP PAQUET $IPT -N FORLOG @@ -410,4 +412,3 @@ exit 0 # Fin de la boucle principale # ----------------------------------------------------------- - diff --git a/dynmotd_scripts/01system b/update-motd.d/01system similarity index 100% rename from dynmotd_scripts/01system rename to update-motd.d/01system diff --git a/dynmotd_scripts/02user b/update-motd.d/02user similarity index 100% rename from dynmotd_scripts/02user rename to update-motd.d/02user diff --git a/dynmotd_scripts/03auth b/update-motd.d/03auth similarity index 100% rename from dynmotd_scripts/03auth rename to update-motd.d/03auth diff --git a/dynmotd_scripts/04filesystem b/update-motd.d/04filesystem similarity index 100% rename from dynmotd_scripts/04filesystem rename to update-motd.d/04filesystem diff --git a/dynmotd_scripts/05ceph b/update-motd.d/05ceph similarity index 100% rename from dynmotd_scripts/05ceph rename to update-motd.d/05ceph diff --git a/dynmotd_scripts/06service b/update-motd.d/06service similarity index 100% rename from dynmotd_scripts/06service rename to update-motd.d/06service 
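Review bot: The new `$IPT -A OUTPUT -j OUTLOG` jump is appended to OUTPUT, so it only logs packets that would otherwise fall through to the OUTPUT DROP policy if fw_log runs after every OUTPUT ACCEPT rule has been installed; fw_start is defined elsewhere and the call order is not visible here, so please confirm it, otherwise every accepted outbound packet is logged and the 5/min limit hides the drops that matter. With the policy now DROP, attributing a dropped outbound attempt to a local process owner is what a responder will want first; adding `--log-uid` to the three OUTLOG LOG rules, e.g. `$IPT -A OUTLOG -p tcp -m limit --limit 5/min -j LOG --log-prefix "Drop-OUT [tcp]: " --log-uid`, provides that. Packets of protocols other than tcp, udp and icmp reach OUTLOG without being logged, which matches the existing INPLOG chain but is worth a comment. fw_log begins before this hunk and continues after it.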
diff --git a/dynmotd_scripts/static_motd b/update-motd.d/static_motd
similarity index 100%
rename from dynmotd_scripts/static_motd
rename to update-motd.d/static_motd