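#!/bin/sh
#
# iptables firewall script
#
# Largely assembled from good ideas found in the FloppyFW
# mini-distribution (http://www.zelow.no/floppyfw/) and on
# http://www.lea-linux.org/
#
# THE iptables / TCP/IP site: http://www.netfilter.org/
#
# Purpose: NAT router with a default-DROP policy on INPUT/OUTPUT/FORWARD,
# masquerading of the inside network on the outside device, and a few
# DNAT port forwards to internal servers.
#
# Must run as root (writes /proc/sys and calls iptables/modprobe).
# Re-running it during normal uptime is supported (e.g. after a DHCP
# re-lease or a demand-dial / PPPoE reconnect): every table it touches is
# flushed before the rules are re-added.
#
# General config
#

# outside network
#OUTSIDE_IP=
OUTSIDE_DEVICE=ppp0
# adjust the values below if you are on a fixed-IP / ethernet uplink
#OUTSIDE_DEVICE=eth0
#OUTSIDE_NETWORK=0.0.0.0
#OUTSIDE_NETMASK=255.255.255.0
#OUTSIDE_BROADCAST=0.0.0.255

# inside network
INSIDE_IP=192.168.0.1
INSIDE_DEVICE=eth1
INSIDE_NETWORK=192.168.0.0
INSIDE_NETMASK=255.255.255.0
INSIDE_BROADCAST=192.168.0.255
# network/netmask form used by the per-network rules below: a bare
# "-s 192.168.0.0" would match only that single host, not the subnet.
INSIDE_SUBNET="${INSIDE_NETWORK}/${INSIDE_NETMASK}"

# general settings (informational; not referenced by the rules below)
#DEFAULT_GATEWAY=192.168.1.1
NAME_SERVER_IP1=193.252.19.4
NAME_SERVER_IP2=193.252.19.3
HOSTNAME=host
DOMAIN=domain.tld

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
SERVER_IP0=192.168.0.4
SERVER_IP1=192.168.0.42

#
# Setting up iptables
#

# Stop forwarding while the rule set is rebuilt (this script may be run
# during normal uptime for a DHCP re-lease or demand dialing / PPPoE), so
# no packet is forwarded through a half-built rule set.
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# ICMP is accepted, but echo requests are ignored by the kernel
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# Anti spoofing: reverse-path filtering on every interface
#
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > "$filtre"
  done
fi

# We are going to use iptables. If it was compiled as a module, the
# ip_tables module has to be loaded.
modprobe ip_tables
# Load a few more modules for NAT, IRC and FTP connection tracking
# (modprobe pulls in the matching ip_conntrack_* dependencies).
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

#
# Display the config:
#
echo "Starting firewall with the following config:"
echo
echo " Inside Outside"
echo " Network: ${INSIDE_NETWORK} ${OUTSIDE_NETWORK}"
echo " Device: ${INSIDE_DEVICE} ${OUTSIDE_DEVICE}"
echo "IP Address: ${INSIDE_IP} [None Set]"
echo " Netmask: ${INSIDE_NETMASK} ${OUTSIDE_NETMASK}"
echo " Broadcast: ${INSIDE_BROADCAST} ${OUTSIDE_BROADCAST}"
echo " Gateway: [None Set] ${DEFAULT_GATEWAY}"
echo

#
# Clean everything. All three tables this script adds rules to are
# flushed (filter, nat, mangle); otherwise re-running the script would
# leave duplicate TOS rules piling up in mangle PREROUTING.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -Z # zero all counters

#
# Default policy: DROP
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Loopback interface:
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#
# Good old masquerading:
#
iptables -t nat -A POSTROUTING -o "${OUTSIDE_DEVICE}" -j MASQUERADE

#
# Forwarding of outside ports to an internal server:
#
# SSH: outside:22 -> SERVER_IP0:22
iptables -A PREROUTING -t nat -p tcp -i "${OUTSIDE_DEVICE}" --dport 22 -j DNAT --to "${SERVER_IP0}:22"
iptables -A FORWARD -p tcp -d "${SERVER_IP0}" --dport 22 -o "${INSIDE_DEVICE}" -j ACCEPT
# ssh traffic router/firewall <-> inside network
iptables -A INPUT -p tcp -s "${INSIDE_SUBNET}" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d "${INSIDE_SUBNET}" --dport 22 -j ACCEPT

# Web: (disabled)
#iptables -A PREROUTING -t nat -p tcp -i ${OUTSIDE_DEVICE} --dport 80 -j DNAT --to ${SERVER_IP1}:80
#iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 80 -o ${INSIDE_DEVICE} -m state --state NEW -j ACCEPT
# this works, but it is dirty (opens port 80 on the firewall itself).
#iptables -A INPUT -p tcp -i ${OUTSIDE_DEVICE} --dport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp -o ${OUTSIDE_DEVICE} --dport 80 -j ACCEPT
# web traffic router/firewall <-> inside network
iptables -A INPUT -p tcp -s "${INSIDE_SUBNET}" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d "${INSIDE_SUBNET}" --dport 80 -j ACCEPT

# FTP: outside:21 -> SERVER_IP1:21 (data connections are handled as
# RELATED by the ip_nat_ftp helper loaded above)
iptables -A PREROUTING -t nat -p tcp -i "${OUTSIDE_DEVICE}" --dport 21 -j DNAT --to "${SERVER_IP1}:21"
iptables -A FORWARD -p tcp -d "${SERVER_IP1}" --dport 21 -o "${INSIDE_DEVICE}" -j ACCEPT
# ftp traffic router/firewall <-> inside network
iptables -A INPUT -p tcp -s "${INSIDE_SUBNET}" --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -d "${INSIDE_SUBNET}" --dport 21 -j ACCEPT

#
# Keep state: anything new from the inside may go out, replies and
# related connections may come back. The final DROP is redundant with the
# FORWARD policy but makes the intent explicit when listing the rules.
#
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i "${OUTSIDE_DEVICE}" -j DROP

#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# We don't like to see NetBIOS or CIFS wandering outside...
# NOTE: these sit in the nat table, where only the first packet of a
# connection is seen; since that packet is dropped no conntrack entry is
# confirmed, so every packet keeps hitting them. The filter table
# (FORWARD) is the conventional place for such rules.
#
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 445 -j DROP

#
# We would like to ask for names from our box: the firewall itself may
# open any outbound connection and receive the replies.
#
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED -j ACCEPT

# Ping and friends.
# To do this properly the ICMP types should be sorted out and only the
# essential ones let through (echo requests are already ignored via
# icmp_echo_ignore_all above).
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
# (not entirely sure about this one any more)
iptables -A INPUT -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A OUTPUT -o "${INSIDE_DEVICE}" -j ACCEPT

#
# And, some attempt to get interactive sessions a bit more interactive
# under load:
#
# this could be done better with QoS
iptables -A PREROUTING -t mangle -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport 20 -j TOS --set-tos Maximize-Throughput

#
# Finally, list what we have
#
# iptables -L
# If broken DNS:
#iptables -L -n

#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Cosmetic
echo " [Termine]" # finally done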