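# ============================================================
# ANNEXE 7 - Parametrage du firewall NetFilter
# ============================================================
#
# /home/system/scripts/fw/custom_net.sh : voir ANNEXE 1 - Parametrage du firewall Ipchains
#
# Three files are listed below, each introduced by its path:
#   /etc/init.d/init_iptables.sh               - init wrapper (start|stop|restart)
#   /home/system/scripts/fw/rules_down_iptables.sh - flush rules, policies back to ACCEPT
#   /home/system/scripts/fw/rules_up_iptables.sh   - build the DROP-by-default ruleset

# ------------------------------------------------------------
# /etc/init.d/init_iptables.sh :
# ------------------------------------------------------------
#!/bin/sh
#
# Debian-secinst v0.2.1 : ANNEXE 7 - Parametrage du firewall NetFilter
# Simon Castro
#
# Init wrapper around the two rule scripts.
# Usage: init_iptables.sh {start|stop|restart}
# Exit status: 0 when the requested rule script ran, 1 when it could not be
# executed or the action is unknown.
RULES_UP=/home/system/scripts/fw/rules_up_iptables.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_iptables.sh

# run_rules SCRIPT : run SCRIPT when it is a regular, executable file.
# Reports on stderr and returns 1 otherwise -- a firewall that did not come
# up must not be reported to the init system as a success (the previous
# "exit 0" hid that fail-open condition).
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    "$1"
  else
    echo "$0 : Cannot execute $1 !!!" >&2
    return 1
  fi
}

case "$1" in
  start)
    run_rules "$RULES_UP" || exit 1
    ;;
  stop)
    run_rules "$RULES_DOWN" || exit 1
    ;;
  restart)
    "$0" stop
    "$0" start || exit 1
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0

# ------------------------------------------------------------
# /home/system/scripts/fw/rules_down_iptables.sh :
# ------------------------------------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEXE 7 - Parametrage du firewall NetFilter
# Simon Castro
#
# Tear the ruleset down: flush the filter table, delete the user chains and
# reset the built-in policies to ACCEPT.  This is the "stop" action -- after
# it the host filters nothing.  Only the filter table is touched (no -t given),
# so nat/mangle entries, if any, stay in place.
IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE
# Leave quietly when the binary is missing OR not executable.  The original
# test joined the two with '&&', which let an existing but non-executable
# binary through to a failing call.
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# Anything on stderr (or a non-zero exit) from a plain listing means the
# running kernel has no usable NetFilter support.
CHECK=$("$IPT" -L -n 2>&1 >/dev/null || echo "bad")
if [ "$CHECK" ]; then
  echo "$0 : Not with this kernel"
  exit 0
fi

### VARIABLES
DEFAULT_POL="INPUT OUTPUT FORWARD"   # Built-in chains whose policy is reset

### BEGIN
# Flush and remove all chains then default the policies to ACCEPT
"$IPT" -F
"$IPT" -X
for i in $DEFAULT_POL; do
  "$IPT" -P "$i" ACCEPT
done
echo "$0 done"

# ------------------------------------------------------------
# /home/system/scripts/fw/rules_up_iptables.sh :
# ------------------------------------------------------------
#!/bin/sh
#
# Debian-secinst v0.1.4 : ANNEXE 7 - Parametrage du firewall NetFilter
# Simon Castro
#
# Build the host ruleset: policies DROP on INPUT/OUTPUT/FORWARD, then allow
# loopback, SSH from the administration stations, HTTP proxy and DNS, and
# finally log-and-drop everything else.  Template values written as @NAME
# must be replaced before the script is used.
# Exit status: 0 when every iptables command succeeded, 1 on a refused
# precondition or when at least one rule could not be installed.
IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE
# Leave quietly when the binary is missing OR not executable (see the note
# in rules_down_iptables.sh about the former '&&').
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
CHECK=$("$IPT" -L -n 2>&1 >/dev/null || echo "bad")
if [ "$CHECK" ]; then
  echo "$0 : Not with this kernel"
  exit 0
fi

ERRORS=0
# ipt ARGS... : run iptables, report a failing command on stderr and count
# it, so a partially installed ruleset is visible instead of silent.
ipt() {
  "$IPT" "$@" || {
    echo "$0 : iptables $* failed" >&2
    ERRORS=$((ERRORS + 1))
  }
}

### Set OUR value to the printk variable
echo "6 4 1 7" > /proc/sys/kernel/printk

### NETWORK CUSTOMIZATION
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi

### VARIABLES
INT=eth0

# Addresses
# The awk 'exit' keeps only the first match, so the values are single
# words (the old pattern also emitted an empty line for the 'inet6 addr:'
# record).  The field layout is that of the classic net-tools ifconfig.
LOCAL_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 ; exit }')      # Get local $INT IP Address
BROADCAST_IP=$(ifconfig "$INT" | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 ; exit }') # Get local $INT Broadcast IP Address
ADM_IP="@IP_ADM1 @IP_ADMx"        # Ip Address of the remote allowed administration stations
DNS_IP="@IP_DNS1 @IP_DNSx"
PROXY_IP="@IP_PROXY1 @IP_PROXYx"
#NTP_IP="@IP_NTPSERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"

# Personal Chains and default policie
DEFAULT_POL="INPUT OUTPUT FORWARD"
LOG_ACCEPT="LogAccept"
LOG_DROP="LogDrop"
LOOPBACK="DLoopBack"
CHECK_TCP="DCheckTcp"

# Various
RPORTS=":1024"     # privileged port range (kept for custom rules; unused below)
NRPORTS="1024:"    # unprivileged port range

### PRECONDITIONS
# Everything below is checked BEFORE the policies go to DROP, so a refusal
# leaves the previous ruleset untouched.  An unreplaced @NAME template or an
# empty LOCAL_IP would make iptables reject the SSH rules and lock out the
# administration stations.
for v in "$ADM_IP" "$DNS_IP" "$PROXY_IP"; do
  case "$v" in
    *@*)
      echo "$0 : template addresses (@...) not replaced, aborting" >&2
      exit 1
      ;;
  esac
done
if [ -z "$LOCAL_IP" ]; then
  echo "$0 : cannot determine the IP address of $INT, aborting" >&2
  exit 1
fi

### BEGIN
# Flush and remove all chains then default the policies to DROP
ipt -F
ipt -X
for i in $DEFAULT_POL; do
  ipt -P "$i" DROP
done

### Create and set personnal chains
#
# NDR : (the log-prefix is used in the syslog.conf)
#
# Log and accept chain
ipt -N "$LOG_ACCEPT"   # Create a new one
ipt -A "$LOG_ACCEPT" -j LOG --log-prefix "Packet log $LOG_ACCEPT " --log-tcp-options --log-ip-options --log-level 7   # Log and accept
ipt -A "$LOG_ACCEPT" -j ACCEPT

# Log and drop chain
ipt -N "$LOG_DROP"   # Create a new one
ipt -A "$LOG_DROP" -j LOG --log-prefix "Packet log $LOG_DROP " --log-tcp-options --log-ip-options --log-level 7   # Log and drop
ipt -A "$LOG_DROP" -j DROP

# Check valid tcp connections chain: a NEW connection must be a bare SYN,
# an ESTABLISHED one must not carry SYN; anything else is logged and dropped.
ipt -N "$CHECK_TCP"
ipt -A "$CHECK_TCP" -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j RETURN
ipt -A "$CHECK_TCP" -p tcp ! --syn -m state --state ESTABLISHED -j RETURN
ipt -A "$CHECK_TCP" -j LOG --log-prefix "Packet log $LOG_DROP/Invalid " --log-tcp-options --log-ip-options --log-level 7   # Log and drop
ipt -A "$CHECK_TCP" -j DROP

# Accept chain on loopback (to get a cleaver 'iptables -L -n')
ipt -N "$LOOPBACK"
ipt -A "$LOOPBACK" -j ACCEPT

### LOOPBACK, TCP DEFAULT CHECK AND REMOTE MANAGEMENT
# Allow whatever on loopback
ipt -A INPUT -i lo -j "$LOOPBACK"
ipt -A OUTPUT -o lo -j "$LOOPBACK"

# Check TCP flags on related connections
ipt -A INPUT -i "$INT" -p tcp -j "$CHECK_TCP"
ipt -A OUTPUT -o "$INT" -p tcp -j "$CHECK_TCP"

# Allow SSH remote management and log Syn connections
for i in $ADM_IP; do
  ipt -A INPUT -i "$INT" -p tcp -s "$i" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state NEW -j "$LOG_ACCEPT"
  ipt -A INPUT -i "$INT" -p tcp -s "$i" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$INT" -p tcp -s "$LOCAL_IP" --sport 22 -d "$i" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done

### ALLOW THESE TCP CONNECTIONS
# Allow HTTP/HTTPS to HTTP proxy servers
for i in $PROXY_IP; do
  ipt -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d "$i" --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$INT" -p tcp -s "$i" --sport 8080 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done

### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to Prelude server
# ipt -A OUTPUT -o "$INT" -p tcp --sport "$NRPORTS" -d {PRELUDE_SRV_IP} --dport 5553:5554 -m state --state NEW,ESTABLISHED -j ACCEPT
# ipt -A INPUT -i "$INT" -p tcp -s {PRELUDE_SRV_IP} --sport 5553:5554 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT

### ALLOW THESE UDP CONNECTIONS
# Allow DNS Protocol to DNS Servers
for i in $DNS_IP; do
  ipt -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$i" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A INPUT -i "$INT" -p udp -s "$i" --sport 53 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
done

### Uncomment if you want to allow communications to NTP servers
### => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
# for i in $NTP_IP; do
#   ipt -A OUTPUT -o "$INT" -p udp --sport "$NRPORTS" -d "$i" --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
#   ipt -A INPUT -i "$INT" -p udp -s "$i" --sport 123 --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
# done

### ALLOW THESE ICMP REQUESTS AND RESPONSES
### Uncomment if you want to certain hosts to send us icmp requests
### => Also uncomment and set ICMP_IP at the beginning of the script
# Allow some host's icmp requests
# for i in $ICMP_IP; do
#   ipt -A INPUT -i "$INT" -p icmp --icmp-type echo-request -s "$i" -m state --state NEW -j ACCEPT
#   ipt -A INPUT -i "$INT" -p icmp --fragment -j DROP
#   ipt -A INPUT -i "$INT" -p icmp --icmp-type destination-unreachable -s "$i" -j ACCEPT
#   ipt -A INPUT -i "$INT" -p icmp --icmp-type time-exceeded -s "$i" -m state --state RELATED -j ACCEPT
#   ipt -A OUTPUT -o "$INT" -p icmp --icmp-type echo-reply -d "$i" -m state --state ESTABLISHED,RELATED -j ACCEPT
# done

### ALLOW SPECIFIC PROTOCOLS
### Uncomment if you want to allow NetBios networks streams
### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow NetBios protocol with certains hosts
# ipt -A OUTPUT -o "$INT" -p udp --sport 137:138 -d "$BROADCAST_IP" --dport 137:138 -m state --state NEW,ESTABLISHED -j ACCEPT
# for i in $WINS_IP; do
#   ipt -A OUTPUT -o "$INT" -p udp --sport 137 -d "$i" --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#   ipt -A INPUT -i "$INT" -p udp -s "$i" --sport 137 --dport 137 -m state --state ESTABLISHED -j ACCEPT
# done
## Allow but log incoming syn connections on the 139 port number.
# for i in $NETBIOS_IP; do
#   ipt -A INPUT -i "$INT" -p udp -s "$i" --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
#   ipt -A OUTPUT -o "$INT" -p udp --sport 137 -d "$i" --dport 137 -m state --state ESTABLISHED -j ACCEPT
#   ipt -A INPUT -i "$INT" -p tcp -s "$i" --sport "$NRPORTS" --dport 139 -m state --state NEW -j "$LOG_ACCEPT"
#   ipt -A INPUT -i "$INT" -p tcp -s "$i" --sport "$NRPORTS" --dport 139 -m state --state ESTABLISHED -j ACCEPT
#   ipt -A OUTPUT -o "$INT" -p tcp --sport 139 -d "$i" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
# done

### AND LAST : LOG AND DENY
for i in $DEFAULT_POL; do
  ipt -A "$i" -j "$LOG_DROP"
done

# Report a partial ruleset instead of printing "done" over it.
if [ "$ERRORS" -ne 0 ]; then
  echo "$0 : $ERRORS iptables command(s) failed, the ruleset is incomplete" >&2
  exit 1
fi
echo "$0 done"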