Firewall pour station : IpTables

IpTables (pare-feu à filtrage de paquets avec suivi d'état)

IpTables est l'outil en espace utilisateur qui permet d'administrer les règles de pare-feu mises en œuvre par un noyau Linux disposant du support NetFilter.


Quelques rappels :


Scripts présentés :

Les trois scripts présentés ont les caractéristiques suivantes :


Ils pourraient par exemple être utilisés sur la distribution Debian Woody avec l'outil IpTables et un noyau disposant du support NetFilter.

Exemples de logs :

!!!

custom_net.sh :

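#!/bin/sh
#
# custom_net.sh - IPv4 stack hardening for a workstation.
#
# Writes sysctl values under /proc/sys/net/ipv4: the global ICMP/TTL/
# forwarding settings first, then the per-interface flags of every entry
# below /proc/sys/net/ipv4/conf (all, default, lo, eth0, ...).  Tunables
# that the running kernel does not expose are skipped, so the script can be
# reused across kernel versions.  Meant to be run as root (the files are
# not writable otherwise); writes are best-effort, one failure does not
# stop the following ones.
#
# Globals: CHEMIN (read), ZERO_FLAGS and ONE_FLAGS (read)
# Outputs: nothing on stdout; write errors go to stderr
# Returns: status of the last write

### NETWORK CUSTOMIZATION

# write_sysctl VALUE FILE
# Write VALUE to FILE when FILE exists; skip it silently otherwise.
write_sysctl() {
  if [ -e "$2" ]; then
    printf '%s\n' "$1" > "$2"
  fi
}

# apply_conf_flags CONF_ROOT VALUE FLAG...
# Write VALUE to each FLAG file inside every directory below CONF_ROOT
# (one directory per interface under /proc/sys/net/ipv4/conf).
apply_conf_flags() {
  _conf_root=$1
  _value=$2
  shift 2
  # Glob instead of parsing `ls`; a non-matching glob stays literal and is
  # filtered out by the -d test.
  for repert in "$_conf_root"/*; do
    [ -d "$repert" ] || continue
    for fichier in "$@"; do
      write_sysctl "$_value" "$repert/$fichier"
    done
  done
}

# Global settings.
write_sysctl 0  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # keep logging bogus ICMP error responses
write_sysctl 1  /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts       # never answer broadcast pings (amplification)
write_sysctl 60 /proc/sys/net/ipv4/ip_default_ttl
write_sysctl 0  /proc/sys/net/ipv4/ip_forward                        # a station does not route between interfaces

# Per-interface settings: no ICMP redirects, no source routing, no
# forwarding, no proxy ARP; reverse-path filtering on and martians logged.
ZERO_FLAGS="accept_redirects accept_source_route forwarding proxy_arp send_redirects"
ONE_FLAGS="rp_filter log_martians"
CHEMIN="/proc/sys/net/ipv4/conf"

# $ZERO_FLAGS / $ONE_FLAGS are split on whitespace on purpose.
apply_conf_flags "$CHEMIN" 0 $ZERO_FLAGS
apply_conf_flags "$CHEMIN" 1 $ONE_FLAGS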

Iptables_rules_down.sh :

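#!/bin/sh
#
# Iptables_rules_down.sh - remove the workstation firewall.
#
# Flushes and deletes every chain of the filter table and resets the
# INPUT/OUTPUT/FORWARD policies to ACCEPT: the host ends up with no packet
# filtering at all, which is the state Iptables_rules_up.sh starts from.
# Only the filter table is touched (-F/-X/-P without -t never reach the nat
# or mangle tables, which the companion rule set does not use).
# Exits 0 without doing anything when iptables cannot be used here.
#
# Globals: IPT (read), DEFAULT_POL (read)
# Outputs: "$0 done" on stdout on success; diagnostics on stderr
# Returns: 0 on success (or when there is nothing to do), 1 on a failed
#          iptables call

IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE

# A missing or non-executable iptables means there is nothing to undo.
# (The original used `&&`, which only fired when the file was absent.)
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# Listing the filter table fails when the running kernel lacks NetFilter
# (or when we are not root); either way nothing here can be changed.
if ! "$IPT" -L -n > /dev/null 2>&1; then
  echo "$0 : Not with this kernel" >&2
  exit 0
fi

### VARIABLES

DEFAULT_POL="INPUT OUTPUT FORWARD" # Built-in chains whose policy is reset

### BEGIN

# Flush and remove all chains, then default the policies to ACCEPT.
# Each step is checked so "done" is only printed when the table is open.
"$IPT" -F || exit 1
"$IPT" -X || exit 1
# $DEFAULT_POL is split on whitespace on purpose: one chain name per word.
for i in $DEFAULT_POL; do
  "$IPT" -P "$i" ACCEPT || exit 1
done

echo "$0 done"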

Iptables_rules_up.sh :

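#!/bin/sh
#
# Iptables_rules_up.sh - workstation firewall (filter table only).
#
# Sets the INPUT, OUTPUT and FORWARD policies to DROP, then allows:
#   - anything on the loopback interface;
#   - SSH (tcp/22) to this host from the administration stations in ADM_IP
#     (the opening packet of each session is logged);
#   - outgoing HTTP proxy (tcp/8080) to PROXY_IP, SMTP/POP (tcp/25,110) to
#     MAIL_IP and DNS (udp/53) to DNS_IP, plus their replies;
#   - optionally NTP and ICMP, see the commented sections below.
# Every TCP packet crossing $INT first goes through $CHECK_TCP, which only
# passes clean SYNs for NEW connections and non-SYN packets of ESTABLISHED
# ones.  Whatever is not matched is logged at level 7 and dropped.
#
# Needs root and a NetFilter-enabled kernel.  Exits 0 without touching
# anything when iptables cannot be used, exits 1 before flushing anything
# when the address of $INT cannot be read, and aborts on the first failing
# iptables call once the rule set is being built.
# Companion scripts: custom_net.sh (sysctl hardening, run from here) and
# Iptables_rules_down.sh (removes the rules and opens the policies).
#
# Globals: IPT, INT, LOCAL_IP, NRPORTS, LOG_ACCEPT (read by the helpers)
# Outputs: "$0 done" on stdout on success; diagnostics on stderr

IPT=/sbin/iptables

### CHECK KERNEL VERSION AND BINARY PRESENCE

# A missing or non-executable iptables means there is nothing to configure.
# (The original used `&&`, which only fired when the file was absent.)
if [ ! -f "$IPT" ] || [ ! -x "$IPT" ]; then exit 0; fi
# Listing the filter table fails when the running kernel lacks NetFilter
# (or when we are not root); either way the rules cannot be installed.
if ! "$IPT" -L -n > /dev/null 2>&1; then
  echo "$0 : Not with this kernel" >&2
  exit 0
fi

### Set OUR value to the printk variable
# console_loglevel 6: the LOG rules below use --log-level 7 (debug), so
# their messages reach syslog without being echoed to the console.
echo "6 4 1 7" > /proc/sys/kernel/printk

### NETWORK CUSTOMIZATION

# Sysctl hardening (rp_filter, no redirects, no forwarding, ...) runs first.
CUSTOM_NET=/home/system/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi

### VARIABLES

INT=eth0 # The only non-loopback interface; every rule below is bound to it

# Addresses, read from ifconfig.  Both the old "inet addr:A.B.C.D" and the
# newer "inet A.B.C.D" output formats are handled; only the first IPv4
# address of $INT is kept.
LOCAL_IP=$(ifconfig "$INT" | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
# Not used by the rules below; kept for hand-written rules.
BROADCAST_IP=$(ifconfig "$INT" | awk '/inet / { for (i = 2; i <= NF; i++) { if ($i ~ /^Bcast:/) { sub(/^Bcast:/, "", $i); print $i; exit } if ($i == "broadcast") { print $(i + 1); exit } } }')

# Stop here with an empty address: the SSH rules use -d "$LOCAL_IP", and an
# empty value would make them fail, leaving no management access once the
# policies are at DROP.  Nothing has been flushed yet, so the previous rule
# set stays in place.
if [ -z "$LOCAL_IP" ]; then
  echo "$0 : cannot read the IPv4 address of $INT" >&2
  exit 1
fi

# Remote administration stations allowed to SSH in.  They are trusted by
# source address alone, so keep this list short.
ADM_IP="10.1.1.77"

DNS_IP="10.1.1.10 10.1.1.11"
PROXY_IP="10.1.1.20 10.1.1.21"
MAIL_IP="10.1.1.30 10.1.1.31"

# Uncomment here and in the script to allow that kind of functionality
#NTP_IP="@IP_NTPSERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"

# Personal chains and default policies
DEFAULT_POL="INPUT OUTPUT FORWARD"
LOG_ACCEPT="LogAccept"
LOG_DROP="LogDrop"
LOOPBACK="DLoopBack"
CHECK_TCP="DCheckTcp"

# Various
RPORTS=":1024"  # Privileged ports; not used by the rules below
NRPORTS="1024:" # Unprivileged ports: the client side of every connection

### HELPERS

# allow_client PROTO SERVER PORT
# Let this host open PROTO connections to SERVER:PORT from an unprivileged
# source port, and accept the matching replies.
allow_client() {
  "$IPT" -A OUTPUT -o "$INT" -p "$1" --sport "$NRPORTS" -d "$2" --dport "$3" -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i "$INT" -p "$1" -s "$2" --sport "$3" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
}

# allow_ssh_from ADMIN
# Accept SSH sessions from ADMIN to this host, logging the opening packet
# through $LOG_ACCEPT.
allow_ssh_from() {
  "$IPT" -A INPUT -i "$INT" -p tcp -s "$1" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state NEW -j "$LOG_ACCEPT"
  "$IPT" -A INPUT -i "$INT" -p tcp -s "$1" --sport "$NRPORTS" -d "$LOCAL_IP" --dport 22 -m state --state ESTABLISHED -j ACCEPT
  "$IPT" -A OUTPUT -o "$INT" -p tcp -s "$LOCAL_IP" --sport 22 -d "$1" --dport "$NRPORTS" -m state --state ESTABLISHED -j ACCEPT
}

### BEGIN

# From here on a failing iptables call aborts the script: the policies are
# switched to DROP first, so an incomplete rule set fails closed, and the
# error is reported instead of leaving a silent gap.
set -e

# Flush and remove all chains then default the policies to DROP
"$IPT" -F
"$IPT" -X
# $DEFAULT_POL is split on whitespace on purpose: one chain name per word.
for i in $DEFAULT_POL; do
  "$IPT" -P "$i" DROP
done

### Create and set personal chains

# Log and accept chain
"$IPT" -N "$LOG_ACCEPT"
"$IPT" -A "$LOG_ACCEPT" -j LOG --log-prefix "Packet log $LOG_ACCEPT " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_ACCEPT" -j ACCEPT

# Log and drop chain
"$IPT" -N "$LOG_DROP"
"$IPT" -A "$LOG_DROP" -j LOG --log-prefix "Packet log $LOG_DROP " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$LOG_DROP" -j DROP

# TCP sanity chain: a NEW connection must start with a bare SYN (no
# ACK/FIN/RST set) and an ESTABLISHED one must not carry SYN; anything
# else (scans, spoofed or invalid segments) is logged and dropped.
"$IPT" -N "$CHECK_TCP"
"$IPT" -A "$CHECK_TCP" -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m state --state NEW -j RETURN
"$IPT" -A "$CHECK_TCP" -p tcp ! --syn -m state --state ESTABLISHED -j RETURN
"$IPT" -A "$CHECK_TCP" -j LOG --log-prefix "Packet log $LOG_DROP/Invalid " --log-tcp-options --log-ip-options --log-level 7
"$IPT" -A "$CHECK_TCP" -j DROP

# Accept chain for loopback (keeps 'iptables -L -n' readable)
"$IPT" -N "$LOOPBACK"
"$IPT" -A "$LOOPBACK" -j ACCEPT

### LOOPBACK, TCP DEFAULT CHECK AND REMOTE MANAGEMENT

# Allow whatever on loopback
"$IPT" -A INPUT -i lo -j "$LOOPBACK"
"$IPT" -A OUTPUT -o lo -j "$LOOPBACK"

# Check TCP flags on every TCP packet crossing $INT (was hard-coded to eth0)
"$IPT" -A INPUT -i "$INT" -p tcp -j "$CHECK_TCP"
"$IPT" -A OUTPUT -o "$INT" -p tcp -j "$CHECK_TCP"

# Allow SSH remote management and log SYN connections
for i in $ADM_IP; do
  allow_ssh_from "$i"
done

### ALLOW THESE TCP CONNECTIONS

# Allow HTTP/HTTPS to the HTTP proxy servers
for i in $PROXY_IP; do
  allow_client tcp "$i" 8080
done

# Allow SMTP/POP to the mail servers
for i in $MAIL_IP; do
  for p in 25 110; do
    allow_client tcp "$i" "$p"
  done
done

### ALLOW THESE UDP CONNECTIONS

# Allow DNS to the DNS servers
for i in $DNS_IP; do
  allow_client udp "$i" 53
done

### Uncomment if you want to allow communications to NTP servers
### => Also uncomment and set NTP_IP at the beginning of the script.

## Allow NTP to the NTP servers
# for i in $NTP_IP; do
#   allow_client udp "$i" 123
# done

### ALLOW THESE ICMP REQUESTS AND RESPONSES

### Uncomment if you want certain hosts to send us icmp requests
### => Also uncomment and set ICMP_IP at the beginning of the script

# Allow some hosts' icmp requests (fragmented ICMP is always dropped)
# for i in $ICMP_IP; do
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type echo-request -s "$i" -m state --state NEW -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p icmp --fragment -j DROP
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type destination-unreachable -s "$i" -j ACCEPT
#   "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type time-exceeded -s "$i" -m state --state RELATED -j ACCEPT
#   "$IPT" -A OUTPUT -o "$INT" -p icmp --icmp-type echo-reply -d "$i" -m state --state ESTABLISHED,RELATED -j ACCEPT
# done

### Uncomment if you allow this station to send certain kinds of icmp requests
# Allow some icmp requests to be sent.  No loop sets $i in this section
# (the original lines carried a stray -s $i), so the ICMP errors are
# restricted to RELATED state, i.e. errors about connections we opened.
# "$IPT" -A OUTPUT -o "$INT" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
# "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# "$IPT" -A INPUT -i "$INT" -p icmp --fragment -j DROP
# "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
# "$IPT" -A INPUT -i "$INT" -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT

### AND LAST : LOG AND DENY

# Whatever reaches the end of a built-in chain is logged, then dropped.
for i in $DEFAULT_POL; do
  "$IPT" -A "$i" -j "$LOG_DROP"
done

echo "$0 done"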

Simon Castro
Mis à jour le 4 mai 2003