#1 Le 06/01/2009, à 12:03
- beepix
Avis sur mon firewall.
Bonjour a tous,
J'ai créé un petit firewall, et j'aurais souhaité votre avis dessus !
- les règles sont-elles bien écrites ?
- y a-t-il une incohérence au niveau d'iptables ?
Les règles d'ouverture de port concernant le DNS, HTTP, HTTPS et MSN sont-elles logiques, ou y a-t-il une méthode bien meilleure à suivre ?
Enfin bon, votre avis, quoi.
----------------------------------------------------------------
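#!/bin/sh
# Wall Fire Client -- host firewall for a single workstation (client role).
# The filter table gets a DROP policy on INPUT/OUTPUT/FORWARD and only the
# client protocols listed further down are opened explicitly.
# Must run as root: it writes /proc/sys/net/ipv4/* and calls iptables.
# Scope: iptables filters IPv4 only.  If IPv6 is enabled on this host, an
# equivalent ip6tables ruleset is needed or IPv6 traffic goes unfiltered.
NAME="Wall Fire Client v1.2.9"
# Terminal colours.  Built with printf rather than a literal "\033" string:
# dash's echo expands \033 but bash's echo does not, so with a plain string
# the escape sequences print as text depending on which /bin/sh is used.
ESC="$(printf '\033')"
VERT="${ESC}[32m"
JAUNE="${ESC}[33m"
GRAS="${ESC}[1m"
NORMAL="${ESC}[m"
ROUGE="${ESC}[31m"
VIOLET="${ESC}[35m"
CYAN="${ESC}[36m"
BLANC="${ESC}[37m"
BLEU="${ESC}[34m"
IPTABLES="/sbin/iptables"
#--------------------------------------------------------------------------------------------#
LAN_ETH="wlan0"                 # The one non-loopback interface the rules apply to
LAN_LO="lo"                     # Loopback interface
LAN_IP="192.168.60.20"          # This host's address on LAN_ETH
LAN_NETWORK="192.168.60.0/24"   # Local network (not referenced by the rules below)
LAN_BROADCAST="192.168.60.255"  # Local broadcast address (not referenced below)
#--------------------------------------------------------------------------------------------#
# Resolvers this host may query (see the DNS client rules).
DNS_PRIMAIRE="212.27.40.240"
DNS_SECONDAIRE="212.27.40.241"
#--------------------------------------------------------------------------------------------#
LOOPBACK_NETWORK="127.0.0.0/8"  # Reserved loopback range (not referenced below)
ANYWHERE="0.0.0.0/0"            # Any address
BROADCAST_SRC="0.0.0.0"         # Broadcast source address (not referenced below)
BROADCAST_DEST="255.255.255.255" # Broadcast destination address (not referenced below)
#--------------------------------------------------------------------------------------------#
# Well-known ports.  Several are defined for later use and have no rule yet.
SSH_PORT=22      # SSH   (no rule below uses it)
DNS_PORT=53      # DNS
HTTP_PORT=80     # HTTP
HTTPS_PORT=443   # HTTPS
MSN_PORT=1863    # MSN Messenger
FTP_PORT=21      # FTP   (no rule below uses it)
POP_PORT=110     # POP3  (no rule below uses it)
SMTP_PORT=25     # SMTP  (no rule below uses it)
IMAP_PORT=143    # IMAP is 143/tcp -- the original said 145, which is not an IMAP port
NTP_PORT=123     # NTP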
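# Everything from here on needs root: iptables refuses to run otherwise and
# the /proc/sys writes fail, leaving the host half-configured.
if [ "$(id -u)" -ne 0 ]; then
    echo "$NAME: must be run as root" >&2
    exit 1
fi
echo "$CYAN Initialisation de $NAME Mode : $ROUGE Sécurité $NORMAL"
echo " "
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Initialisation de la table Filter."
# Set the DROP policies *before* flushing.  On a re-run the old rules are
# gone for an instant between -F and the policy change; with the policy
# already DROP that window fails closed instead of open.
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU FILTER $VERT: Drop tous le traffic $NORMAL"
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P FORWARD DROP
"$IPTABLES" -t filter -P OUTPUT DROP
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU FILTER $VERT: Flush les tables $NORMAL"
"$IPTABLES" -t filter -F
"$IPTABLES" -t filter -X
# nat and mangle are not filtering tables: their chains are emptied and their
# policies left at ACCEPT; every accept/drop decision lives in filter above.
# (The original banners announced "DROP tous le traffic" here while the
# commands set ACCEPT -- the messages now say what is actually done.)
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Initialisation de la table NAT."
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU NAT $VERT: Flush les tables $NORMAL"
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU NAT $VERT: Politique par defaut ACCEPT (pas de filtrage ici) $NORMAL"
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Initialisation de la table Mangle."
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU MANGLE $VERT: Flush les tables $NORMAL"
"$IPTABLES" -t mangle -F
"$IPTABLES" -t mangle -X
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL $BLEU MANGLE $VERT: Politique par defaut ACCEPT (pas de filtrage ici) $NORMAL"
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT
# Local processes talk to each other over lo unrestricted.
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Autorisation de la loopback."
"$IPTABLES" -t filter -A INPUT -i "$LAN_LO" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -o "$LAN_LO" -j ACCEPT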
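echo " "
echo "$CYAN Initialisation des modules de sécurités. $NORMAL"
echo " "
# set_proc FILE VALUE -- write VALUE into FILE when that knob exists.
# Kernels differ in which /proc/sys entries they expose; a missing one is
# skipped quietly instead of printing "No such file" mid-run.
set_proc() {
    if [ -f "$1" ]; then
        echo "$2" > "$1"
    fi
}
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Spoofing IP."
# Reverse-path filtering.  The knob is named rp_filter; the original tested
# for "rpfilter", a file that does not exist, so the whole block was skipped
# and anti-spoofing was never enabled.  Applied to every conf/* entry
# (all, default and each interface).
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_proc "$filtre" 1
done
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Forwarding."
set_proc /proc/sys/net/ipv4/ip_forward 0          # a client host never routes between interfaces
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure dynamic IP hacking."
set_proc /proc/sys/net/ipv4/ip_dynaddr 0          # masquerading knob; unused here, kept off
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Anti-SYN Flood."
set_proc /proc/sys/net/ipv4/tcp_syncookies 1
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Martians Attack."
set_proc /proc/sys/net/ipv4/conf/all/log_martians 1   # log packets with impossible source addresses
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Source Routing."
set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure ICMP Bogus Response."
set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure ICMP Redirects."
set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure ICMP Echo Request."
# Largely redundant with the INPUT DROP policy (no rule accepts echo
# requests), but it keeps the host silent to ping even if the rules are
# flushed.  Side effect: the machine cannot be pinged for diagnostics.
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_all 1
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure DDOS Kernel."
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_fin_timeout."
set_proc /proc/sys/net/ipv4/tcp_fin_timeout 30    # shorter FIN_WAIT_2 hold (kernel default is 60)
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_timestamps."
# Caveat: disabling timestamps also disables PAWS and RTT measurement.  It
# hides uptime from fingerprinting but is a trade-off, not a pure hardening.
set_proc /proc/sys/net/ipv4/tcp_timestamps 0
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_keepalive_time."
set_proc /proc/sys/net/ipv4/tcp_keepalive_time 1800   # kernel default is 7200
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - ip_ct_generic_timeout."
# Conntrack timeout for protocols other than TCP/UDP/ICMP.  The first path
# is the ip_conntrack-era name; nf_conntrack kernels expose the same knob
# under net/netfilter.  Whichever exists is set.
set_proc /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
set_proc /proc/sys/net/netfilter/nf_conntrack_generic_timeout 120
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_sack."
# Caveat: SACK/FACK/DSACK off costs throughput on lossy links (this is a
# Wi-Fi interface).  They are congestion-recovery features, not DDoS
# controls; keep these three lines only if that trade-off is intended.
set_proc /proc/sys/net/ipv4/tcp_sack 0
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_fack."
set_proc /proc/sys/net/ipv4/tcp_fack 0
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Module - tcp_dsack."
set_proc /proc/sys/net/ipv4/tcp_dsack 0
#--------------------------------------------------------------------------------------------#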
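echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure Private IP."
# PrivateD: rate-limited LOG, then DROP, for packets that arrive on LAN_ETH
# with a source address that cannot legitimately come off that wire.
"$IPTABLES" -N PrivateD
"$IPTABLES" -A PrivateD -p tcp  -m limit --limit 1/s -j LOG --log-prefix "[TCP Private]"
"$IPTABLES" -A PrivateD -p udp  -m limit --limit 1/s -j LOG --log-prefix "[UDP Private]"
"$IPTABLES" -A PrivateD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Private]"
"$IPTABLES" -A PrivateD -f      -m limit --limit 1/s -j LOG --log-prefix "[FRAG Private]"
"$IPTABLES" -A PrivateD -j DROP
# Loopback, link-local, TEST-NET-1 and the benchmarking range.  The other
# RFC 1918 blocks (10/8, 172.16/12) are deliberately not listed: on a home
# LAN they can be legitimately routed -- add them if you know they never are.
for bogon in 127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 198.18.0.0/15; do
    "$IPTABLES" -A INPUT -i "$LAN_ETH" -s "$bogon" -j PrivateD
done
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure XMAS & Null SCAN."
# ScanD: rate-limited LOG, then DROP, for TCP flag combinations no normal
# stack emits.  "--tcp-flags MASK SET" means: of the flags in MASK, exactly
# those in SET are on.
"$IPTABLES" -N ScanD
"$IPTABLES" -A ScanD -p tcp  -m limit --limit 3/s  -j LOG --log-prefix "[TCP Scan]"
"$IPTABLES" -A ScanD -p udp  -m limit --limit 10/s -j LOG --log-prefix "[UDP Scan]"
"$IPTABLES" -A ScanD -p icmp -m limit --limit 1/s  -j LOG --log-prefix "[ICMP Scan]"
"$IPTABLES" -A ScanD -f      -m limit --limit 1/s  -j LOG --log-prefix "[FRAG Scan]"
"$IPTABLES" -A ScanD -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j ScanD   # XMAS
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j ScanD                   # all flags set
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD                  # NULL scan
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
"$IPTABLES" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
"$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD               # FIN without ACK
"$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD               # PSH without ACK
"$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD               # URG without ACK (was listed twice)
# Bare RST (no ACK/SYN/FIN).  This is not purely a scan signature: a peer
# aborting an existing connection may send RST without ACK, and that reply
# is then logged as a scan and dropped, leaving the local socket to time
# out.  Kept from the original; remove this line if that shows up in practice.
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ScanD
#--------------------------------------------------------------------------------------------#
echo " $ROUGE[$NORMAL$VERT Active $NORMAL$ROUGE]$NORMAL Secure DDos attacks."
# DDoS: inbound SYNs above 12/s (burst 24) are logged and dropped; within
# budget, RETURN sends the packet back to INPUT for normal evaluation.
# Caveat: -m limit is a single global bucket, not per source, so one noisy
# peer pushes every new inbound connection (e.g. to the web server below)
# into the drop path.  hashlimit with --hashlimit-mode srcip gives a
# per-source bucket if that matters.
"$IPTABLES" -N DDoS
"$IPTABLES" -A DDoS -m limit --limit 12/s --limit-burst 24 -j RETURN
"$IPTABLES" -A DDoS -j LOG --log-prefix "[DDos Attack] "
"$IPTABLES" -A DDoS -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
#--------------------------------------------------------------------------------------------#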
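echo " "
echo "$CYAN Initialisation des Stratégies CLIENT's. $NORMAL"
echo " "
# Accept ICMP errors that belong to our own connections (destination
# unreachable, fragmentation needed, ...).  With INPUT DROP and no other
# ICMP rule they were silently dropped, which blackholes path-MTU discovery.
"$IPTABLES" -A INPUT -i "$LAN_ETH" -p icmp -m state --state RELATED -j ACCEPT
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion client DNS."
# Queries may go to either resolver.  The original only opened the primary,
# so a fall-back to DNS_SECONDAIRE was blocked by the OUTPUT DROP policy.
for dns in "$DNS_PRIMAIRE" "$DNS_SECONDAIRE"; do
    "$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p udp --dport "$DNS_PORT" -s "$LAN_IP" -d "$dns" -j ACCEPT
    "$IPTABLES" -A INPUT  -i "$LAN_ETH" -p udp -m state --state ESTABLISHED,RELATED --sport "$DNS_PORT" -s "$dns" -d "$LAN_IP" -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p tcp --dport "$DNS_PORT" -s "$LAN_IP" -d "$dns" -j ACCEPT
    "$IPTABLES" -A INPUT  -i "$LAN_ETH" -p tcp -m state --state ESTABLISHED,RELATED --sport "$DNS_PORT" -s "$dns" -d "$LAN_IP" -j ACCEPT
done
# Outbound client services: NEW connections leave from LAN_IP, only
# ESTABLISHED replies come back in.
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion client NTP."
"$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p udp --dport "$NTP_PORT" -s "$LAN_IP" -d "$ANYWHERE" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -i "$LAN_ETH" -p udp --sport "$NTP_PORT" -s "$ANYWHERE" -d "$LAN_IP" -m state --state ESTABLISHED -j ACCEPT
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion client HTTP."
"$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p tcp --dport "$HTTP_PORT" -s "$LAN_IP" -d "$ANYWHERE" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -i "$LAN_ETH" -p tcp --sport "$HTTP_PORT" -s "$ANYWHERE" -d "$LAN_IP" -m state --state ESTABLISHED -j ACCEPT
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion client HTTPS."
"$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p tcp --dport "$HTTPS_PORT" -s "$LAN_IP" -d "$ANYWHERE" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -i "$LAN_ETH" -p tcp --sport "$HTTPS_PORT" -s "$ANYWHERE" -d "$LAN_IP" -m state --state ESTABLISHED -j ACCEPT
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion client reseaux MSN."
"$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p tcp --dport "$MSN_PORT" -s "$LAN_IP" -d "$ANYWHERE" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT  -i "$LAN_ETH" -p tcp --sport "$MSN_PORT" -s "$ANYWHERE" -d "$LAN_IP" -m state --state ESTABLISHED -j ACCEPT
echo " $ROUGE[$NORMAL$VERT Autorisation $NORMAL$ROUGE]$NORMAL Autorise Connexion Serveur web."
# The single inbound opening: port 80 on LAN_ETH to any source.  Keep it only
# if this host really runs a web server.  State-matched so stray packets to
# :80 that belong to no connection no longer bypass the filter (the original
# accepted anything with dport 80).
"$IPTABLES" -A INPUT  -i "$LAN_ETH" -p tcp --dport "$HTTP_PORT" -s "$ANYWHERE" -d "$LAN_IP" -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LAN_ETH" -p tcp -m state --state ESTABLISHED,RELATED --sport "$HTTP_PORT" -s "$LAN_IP" -d "$ANYWHERE" -j ACCEPT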
voilà, merci d'avance !!!