|
|
# installation : firewall
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
## commun
|
|
|
|
|
|
*[sur Debian iptables est installé par défaut]*
|
|
|
|
|
|
# apt-get install iptables iptables-persistent
|
|
|
iptables-persistent iptables-persistent/autosave_v4 boolean false
|
|
|
iptables-persistent iptables-persistent/autosave_v6 boolean false
|
|
|
|
|
|
*[- règles de base: tout bloqué sauf SSH, trafic interne et vers l'extérieur]*
|
|
|
|
|
|
# export IF_WAN=$EXT
|
|
|
# export IF_LAN=$INT
|
|
|
# cat <<EOF >/etc/iptables/rules.v4
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
# For an introduction to iptables see
|
|
|
# <https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html>
|
|
|
# For the meaning of TCP/UDP ports look at
|
|
|
# <https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers>
|
|
|
# Based on "§ 5.14.3.2 Manual init.d configuration" at
|
|
|
# <file:///usr/share/doc/harden-doc/html/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup>
|
|
|
# <http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup>
|
|
|
# Also based on "§ 14 Linux Firewalls Using iptables" at
|
|
|
# <http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables>
|
|
|
#
|
|
|
## iptables Packet Flow Diagram:
|
|
|
##
|
|
|
## [in]
|
|
|
## |
|
|
|
## v
|
|
|
## raw PREROUTING
|
|
|
## |
|
|
|
## nat PREROUTING (DNAT)
|
|
|
## | |
|
|
|
## [firewall] [internal network]
|
|
|
## | |
|
|
|
## v v
|
|
|
## filter INPUT filter FORWARD
|
|
|
## | |
|
|
|
## v v
|
|
|
## filter OUTPUT--->nat POSTROUTING (SNAT)
|
|
|
## |
|
|
|
## v
|
|
|
## [out]
|
|
|
|
|
|
|
|
|
### module:iptable_nat needed for *NAT
|
|
|
*nat
|
|
|
:PREROUTING ACCEPT [0:0]
|
|
|
:POSTROUTING ACCEPT [0:0]
|
|
|
|
|
|
## DNAT
|
|
|
|
|
|
# NOTE(review): the two template lines below are comments only; their
# placeholders are escaped (\$...) so they survive the unquoted heredoc
# that writes this file, exactly like the \$PROTOCOLE/\$IP_WAN/\$PORT_WAN
# placeholders on the commented-out rule further down.
# \$SERVICE_\$HOSTNAME
|
|
|
### module:\$MODULE for \$SERVICE
|
|
|
# Port-forwarding template: copy, fill in and uncomment one line per
# published service. Each DNAT rule also needs its matching FORWARD
# ACCEPT rule in the filter table (see the "# DNAT" template there),
# otherwise the translated packet is rejected by the FORWARD chain.
#-A PREROUTING -p \$PROTOCOLE -i $IF_WAN -d \$IP_WAN --dport \$PORT_WAN -j DNAT --to-destination \$IP_LAN[:\$PORT_LAN]
|
|
|
|
|
|
## SNAT
|
|
|
|
|
|
## NAPT (many-to-one NAT)
|
|
|
|
|
|
# Forward local traffic to the Internet
|
|
|
### module:ipt_MASQUERADE needed for MASQUERADE
|
|
|
# The -s prefix is computed once, when the heredoc is written (the EOF
# delimiter is unquoted, so the command substitution runs in the shell,
# not in iptables): it is the first field of every "ip r s" line that
# mentions IF_LAN.
# NOTE(review): if "ip r s" lists more than one route on IF_LAN (e.g. a
# default route, whose first field is "default"), awk prints several
# lines and the written rule is malformed -- read the generated
# /etc/iptables/rules.v4 before loading it. Restricting -s to the LAN
# prefix keeps the box from masquerading traffic with a source address it
# does not route, so keep the match; just make sure it holds one CIDR.
-A POSTROUTING -o $IF_WAN -s $(ip r s | grep $IF_LAN | awk '{print $1}') -j MASQUERADE
|
|
|
|
|
|
COMMIT
|
|
|
|
|
|
|
|
|
*filter
|
|
|
# Default policies. Every chain below ends in an unconditional REJECT,
# so these DROP policies are only reached by a packet that somehow
# passes the whole chain -- as written, none does.
# NOTE(review): this page writes rules.v4 only; ip6tables keeps its
# default ACCEPT policies unless a rules.v6 is written as well.
:INPUT DROP [0:0]
|
|
|
:FORWARD DROP [0:0]
|
|
|
:OUTPUT DROP [0:0]
|
|
|
|
|
|
## localhost: INPUT
|
|
|
|
|
|
# Accept all loopback traffic
|
|
|
-A INPUT -i lo -j ACCEPT
|
|
|
# Accept already-working connections
|
|
|
### module:ip_conntrack is needed for --state
# NOTE(review): ip_conntrack is the legacy module name (nf_conntrack on
# current kernels); -m state is kept as an alias of
# -m conntrack --ctstate with the same state names.
|
|
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
# Accept ICMP ping requests (0 = echo-reply, 8 = echo-request)
# Only echo-request is accepted as NEW; replies to our own pings come
# back as ESTABLISHED through the rule above. There is no -m limit on
# this rule, so inbound echo-requests are not rate-limited.
|
|
|
-A INPUT -p icmp -m icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
|
|
|
# Allow remote management via SSH from any location
# NOTE(review): no -i or -s match, so port 22001 is open on every
# interface to any source address; if administration only comes from
# the LAN, narrow it with -i \$IF_LAN (or -s and the admin prefix).
|
|
|
-A INPUT -p tcp --dport 22001 -m state --state NEW -j ACCEPT
|
|
|
# All other connections are registered in syslog and returned an
|
|
|
# error message to the host sending the packet that the packet was
|
|
|
# blocked (thus better than DROP)
|
|
|
## <http://blog.bodhizazen.net/linux/prevent-dos-with-iptables/>
|
|
|
## <http://linuxgazette.net/126/cherian.html>
|
|
|
# The limit (50/minute, burst 200) throttles the LOG rule only, so the
# kernel log cannot be flooded; packets over the limit, and anything
# that is not NEW (e.g. INVALID), are still rejected by the next rule,
# just without a log line.
-A INPUT -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j LOG --log-prefix "INPUT4: "
|
|
|
### module:ipt_REJECT needed for REJECT
|
|
|
# Unconditional, so the chain policy is never reached. REJECT without
# --reject-with answers with icmp-port-unreachable.
-A INPUT -j REJECT
|
|
|
|
|
|
## internal traffic
|
|
|
|
|
|
# DNAT
|
|
|
# Template for the FORWARD half of a port forward (pairs with the DNAT
# template in the nat table); placeholders are escaped the same way.
#-A FORWARD -p \$PROTOCOLE -i $IF_WAN -d \$IP_LAN --dport \$PORT_LAN -j ACCEPT
|
|
|
|
|
|
# Allow any internal traffic
# Anything entering on IF_LAN may be forwarded to any interface; the
# rule is not restricted to -o \$IF_WAN.
|
|
|
-A FORWARD -i $IF_LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
# Allow already-working external traffic
|
|
|
-A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
# Allow any outbound external traffic
# NOTE(review): no -i match here, so a NEW flow that enters on IF_WAN
# and is routed back out IF_WAN would be accepted too; add -i \$IF_LAN
# if only LAN-originated traffic should leave through IF_WAN.
|
|
|
-A FORWARD -o $IF_WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
# All other connections logged and rejected
# Same LOG/REJECT pattern as INPUT: rate-limited log, unconditional
# reject.
|
|
|
-A FORWARD -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j LOG --log-prefix "FORWARD4: "
|
|
|
-A FORWARD -j REJECT
|
|
|
|
|
|
## localhost: OUTPUT
# Egress from the firewall itself is allow-listed per service below; a
# new outbound flow with no rule here (e.g. HTTPS on 443, or DNS over
# TCP -- neither has one) ends in the LOG/REJECT pair.
|
|
|
|
|
|
# Allow all loopback traffic
|
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
|
# Allow any internal traffic
|
|
|
-A OUTPUT -o $IF_LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
# Allow already-working external traffic
|
|
|
-A OUTPUT -o $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
# Allow ICMP traffic
# All ICMP types, on any interface (not limited to echo-request).
|
|
|
-A OUTPUT -p icmp -m state --state NEW -j ACCEPT
|
|
|
# Allow external WHOIS requests
# The --sport 1024:65535 match on the rules below only admits
# unprivileged client source ports.
|
|
|
-A OUTPUT -p tcp -o $IF_WAN --sport 1024:65535 --dport 43 -m state --state NEW -j ACCEPT
|
|
|
# Allow external DNS requests
# UDP only; a resolver that retries over TCP after a truncated answer
# is rejected by the final rule.
|
|
|
-A OUTPUT -p udp -o $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
|
|
|
# Allow external NTP requests
# NOTE(review): matches source port 123 only, i.e. a daemon bound to
# 123; a client that sends from an ephemeral port is not covered by
# this rule -- TODO confirm against the time daemon in use.
|
|
|
-A OUTPUT -p udp -o $IF_WAN --sport 123 --dport 123 -m state --state NEW -j ACCEPT
|
|
|
# Allow external HTTP browsing (hint: apt-get)
# Plain HTTP only.
|
|
|
-A OUTPUT -p tcp -o $IF_WAN --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
|
|
|
# Allow external traceroute traffic
# UDP probes to the classic traceroute destination port range.
|
|
|
-A OUTPUT -p udp -o $IF_WAN --sport 1024:65535 --dport 33434:33534 -m state --state NEW -j ACCEPT
|
|
|
# All other connections logged and rejected
# Same LOG/REJECT pattern as INPUT and FORWARD.
|
|
|
-A OUTPUT -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j LOG --log-prefix "OUTPUT4: "
|
|
|
-A OUTPUT -j REJECT
|
|
|
|
|
|
COMMIT
|
|
|
EOF
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# service iptables-persistent restart
|
|
|
[test]
|
|
|
# etckeeper commit 'iptables/rules.v4: new file'
|
|
|
# unset IF_LAN
|
|
|
# unset IF_WAN |