PUTAIN DE MMMMMMMMMMMMMMMMM ........ !!!!
je suis le seul à ne pas pouvoir aller soit sur mon FTP soit sur mon site pour tester !!!!
..bon j'avoue, mon firewall c'est ALESIA !!!
LAN - EXT - DMZ .... avec du DNAT SNAT MASQUERADE ..y'a tout quoi !!!
voilà le bouillon :
#!/bin/sh
#
# Ceci est un fichier généré automatiquement, NE PAS MODIFIER !
#
# Firewall Builder fwb_ipt v1.0.5
#
# Généré Tue Mar 25 08:22:09 2003 CET par admin
#
#
#
#
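# check PATH
# Abort the whole script unless PATH is an executable file. Used below
# for the tools this script cannot run without (iptables, ip).
# The diagnostic now goes to stderr instead of stdout so it is not
# mistaken for script output; the message text itself is unchanged.
check() {
  if [ ! -x "$1" ]; then
    printf '%s non trouvé ou non executable\n' "$1" >&2
    exit 1
  fi
}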
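# log MESSAGE
# Best-effort syslog note at priority "info" through the binary named
# in LOGGER. Silently skipped when that binary is not executable, so a
# box without logger(1) still loads its firewall.
# Fix: the test looked at $LOGGER but the call ran whichever "logger"
# came first on PATH; both now refer to the same binary.
log() {
  if [ -x "$LOGGER" ]; then
    "$LOGGER" -p info "$1"
  fi
}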
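# Absolute paths for the tools used below, fixed before anything runs
# so the script does not depend on PATH (it is meant to run at boot).
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
# iptables and ip are mandatory: check() exits the script if either is
# missing. logger is optional and only consulted by log().
# Expansions are quoted so an unusual path cannot be word-split.
check "$IPTABLES"
check "$IP"
# Working directory for the rest of the script. Every path used below
# is absolute, so the reason for /etc is not visible in this file; kept
# as the generator emitted it.
cd /etc || exit 1
log "Activation du script de firewall généré Tue Mar 25 08:22:09 2003 CET par admin"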
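# Netfilter helper modules for the running kernel (2.4-era ".o" layout;
# -k is the modutils "autoclean" flag, which later module-init-tools
# no longer accepts).
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
# ip_conntrack is the base for every "-m state" rule below.
# ip_conntrack_ftp/ip_nat_ftp are needed for the FTP service published
# by "Rule 2(NAT)" (data connections are tracked as RELATED).
# ip_conntrack_irc/ip_nat_irc: no IRC rule appears in this file. Each
# loaded helper widens what the ESTABLISHED,RELATED accept rules let
# through, so load only the helpers that are actually required.
MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc"
# A module is loaded only if it exists for this kernel; a load failure
# aborts the script (the firewall must not come up half-configured).
# "$(echo ...)" wrapper dropped and deprecated "[ -a -o ]" replaced by
# two tests — same result, portable across sh implementations.
for module in $MODULES; do
  if [ -e "${MODULE_DIR}/${module}.o" ] || [ -e "${MODULE_DIR}/${module}.o.gz" ]; then
    modprobe -k "${module}" || exit 1
  fi
done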
# Remember the current forwarding state and switch routing off while
# the rule set is rebuilt, so no packet is forwarded through a
# half-built firewall. NOTE: FWD is not read anywhere later in this
# file; forwarding is re-enabled unconditionally at the end.
FWD=$(cat /proc/sys/net/ipv4/ip_forward)
echo 0 > /proc/sys/net/ipv4/ip_forward
# TCP tuning. NOTE(review): tcp_keepalive_intvl is the gap between
# unanswered keepalive probes; 1800 s looks like a value intended for
# tcp_keepalive_time — confirm.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Drop stale ARP entries and any alias addresses this generator added
# earlier (they carry the "ethN:FWB" label).
for iface in eth0 eth1; do
  "$IP" -4 neigh flush dev "$iface"
  "$IP" -4 addr flush dev "$iface" label "${iface}:FWB*"
done
# Default-deny on all three built-in filter chains BEFORE the old rules
# are flushed, so the host is closed rather than open during the rebuild.
for chain in OUTPUT INPUT FORWARD; do
  "$IPTABLES" -P "$chain" DROP
done
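# Empty every table the kernel currently has loaded.
# "-F" with no chain flushes all chains of the table and "-X" with no
# chain deletes every (now empty) user-defined chain — the same result
# as the old per-chain loop, without parsing "iptables -L" output or
# the "cat | while" subshell. The DROP policies set above stay in place.
while read -r table; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names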
#
# Rule 0(NAT)
#
# Masquerade the LAN (192.168.0.0/24) and the DMZ (192.168.1.0/24)
# behind the ppp0 address on the way out.
for lan in 192.168.0.0/24 192.168.1.0/24; do
  "$IPTABLES" -t nat -A POSTROUTING -o ppp0 -s "$lan" -j MASQUERADE
done
#
# Rule 1(NAT) / Rule 2(NAT)
#
# HTTP (80) and FTP (21) arriving on ppp0 are redirected to louis-866
# (192.168.1.1). No source restriction: both services are published to
# every address that can reach ppp0.
# NOTE(review): only packets entering on ppp0 are rewritten. A client
# on the LAN or DMZ that connects to the firewall's public address is
# not matched, so from inside the services are only reachable at
# 192.168.1.1 — likely the symptom described in the post; verify.
for dport in 80 21; do
  "$IPTABLES" -t nat -A PREROUTING -i ppp0 -p tcp --destination-port "$dport" -j DNAT --to-destination 192.168.1.1
done
#
# Connection tracking: on all three chains, accept packets that belong
# to (or are RELATED to) a connection that was already accepted. Every
# rule after this one therefore only decides about NEW connections, and
# the helper modules loaded above decide what counts as RELATED.
#
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#
# Rule 0/1 (eth0) and Rule 0/1 (eth1)
#
# DHCP relay on the two inside interfaces: accept new UDP traffic to
# ports 67/68 arriving on the interface (client requests) and leaving
# it (replies). Source addresses are not restricted — inherent to DHCP,
# which starts from 0.0.0.0 broadcasts.
#
for iface in eth0 eth1; do
  "$IPTABLES" -A INPUT -i "$iface" -p udp -m multiport --destination-ports 68,67 -m state --state NEW -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$iface" -p udp -m multiport --destination-ports 68,67 -m state --state NEW -j ACCEPT
done
#
# Rule 0(ppp0)
#
# Anti-spoofing on the external interface: anything arriving on ppp0
# that claims an inside source address is logged and dropped, both for
# the firewall itself (INPUT) and for transit (FORWARD). The two .253
# hosts are already covered by their /24 entries (redundant, harmless).
# The "Rule 0(global)" accepts further down rely on this block, since
# they match on source address without an interface.
# NOTE(review): the LOG rule has no "-m limit"; a flood of spoofed
# packets becomes a flood of syslog lines.
#
"$IPTABLES" -N ppp0_In_RULE_0
for chain in INPUT FORWARD; do
  for inside_src in 192.168.1.253 192.168.0.253 192.168.0.0/24 192.168.1.0/24; do
    "$IPTABLES" -A "$chain" -i ppp0 -s "$inside_src" -j ppp0_In_RULE_0
  done
done
"$IPTABLES" -A ppp0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
"$IPTABLES" -A ppp0_In_RULE_0 -j DROP
#
# Rule 0(lo)
#
# Everything on the loopback interface is accepted. The two FORWARD
# entries are generator output; transit traffic does not normally
# enter or leave via lo, so they are not expected to match.
#
# allow_lo CHAIN DIRECTION_FLAG — one ACCEPT rule for lo on CHAIN.
allow_lo() {
  "$IPTABLES" -A "$1" "$2" lo -j ACCEPT
}
allow_lo INPUT -i
allow_lo FORWARD -i
allow_lo OUTPUT -o
allow_lo FORWARD -o
#
# Rule 0(global)
#
# LAN and DMZ may open new connections: to the firewall itself (INPUT)
# and through it (FORWARD), matched on source address only.
# Consequences worth knowing:
#  - no interface match: spoofed inside addresses are only kept out by
#    the ppp0 anti-spoof rules above, which must stay before this block;
#  - no destination match: a DMZ host (192.168.1.0/24) can initiate
#    connections into the LAN (192.168.0.0/24), so the DMZ is not
#    isolated from the LAN;
#  - INPUT is unrestricted: any inside host can reach every service
#    running on the firewall.
#
for chain in INPUT FORWARD; do
  for inside_net in 192.168.0.0/24 192.168.1.0/24; do
    "$IPTABLES" -A "$chain" -s "$inside_net" -m state --state NEW -j ACCEPT
  done
done
#
# Rule 1(global) / Rule 2(global)
#
# HTTP (80) and FTP (21) towards louis-866 (192.168.1.1) are allowed
# from anywhere, for transit (FORWARD, i.e. the DNAT'ed traffic from
# ppp0 as well as inside hosts) and for the firewall itself (OUTPUT).
# Each accept is logged through its own RULE_n chain.
# NOTE(review): the LOG rules carry no "-m limit".
#
# publish_service RULE_NUMBER TCP_PORT
# Creates chain RULE_<n>, sends NEW connections to 192.168.1.1:<port>
# from OUTPUT and FORWARD into it, then logs and accepts them.
publish_service() {
  rule_chain="RULE_$1"
  "$IPTABLES" -N "$rule_chain"
  for chain in OUTPUT FORWARD; do
    "$IPTABLES" -A "$chain" -p tcp -d 192.168.1.1 --destination-port "$2" -m state --state NEW -j "$rule_chain"
  done
  "$IPTABLES" -A "$rule_chain" -j LOG --log-level info --log-prefix "RULE $1 -- ACCEPT "
  "$IPTABLES" -A "$rule_chain" -j ACCEPT
}
publish_service 1 80
publish_service 2 21
#
# Rule 3(global)
#
# Drop non-first IP fragments ("-f") and TCP segments with every flag
# set ("Christmas tree") on all three chains.
# NOTE(review): these rules sit after the ESTABLISHED,RELATED accept
# and after the Rule 0-2 accepts, so packets already accepted by those
# (everything NEW from the inside, and the published services) never
# reach this check; move it earlier if it is meant to apply globally.
#
for chain in OUTPUT INPUT FORWARD; do
  "$IPTABLES" -A "$chain" -p ip -f -j DROP
  "$IPTABLES" -A "$chain" -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
done
#
# Rule 4(global)
#
# Explicit catch-all: whatever reached the end of OUTPUT, INPUT or
# FORWARD is logged and dropped. The chain policies are already DROP,
# so the only thing this adds is the log line (again without
# "-m limit"). Note that OUTPUT is covered too: the firewall itself can
# only originate what the rules above allow (DHCP on eth0/eth1,
# loopback, 192.168.1.1:80/21) — e.g. no DNS or NTP from the box.
#
"$IPTABLES" -N RULE_4
for chain in OUTPUT INPUT FORWARD; do
  "$IPTABLES" -A "$chain" -j RULE_4
done
"$IPTABLES" -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DROP "
"$IPTABLES" -A RULE_4 -j DROP
#
# Rule set complete: turn routing back on. This is unconditional — the
# value saved in FWD at the top is not consulted, so the box always
# ends up forwarding after this script runs.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
---------------
FFFF