Hi everyone, I've just finished configuring my CCBox 2 so that it supports 2 simultaneous Internet connections.

I had a lot of trouble getting my server to work optimally, so I hope this modest tutorial will save some of you some pain.
This tutorial is based on the CC distribution in version 2 but can easily be adapted to any Linux machine.

A bit of background:
--------------------
As a Free unbundled (dégroupé) subscriber I am often the victim of technical problems of varying length, which is why I decided to add a second phone line at home together with a 1024 ADSL subscription at Club Internet. So I now have 2 ADSL connections that had to be exploited to the full...

Alternative hardware solution:
------------------------------
For those who don't want to bother configuring a Linux machine, Nexland makes a router that can manage 2 WAN links, the ISB 800 Pro Turbo. But on the one hand it costs more than €400, and on the other Nexland has been bought by Symantec and it isn't certain that they will keep producing this router.
(http://www.materiel.net/details_ISB-PRO800T.html)

Minimum hardware required:
--------------------------
- A PC that can run Linux (not much to ask)
- 3 network cards recognised by the penguin
- 2 Ethernet ADSL modems (or modem/routers)
(PS: the config can be adapted to PPPoE/A over a USB modem with a bit of work)

For reference, here is my setup:
- Athlon 1700XP / 256 MB / 40 GB
- 1 onboard network port
- 2 "noname" PCI network cards at €10 each
- An SMC Bra 7401 modem/router
- An Alcatel STH modem patched to 510v3
The SMC is configured for Club Internet and the Alcatel for Free

Interfaces:
-----------
We assume there are 2 external interfaces: eth1 and eth2
The local network (LAN) is on

       WORLD                     WORLD
         |                         |
        Free                 Club Internet
    192.168.2.1               192.168.1.1
         |                         |
        eth1                      eth2
    192.168.2.100             192.168.1.100
           \                     /
             -----NAT ROUTER-----
                    | 192.168.0.100
         ----+-------------------+---
           Internal Boxes 192.168.0.XXX

Thanks to Julian for the diagram

So:
- 192.168.2.100 is the IP address of the network card connected to the STH modem
- 192.168.2.1 is the IP address of the STH modem
Same thing on the SMC side

Setup:
------

1- Kernel modification:
-----------------------

Before anything else you need to patch and recompile the Linux kernel.

The aim of this tutorial is not to teach you how to recompile a kernel; for that, go to:
http://lea-linux.org/kernel/

On CC you must install the development environment and the kernel sources. There are plenty of explanations on the official forum (from memory you need to use apt-get).

You then patch your kernel with Julian Anastasov's diff from http://www.ssi.bg/~ja/#routes (ClarkConnect uses a 2.4.X kernel)

As a reminder, the commands to apply the patch (as root, from the kernel source tree):
# cd /usr/src/linux
# patch -p1 < file.diff

In the kernel you must enable all the advanced networking options, in particular MULTIPATH.

Compile and install.

2- Creating a network interface configuration file:
---------------------------------------------------

To make later modifications and other configuration changes easier, we will create a network parameter file. I know this already exists, notably in /etc/sysconfig/network-scripts, but I find those files complicated and hard to work with.

We call the file network-settings

Oh, and sorry for the non-English speakers, but I generally write all my scripts in English...
<BR><!-- BBCode Quote Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-2>En réponse à:</font><HR></TD></TR><TR><TD><FONT SIZE=-2><BLOCKQUOTE>
<BR>
<BR># Network settings for iproute.sh and iptables.sh
<BR># Author: Cyrille
<BR>
<BR>########################################################
<BR># LAN / INTERNAL
<BR>########################################################
<BR>
<BR>LANIF="eth0" # Interface
<BR>LANIP="192.168.0.100" # IP Address
<BR>NMI="24" # Network Mask
<BR>NWI="192.168.0.0" # Network Address
<BR>
<BR>#########################################################
<BR># EXTERNAL 1 : FREE (with STH)
<BR>#########################################################
<BR>EXTIF1="eth1" # Interface
<BR>EXTIP1="192.168.2.100"# IP Address
<BR>GWE1="192.168.2.1" # Gateway
<BR>NME1="24" # Network mask in number of bits
<BR>BRD1="192.168.2.255" # Broadcast Address
<BR>NWE1="192.168.2.0" # Network Address
<BR>
<BR>########################################################
<BR># EXTERNAL 2 : CLUB INTERNET
<BR>########################################################
<BR>
<BR>EXTIF2="eth2" # Interface
<BR>EXTIP2="192.168.1.100"# IP Address
<BR>GWE2="192.168.1.1" # Gateway
<BR>NME2="24" # Network mask in number of bits
<BR>BRD2="192.168.1.255" # Broadcast Address
<BR>NWE2="192.168.1.0" # Network Address
<BR>
<BR></BLOCKQUOTE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode Quote End -->
This file just summarises your network parameters. Replace the values with your own. Don't forget that the addresses on each interface (the interface IP and its gateway) must be in the same subnet.

3- Setting up the iproute.sh file:
----------------------------------
This file regenerates the network interfaces and the routing table when the computer starts.
It goes in /etc/rc.d and we chmod +x it.
<BR><!-- BBCode Quote Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-2>En réponse à:</font><HR></TD></TR><TR><TD><FONT SIZE=-2><BLOCKQUOTE>
<BR>#!/bin/sh
<BR>#
<BR># Network and routing table script
<BR># Author: Cyrille Stepanyk
<BR>#
<BR>
<BR>##########################################################
<BR># SETTINGS
<BR>##########################################################
<BR>
<BR># Read Network Settings File
<BR>[ -f /etc/rc.d/network-settings ] && . /etc/rc.d/network-settings
<BR>
<BR>##########################################################
<BR># NICS SETTINGS
<BR>##########################################################
<BR>
<BR># local loopback
<BR>ip link set lo up
<BR>ip addr add 127.0.0.1/8 brd + dev lo
<BR>
<BR># eth0
<BR>ip link set $LANIF up
<BR>ip addr add $LANIP/$NMI brd + dev $LANIF
<BR>
<BR># eth1
<BR>ip link set $EXTIF1 up
<BR>ip addr add $EXTIP1/$NME1 brd $BRD1 dev $EXTIF1
<BR>ifconfig $EXTIF1 mtu 1472
<BR>
<BR># eth2
<BR>ip link set $EXTIF2 up
<BR>ip addr add $EXTIP2/$NME2 brd $BRD2 dev $EXTIF2
<BR>ifconfig $EXTIF2 mtu 1472
<BR>
<BR>##########################################################
<BR># ROUTING TABLE
<BR>##########################################################
<BR>
<BR># table main
<BR>ip rule add prio 10 table main
<BR>
<BR># table 20
<BR>ip rule add prio 20 from $NWE1/$NME1 table 20
<BR>ip route append default via $GWE1 dev $EXTIF1 src $EXTIP1 table 20
<BR>
<BR># table 30
<BR>ip rule add prio 30 from $NWE2/$NME2 table 30
<BR>ip route append default via $GWE2 dev $EXTIF2 src $EXTIP2 table 30
<BR>
<BR># table 100
<BR>ip rule add prio 100 from $NWI/$NMI table 100
<BR>ip route add default table 100 nexthop via $GWE1 dev $EXTIF1 weight 2 nexthop via $GWE2 dev $EXTIF2 weight 1
<BR>
<BR># table 200
<BR>ip rule add prio 200 table 200
<BR>ip route append default via $GWE1 dev $EXTIF1 src $EXTIP1 table 200
<BR>ip route append default via $GWE2 dev $EXTIF2 src $EXTIP2 table 200
<BR>
<BR># Flush existing cache
<BR>echo 1 >/proc/sys/net/ipv4/route/flush
<BR>
<BR></BLOCKQUOTE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode Quote End -->

3- Modifying CC's firewall rules:
---------------------------------

I took the liberty of modifying the rc.firewall script (/etc/rc.d) a bit so that it takes the 2 Internet interfaces into account.
Rather than overwriting that file I created a new one called iptables.sh, stored in /etc/rc.d/.
For the firewall to use it, edit /etc/rc.d/init.d/firewall:

IPTABLES_CONFIG=/etc/rc.d/iptables.sh

The iptables.sh file contains:

<BR><!-- BBCode Quote Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-2>En réponse à:</font><HR></TD></TR><TR><TD><FONT SIZE=-2><BLOCKQUOTE>
<BR>
<BR>#!/bin/sh
<BR>#
<BR># Firewall Script
<BR># Author : Cyrille
<BR>#
<BR>
<BR>##########################################################
<BR># SETTINGS
<BR>##########################################################
<BR>
<BR># Path
<BR>PATH=/sbin:/bin:/usr/bin
<BR>
<BR># Binaries
<BR>IPTABLES="/sbin/iptables"
<BR>LOGGER="/usr/bin/logger -p local6.notice -t firewall"
<BR>SYSCTL="/sbin/sysctl"
<BR>MODPROBE="/sbin/modprobe"
<BR>IPCALC="/bin/ipcalc"
<BR>
<BR># Set to blank for no debug. Default to on for now.
<BR>DEBUG="1"
<BR>
<BR># Shorthand
<BR>ALLIP="0.0.0.0/0"
<BR>
<BR># Read Network Settings File
<BR>[ -f /etc/rc.d/network-settings ] && . /etc/rc.d/network-settings
<BR>
<BR>##########################################################
<BR># FUNCTIONS
<BR>##########################################################
<BR>
<BR># Kernet security settings
<BR>
<BR>SetKernelSettings() {
<BR> [ $DEBUG ] && $LOGGER "Setting kernel parameters"
<BR> echo " [Setting kernel parameters]"
<BR> # Enable IP Forwarding, not really required for standalone mode
<BR> $SYSCTL -w net.ipv4.ip_forward=1 >/dev/null
<BR>
<BR> # Enable TCP SYN Cookie protection:
<BR> $SYSCTL -w net.ipv4.tcp_syncookies=1 >/dev/null
<BR>
<BR> # Enabling dynamic TCP/IP address hacking.
<BR> $SYSCTL -w net.ipv4.ip_dynaddr=1 >/dev/null
<BR>
<BR> # Log spoofed, source-routed, and redirect packets
<BR> $SYSCTL -w net.ipv4.conf.all.log_martians=0 >/dev/null
<BR>
<BR> # Disable ICMP Re-directs
<BR> $SYSCTL -w net.ipv4.conf.all.accept_redirects=0 >/dev/null
<BR> $SYSCTL -w net.ipv4.conf.all.send_redirects=0 >/dev/null
<BR>
<BR> # Ensure that source-routed packets are dropped
<BR> $SYSCTL -w net.ipv4.conf.all.accept_source_route=0 >/dev/null
<BR>
<BR> # Disable ICMP broadcast echo protection
<BR> $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null
<BR>
<BR> # Enable bad error message protection
<BR> $SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 >/dev/null
<BR>}
<BR>
<BR># Default policy to accept
<BR>
<BR>SetPolicyToAccept() {
<BR> $LOGGER "Setting default policy to accept"
<BR> echo " [Setting default policy to accept]"
<BR> for TABLE in filter nat mangle; do
<BR> $IPTABLES -t $TABLE -F # Flush all previous rules.
<BR> $IPTABLES -t $TABLE -X # Delete user-defined chains.
<BR> done
<BR>
<BR> $IPTABLES -P INPUT ACCEPT
<BR> $IPTABLES -P OUTPUT ACCEPT
<BR> $IPTABLES -P FORWARD ACCEPT
<BR>}
<BR>
<BR># Default policy to drop
<BR>
<BR>SetPolicyToDrop() {
<BR> $LOGGER "Setting default policy to drop"
<BR> echo " [Setting default policy to drop]"
<BR> for TABLE in filter nat mangle; do
<BR> $IPTABLES -t $TABLE -F # Flush all previous rules.
<BR> $IPTABLES -t $TABLE -X # Delete user-defined chains.
<BR> done
<BR>
<BR> $IPTABLES -P INPUT DROP
<BR> $IPTABLES -P OUTPUT DROP
<BR> $IPTABLES -P FORWARD DROP
<BR>}
<BR>
<BR># Statefull firewall mode
<BR>
<BR>SetConfigurationStatefull() {
<BR> $LOGGER "Setting firewall to statefull"
<BR> echo " [Setting firewall to statefull]"
<BR>
<BR> $IPTABLES -t filter -N keep_state
<BR> $IPTABLES -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
<BR> $IPTABLES -t filter -A keep_state -j RETURN
<BR>
<BR> $IPTABLES -t nat -N keep_state
<BR> $IPTABLES -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
<BR> $IPTABLES -t nat -A keep_state -j RETURN
<BR>
<BR> $IPTABLES -t nat -A PREROUTING -j keep_state
<BR> $IPTABLES -t nat -A POSTROUTING -j keep_state
<BR> $IPTABLES -t nat -A OUTPUT -j keep_state
<BR>
<BR> $IPTABLES -t filter -A INPUT -j keep_state
<BR> $IPTABLES -t filter -A FORWARD -j keep_state
<BR> $IPTABLES -t filter -A OUTPUT -j keep_state
<BR>}
<BR>
<BR>##########################################################
<BR># CHAINS DEFINITION
<BR>##########################################################
<BR>
<BR>DefineChains() {
<BR> [ $DEBUG ] && $LOGGER "Defining custom chains"
<BR> echo " [Defining custom chains]"
<BR>
<BR> # Create a chain for dropping reserved network IPs
<BR> #-------------------------------------------------
<BR> $IPTABLES -N drop-reserved
<BR> $IPTABLES -t filter -A drop-reserved -j LOG --log-prefix "Drop - reserved network: "
<BR> $IPTABLES -t filter -A drop-reserved -j DROP
<BR>
<BR> # Create a chain for dropping services that shouldn't leave the LAN
<BR> #------------------------------------------------------------------
<BR> $IPTABLES -N drop-lan
<BR> $IPTABLES -t filter -A drop-lan -j LOG --log-prefix "Drop - LAN only: "
<BR> $IPTABLES -t filter -A drop-lan -j DROP
<BR>
<BR> # Create chains for testing
<BR> #--------------------------
<BR> $IPTABLES -N drop-log
<BR> $IPTABLES -t filter -A drop-log -j LOG --log-prefix "Drop with log: "
<BR> $IPTABLES -t filter -A drop-log -j DROP
<BR> $IPTABLES -N accept-log
<BR> $IPTABLES -t filter -A accept-log -j LOG --log-prefix "Accept with log: "
<BR> $IPTABLES -t filter -A accept-log -j ACCEPT
<BR>}
<BR>
<BR>##########################################################
<BR># KERNEL MODULES
<BR>##########################################################
<BR>
<BR>LoadKernelModules() {
<BR> [ $DEBUG ] && $LOGGER "Loading kernel modules"
<BR> echo " [Loading kernel modules]"
<BR>
<BR> $MODPROBE ipt_LOG # Add LOG target.
<BR> $MODPROBE ipt_REJECT # Add REJECT target.
<BR> $MODPROBE ipt_MASQUERADE # Add MASQUERADE target.
<BR> $MODPROBE ipt_owner # Allows you to match for the owner.
<BR> $MODPROBE ip_conntrack_ftp # Connection tracking for FTP.
<BR> $MODPROBE ip_conntrack_irc # Connection tracking for IRC.
<BR> $MODPROBE ip_nat_ftp # Active FTP
<BR> $MODPROBE ip_nat_irc # IRC stuff
<BR>
<BR> # PPTP and dependencies don't always auto-load...
<BR> # Office Edition only.
<BR> $MODPROBE ppp_generic > /dev/null 2>&1
<BR> $MODPROBE ppp_mppe > /dev/null 2>&1
<BR> $MODPROBE ip_conntrack_proto_gre > /dev/null 2>&1
<BR> $MODPROBE ip_conntrack_pptp > /dev/null 2>&1
<BR> $MODPROBE ip_nat_proto_gre > /dev/null 2>&1
<BR>}
<BR>
<BR>##########################################################
<BR># COMMON RULES (All firewall)
<BR>##########################################################
<BR>
<BR>RunCommonRules() {
<BR> [ $DEBUG ] && $LOGGER "Running common rules"
<BR> echo " [Running common rules]"
<BR>
<BR> # Allow everything on the loopback
<BR> #---------------------------------
<BR>
<BR> $IPTABLES -A INPUT -i lo -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o lo -j ACCEPT
<BR>
<BR> # Allow everything on LAN network
<BR> #--------------------------------
<BR>
<BR> $IPTABLES -A INPUT -i $LANIF -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $LANIF -j ACCEPT
<BR> $IPTABLES -A FORWARD -i $LANIF -j ACCEPT
<BR>
<BR> # Block IPs that should never show up on our external interface
<BR> #--------------------------------------------------------------
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 127.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 1.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 23.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 31.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 96.0.0.0/3 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 128.0.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 128.9.64.26/32 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 128.66.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 191.255.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 197.0.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 201.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 223.255.255.0/24 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 240.0.0.0/5 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 248.0.0.0/5 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 192.168.0.0/16 -j DROP
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s 172.16.0.0/12 -j DROP
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 127.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 1.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 23.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 31.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 96.0.0.0/3 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 128.0.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 128.9.64.26/32 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 128.66.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 191.255.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 197.0.0.0/16 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 201.0.0.0/8 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 223.255.255.0/24 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 240.0.0.0/5 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 248.0.0.0/5 -j drop-reserved
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s 172.16.0.0/12 -j DROP
<BR>
<BR> # Allow some ICMP (ping)
<BR> #-----------------------
<BR> # ICMP can be used for attacks.. we allow as little as possible.
<BR> # The following are necessary ports we *can't* do without:
<BR> # 0 Needed to ping hosts outside the network.
<BR> # 3 Needed by all networks.
<BR> # 11 Needed by the traceroute program.
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p icmp --icmp-type 0 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p icmp --icmp-type 3 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p icmp --icmp-type 11 -j ACCEPT
<BR> # This allows other hosts to ping you. You should keep this rule.
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p icmp --icmp-type 8 -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -p icmp -j ACCEPT
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p icmp --icmp-type 0 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p icmp --icmp-type 3 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p icmp --icmp-type 11 -j ACCEPT
<BR> # This allows other hosts to ping you. You should keep this rule.
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p icmp --icmp-type 8 -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -p icmp -j ACCEPT
<BR>}
<BR>
<BR>##########################################################
<BR># INCOMING ALLOWED DEFAULT
<BR>##########################################################
<BR>
<BR>RunIncomingAllowedDefaults() {
<BR> [ $DEBUG ] && $LOGGER "Running default incoming rules"
<BR> echo " [Running default incoming rules]"
<BR>
<BR> # Allow high ports
<BR> #-----------------
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -p tcp --sport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -p udp --sport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p udp --dport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p tcp --dport 1024:65535
<BR> -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR>
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -p tcp --sport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -p udp --sport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p udp --dport 1024:65535 -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p tcp --dport 1024:65535
<BR> -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR>}
<BR>
<BR>##########################################################
<BR># INCOMING ALLOWED USER
<BR>##########################################################
<BR>
<BR>RunIncomingAllowed() {
<BR> [ $DEBUG ] && $LOGGER "Running user-defined incoming rules"
<BR> echo " [Running user-defined incoming rules]"
<BR>
<BR> # Standard ports and port ranges
<BR> #-------------------------------
<BR> for RULE in $INCOMING_ALLOW; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> PORT=`echo $RULE | cut -d '|' -f2`
<BR> $LOGGER "Allowing incoming $PROTOCOL port $PORT"
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p $PROTOCOL --dport $PORT -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -p $PROTOCOL --sport $PORT -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p $PROTOCOL --dport $PORT -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -p $PROTOCOL --sport $PORT -j ACCEPT
<BR> done
<BR> for RULE in $INCOMING_ALLOW_RANGE; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> RANGE=`echo $RULE | cut -d '|' -f2`
<BR> $LOGGER "Allowing incoming $PROTOCOL port $RANGE"
<BR> $IPTABLES -A INPUT -i $EXTIF1 -d $EXTIP1 -p $PROTOCOL --dport $RANGE -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -p $PROTOCOL --sport $RANGE -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -d $EXTIP2 -p $PROTOCOL --dport $RANGE -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP2 -p $PROTOCOL --sport $RANGE -j ACCEPT
<BR> done
<BR>}
<BR>
<BR>##########################################################
<BR># INCOMING DENIED DEFAULT
<BR>##########################################################
<BR>
<BR>RunIncomingDeniedDefaults() {
<BR> echo " [RunIncomingDeniedDefaults]"
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF1 -s $ALLIP -d $ALLIP -j DROP
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -s $ALLIP -d $ALLIP -j DROP
<BR> $IPTABLES -A INPUT -i $EXTIF2 -s $ALLIP -d $ALLIP -j DROP
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -s $ALLIP -d $ALLIP -j DROP
<BR>}
<BR>
<BR>##########################################################
<BR># OUTGOING ALLOWED DEFAULT (LAN Network to Internet)
<BR>##########################################################
<BR>
<BR>RunOutgoingAllowed() {
<BR>
<BR> echo " [RunOutgoingAllowed]"
<BR>
<BR> #TCP Ports
<BR> $IPTABLES -A INPUT -i $EXTIF1 -p tcp -m multiport --sport 20,21,53,80,110,25,443,143,123,119,220 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -p tcp -m multiport --dport 20,21,53,80,110,25,443,143,123,119,220 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -p tcp -m multiport --sport 20,21,53,80,110,25,443,143,123,119,220 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -p tcp -m multiport --dport 20,21,53,80,110,25,443,143,123,119,220 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR>
<BR> #UDP Ports
<BR> $IPTABLES -A INPUT -i $EXTIF1 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR>
<BR> #Emule / EDonkey
<BR> $IPTABLES -A INPUT -i $EXTIF1 -p tcp --sport 4662 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -p tcp --sport 4662 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR>
<BR> $IPTABLES -A INPUT -i $EXTIF1 -p udp --sport 4672 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF1 -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A INPUT -i $EXTIF2 -p udp --sport 4672 -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR> $IPTABLES -A OUTPUT -o $EXTIF2 -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
<BR>
<BR>}
<BR>
<BR>##########################################################
<BR># OUTGOING DENIED DEFAULT
<BR>##########################################################
<BR>
<BR>RunOutgoingDeniedDefaults() {
<BR> [ $DEBUG ] && $LOGGER "Running default block outgoing rules"
<BR> echo " [Running default block outgoing rules]"
<BR>
<BR> # Block services from leaving the LAN (low port numbers)
<BR> # Snort will log suspicious traffic in high port ranges
<BR> #-------------------------------------------------------
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p tcp --dport 111 # RPC stuff
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p udp --dport 111 # RPC stuff
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p tcp --dport 137:139 # Samba
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p udp --dport 137:139 # Samba
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p tcp --dport 635 # Mountd
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF1 -p udp --dport 635 # Mountd
<BR>
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p tcp --dport 111 # RPC stuff
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p udp --dport 111 # RPC stuff
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p tcp --dport 137:139 # Samba
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p udp --dport 137:139 # Samba
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p tcp --dport 635 # Mountd
<BR> $IPTABLES -A FORWARD -j drop-lan -o $EXTIF2 -p udp --dport 635 # Mountd
<BR>}
<BR>
<BR>##########################################################
<BR># OUTGOING DENIED USER RULES
<BR>##########################################################
<BR>
<BR>RunOutgoingDenied() {
<BR> [ $DEBUG ] && $LOGGER "Running user-defined block outgoing rules"
<BR> echo " [Running user-defined block outgoing rules]"
<BR>
<BR> for RULE in $OUTGOING_BLOCK; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> PORT=`echo $RULE | cut -d '|' -f2`
<BR> $LOGGER "Blocking outgoing $PROTOCOL port $PORT"
<BR> $IPTABLES -A FORWARD -s $NWI/$NMI -d 0/0 -p $PROTOCOL --dport $PORT -j DROP
<BR> done
<BR> for RULE in $OUTGOING_BLOCK_RANGE; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> RANGE=`echo $RULE | cut -d '|' -f2`
<BR> $LOGGER "Blocking outgoing $PROTOCOL port $PORT"
<BR> $IPTABLES -A FORWARD -s $NWI/$NMI -d 0/0 -p $PROTOCOL --dport $PORT -j DROP
<BR> done
<BR> for HOST in $OUTGOING_BLOCK_DESTS; do
<BR> $LOGGER "Blocking traffic to $HOST"
<BR> $IPTABLES -A FORWARD -s $NWI/$NMI -d $HOST -j DROP
<BR> done
<BR>}
<BR>
<BR>##########################################################
<BR># PORT FORWARD USER RULES
<BR>##########################################################
<BR>
<BR>RunPortForwardRules() {
<BR> [ $DEBUG ] && $LOGGER "Running user-defined port forward rules"
<BR> echo " [Running user-defined port forward rules]"
<BR>
<BR> for RULE in $FORWARD; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> SOURCE=`echo $RULE | cut -d '|' -f3`
<BR> DEST=`echo $RULE | cut -d '|' -f4`
<BR> NATTRICK=`echo $DEST | cut -d ':' -f1`
<BR> $LOGGER "Port forwarding TCP $SOURCE to $DEST"
<BR> $IPTABLES -t nat -A PREROUTING -d $EXTIP1 -p $PROTOCOL --dport $SOURCE -j DNAT --to $DEST
<BR> $IPTABLES -t nat -A PREROUTING -d $EXTIP2 -p $PROTOCOL --dport $SOURCE -j DNAT --to $DEST
<BR> $IPTABLES -t nat -A POSTROUTING -d $NATTRICK -p $PROTOCOL -s $NWI/$NMI --dport $SOURCE -j SNAT --to $LANIP
<BR> done
<BR> for RULE in $FORWARD_RANGE; do
<BR> PROTOCOL=`echo $RULE | cut -d '|' -f1`
<BR> RANGE=`echo $RULE | cut -d '|' -f3`
<BR> DEST=`echo $RULE | cut -d '|' -f4`
<BR> $LOGGER "Port forwarding range $PROTOCOL $RANGE to $DEST"
<BR> $IPTABLES -t nat -A PREROUTING -d $EXTIP1 -p $PROTOCOL --dport $RANGE -j DNAT --to $DEST
<BR> $IPTABLES -t nat -A PREROUTING -d $EXTIP2 -p $PROTOCOL --dport $RANGE -j DNAT --to $DEST
<BR> $IPTABLES -t nat -A POSTROUTING -d $DEST -p $PROTOCOL -s $NWI/$NMI --dport $RANGE -j SNAT --to $LANIP
<BR> done
<BR>}
<BR>
<BR>##########################################################
<BR># REMAP PORTS USER DEFINED IF SQUID TRANSPARENT
<BR>##########################################################
<BR>
<BR>RunRemapPorts() {
<BR> [ $DEBUG ] && $LOGGER "Running user-defined port re-map rules"
<BR>echo " [Running user-defined port re-map rules]"
<BR>
<BR> if [ "$SQUID_TRANSPARENT" == "on" ]; then
<BR> # Is a content filter in transparent mode too?
<BR> if [ ! -z "$SQUID_FILTER_TRANSPARENT" ]; then
<BR> $LOGGER "Squid+Filter transparent mode enabled for filter port $SQUID_FILTER_TRANSPARENT"
<BR> $IPTABLES -t nat -A PREROUTING -i ! $EXTIF1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_FILTER_TRANSPARENT
<BR> $IPTABLES -t nat -A PREROUTING -i ! $EXTIF2 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_FILTER_TRANSPARENT
<BR>
<BR> $LOGGER "Squid+Filter transparent mode is now blocking the regular proxy port 3128"
<BR> $IPTABLES -t nat -I PREROUTING -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
<BR> else
<BR> $LOGGER "Squid transparent mode enabled"
<BR> $IPTABLES -t nat -A PREROUTING -i ! $EXTIF1 -p tcp --dport 80 -j REDIRECT --to-port 3128
<BR> $IPTABLES -t nat -A PREROUTING -i ! $EXTIF2 -p tcp --dport 80 -j REDIRECT --to-port 3128
<BR> fi
<BR> fi
<BR>}
<BR>
<BR>##########################################################
<BR># ENABLE MASQUERADING
<BR>##########################################################
<BR>
<BR>RunMasquerading() {
<BR>echo " [RunMasquerading]"
<BR>
<BR># $IPTABLES -t nat -A POSTROUTING -o $EXTIF1 -s $NWI/$NMI -j SNAT --to $EXTIP1
<BR># $IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -s $NWI/$NMI -j SNAT --to $EXTIP2
<BR> $IPTABLES -t nat -A POSTROUTING -o $EXTIF1 -s $NWI/$NMI -j MASQUERADE
<BR> $IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -s $NWI/$NMI -j MASQUERADE
<BR> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
<BR>}
<BR>
<BR>##########################################################
<BR># G A T E W A Y F I R E W A L L
<BR>##########################################################
<BR>
<BR>gateway() {
<BR> $LOGGER "Using gateway mode"
<BR> echo " [Run Gateway]"
<BR>
<BR> SetKernelSettings
<BR> SetPolicyToDrop
<BR> LoadKernelModules
<BR> DefineChains
<BR> RunCommonRules
<BR> SetConfigurationStatefull
<BR> RunRemapPorts
<BR> RunIncomingAllowed
<BR> RunIncomingAllowedDefaults
<BR> RunIncomingDeniedDefaults
<BR># RunOutgoingAllowed
<BR> RunPortForwardRules
<BR> RunOutgoingDenied
<BR> RunOutgoingDeniedDefaults
<BR> RunMasquerading
<BR>
<BR> # Log other forwarding
<BR> #---------------------
<BR> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3
<BR> -j LOG --log-level DEBUG --log-prefix "Stray FORWARD packet: "
<BR> $IPTABLES -A FORWARD -j ACCEPT
<BR>}
<BR>
<BR>#########################################################
<BR># M A I N
<BR>#########################################################
<BR>
<BR>$LOGGER "Starting firewall..."
<BR>
<BR># Read configuration file
<BR>#------------------------
<BR>
<BR>[ -f /etc/firewall ] && . /etc/firewall
<BR>
<BR>DEFAULTMODE="gateway"
<BR>
<BR>if [ "$MODE" == "gateway" ]; then
<BR> gateway
<BR>elif [ "$MODE" == "trustedgateway" ]; then
<BR> gateway
<BR>elif [ "$MODE" == "standalone" ]; then
<BR> gateway
<BR>elif [ "$MODE" == "trustedstandalone" ]; then
<BR> gateway
<BR>else
<BR> $LOGGER "Invalid mode in /etc/firewall... using standalone mode"
<BR> gateway
<BR>fi
<BR>
<BR></BLOCKQUOTE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode Quote End -->
<BR>
<BR>Ce fichier est loin d'être parfait et il peut être amélioré. J'attends vos suggestions. <IMG SRC="images/smiles/icon_biggrin.gif">
<BR>
<BR>On redemare le firewall : service firewall restart
<BR>
<BR>4- Nettoyage
<BR>---------------
<BR>
<BR>Afin que le fichier iproute.sh s'execute dans les meilleurs conditions on va nettoyer un peu avec le fichier flush-iproute.sh
<BR>
<BR><!-- BBCode Quote Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-2>En réponse à:</font><HR></TD></TR><TR><TD><FONT SIZE=-2><BLOCKQUOTE>
<BR>#!/bin/sh
<BR>#
<BR># Network and routing table flush script
<BR># Author: Cyrille
<BR>#
<BR>
<BR>##########################################################
<BR># SETTINGS
<BR>##########################################################
<BR>
<BR># Read Network Settings File
<BR>[ -f /etc/rc.d/network-settings ] && . /etc/rc.d/network-settings
<BR>
<BR>##########################################################
<BR># FUNCTIONS
<BR>##########################################################
<BR>
<BR># Cleaning NICs
<BR>
<BR>ip addr flush dev lo
<BR>ip addr flush dev eth0
<BR>ip addr flush dev eth1
<BR>ip addr flush dev eth2
<BR>
<BR># Routing table cleaning
<BR>
<BR>ip route del default table main
<BR>ip route flush table main
<BR>ip route flush table 10
<BR>ip route flush table 20
<BR>ip route flush table 30
<BR>ip route flush table 100
<BR>ip route flush table 200
<BR>ip route flush table 201
<BR>ip route flush table 202
<BR>ip route flush table 222
<BR>
<BR># Rules cleaning
<BR>
<BR>ip rule del prio 50 table main
<BR>ip rule del prio 10 table main
<BR>ip rule del prio 200
<BR>ip rule del from $NWE1/$NME1 table 201
<BR>ip rule del from $NWE2/$NME2 table 202
<BR>ip rule del from $NWE1/$NME1 table 20
<BR>ip rule del from $NWE2/$NME2 table 30
<BR>ip rule del from $NWI/$NMI table 100
<BR>ip rule del prio 222
<BR>
<BR># Cache cleaning
<BR>ip route flush cache
<BR>
<BR></BLOCKQUOTE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode Quote End -->
<BR>
<BR>On place ce fichier dans /etc/rc.d et on le rend executable
<BR>
<BR>5- Mise en place de la nouvelle table de routage dans le démarage :
<BR>---------------------------------------------------------------------------
<BR>
<BR>Pour que les modifs apparaissent des le démarage on rajoute a la fin du script /etc/rc.d/rc.local
<BR>
<BR><!-- BBCode Quote Start --><TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font size=-2>En réponse à:</font><HR></TD></TR><TR><TD><FONT SIZE=-2><BLOCKQUOTE>
<BR>. /etc/rc.d/flush-iproute.sh
<BR>. /etc/rc.d/iproute.sh
<BR></BLOCKQUOTE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE><!-- BBCode Quote End -->
<BR>
<BR>6- Fin:
<BR>------
<BR>
<BR>Normalement tout devrai fonctionner proprement.
<BR>On peut vérifier que les deux connections fonctionent avec la commande tcpdump -i ethX où X est le n° d'interface.
<BR>Sinon bien lire le fichier nano.txt surtout la fin pour faire les tests.
<BR>
<BR>J'espere que cela vous aura aidé. Ce n'est qu'un premier jet pouvant (devant) être améliorer.
<BR>
<BR>Liens
<BR>------
<BR>
<BR>Voici les sites sur lesquels je me suis appuyés pour faire ce HOWTO
<BR><!-- BBCode auto-link start --><a href="http://www.docum.org/" target="_blank">http://www.docum.org/</a><!-- BBCode auto-link end -->
<BR><!-- BBCode auto-link start --><a href="http://www.lartc.org/" target="_blank">http://www.lartc.org/</a><!-- BBCode auto-link end -->
<BR><!-- BBCode auto-link start --><a href="http://www.ssi.bg/~ja/" target="_blank">http://www.ssi.bg/~ja/</a><!-- BBCode auto-link end -->
<BR>Et notament
<BR><!-- BBCode auto-link start --><a href="http://www.ssi.bg/~ja/nano.txt" target="_blank">http://www.ssi.bg/~ja/nano.txt</a><!-- BBCode auto-link end -->
<BR><!-- BBCode auto-link start --><a href="http://www.ssi.bg/~ja/dgd-usage.txt" target="_blank">http://www.ssi.bg/~ja/dgd-usage.txt</a><!-- BBCode auto-link end -->
<BR><!-- BBCode auto-link start --><a href="http://www.linux-france.org/prj/inetdoc/guides/lartc/" target="_blank">http://www.linux-france.org/prj/inetdoc/guides/lartc/</a><!-- BBCode auto-link end -->
<BR>
<BR>A+
<BR>Cyrille