AU SECOURS !!! squid, vpn, iptables

Forum traitant de la distribution sécurisée montante nommée IP cop et basée sur la distribution Smoothwall. C'est à l'heure actuelle le forum le plus actif du site.

Modérateur: modos Ixus

AU SECOURS !!! squid, vpn, iptables

Messagepar SecureMan » 26 Mars 2004 16:48

Bonjour,

J'ai differents problemes et je soupconne qu'ils soient lies a mes regles de firewall :
* Il m'est impossible en activant le proxy de surfer lors du premier acces a une page (le cache n'a pas reussi a resoudre le nom : voir mon precedent poste). en revanche, en relancant l'acces une url, parfois, cela fontionne...
* Mon VPN IPSec ne monte pas.

Mon architecture :
<--> WAN <--> routeur <--> IPCop (1.3.0 + 8fixes) <--> Routeur Serveur VPN <--> LAN

Mon rc.firewall :
#!/bin/sh

. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings
IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`

iptables_init() {
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X

# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT


#je decommente la regle suivante pour tester mon proxy
#/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -p tcp --dport 80 -j REDIRECT --to-port 800
#/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 800 -j DROP
#/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 3128 -j DROP
#/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 8000 -j DROP
#/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 8001 -j DROP

# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
}

iptables_red() {
/sbin/iptables -F RED
/sbin/iptables -t nat -F RED

# PPPoE / PPTP Device
if [ "$IFACE" != "" ]; then
# PPPoE / PPTP
if [ "$DEVICE" != "" ]; then
/sbin/iptables -A RED -i $DEVICE -j ACCEPT
fi
if [ "$RED_TYPE" = "PPTP" -o "$RED_TYPE" = "PPPOE" ]; then
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A RED -i $RED_DEV -j ACCEPT
fi
fi
fi

if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi

# Allow IPSec
/sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT

# Outgoing masquerading
/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE
fi
}

# See how we were called.
case "$1" in
start)
iptables_init

# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
#/sbin/iptables -A FORWARD -i $GREEN_DEV -p tcp -m multiport --dport 80,800,8080,110,20,21,23,25,443,445,222,53,123,81 -j ACCEPT

#/sbin/iptables -A FORWARD -i $GREEN_DEV -p udp -m multiport --dport 80,800,8080,53,123,500 -j ACCEPT
#/sbin/iptables -A FORWARD -p icmp -j ACCEPT
#/sbin/iptables -A FORWARD -i $GREEN_DEV -p 50 -j ACCEPT
#/sbin/iptables -A FORWARD -i $GREEN_DEV -p 51 -j ACCEPT

# Mises a jour NORTON
/sbin/iptables -A FORWARD -i $GREEN_DEV -j ACCEPT


# accept all traffic from ipsec interfaces
/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

# Port forwarding
if [ "$ORANGE_DEV" != "" ]; then
# This rule enables a host on ORANGE network to connect to the outside
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o ipsec+ -j DROP
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp \
-o ! $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp \
-o ! $GREEN_DEV -j ACCEPT
fi

# RED chain, used for the red interface
/sbin/iptables -N RED
/sbin/iptables -A INPUT -j RED
/sbin/iptables -t nat -N RED
/sbin/iptables -t nat -A POSTROUTING -j RED

iptables_red

# XTACCESS chain, used for external access
/sbin/iptables -N XTACCESS
/sbin/iptables -A INPUT -j XTACCESS

# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -j PORTFWACCESS

# DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN.
/sbin/iptables -N DMZHOLES
/sbin/iptables -A FORWARD -o $GREEN_DEV -j DMZHOLES

# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
stop)
iptables_init

# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi

/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
reload)
iptables_red
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac

exit 0

/var/ipcop/xtaccess/config
tcp,0.0.0.0/0,113,on,0.0.0.0
udp,0.0.0.0,500,on,0.0.0.0
tcp,0.0.0.0,53,on,0.0.0.0
udp,0.0.0.0,53,on,0.0.0.0
tcp,0.0.0.0,25,on,0.0.0.0
tcp,0.0.0.0,110,on,0.0.0.0


/var/ipcop/portfw/config
1,0,tcp,25,RED,25,on,0.0.0.0,0.0.0.0/0,
2,0,tcp,110,RED,110,on,0.0.0.0,0.0.0.0/0,
3,0,tcp,500,RED,500,on,0.0.0.0,0.0.0.0/0,
4,0,tcp,53,RED,53,on,0.0.0.0,0.0.0.0/0,
5,0,udp,53,RED,53,on,0.0.0.0,0.0.0.0/0,



Y a t il des erreurs dans ma config ? Que faire ?
Je commence a desesperer.
Avatar de l’utilisateur
SecureMan
Capitaine de vaisseau
Capitaine de vaisseau
 
Messages: 271
Inscrit le: 08 Mars 2004 01:00

Retour vers IPCop

Qui est en ligne ?

Utilisateur(s) parcourant actuellement ce forum : Aucun utilisateur inscrit et 1 invité