IPCop port blocking

Forum about the up-and-coming secure distribution called IPCop, based on the Smoothwall distribution. It is currently the most active forum on the site.

Moderator: modos Ixus

IPCop port blocking

Post by stevethx » 10 Jun 2004 12:01

Hello everyone...

Don't hit me! I have yet another question about port blocking... I swear I've read the posts, I made the changes Antolien recommended... it doesn't work... MSN still gets through...

My setup: an IPCop 1.3 with a non-transparent proxy, sharing the connection for 40 clients...

I noticed earlier that one user had MSN running on his machine, and I'd like to limit the use of such programs. So I put the changes Antolien recommended into my rc.firewall, and apparently it still gets through.

For those who want to enter the Matrix, here is the code; after an iptables -v -L I get:

Chain INPUT (policy DROP 32155 packets, 2370K bytes)
pkts bytes target prot opt in out source destination
5835K 3498M ipac~o all -- any any anywhere anywhere
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
105K 5031K tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
5835K 3498M CUSTOMINPUT all -- any any anywhere anywhere
5571K 3471M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3181 194K ACCEPT all -- lo any anywhere anywhere
269 57147 ACCEPT icmp -- any any anywhere anywhere
229K 24M ACCEPT all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- ipsec+ any anywhere anywhere
32159 2370K RED all -- any any anywhere anywhere
32159 2370K XTACCESS all -- any any anywhere anywhere
29645 2181K LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
911K 527M ipac~fi all -- any any anywhere anywhere
911K 527M ipac~fo all -- any any anywhere anywhere
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
911K 527M CUSTOMFORWARD all -- any any anywhere anywhere
844K 522M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
11354 544K ACCEPT tcp -- eth0 any anywhere anywhere multiport dports domain,pop3,smtp,ftp,ftp-data
1908 125K ACCEPT udp -- eth0 any anywhere anywhere multiport dports domain
92 5680 ACCEPT icmp -- eth0 any anywhere anywhere
53988 4905K DROP all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- ipsec+ any anywhere anywhere
15 720 PORTFWACCESS all -- any any anywhere anywhere
0 0 DMZHOLES all -- any eth0 anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 6501K packets, 3621M bytes)
pkts bytes target prot opt in out source destination
6501K 3621M ipac~i all -- any any anywhere anywhere

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination

Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination

Chain DMZHOLES (1 references)
pkts bytes target prot opt in out source destination

Chain PORTFWACCESS (1 references)
pkts bytes target prot opt in out source destination
15 720 ACCEPT tcp -- eth1 any anywhere 192.168.4.1 tcp dpt:3389

Chain PSCAN (4 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
0 0 LOG udp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
0 0 LOG icmp -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
0 0 LOG all -f any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
0 0 DROP all -- any any anywhere anywhere

Chain RED (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT gre -- eth1 any anywhere anywhere
0 0 ACCEPT ipv6-crypt -- eth1 any anywhere anywhere
0 0 ACCEPT ipv6-auth -- eth1 any anywhere anywhere
0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:isakmp dpt:isakmp

Chain XTACCESS (1 references)
pkts bytes target prot opt in out source destination
4 204 ACCEPT tcp -- eth1 any anywhere host.michaelpaetzold.com tcp dpt:auth

Chain ipac~fi (1 references)
pkts bytes target prot opt in out source destination
8 387 all -- eth0 any anywhere anywhere
8 573 all -- eth1 any anywhere anywhere

Chain ipac~fo (1 references)
pkts bytes target prot opt in out source destination
8 573 all -- any eth0 anywhere anywhere
8 387 all -- any eth1 anywhere anywhere

Chain ipac~i (1 references)
pkts bytes target prot opt in out source destination
380 36828 all -- any eth0 anywhere anywhere
28 1539 all -- any eth1 anywhere anywhere

Chain ipac~o (1 references)
pkts bytes target prot opt in out source destination
277 25687 all -- eth0 any anywhere anywhere
32 11089 all -- eth1 any anywhere anywhere

///// :) :) :) :)

And here is my /etc/rc.d/rc.firewall

#!/bin/sh

. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings
IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`

iptables_init() {
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X

# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
}

iptables_red() {
/sbin/iptables -F RED
/sbin/iptables -t nat -F RED

# PPPoE / PPTP Device
if [ "$IFACE" != "" ]; then
# PPPoE / PPTP
if [ "$DEVICE" != "" ]; then
/sbin/iptables -A RED -i $DEVICE -j ACCEPT
fi
if [ "$RED_TYPE" = "PPTP" -o "$RED_TYPE" = "PPPOE" ]; then
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A RED -i $RED_DEV -j ACCEPT
fi
fi
fi

if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP (UDP 67 -> 68; DHCP never uses TCP, so the tcp rules below match nothing and are harmless)
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi

# Allow IPSec
/sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT

# Outgoing masquerading
/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE
fi
}

# See how we were called.
case "$1" in
start)
iptables_init

# Limit Packets- helps reduce dos/syn attacks
# NB: this rule has no -j target, so it only counts matching SYNs (the dump
# above shows it with an empty target column); it does not limit anything.
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# Anything a GREEN host sends to the firewall itself is accepted here in INPUT,
# which includes connections to the web proxy running on the box; such traffic
# never reaches the FORWARD rules below.
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
# Custom restriction described in the post: only DNS, POP3, SMTP and FTP (plus
# ICMP) are routed from GREEN straight out; everything else from GREEN is
# dropped in FORWARD. This DROP sits before the LOG rule at the end of the
# chain, so these drops are silent.
/sbin/iptables -A FORWARD -i $GREEN_DEV -p tcp -m multiport --dport 53,110,25,21,20 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -p udp -m multiport --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -p icmp -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -j DROP

# accept all traffic from ipsec interfaces
/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

# Port forwarding
if [ "$ORANGE_DEV" != "" ]; then
# This rule enables a host on ORANGE network to connect to the outside
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o ipsec+ -j DROP
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp \
-o ! $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp \
-o ! $GREEN_DEV -j ACCEPT
fi

# RED chain, used for the red interface
/sbin/iptables -N RED
/sbin/iptables -A INPUT -j RED
/sbin/iptables -t nat -N RED
/sbin/iptables -t nat -A POSTROUTING -j RED

iptables_red

# XTACCESS chain, used for external access
/sbin/iptables -N XTACCESS
/sbin/iptables -A INPUT -j XTACCESS

# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -j PORTFWACCESS

# DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN.
/sbin/iptables -N DMZHOLES
/sbin/iptables -A FORWARD -o $GREEN_DEV -j DMZHOLES

# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

# last rule in input and forward chain is for logging.
# Note the FORWARD chain's log prefix is "OUTPUT ", so forwarded packets that
# fall through to the DROP policy appear under that label in the log.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
stop)
iptables_init

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi

/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
reload)
iptables_red
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac

exit 0

///

Sorry for the question, which must come up quite often...
Thanks for your help..
Steve
stevethx
Premier-Maître
 
Posts: 64
Joined: 24 May 2003 00:00
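To see why a GREEN host can still reach MSN, it helps to walk the iptables -v -L dump above the way the kernel does, one packet at a time. The following is an added example, not code from the post or from IPCop: it parses the poster's own dump (trimmed to the chains a packet from GREEN, eth0, or RED, eth1, can reach; the ipac~* accounting chains, the empty CUSTOM*/DMZHOLES chains, XTACCESS and RED are left out and treated as empty, which changes nothing for the packets checked here) and reports the verdict for a packet. The interesting cases: a new connection from GREEN to the Internet on any port other than DNS, POP3, SMTP or FTP is dropped in FORWARD, but a connection from GREEN to the firewall itself (where the non-transparent proxy listens) is accepted wholesale in INPUT and never sees those FORWARD rules. Port 1863 for MSN and port 800 for the proxy are assumptions, not values taken from the post.

```python
# Added example, not code from the post or from IPCop: walk the poster's own
# `iptables -v -L` dump the way the kernel does and report which rule decides a
# given packet. DUMP is that output trimmed to what a packet from GREEN (eth0) or
# RED (eth1) can reach; chains left out are treated as empty user chains.
import re
from collections import namedtuple

DUMP = """\
Chain INPUT (policy DROP 32155 packets, 2370K bytes)
5835K 3498M ipac~o all -- any any anywhere anywhere
0 0 PSCAN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
105K 5031K tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
5835K 3498M CUSTOMINPUT all -- any any anywhere anywhere
5571K 3471M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3181 194K ACCEPT all -- lo any anywhere anywhere
269 57147 ACCEPT icmp -- any any anywhere anywhere
229K 24M ACCEPT all -- eth0 any anywhere anywhere
29645 2181K LOG all -- any any anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
911K 527M ipac~fi all -- any any anywhere anywhere
911K 527M CUSTOMFORWARD all -- any any anywhere anywhere
844K 522M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
11354 544K ACCEPT tcp -- eth0 any anywhere anywhere multiport dports domain,pop3,smtp,ftp,ftp-data
1908 125K ACCEPT udp -- eth0 any anywhere anywhere multiport dports domain
92 5680 ACCEPT icmp -- eth0 any anywhere anywhere
53988 4905K DROP all -- eth0 any anywhere anywhere
15 720 PORTFWACCESS all -- any any anywhere anywhere
Chain PORTFWACCESS (1 references)
15 720 ACCEPT tcp -- eth1 any anywhere 192.168.4.1 tcp dpt:3389
Chain PSCAN (4 references)
0 0 DROP all -- any any anywhere anywhere
"""
SERVICES = {"domain": 53, "pop3": 110, "smtp": 25, "ftp": 21, "ftp-data": 20}  # names used in the dump
PROTOS = {"all", "tcp", "udp", "icmp", "gre", "ipv6-crypt", "ipv6-auth"}
Rule = namedtuple("Rule", "target prot opt iin out src dst dports states flags")

def parse_dump(text):
    """{chain: {"policy": str or None, "rules": [Rule]}}; user chains have policy None."""
    chains, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        f = line.split()
        if head:
            cur = chains[head.group(1)] = {"policy": head.group(2), "rules": []}
        elif f and f[0] != "pkts":
            # a rule written without -j has no target column (see the 105K line above)
            target, f = (None, f[2:]) if f[2] in PROTOS else (f[2], f[3:])
            extra = " ".join(f[6:])
            dp, st, fl = (re.search(x, extra) for x in (r"dpt:(\S+)|dports (\S+)", r"state (\S+)", r"flags:(\S+)"))
            ports = {int(p) if p.isdigit() else SERVICES[p] for p in (dp.group(1) or dp.group(2)).split(",")} if dp else None
            cur["rules"].append(Rule(target, *f[:6], ports, set(st.group(1).split(",")) if st else None, fl.group(1) if fl else None))
    return chains

def _iface(rule_if, pkt_if):
    if rule_if == "any":
        return True
    if rule_if.endswith("+"):                                   # wildcard such as ipsec+
        return bool(pkt_if) and pkt_if.startswith(rule_if[:-1])
    return rule_if == pkt_if

def matches(r, p):
    """Only the match types the dump uses: iface, address, proto, -f, ports, state, TCP flags."""
    return (_iface(r.iin, p.get("in")) and _iface(r.out, p.get("out"))
            and r.src in ("anywhere", p.get("src")) and r.dst in ("anywhere", p.get("dst"))
            and r.prot in ("all", p["proto"])
            and (r.opt != "-f" or p.get("frag", False))
            and (r.dports is None or p.get("dport") in r.dports)
            and (r.states is None or p.get("state", "NEW") in r.states)
            and (r.flags is None or r.flags == p.get("flags")))

def verdict(chains, chain, pkt):
    """Verdict for pkt entering chain; None when a user chain falls through to its caller."""
    c = chains.get(chain, {"policy": None, "rules": []})       # omitted chain == empty chain
    for r in c["rules"]:
        if not matches(r, pkt):
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.target == "RETURN":
            break
        if r.target not in (None, "LOG"):                      # jump into a user chain
            v = verdict(chains, r.target, pkt)
            if v is not None:
                return v
    return c["policy"]

CHAINS = parse_dump(DUMP)

def from_green(chain, dport):
    """A new TCP connection from a GREEN host, as seen by INPUT (to the box) or FORWARD (through it)."""
    return verdict(CHAINS, chain, {"in": "eth0", "proto": "tcp", "dport": dport})

if __name__ == "__main__":
    # 1863 is MSN's native port and 800 stands for the proxy port on the firewall: both assumptions.
    for dport in (110, 80, 1863):
        print(f"GREEN -> Internet tcp/{dport} via FORWARD: {from_green('FORWARD', dport)}")
    print(f"GREEN -> firewall tcp/800 via INPUT: {from_green('INPUT', 800)}")
```

The walker treats LOG as non-terminating and a missing target column as a pure counter, which is exactly why the SYN-limit rule in the dump changes nothing. Running it prints DROP for tcp/80 and tcp/1863 through FORWARD, but ACCEPT for anything a GREEN host sends to the firewall's own INPUT chain: a client configured for the proxy talks to the box, not through it, and the FORWARD restriction never applies.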

[Solved] Port blocking...

Post by stevethx » 10 Jun 2004 14:26

OK, I'm a real dunce :lol: , after a few minutes of searching I found a post saying that Messenger also uses port 80... so it's normal that it works... but does that MSN traffic go through the proxy too, then?
stevethx
Premier-Maître
 
Posts: 64
Joined: 24 May 2003 00:00
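The follow-up question is one the proxy's own log answers: with a non-transparent proxy, a client's port-80 requests and CONNECT tunnels are made to Squid on the firewall, so they show up in Squid's access.log rather than in the FORWARD counters. The following is an added example, not code from the post or from IPCop or Squid, that reads Squid's native access.log format and flags requests that look like MSN Messenger. The log lines are constructed; the gateway hostname, the application/x-msn-messenger content type and port 1863 are assumptions about how MSN falls back to HTTP, not facts from the post.

```python
# Added example (not from the post): spot MSN sessions that ride through the
# proxy instead of the firewall's FORWARD chain, by reading Squid's native
# access.log. LOG is constructed; MSN_HOSTS, MSN_TYPE and MSN_PORT are
# assumptions about MSN's HTTP fallback, not values taken from the post.
from collections import defaultdict
from urllib.parse import urlsplit

LOG = """\
1086868000.101   212 192.168.4.23 TCP_MISS/200 1834 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1086868001.417   980 192.168.4.23 TCP_MISS/200 655 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS - DIRECT/203.0.113.20 application/x-msn-messenger
1086868002.003  4021 192.168.4.57 TCP_MISS/200 40210 CONNECT mail.example.net:443 - DIRECT/203.0.113.30 -
1086868003.550  6100 192.168.4.57 TCP_MISS/200 3012 CONNECT 203.0.113.40:1863 - DIRECT/203.0.113.40 -
1086868004.220    44 192.168.4.99 TCP_DENIED/403 1120 CONNECT 203.0.113.40:1863 - NONE/- text/html
"""

MSN_HOSTS = {"gateway.messenger.hotmail.com"}   # assumption: MSN's HTTP gateway
MSN_TYPE = "application/x-msn-messenger"        # assumption: content type of gateway traffic
MSN_PORT = 1863                                 # assumption: MSN's native port

def parse_line(line):
    """Squid native format: time elapsed client code/status bytes method url ident peer type."""
    f = line.split()
    if len(f) < 10:
        return None
    code, status = f[3].split("/")
    return {"time": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "bytes": int(f[4]), "method": f[5], "url": f[6], "type": f[9]}

def msn_reason(rec):
    """Why this request looks like MSN Messenger, or None if it does not."""
    if rec["method"] == "CONNECT":                 # CONNECT url is host:port, no scheme
        port = rec["url"].rpartition(":")[2]
        if port.isdigit() and int(port) == MSN_PORT:
            return f"CONNECT tunnel to tcp/{port}"
        return None                                # CONNECT to 443 is ordinary HTTPS
    host = urlsplit(rec["url"]).hostname or ""
    if host in MSN_HOSTS:
        return f"HTTP gateway {host}"
    if rec["type"] == MSN_TYPE:
        return f"content type {MSN_TYPE}"
    return None

def msn_sessions(log):
    """Map client -> list of (proxy status, reason) for requests that look like MSN."""
    found = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        why = msn_reason(rec)
        if why:
            found[rec["client"]].append((rec["status"], why))
    return dict(found)

if __name__ == "__main__":
    for client, hits in msn_sessions(LOG).items():
        for status, why in hits:
            print(f"{client}: {why} ({'allowed' if status < 400 else 'denied'} by proxy)")
```

The last constructed line shows what a proxy-side block looks like (TCP_DENIED/403): since this traffic never traverses FORWARD, the place to stop it on a non-transparent proxy setup is an access rule in the proxy, and its log is where you confirm the block took.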

