GRRRRRRRRRRRRRRRRRRRRRRRRR
voila mon fichier rc.firewall
Et ca fonctionne pas ... j'ai redemarrer mon ipcop ...
snif snif
#!/bin/sh
. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings
IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`
iptables_init() {
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X
# Set up policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# DansGuardian Transparent Filtering Setup
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 800 -j DROP
/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 3128 -j DROP
/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 8000 -j DROP
/sbin/iptables -A INPUT -p tcp -i $GREEN_DEV --dport 8001 -j DROP
# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP
# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
}
iptables_red() {
/sbin/iptables -F RED
/sbin/iptables -t nat -F RED
# PPPoE / PPTP Device
if [ "$IFACE" != "" ]; then
# PPPoE / PPTP
if [ "$DEVICE" != "" ]; then
/sbin/iptables -A RED -i $DEVICE -j ACCEPT
fi
if [ "$RED_TYPE" = "PPTP" -o "$RED_TYPE" = "PPPOE" ]; then
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A RED -i $RED_DEV -j ACCEPT
fi
fi
fi
if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# Allow IPSec
/sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT
/sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT
# Outgoing masquerading
/sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE
fi
}
# See how we were called.
case "$1" in
start)
iptables_init
# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -j ACCEPT
# accept all traffic from ipsec interfaces
/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT
# Port forwarding
if [ "$ORANGE_DEV" != "" ]; then
# This rule enables a host on ORANGE network to connect to the outside
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o ipsec+ -j DROP
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp \
-o ! $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp \
-o ! $GREEN_DEV -j ACCEPT
fi
# RED chain, used for the red interface
/sbin/iptables -N RED
/sbin/iptables -A INPUT -j RED
/sbin/iptables -t nat -N RED
/sbin/iptables -t nat -A POSTROUTING -j RED
iptables_red
# XTACCESS chain, used for external access
/sbin/iptables -N XTACCESS
/sbin/iptables -A INPUT -j XTACCESS
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -j PORTFWACCESS
# DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN.
/sbin/iptables -N DMZHOLES
/sbin/iptables -A FORWARD -o $GREEN_DEV -j DMZHOLES
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
stop)
iptables_init
# Accept everyting connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
/sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
;;
reload)
iptables_red
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
exit 1
;;
esac
# bloque msn messenger
#/sbin/iptables -I FORWARD -p tcp -m string --string "TWN" -j REJECT --reject-with tcp-reset
/sbin/iptables -I FORWARD -p tcp -m string --hex-string "|20 54 57 4e 20|" -j REJECT --reject-with tcp-reset # bloque la chaine TWN et deux caractères non imprimables
# bloque AOL messenger
/sbin/iptables -I FORWARD -p tcp -m string --string "-AOL" -j REJECT --reject-with tcp-reset
#/sbin/iptables -I FORWARD -p tcp -m string --string "versi" -j REJECT --reject-with tcp-reset # risque de faux positifs
# bloque yahoo messenger
/sbin/iptables -I FORWARD -p tcp -m string --string "3sid" -j REJECT --reject-with tcp-reset
# bloque ICQ prob
/sbin/iptables -I FORWARD -p tcp -m string --string "3ICQ" -j REJECT --reject-with tcp-reset
/sbin/iptables -I FORWARD -p tcp -m string --string "cbHostIP" -j REJECT --reject-with tcp-reset
/sbin/iptables -I FORWARD -p tcp -m string --string "DisplayCL" -j REJECT --reject-with tcp-reset
# bloque ICQ light
/sbin/iptables -I FORWARD -p tcp -m string --string "ICQBasic" -j REJECT --reject-with tcp-reset
exit 0