blocage ping

[blackbird]

Bonjour à tous, <BR> <BR>Via des infos prises sur le site d'Antolien j'ai essayé d'empêcher mon <BR>gateway ipcop de répondre aux pings sur l"interface rouge. <BR>J'ai donc ajouté dans /etc/rc.d/firewall.rc <BR> <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 0 -i $RED_DEV -j DROP <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 5 -i $RED_DEV -j DROP <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 8 -i $RED_DEV -j DROP <BR> <BR> <BR>Après <BR> # localhost and ethernet. <BR>/sbin/iptables -A INPUT -i lo -j ACCEPT <BR>Et avant <BR>/sbin/iptables -A INPUT -p icmp -j ACCEPT <BR> <BR>Ce qui donne donc : <BR> <BR> # localhost and ethernet. <BR>/sbin/iptables -A INPUT -i lo -j ACCEPT <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 0 -i $RED_DEV -j DROP <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 5 -i $RED_DEV -j DROP <BR>/sbin/iptables -A INPUT -p icmp --icmp-type 8 -i $RED_DEV -j DROP <BR>/sbin/iptables -A INPUT -p icmp -j ACCEPT <BR> <BR>Malgré tout, on sait encore pinger mon interface WAN. <BR> <BR>Any ideas ? <BR> <BR>Thxs <BR> <BR>

[tomtom]

1- As-tu redemarré ton ipcop ? <BR>2- d'ou fais-tu tes tests ? <BR>3- quelle est ta version de ipcop ? <BR> <BR> <BR> <BR>T.

[blackbird]

J'ai fait des tests depuis l'extérieur. <BR>J'ai rebooté ma machine et voici mon ip : 81.240.114.131 <BR>Help <IMG SRC="images/smiles/icon_smile.gif">

[linlau]

idem pour moi. <BR> <BR>Avec les mêmes règles <IMG SRC="images/smiles/icon_razz.gif">

[grosbedos]

salu <BR>tomtom avait pausé trois questions

[blackbird]

sorry, pour la troisième question : ipcop 1.3 avec tous les patchs.

[grosbedos]

tu n'as pas modifié les regles precedentes ???? <BR>peux tu donner un resultat d'un iptables -L ?? <BR> <BR>bizard bizard, ces regles ont eté testé sur plusieurs conf sans prob.. <IMG SRC="images/smiles/icon_confused.gif"> <BR> <BR>_________________ <BR>Pour retrouver une aiguille dans une botte de foin, il suffit d'y mettre le feu puis de fouiller les cendres avec un aimant. Bernard Werber<BR><BR><font size=-2></font>

[grosbedos]

tu pourrais aussi essayer de relancer le firewall manuellement : <BR>/etc/rc.d/rc.firewall restart <BR> <BR>voir si y donne ^pas d'erreur...

[blackbird]

Tout d'abord merci pour ton aide. <BR>J'ai relancé le firewall manuellement -> aucune erreur. <BR>Voici le résultat d'un iptables -L <BR>Chain INPUT (policy DROP) <BR>target prot opt source destination <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE <BR> tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5 <BR>CUSTOMINPUT all -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <BR>ACCEPT all -- anywhere anywhere <BR>DROP icmp -- anywhere anywhere icmp echo-reply <BR>DROP icmp -- anywhere anywhere icmp redirect <BR>DROP icmp -- anywhere anywhere icmp echo-request <BR>ACCEPT icmp -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere <BR>RED all -- anywhere anywhere <BR>XTACCESS all -- anywhere anywhere <BR>LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT ' <BR> <BR>Chain FORWARD (policy DROP) <BR>target prot opt source destination <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE <BR>CUSTOMFORWARD all -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <BR>ACCEPT all -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere <BR>PORTFWACCESS all -- anywhere anywhere <BR>DMZHOLES all -- anywhere anywhere <BR>LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT ' <BR> <BR>Chain OUTPUT (policy ACCEPT) <BR>target prot opt source destination <BR> <BR>Chain CUSTOMFORWARD (1 references) <BR>target prot opt source destination <BR> <BR>Chain CUSTOMINPUT (1 references) <BR>target prot opt source destination <BR> <BR>Chain DMZHOLES (1 references) <BR>target prot opt source destination <BR> <BR>Chain PORTFWACCESS (1 references) <BR>target prot opt source destination <BR> <BR>Chain PSCAN (4 references) <BR>target prot opt source destination <BR>LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? ' <BR>LOG udp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? ' <BR>LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? ' <BR>LOG all -f anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? ' <BR>DROP all -- anywhere anywhere <BR> <BR>Chain RED (1 references) <BR>target prot opt source destination <BR>ACCEPT all -- anywhere anywhere <BR>ACCEPT gre -- anywhere anywhere <BR>ACCEPT ipv6-crypt-- anywhere anywhere <BR>ACCEPT ipv6-auth-- anywhere anywhere <BR>ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp <BR> <BR>Chain XTACCESS (1 references) <BR>

[tomtom]

ACCEPT all -- anywhere anywhere <BR> <BR>C'est koi ca ??? <BR> <BR>Tu as modifieé d'autres regles !!! <BR> <BR> <BR>t.

[grosbedos]

et ca revient plusieurs fois... <BR>envoie voir ton rc.firewall?? <IMG SRC="images/smiles/icon_eek.gif">

[blackbird]

Chain INPUT (policy DROP) <BR>target prot opt source destination <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG <BR>PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE <BR> tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5 <BR>CUSTOMINPUT all -- anywhere anywhere <BR>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <BR>ACCEPT all -- anywhere anywhere <BR>DROP icmp -- anywhere anywhere icmp echo-reply <BR>DROP icmp -- anywhere anywhere icmp redirect <BR>#!/bin/sh <BR> <BR>. /var/ipcop/ppp/settings <BR>. /var/ipcop/ethernet/settings <BR>IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '012'` <BR> <BR>iptables_init() { <BR> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter <BR> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects <BR> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route <BR> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians <BR> <BR> # Reduce DoS'ing ability by reducing timeouts <BR> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout <BR> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling <BR> echo 0 > /proc/sys/net/ipv4/tcp_timestamps <BR> echo 0 > /proc/sys/net/ipv4/tcp_sack <BR> echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog <BR> <BR> # Flush all rules and delete all custom chains <BR> /sbin/iptables -F <BR> /sbin/iptables -t nat -F <BR> /sbin/iptables -X <BR> /sbin/iptables -t nat -X <BR> <BR> # Set up policies <BR> /sbin/iptables -P INPUT DROP <BR> /sbin/iptables -P FORWARD DROP <BR> /sbin/iptables -P OUTPUT ACCEPT <BR> <BR> # This chain will log, then DROPs "Xmas" and Null packets which might <BR> # indicate a port-scan attempt <BR> /sbin/iptables -N PSCAN <BR> /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? " <BR> /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? " <BR> /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? " <BR> /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? " <BR> /sbin/iptables -A PSCAN -j DROP <BR> <BR> # Disallow packets frequently used by port-scanners, XMas and Null <BR> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN <BR> /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN <BR> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN <BR> /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN <BR>} <BR> <BR>iptables_red() { <BR> /sbin/iptables -F RED <BR> /sbin/iptables -t nat -F RED <BR> <BR> # PPPoE / PPTP Device <BR> if [ "$IFACE" != "" ]; then <BR> # PPPoE / PPTP <BR> if [ "$DEVICE" != "" ]; then <BR> /sbin/iptables -A RED -i $DEVICE -j ACCEPT <BR> fi <BR> if [ "$RED_TYPE" = "PPTP" -o "$RED_TYPE" = "PPPOE" ]; then <BR> if [ "$RED_DEV" != "" ]; then <BR> /sbin/iptables -A RED -i $RED_DEV -j ACCEPT <BR> fi <BR> fi <BR> fi <BR> <BR> if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then <BR> # DHCP <BR> if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then <BR> /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> fi <BR> if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then <BR> /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> fi <BR> <BR> # Allow IPSec <BR> /sbin/iptables -A RED -p 47 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A RED -p 50 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A RED -p 51 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT <BR> <BR> # Outgoing masquerading <BR> /sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE <BR> fi <BR>} <BR> <BR># See how we were called. <BR>case "$1" in <BR> start) <BR> iptables_init <BR> <BR> # Limit Packets- helps reduce dos/syn attacks <BR> /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec <BR> <BR> # CUSTOM chains, can be used by the users themselves <BR> /sbin/iptables -N CUSTOMINPUT <BR> /sbin/iptables -A INPUT -j CUSTOMINPUT <BR> /sbin/iptables -N CUSTOMFORWARD <BR> /sbin/iptables -A FORWARD -j CUSTOMFORWARD <BR> /sbin/iptables -t nat -N CUSTOMPREROUTING <BR> /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING <BR> <BR> # Accept everyting connected <BR> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT <BR> /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT <BR> <BR> # localhost and ethernet. <BR> /sbin/iptables -A INPUT -i lo -j ACCEPT <BR> /sbin/iptables -A INPUT -p icmp --icmp-type 0 -i $RED_DEV -j DROP <BR> /sbin/iptables -A INPUT -p icmp --icmp-type 5 -i $RED_DEV -j DROP <BR> /sbin/iptables -A INPUT -p icmp --icmp-type 8 -i $RED_DEV -j DROP <BR> /sbin/iptables -A INPUT -p icmp -j ACCEPT <BR> /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT <BR> /sbin/iptables -A FORWARD -i $GREEN_DEV -j ACCEPT <BR> <BR> # accept all traffic from ipsec interfaces <BR> /sbin/iptables -A INPUT -i ipsec+ -j ACCEPT <BR> /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT <BR> <BR> # Port forwarding <BR> if [ "$ORANGE_DEV" != "" ]; then <BR> # This rule enables a host on ORANGE network to connect to the outside <BR> /sbin/iptables -A FORWARD -i $ORANGE_DEV -o ipsec+ -j DROP <BR> /sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp <BR> -o ! $GREEN_DEV -j ACCEPT <BR> /sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp <BR> -o ! $GREEN_DEV -j ACCEPT <BR> fi <BR> <BR> # RED chain, used for the red interface <BR> /sbin/iptables -N RED <BR> /sbin/iptables -A INPUT -j RED <BR> /sbin/iptables -t nat -N RED <BR> /sbin/iptables -t nat -A POSTROUTING -j RED <BR> <BR> iptables_red <BR> <BR> # XTACCESS chain, used for external access <BR> /sbin/iptables -N XTACCESS <BR> /sbin/iptables -A INPUT -j XTACCESS <BR> <BR> # PORTFWACCESS chain, used for portforwarding <BR> /sbin/iptables -N PORTFWACCESS <BR> /sbin/iptables -A FORWARD -j PORTFWACCESS <BR> <BR> # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow <BR> # ORANGE to talk to GREEN. <BR> /sbin/iptables -N DMZHOLES <BR> /sbin/iptables -A FORWARD -o $GREEN_DEV -j DMZHOLES <BR> <BR> # Custom prerouting chains (for transparent proxy and port forwarding) <BR> /sbin/iptables -t nat -N SQUID <BR> /sbin/iptables -t nat -A PREROUTING -j SQUID <BR> /sbin/iptables -t nat -N PORTFW <BR> /sbin/iptables -t nat -A PREROUTING -j PORTFW <BR> <BR> # last rule in input and forward chain is for logging. <BR> /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " <BR> /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " <BR> ;; <BR> stop) <BR> iptables_init <BR> <BR> # Accept everyting connected <BR> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT <BR> <BR> # localhost and ethernet. <BR> /sbin/iptables -A INPUT -i lo -j ACCEPT <BR> /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT <BR> <BR> if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then <BR> /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> fi <BR> if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then <BR> /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT <BR> fi <BR> <BR> /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " <BR> /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " <BR> ;; <BR> reload) <BR> iptables_red <BR> ;; <BR> restart) <BR> $0 stop <BR> $0 start <BR> ;; <BR> *) <BR> echo "Usage: $0 {start|stop|reload|restart}" <BR> exit 1 <BR> ;; <BR>esac <BR> <BR>exit 0

[tomtom]

j'pige po.. <BR> <BR>On va faire un test : <BR> <BR>tape ceci dans une console : <BR> <BR> <BR>iptables -I INPUT -p icmp --icmp-type echo-request -j DROP <BR> <BR> <BR>pis tu reteste le ping ! <BR> <BR>t. <BR> <BR>_________________ <BR>"Unix is user friendly. He's just very picky about who his friends are... "<BR><BR><font size=-2></font>

[grosbedos]

j'attendais demain pour dire que je pige pas...mais ca a l'air normal lol <BR> <BR>ce qui est bizard c'est que si t'as fait ce que je T dit de faire, tu as fait un firewall restart...et ton ping fonctionne encore ! <BR> <BR>normalement toutes les regles sont rechargé, et seulement les regles du rc.firewall... <BR>donc euh..ca doit etre la (??)

[tomtom]

et ben voila ca bloque ces pings <IMG SRC="images/smiles/icon_wink.gif"> <BR> <BR>Bon, je vois pas ou est le problème du rc.firewall... <BR>Tu l'as edité sous windows ?? <BR> <BR>T.