par Djsquall » 07 Sep 2002 00:03
Salut,
<BR>
<BR>Je n'ai pas encore testé SME, mais j'ai déjà testé le forwarding et la masquerade grâce à IPTABLES ; je vous donne ma config sur un noyau 2.4.18 <IMG SRC="images/smiles/icon_smile.gif">
<BR>
<BR>D'abord, créez le fichier suivant :
<BR>
<BR>[djsquall@redhat djsquall]$ cat /etc/firewall.sh
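#!/bin/bash
#
# /etc/firewall.sh — NAT / masquerading firewall for a small gateway:
# LAN on eth0, Internet on ppp0 (written for a 2.4.18 kernel).
#
# Policy: INPUT, OUTPUT and FORWARD are DROP by default.  The gateway
# itself may only open client connections to a fixed list of services
# (HTTP, DNS, IRC, SMTP, POP3, FTP); LAN hosts are masqueraded behind
# ppp0 and only get replies to connections they opened.  Everything
# else is logged, then dropped.
#
# Usage:  /etc/firewall.sh
#   LAN_IF / WAN_IF may be set in the environment to override eth0 / ppp0.
#   The script is re-runnable: both the filter and the nat tables are
#   flushed before the rules are re-installed.
#
# Fixes against the original listing:
#   - the nat table was never flushed, so every re-run appended one more
#     MASQUERADE rule to POSTROUTING;
#   - ip_forward was switched on before any policy was installed, leaving
#     a window where the box routed with the default ACCEPT policy;
#   - the ppp0 -> eth0 FORWARD rule accepted *all* traffic, including
#     unsolicited inbound connections; it is now ESTABLISHED,RELATED only;
#   - "$filtre" is quoted, and lines broken by the forum are re-joined.

# A half-applied rule set is worse than no script at all: abort on the
# first failing command or unset variable.
set -eu

readonly IPT=/sbin/iptables
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
readonly LAN_IF WAN_IF

#######################################
# Let the gateway itself open client connections to a remote service
# (logged via LOG_ACCEPT) and accept the replies.  Inbound packets are
# accepted only when they belong to an ESTABLISHED connection.
# Globals:   IPT, WAN_IF (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - remote port
#######################################
allow_client() {
  local proto=$1 port=$2
  "$IPT" -A OUTPUT -o "$WAN_IF" -p "$proto" --dport "$port" \
    -m state --state NEW,ESTABLISHED -j LOG_ACCEPT
  "$IPT" -A INPUT -i "$WAN_IF" -p "$proto" --sport "$port" \
    -m state --state ESTABLISHED -j LOG_ACCEPT
}

# --- kernel hardening -------------------------------------------------------
# Reverse-path filtering on every interface (anti-spoofing).
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -w "$filtre" ] || continue   # unmatched glob or read-only entry
    echo 1 > "$filtre"
  done
fi

# Ignore ICMP echo requests, unicast and broadcast.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# --- reset -------------------------------------------------------------------
# Flush BOTH tables; the MASQUERADE rule lives in 'nat', not 'filter'.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# Default-deny policies go in first; forwarding is only enabled at the end,
# once the complete rule set is in place.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# --- logging chains -----------------------------------------------------------
"$IPT" -N LOG_DROP
"$IPT" -A LOG_DROP -j LOG --log-prefix ' [IPTABLES DROP] : '
"$IPT" -A LOG_DROP -j DROP
"$IPT" -N LOG_ACCEPT
"$IPT" -A LOG_ACCEPT -j LOG --log-prefix ' [IPTABLES ACCEPT] : '
"$IPT" -A LOG_ACCEPT -j ACCEPT

# --- local machine -------------------------------------------------------------
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# --- Internet connection sharing ----------------------------------------------
# LAN -> Internet: anything may go out.
"$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
# Internet -> LAN: only replies to (or helpers of) connections opened from the LAN.
"$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

# --- services the gateway itself may use (logged) -----------------------------
allow_client tcp 80     # http
allow_client tcp 53     # dns over tcp
allow_client udp 53     # dns over udp
allow_client tcp 6667   # irc
allow_client tcp 25     # smtp
allow_client tcp 110    # pop3

# --- FTP (kept unlogged, as in the original) ----------------------------------
# Control channel (21), active-mode data (20) and passive-mode data (high
# port to high port).  NOTE(review): the RELATED matches below only work if
# the ip_conntrack_ftp helper is loaded — this script does not load it.
"$IPT" -A OUTPUT -o "$WAN_IF" -p tcp --dport 21 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -i "$WAN_IF" -p tcp --sport 21 \
  -m state --state ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -i "$WAN_IF" -p tcp --sport 20 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -o "$WAN_IF" -p tcp --dport 20 \
  -m state --state ESTABLISHED -j ACCEPT
"$IPT" -A INPUT -i "$WAN_IF" -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$WAN_IF" -p tcp --sport 1024:65535 --dport 1024:65535 \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- everything else: log, then drop -------------------------------------------
"$IPT" -A FORWARD -j LOG_DROP
"$IPT" -A INPUT -j LOG_DROP
"$IPT" -A OUTPUT -j LOG_DROP

# Routing is switched on last, now that the DROP policies and rules are live.
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "[FIREWALL ACTIF]"
echo "-----------------------------------------------------"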
<BR>