par jeal » 21 Jan 2004 20:31
Le « --limit » (voir la page man d'iptables) ne m'a pas trop aidé en fait. Ci-dessous mon fichier de config en l'état, une version « spécial parano » qui se trouve dans :
<BR>/etc/rc.d/rc.firewall, pour ceux qui veulent le récupérer et l'améliorer. Attention à penser à remettre les droits d'exécution après la copie : chmod 755 (ou 700), propriétaire root — surtout pas 777 : ce script est lancé par root au démarrage, et s'il est modifiable par tout le monde, n'importe quel utilisateur local peut y glisser des commandes qui seront exécutées en root. Comme ma solution n'a pas marché (même problème d'accès à mon site), voici ensuite le même fichier en version plus souple.
<BR>Si ça intéresse du monde, je peux mettre « ma » version d'IPCop en téléchargement sur mon site ou ailleurs (interface graphique refaite, ajout de Samba, PortSentry…). Note : chaque service ajouté sur le pare-feu lui-même (Samba en particulier) élargit sa surface d'attaque ; à n'exposer que côté GREEN.
<BR>
<BR>
<BR>#!/bin/sh
<BR>
<BR>. /var/ipcop/ppp/settings
<BR>. /var/ipcop/ethernet/settings
<BR>IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '012'`
<BR>
#######################################
# Reset the packet filter to a known baseline: kernel network knobs,
# empty filter/nat tables, DROP policies on INPUT/FORWARD, and the PSCAN
# chain that logs-and-drops Xmas/Null TCP packets.
# Globals: none read; writes /proc/sys/net/ipv4 and the iptables tables.
# Called by both "start" and "stop".
#######################################
iptables_init() {
  # Kernel-side settings, applied before any rule is loaded.
  #   rp_filter=0           reverse-path (anti-spoofing) check is OFF.
  #                         NOTE(review): presumably off so VPN/asymmetric
  #                         routes keep working; on a border firewall 1 is
  #                         the safer value — confirm before changing.
  #   accept_redirects=0    ignore ICMP redirects (route poisoning).
  #   accept_source_route=0 refuse source-routed packets.
  #   log_martians=1        log packets with impossible source addresses.
  for knob in rp_filter accept_redirects accept_source_route; do
    echo 0 > "/proc/sys/net/ipv4/conf/all/$knob"
  done
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

  # TCP tuning the original filed under "reduce DoS'ing ability": shorter
  # FIN_WAIT, a bigger SYN backlog, and window scaling / timestamps / SACK
  # turned off. The last three mainly cost throughput and are not a real
  # SYN-flood defence; kept unchanged here.
  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  for tcp_opt in tcp_window_scaling tcp_timestamps tcp_sack; do
    echo 0 > "/proc/sys/net/ipv4/$tcp_opt"
  done
  echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

  # Empty both tables: flush every chain, then delete the user chains.
  for table in filter nat; do
    /sbin/iptables -t "$table" -F
    /sbin/iptables -t "$table" -X
  done

  # Default-deny for traffic to and through the box; the box's own
  # outbound traffic is unrestricted.
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP
  /sbin/iptables -P OUTPUT ACCEPT

  # PSCAN: rate-limited log, then DROP. Only the two TCP-flag jumps below
  # send traffic here, so the udp/icmp/fragment log lines fire only if some
  # other rule (e.g. in a CUSTOM chain) also jumps to PSCAN. "-f" matches
  # second and later fragments.
  /sbin/iptables -N PSCAN
  /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
  /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
  /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
  /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
  /sbin/iptables -A PSCAN -j DROP

  # Xmas (all flags set) and Null (no flags) packets are never legitimate;
  # typical of nmap-style scans. Same order as before: ALL on INPUT then
  # FORWARD, then NONE on INPUT then FORWARD.
  for flagset in ALL NONE; do
    for chain in INPUT FORWARD; do
      /sbin/iptables -A "$chain" -p tcp --tcp-flags ALL "$flagset" -j PSCAN
    done
  done
}
<BR>
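#######################################
# (Re)build the RED chains: what the red (Internet-facing) side may deliver
# to the firewall itself (filter RED, hooked off INPUT) and outbound
# masquerading (nat RED, hooked off POSTROUTING). Safe to call on "reload".
# Globals read (from the sourced settings files): IFACE, DEVICE, RED_TYPE,
# RED_DEV, PROTOCOL, METHOD.
#######################################
iptables_red() {
  /sbin/iptables -F RED
  /sbin/iptables -t nat -F RED

  # PPPoE / PPTP: the link-layer device the tunnel runs over.
  if [ "$IFACE" != "" ]; then
    # NOTE(review): both rules accept *every* IP packet arriving on the
    # carrier device, not just tunnel control traffic. Acceptable only if
    # that device faces the modem alone — confirm for your topology.
    if [ "$DEVICE" != "" ]; then
      /sbin/iptables -A RED -i "$DEVICE" -j ACCEPT
    fi
    if [ "$RED_TYPE" = "PPTP" ] || [ "$RED_TYPE" = "PPPOE" ]; then
      if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A RED -i "$RED_DEV" -j ACCEPT
      fi
    fi
  fi

  if [ "$IFACE" != "" ] && [ -f /var/ipcop/red/active ]; then
    # DHCP lease replies from the ISP (server port 67 -> client port 68).
    # DHCP is UDP only; the former "-p tcp 67->68" ACCEPT could never serve
    # DHCP and was just a needless hole on the red side, so it is gone.
    # Both DHCP cases need the same rule, so add it once.
    if { [ "$RED_DEV" != "" ] && [ "$RED_TYPE" = "DHCP" ]; } \
      || { [ "$PROTOCOL" = "RFC1483" ] && [ "$METHOD" = "DHCP" ]; }; then
      /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
    fi

    # VPN traffic terminating on the firewall:
    #   proto 47 = GRE (PPTP tunnels — not IPsec despite the old comment),
    #   proto 50 = ESP, proto 51 = AH, udp/500 = IKE.
    # No NAT-T (udp/4500) rule exists here.
    /sbin/iptables -A RED -p 47 -i "$IFACE" -j ACCEPT
    /sbin/iptables -A RED -p 50 -i "$IFACE" -j ACCEPT
    /sbin/iptables -A RED -p 51 -i "$IFACE" -j ACCEPT
    /sbin/iptables -A RED -p udp -i "$IFACE" --sport 500 --dport 500 -j ACCEPT

    # Everything leaving through the red interface is masqueraded.
    /sbin/iptables -t nat -A RED -o "$IFACE" -j MASQUERADE
  fi
}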
<BR>
<BR># See how we were called.
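case "$1" in
  start)
    iptables_init

    # SYN counter. NOTE(review): this rule has no "-j" target, so it only
    # increments the chain statistics for matching SYNs — it limits
    # nothing. Do NOT "complete" it with -j ACCEPT: that would accept new
    # connections to every port on the firewall from every interface.
    /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

    # CUSTOM chains: hooks for user-supplied rules. They are traversed
    # before the state/GREEN accepts below, so they see every packet.
    /sbin/iptables -N CUSTOMINPUT
    /sbin/iptables -A INPUT -j CUSTOMINPUT
    /sbin/iptables -N CUSTOMFORWARD
    /sbin/iptables -A FORWARD -j CUSTOMFORWARD
    /sbin/iptables -t nat -N CUSTOMPREROUTING
    /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

    # Replies to, and traffic related to, connections already tracked.
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback and the trusted GREEN side are fully open.
    # NOTE(review): ICMP is accepted from *every* interface, RED included,
    # with no type or rate limit; consider restricting it.
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -i "$GREEN_DEV" -j ACCEPT
    /sbin/iptables -A FORWARD -i "$GREEN_DEV" -j ACCEPT

    # Anything arriving over an IPsec virtual interface is trusted.
    /sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
    /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

    # ORANGE (DMZ) hosts may originate TCP/UDP anywhere except GREEN.
    # Bug fixed: each rule was split over two lines with no continuation
    # backslash, so the first half was added as a target-less (no-op) rule
    # and the second half ran "-o ! ..." as a shell command — the DMZ had
    # no outbound access at all.
    if [ "$ORANGE_DEV" != "" ]; then
      /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -p tcp -o ! "$GREEN_DEV" -j ACCEPT
      /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -p udp -o ! "$GREEN_DEV" -j ACCEPT
    fi

    # RED chains (filter: input from the red side; nat: masquerading),
    # filled by iptables_red so "reload" can redo just this part.
    /sbin/iptables -N RED
    /sbin/iptables -A INPUT -j RED
    /sbin/iptables -t nat -N RED
    /sbin/iptables -t nat -A POSTROUTING -j RED

    iptables_red

    # XTACCESS: external-access rules (filled in by other tools).
    /sbin/iptables -N XTACCESS
    /sbin/iptables -A INPUT -j XTACCESS

    # PORTFWACCESS: filter side of port forwarding.
    /sbin/iptables -N PORTFWACCESS
    /sbin/iptables -A FORWARD -j PORTFWACCESS

    # DMZHOLES: pinholes ORANGE -> GREEN, added by the setdmzholes setuid
    # program. Only traffic heading out of GREEN_DEV is sent here.
    /sbin/iptables -N DMZHOLES
    /sbin/iptables -A FORWARD -o "$GREEN_DEV" -j DMZHOLES

    # nat PREROUTING hooks for the transparent proxy and port forwarding.
    /sbin/iptables -t nat -N SQUID
    /sbin/iptables -t nat -A PREROUTING -j SQUID
    /sbin/iptables -t nat -N PORTFW
    /sbin/iptables -t nat -A PREROUTING -j PORTFW

    # Whatever falls through is logged (rate-limited) and then hits the
    # DROP policy. The FORWARD prefix reads "OUTPUT " — misleading, but kept
    # unchanged in case the log viewer keys on it (TODO confirm, then rename
    # to "FORWARD ").
    /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
    /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
    ;;
  stop)
    # "stop" does not open the box: policies stay DROP and only loopback,
    # GREEN, tracked replies and DHCP renewals are let in.
    iptables_init

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A INPUT -i "$GREEN_DEV" -j ACCEPT

    # DHCP replies from the ISP (UDP only — DHCP never uses TCP, so the
    # former tcp 67->68 rule is dropped). Bug fixed: chain names are
    # case-sensitive and the original used "-A input", which fails with
    # "No chain/target/match by that name", so these rules were never
    # installed. Also skip when IFACE is empty (RED down) rather than
    # passing an empty "-i".
    if [ "$IFACE" != "" ] && {
        { [ "$RED_DEV" != "" ] && [ "$RED_TYPE" = "DHCP" ]; } \
        || { [ "$PROTOCOL" = "RFC1483" ] && [ "$METHOD" = "DHCP" ]; }
      }; then
      /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
    fi

    /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
    /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
    ;;
  reload)
    # Rebuild only the RED rules (e.g. after the red link came up).
    iptables_red
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|restart}"
    exit 1
    ;;
esac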
<BR>
<BR>exit 0
<BR>
<BR>fin du script
<BR>**********************************************************
<BR>mes nouvelles règles (attention : telles quelles, avec toutes les politiques en ACCEPT, elles laissent tout passer — ce n'est plus un pare-feu mais un simple routeur NAT) :
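#!/bin/sh
# Minimal stateful NAT firewall for a LAN on 192.168.1.0/24.
#
# The previous version of these rules set every policy to ACCEPT. With
# ip_forward=1 that is a plain router, not a firewall: the box itself was
# reachable on every port from the outside, and anything that could route to
# 192.168.1.0/24 through it (a neighbour on the same ISP segment adding a
# static route, for instance) could reach LAN hosts directly. This version
# keeps the "simple" intent but defaults to DROP and only lets in replies to
# connections the LAN (or the box) opened.
#
# Run it from a LAN host: with INPUT defaulting to DROP, a session coming in
# from the WAN side is cut off when the rules load. To expose a service, add
# an explicit ACCEPT (or DNAT) for that one port instead of reopening all.

LAN_NET=192.168.1.0/24

echo 1 > /proc/sys/net/ipv4/ip_forward
# Trust below is granted by source address, so have the kernel refuse
# packets whose source could not have arrived on that interface
# (anti-spoofing). Fine for a one-WAN/one-LAN box.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Start from empty built-in chains.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Default-deny for traffic to and through the box; the box's own outbound
# traffic and the nat table stay permissive.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Loopback and the LAN may talk to the firewall; the WAN only gets replies.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s "$LAN_NET" -j ACCEPT

# The LAN may open anything outbound; inbound is limited to replies.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -j ACCEPT

# Hide the LAN behind the firewall's public address. The interface name is
# not known here; on a box with more than two interfaces add "-o <wan>" so
# traffic between internal segments is not rewritten.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -p all -j MASQUERADE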