2009-08-10 19:02:09 +02:00
|
|
|
# Fichier de configuration
|
|
|
|
# pour minifirewall
|
|
|
|
|
|
|
|
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
|
|
|
|
|
|
|
# Interface concernee
|
|
|
|
INT='eth0'
|
|
|
|
|
2011-11-11 15:47:37 +01:00
|
|
|
IPV6=on
|
|
|
|
|
2011-02-13 21:23:17 +01:00
|
|
|
# IP associee (plus utilisee dans les scripts)
|
|
|
|
# INTIP='192.168.0.2'
|
2009-08-12 13:21:53 +02:00
|
|
|
# reseau beneficiant d'acces privilegies
|
|
|
|
# (sera souvent IP/32)
|
|
|
|
INTLAN='192.168.0.2/32'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
|
|
|
# trusted ip addresses
|
2011-08-28 19:32:13 +02:00
|
|
|
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
|
|
|
# privilegied ip addresses
|
|
|
|
# (trusted ip addresses *are* privilegied)
|
|
|
|
PRIVILEGIEDIPS=''
|
|
|
|
|
2009-08-12 13:21:53 +02:00
|
|
|
# Services "protected"
|
|
|
|
# a mettre aussi en public si necessaire !!
|
|
|
|
SERVICESTCP1p='21'
|
|
|
|
SERVICESUDP1p=''
|
|
|
|
|
2009-08-10 19:02:09 +02:00
|
|
|
# Services "publics"
|
2009-08-12 13:21:53 +02:00
|
|
|
SERVICESTCP1='20 21 25 53 993 995'
|
2009-08-10 19:02:09 +02:00
|
|
|
SERVICESUDP1='53'
|
|
|
|
|
|
|
|
# Services "semi-publics"
|
2009-08-12 13:21:53 +02:00
|
|
|
SERVICESTCP2='22 80 110 143 443'
|
2009-08-10 19:02:09 +02:00
|
|
|
SERVICESUDP2=''
|
|
|
|
|
|
|
|
# Services "prives"
|
2009-08-12 13:21:53 +02:00
|
|
|
SERVICESTCP3='5666'
|
2009-08-10 19:02:09 +02:00
|
|
|
SERVICESUDP3=''
|
|
|
|
|
|
|
|
################### SORTANTS
|
|
|
|
|
|
|
|
# DNS
|
2009-08-12 13:21:53 +02:00
|
|
|
# (Attention, si un serveur DNS est installe en local
|
|
|
|
# mettre 0.0.0.0/0)
|
2011-04-19 15:51:15 +02:00
|
|
|
DNSSERVEURS='0.0.0.0/0'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
|
|
|
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
|
|
|
|
# /!\ Possibilite d'utiliser des noms de domaines
|
|
|
|
# mais il est conseiller de placer un rechargement
|
|
|
|
# du minifirewall en crontab
|
2009-08-12 13:21:53 +02:00
|
|
|
# (Attention, si un proxy HTTP est installe en local
|
|
|
|
# mettre 0.0.0.0/0)
|
2013-10-31 14:11:07 +01:00
|
|
|
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
|
|
|
# HTTPS
|
2009-08-12 13:21:53 +02:00
|
|
|
# /!\ Possibilite d'utiliser des noms de domaines
|
|
|
|
# mais il est conseiller de placer un rechargement
|
|
|
|
# du minifirewall en crontab
|
2011-04-02 11:48:19 +02:00
|
|
|
HTTPSSITES='0.0.0.0/0'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
|
|
|
# FTP
|
|
|
|
FTPSITES=''
|
|
|
|
|
|
|
|
# SSH
|
|
|
|
SSHOK='0.0.0.0/0'
|
|
|
|
|
|
|
|
# SMTP
|
|
|
|
SMTPOK='0.0.0.0/0'
|
|
|
|
|
2011-03-25 19:02:45 +01:00
|
|
|
# SMTP secure (port 465 et 587)
|
2011-06-03 11:53:51 +02:00
|
|
|
SMTPSECUREOK=''
|
2011-03-25 19:02:45 +01:00
|
|
|
|
2009-08-10 19:02:09 +02:00
|
|
|
# NTP
|
2011-07-14 15:23:04 +02:00
|
|
|
NTPOK='0.0.0.0/0'
|
2009-08-10 19:02:09 +02:00
|
|
|
|
2012-08-22 16:21:28 +02:00
|
|
|
################### IPv6 Specific rules
|
|
|
|
# /sbin/ip6tables ...
|
2009-08-10 19:02:09 +02:00
|
|
|
|
2012-10-29 12:28:55 +01:00
|
|
|
# Allow HTTP/HTTPS/SMTP traffic
|
2012-08-22 16:21:28 +02:00
|
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
2012-11-14 00:55:35 +01:00
|
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
2011-10-21 02:10:24 +02:00
|
|
|
|
2012-10-24 10:32:05 +02:00
|
|
|
# Allow DNS, NTP and traceroute traffic
|
2012-11-14 00:55:35 +01:00
|
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
2011-10-21 02:10:24 +02:00
|
|
|
|
2013-12-13 11:22:27 +01:00
|
|
|
# Allow DHCPv6
|
|
|
|
/sbin/ip6tables -t filter -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
|
|
|
/sbin/ip6tables -t filter -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
|
|
|
|
2012-11-09 10:05:34 +01:00
|
|
|
################### IPv4 Specific rules
|
|
|
|
# /sbin/iptables ...
|
|
|
|
|
|
|
|
# Allow DNS, NTP and traceroute traffic
|
2012-11-14 00:55:35 +01:00
|
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|