
Add NEEDRESTRICT chain to deny some services by free rules

Some improvements
systemd
Gregory Colpart 12 years ago
parent
commit
c3a66eb333
  1. 24
      firewall.rc
  2. 27
      minifirewall

24
firewall.rc

@ -8,39 +8,53 @@ INT='eth0'
# IP associee
INTIP='192.168.0.2'
INTLAN='192.168.0.0/24'
# reseau beneficiant d'acces privilegies
# (sera souvent IP/32)
INTLAN='192.168.0.2/32'
# trusted ip addresses
TRUSTEDIPS='62.212.121.90 62.212.111.216'
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4'
# privilegied ip addresses
# (trusted ip addresses *are* privilegied)
PRIVILEGIEDIPS=''
# Services "protected"
# a mettre aussi en public si necessaire !!
SERVICESTCP1p='21'
SERVICESUDP1p=''
# Services "publics"
SERVICESTCP1='21 25 53 993 995'
SERVICESTCP1='20 21 25 53 993 995'
SERVICESUDP1='53'
# Services "semi-publics"
SERVICESTCP2='22 25 53 80 110 143 443'
SERVICESTCP2='22 80 110 143 443'
SERVICESUDP2=''
# Services "prives"
SERVICESTCP3='636 5666'
SERVICESTCP3='5666'
SERVICESUDP3=''
################### SORTANTS
# DNS
# (Attention, si un serveur DNS est installe en local
# mettre 0.0.0.0/0)
DNSSERVEURS='85.31.205.33 78.153.240.29'
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
# /!\ Possibilite d'utiliser des noms de domaines
# mais il est conseiller de placer un rechargement
# du minifirewall en crontab
# (Attention, si un proxy HTTP est installe en local
# mettre 0.0.0.0/0)
HTTPSITES='security.debian.org 85.31.205.33 80.25.139.226 www.debian.org'
# HTTPS
# /!\ Possibilite d'utiliser des noms de domaines
# mais il est conseiller de placer un rechargement
# du minifirewall en crontab
HTTPSSITES=''
# FTP

27
minifirewall

@ -1,9 +1,10 @@
#!/bin/sh
# version 0.1.1 - 13 avril 2009 : firewall.rc est charge un peu plus loin
# version 0.2 - 10 aout 2009 : add NEEDRESTRICT chain
# version 0.1.1 - 13 avril 2009 : firewall.rc is loaded later
# version 0.1 - 12 juillet 2007 $Id: minifirewall,v 1.6 2007/07/12 19:08:59 reg Exp $
# Copyright (c) 2007 Gregory Colpart
# Copyright (c) 2007-2009 Gregory Colpart
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
@ -16,7 +17,7 @@
# http://www.kernel.org/
# Description
# script pour machine unique
# script for local server
###
# Configuration des variables
@ -25,6 +26,9 @@
# chemin iptables
IPT=/sbin/iptables
# Configuration
test -f /etc/firewall.rc && . /etc/firewall.rc
# variables TCP/IP
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
@ -108,6 +112,9 @@ for x in $PRIVILEGIEDIPS
$IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT
done
# chain for restrictions (blacklist ips/ranges)
$IPT -N NEEDRESTRICT
# politique
# par defaut rien ne rentre
@ -126,7 +133,7 @@ $IPT -A INPUT -i lo -j ACCEPT
# on evite pas mal de paquets "martiens" effet de bord de virus
# notamment W32/Blaster qui attaquait windowsupdate.com
# et dont l'enregistrement DNS a ete change pour 127.0.0.1
# et dont l'enregistrement DNS avait ete change pour 127.0.0.1
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
$IPT -A INPUT -s $LOOPBACK -i ! lo -j DROP
@ -138,6 +145,17 @@ $IPT -A INPUT -s $LOOPBACK -i ! lo -j DROP
#$IPT -A INPUT -i $INT2 -j ACCEPT
$IPT -A INPUT -s $INTLAN -j ACCEPT
# On passe tout d'abord par la chaine de protection pour certains services
for x in $SERVICESTCP1p
do
$IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT
done
for x in $SERVICESUDP1p
do
$IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT
done
# Services publics
for x in $SERVICESTCP1
do
@ -269,6 +287,7 @@ echo 0 > /proc/sys/net/ipv4/ip_forward
$IPT -X ONLYPRIVILEGIED
$IPT -X ONLYTRUSTED
$IPT -X ICMP_STACK
$IPT -X NEEDRESTRICT
echo "OK"
;;
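Review bot: The new NEEDRESTRICT chain is created with `$IPT -N NEEDRESTRICT` but no rule is appended to it anywhere in the commit, so the jumps added for `$SERVICESTCP1p` and `$SERVICESUDP1p` return to INPUT and the packet is then evaluated by the public/semi-public rules that follow — the "protected" ports receive no restriction until an operator adds rules to the chain. That is presumably the intent (the comment says blacklist ips/ranges), but it should be stated next to the `-N`, e.g. `# NEEDRESTRICT is empty by default: without explicit DROP rules for blacklisted sources, packets fall back into INPUT and are matched by the public rules`. In the stop branch, `$IPT -X NEEDRESTRICT` only succeeds on an empty, unreferenced chain; if the other user chains are flushed with `-F` earlier in that branch (outside the hunk), NEEDRESTRICT needs the same `-F` line or the stop path will fail once rules have been added. The enclosing case arm starts outside the last hunk.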
