137 lines
5.4 KiB
Plaintext
137 lines
5.4 KiB
Plaintext
# Fichier de configuration
|
|
# pour minifirewall
|
|
|
|
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
|
|
|
# Interface concernee
|
|
INT='eth0.11'
|
|
|
|
IPV6=on
|
|
|
|
# IP associee (plus utilisee dans les scripts)
|
|
# INTIP='192.168.0.2'
|
|
# reseau beneficiant d'acces privilegies
|
|
# (sera souvent IP/32)
|
|
INTLAN='192.0.2.1/32'
|
|
|
|
# trusted ip addresses
|
|
TRUSTEDIPS='62.212.121.90 62.212.111.216 88.179.18.233 85.118.59.4 85.118.59.50 31.170.8.4 31.170.9.129 82.65.34.85 54.37.106.210 51.210.84.146'
|
|
|
|
# privilegied ip addresses
|
|
# (trusted ip addresses *are* privilegied)
|
|
PRIVILEGIEDIPS='80.14.117.69 31.170.8.6 31.170.11.167 31.170.11.167 31.170.8.7 31.170.8.249 31.170.8.76 31.170.8.222 80.245.23.179 51.38.233.228'
|
|
|
|
# Services "protected"
|
|
# a mettre aussi en public si necessaire !!
|
|
SERVICESTCP1p=''
|
|
SERVICESUDP1p=''
|
|
|
|
# Services "publics"
|
|
SERVICESTCP1='21 80 443 2222'
|
|
SERVICESUDP1=''
|
|
|
|
# Services "semi-publics"
|
|
SERVICESTCP2='20 22 25'
|
|
SERVICESUDP2=''
|
|
|
|
# Services "prives"
|
|
SERVICESTCP3='5666'
|
|
SERVICESUDP3=''
|
|
|
|
################### SORTANTS
|
|
|
|
# DNS
|
|
# (Attention, si un serveur DNS est installe en local
|
|
# mettre 0.0.0.0/0)
|
|
DNSSERVEURS='0.0.0.0/0'
|
|
|
|
# HTTP : security.d.o x3, zidane, modsecurity www.debian.org
|
|
# /!\ Possibilite d'utiliser des noms de domaines
|
|
# mais il est conseiller de placer un rechargement
|
|
# du minifirewall en crontab
|
|
# (Attention, si un proxy HTTP est installe en local
|
|
# mettre 0.0.0.0/0)
|
|
HTTPSITES='0.0.0.0/0'
|
|
|
|
# HTTPS
|
|
# /!\ Possibilite d'utiliser des noms de domaines
|
|
# mais il est conseiller de placer un rechargement
|
|
# du minifirewall en crontab
|
|
HTTPSSITES='0.0.0.0/0'
|
|
|
|
# FTP
|
|
FTPSITES='0.0.0.0/0'
|
|
|
|
# SSH
|
|
SSHOK='0.0.0.0/0'
|
|
|
|
# SMTP
|
|
SMTPOK='0.0.0.0/0'
|
|
|
|
# SMTP secure (port 465 et 587)
|
|
SMTPSECUREOK='0.0.0.0/0'
|
|
|
|
# NTP
|
|
NTPOK='0.0.0.0/0'
|
|
|
|
################### IPv6 Specific rules
|
|
# /sbin/ip6tables ...
|
|
|
|
# Allow HTTP/HTTPS/SMTP traffic
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Allow DNS, NTP and traceroute traffic
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
|
|
|
# Allow DHCPv6
|
|
/sbin/ip6tables -t filter -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
|
/sbin/ip6tables -t filter -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
|
|
|
################### IPv4 Specific rules
|
|
# /sbin/iptables ...
|
|
|
|
# Allow DNS, NTP and traceroute traffic
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
|
/sbin/iptables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
|
|
|
# EvoBackup
|
|
# /sbin/iptables -A INPUT -p tcp --sport XXXX --dport 1024:65535 -s 85.118.59.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
# /sbin/iptables -A INPUT -p tcp --sport XXXX --dport 1024:65535 -s 31.170.8.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
# /sbin/iptables -A INPUT -p tcp --sport XXXX --dport 1024:65535 -s 178.32.100.48 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 2223 --dport 1024:65535 -s 62.210.209.17 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# FTP en mode passif
|
|
/sbin/iptables -A INPUT -p tcp --dport 60000:61000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# EvoMaintenance
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 31.170.8.4 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 62.212.121.90 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 62.212.111.216 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 88.179.18.233 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 85.118.59.50 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s 31.170.9.129 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Proxy
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 31.170.8.7 -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 31.170.8.10 -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 31.170.8.217 -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 31.170.8.218 -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j LOG --log-uid
|
|
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888
|
|
|
|
#43251
|
|
iptables -I INPUT -s 5.188.211.0/24 -p tcp --dport 80 -j DROP
|
|
iptables -I INPUT -s 5.188.211.0/24 -p tcp --dport 443 -j DROP
|
|
|
|
/sbin/iptables -A INPUT -p tcp --sport 2222 --dport 1024:65535 -s 31.170.11.167,31.170.8.7,31.170.8.249,31.170.8.76,31.170.8.222 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Ticket #52247 : Blocage git / Autorisation port 22 en IPv6
|
|
/sbin/ip6tables -A INPUT -p tcp ! --syn --sport 22 -s ::/0 -j ACCEPT
|