{{tag>Brouillon Réseau iptables Sécurité Script}}
= Exemples de script init iptables
Note : **iptables est maintenant remplacé par [[nftables_un_remplacant_d_iptables|nftables]]**
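#!/bin/bash
# Init-style iptables script: the production hosts whose names match
# REGEX_MACHINE in /etc/hosts are whitelisted, the rest of the local VLAN
# on INTERFACE is rejected, everything else falls through to the ACCEPT
# policy. Usage: start|stop|restart (see the case statement at the bottom).
# Helpers (dieIfNotRoot, getPlateformBasename) come from lib/common.sh,
# expected next to this script.
. "$(dirname "$0")/lib/common.sh"
dieIfNotRoot
IPTABLES=/sbin/iptables
# Platform short name derived from the host name; not read in this script
# as shown — presumably consumed by the sourced helpers, TODO confirm.
pf=$(getPlateformBasename "$HOSTNAME")
### DEBUT config ###
# Interface that must sit in the VLAN below.
INTERFACE=eth0
# VLAN prefix written as a basic regex (dots escaped); with the backslashes
# removed and "0/24" appended it also gives the network to reject.
VLAN='172\.16\.12\.'
# Extended regex, matched case-insensitively against the host names in /etc/hosts.
REGEX_MACHINE='qua.*1|ftp1|gdp1'
### FIN config ###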
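check()
{ # Sanity checks before touching the rules.
  # Exits 10 when INTERFACE does not carry an address in VLAN, 11 when the
  # iptables service is not started. Errors go to stderr.
  # Field 4 of the space-squeezed second ifconfig line is the interface's
  # IPv4 address (legacy ifconfig layout, locale dependent — TODO confirm on
  # the target hosts). Anchored at ^ so the prefix must start the address.
  if ! /sbin/ifconfig "$INTERFACE" | sed -n -e '2p' | tr -s ' ' ':' | cut -d':' -f4 | grep -q -e "^$VLAN"
  then
    # ${VLAN//\\/} prints the prefix without the regex escapes.
    echo "ERREUR. L'interface $INTERFACE n'est pas dans le VLAN ${VLAN//\\/}" >&2
    exit 10
  fi
  # The init script reports the service state through its exit status.
  if ! /etc/init.d/iptables status >/dev/null
  then
    echo "ERREUR. Le service iptables n'est pas demarre" >&2
    exit 11
  fi
}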
flush()
{
  # Reset to an open firewall: remove every rule and user chain, then set
  # INPUT and OUTPUT to ACCEPT (FORWARD is left untouched). Used before a
  # reload and for "stop", so after "stop" the host is unfiltered.
  local chain
  "$IPTABLES" -F
  "$IPTABLES" -X
  for chain in INPUT OUTPUT
  do
    "$IPTABLES" -P "$chain" ACCEPT
  done
}
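filter()
{
  # Whitelist: every IPv4 address in /etc/hosts whose host name (any name
  # field, inline comments stripped) matches REGEX_MACHINE, case-insensitive.
  # Only the name fields are tested, so addresses or comment text cannot
  # widen the whitelist. The regex itself stays unanchored: "gdp1" also
  # matches "gdp10" — anchor it in the config if exact names are wanted.
  local ip re count=0
  re=$(printf '%s' "$REGEX_MACHINE" | tr '[:upper:]' '[:lower:]')
  "$IPTABLES" -N WL_PROD
  # The regex is passed through the environment, not -v, so awk does not
  # reinterpret backslash escapes in it.
  while IFS= read -r ip
  do
    [ -n "$ip" ] || continue
    "$IPTABLES" -A INPUT -i "$INTERFACE" -s "$ip" -j WL_PROD
    count=$((count + 1))
  done < <(RE_MACHINE="$re" awk '
      /^[[:space:]]*#/ { next }
      { sub(/#.*/, "")
        for (i = 2; i <= NF; i++)
          if (tolower($i) ~ ENVIRON["RE_MACHINE"]) { print $1; next } }' /etc/hosts)
  if [ "$count" -eq 0 ]
  then
    # An empty whitelist is almost certainly a configuration error; say so.
    echo "ATTENTION. Aucune machine ne correspond a '$REGEX_MACHINE' dans /etc/hosts" >&2
  fi
  "$IPTABLES" -A WL_PROD -j ACCEPT
  # Return traffic for connections initiated from this host.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anything else from the local VLAN is rejected. Sources outside the VLAN
  # match nothing here and fall through to the ACCEPT policy set by flush().
  "$IPTABLES" -A INPUT -i "$INTERFACE" -s "${VLAN//\\/}0/24" -j REJECT
}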
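# Entry point: start/restart reloads the rules, stop leaves the host open.
case "${1:-}" in
  'start'|'restart')
    # check() currently exits by itself (10/11); the else branch is only
    # reached if it is changed to return a status. The status is saved
    # before echo so the exit code is check's, not echo's.
    if check
    then
      flush
      filter
    else
      rc=$?
      echo "ERREUR check" >&2
      exit "$rc"
    fi
    ;;
  'stop')
    # ACCEPT policies, no rules.
    flush
    ;;
  *)
    echo "usage: $0 start|stop|restart" >&2
    exit 2
    ;;
esac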
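#!/bin/bash
# Host firewall for a two-legged server: INTERFACE_OPEN is filtered,
# INTERFACE_SAFE is fully trusted. Policy DROP on INPUT/OUTPUT/FORWARD,
# then explicit allows; role-specific ports are picked from the host name
# (case on HOSTNAME at the bottom).
# NOTE: with `set -e` any failing command or pipeline — including the
# lookups below — aborts the script immediately.
set -e
PATH=$PATH:/sbin
# Every nameserver from resolv.conf, one per line; the DNS rules loop over them.
SERVERDNS=$(awk '/^nameserver/ { print $2 }' /etc/resolv.conf)
INTERFACE_OPEN=eth0
INTERFACE_SAFE=eth1
# VLAN prefixes written as basic regexes (dots escaped). VLAN_SAFE has no
# trailing "\." so it also matches e.g. 10.0.20.x — TODO confirm intended.
VLAN_OPEN='192\.168\.1\.'
VLAN_SAFE='10\.0\.2'
# IPv4 address of the open interface. "inet adr:" is the French-locale
# label of the legacy ifconfig; when it does not match, set -e aborts the
# script on this line without a message — TODO confirm on the target hosts.
IPSERVER=$(ifconfig "$INTERFACE_OPEN" | grep -e 'inet adr:' | tr -s ' ' ':' | cut -f 4 -d':')
IP_ZABBIX_SERVER="172.16.110.3"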
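# Sanity checks. Each test sits in an `if !` so a failing pipeline is
# reported here with its own exit code instead of aborting through set -e
# (a bare pipeline followed by `[ $? -ne 0 ]` never reaches the test).
# Field 4 of the space-squeezed second ifconfig line is the IPv4 address
# (legacy ifconfig layout — TODO confirm on the target hosts).
if ! /sbin/ifconfig "$INTERFACE_OPEN" | sed -n -e '2p' | tr -s ' ' ':' | cut -d':' -f4 | grep -q -e "^$VLAN_OPEN"
then
  echo "ERREUR. L'interface $INTERFACE_OPEN n'est pas dans le VLAN ${VLAN_OPEN//\\/}" >&2
  exit 1
fi
# Same check on the safe interface (queried by interface name, not by the VLAN regex).
if ! /sbin/ifconfig "$INTERFACE_SAFE" | sed -n -e '2p' | tr -s ' ' ':' | cut -d':' -f4 | grep -q -e "^$VLAN_SAFE"
then
  echo "ERREUR. L'interface $INTERFACE_SAFE n'est pas dans le VLAN ${VLAN_SAFE//\\/}" >&2
  exit 2
fi
# The iptables service must be started.
if ! /etc/init.d/iptables status >/dev/null
then
  echo "ERREUR. Le service iptables n'est pas démarré" >&2
  exit 3
fi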
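## Start from a clean filter table: flush rules, delete user chains.
iptables -F
iptables -X
## Default policy: DROP in, out and forwarded; explicit allows follow.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Inbound packets that belong to connections this host opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Outbound: accept every packet that is not INVALID. This includes NEW
## connections (SSH, NTP, ...), so the OUTPUT DROP policy above is
## effectively overridden and the per-destination OUTPUT rules below only
## see INVALID packets. Use "--state ESTABLISHED,RELATED" here instead if
## outbound connections are meant to be whitelisted one by one.
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
## Loopback is always accepted (inserted at the head of INPUT).
iptables -I INPUT -i lo -j ACCEPT
## Everything arriving on the safe interface is trusted.
iptables -I INPUT -i "$INTERFACE_SAFE" -j ACCEPT
## DNS (UDP and TCP) towards each configured nameserver. SERVERDNS may hold
## several addresses, one per word; word-splitting is intended here.
[ -n "$SERVERDNS" ] || echo "ATTENTION. Aucun nameserver dans /etc/resolv.conf" >&2
for ns in $SERVERDNS
do
  iptables -A OUTPUT -o "$INTERFACE_OPEN" -d "$ns" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o "$INTERFACE_OPEN" -d "$ns" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done
#iptables -A INPUT -i $INTERFACE_OPEN -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
## SSH server, reachable from any source on the open interface.
iptables -A INPUT -i "$INTERFACE_OPEN" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
## Zabbix agent, only from the Zabbix server.
iptables -A INPUT -i "$INTERFACE_OPEN" -s "$IP_ZABBIX_SERVER" -p tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
## ICMP in both directions, unrestricted (see
## http://www.oregontechsupport.com/articles/icmp.txt for per-type filtering).
## The OUTPUT rule takes -o: iptables rejects -i in the OUTPUT chain, and
## under set -e that error aborted the script before the role-specific
## rules below were ever loaded.
iptables -A INPUT -i "$INTERFACE_OPEN" -p icmp -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE_OPEN" -p icmp -j ACCEPT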
# Role-specific inbound allows on the open interface, chosen from the host name.
case "$HOSTNAME" in
  *web*)
    echo "Machine WEB"
    # HTTP and HTTPS server.
    for port in 80 443
    do
      iptables -A INPUT -i "$INTERFACE_OPEN" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # NFS server (disabled).
    #iptables -A INPUT -i $INTERFACE_OPEN -p tcp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    #iptables -A INPUT -i $INTERFACE_OPEN -p udp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
  *app*)
    echo "Machine APP"
    # Application port, only from the web tier. The host name is resolved
    # when the rule is loaded, so the rule is only as good as name resolution at that moment.
    iptables -A INPUT -i "$INTERFACE_OPEN" -s qua-web3 -p tcp --dport 9960 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
  *db*)
    echo "Machine DB"
    # PostgreSQL, only from the application tier (same resolution caveat).
    iptables -A INPUT -i "$INTERFACE_OPEN" -s qua-app3 -p tcp --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
esac
''/usr/share/doc/openvpn/examples/sample-config-files/firewall.sh''
#!/bin/sh
# A Sample OpenVPN-aware firewall.
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.
# Rule order is the policy: chains are walked top to bottom and the first
# matching rule wins, so the DROP rules must stay ahead of the ACCEPTs.
# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24
# Loopback address
# NOTE(review): a single /32; the anti-spoofing rules below do not cover
# the rest of 127.0.0.0/8.
LOOP=127.0.0.1
# Delete old iptables rules
# and temporarily block all traffic.
# NOTE(review): only the filter table is flushed; user-defined chains and
# the nat table are left alone, so re-running the script appends a second
# MASQUERADE rule (see the last line).
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# Set default policies
# Outbound traffic from this host is unrestricted.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP
# Anything coming from the Internet should have a real Internet address
# (RFC 1918 space arriving on eth0 is spoofed or misrouted).
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
# NOTE(review): "-s ! addr" is the legacy intrapositioned negation;
# current iptables expects "! -s addr" and at least warns on this form.
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow services such as www and ssh (can be disabled)
# No -i here: both services are reachable from eth0 (the internet) as
# well as from the private side.
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
# Matches on every interface, not only eth0.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# Keep state of connections from local machine and private subnets
# (the OUTPUT rule is redundant with the ACCEPT policy set above).
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade local subnet
# Appended, never flushed above: one more copy per run.
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
---------
Source : http://www.linuxjournal.com/content/server-hardening?page=0,1
# make sure forwarding is off and clear everything
# also turn off ipv6 cause if you don't need it
# turn it off
# NOTE(review): "all" applies to the interfaces that exist now; new
# interfaces follow net.ipv6.conf.default.disable_ipv6. No ip6tables rules
# are set, so any IPv6 that does come up is unfiltered.
sysctl net.ipv6.conf.all.disable_ipv6=1
sysctl net.ipv4.ip_forward=0
# -F and --flush are the same operation on the filter table.
iptables -F
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#make the default -drop everything
# Inbound and forwarded traffic is dropped; outbound is left unrestricted.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
#allow all in loopback
iptables -A INPUT -i lo -j ACCEPT
#allow related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow ssh
# Port 22 is also covered by the multiport rule below (ssh = 22/tcp).
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
# NEW connections to ssh/http/https from any source on any interface.
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,http,https -j ACCEPT
# NOTE(review): no -j target, so as written this rule only counts matching
# packets (the line may be truncated on this page). It is also shadowed by
# the unrestricted rule above, so the source restriction has no effect.
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports http,https