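#!/bin/sh
#
# firewall -- SysV init script that loads a minimal iptables INPUT policy.
#
# Usage: /etc/init.d/firewall {start|stop|restart|force-reload}
#
# Must run as root; expects the iptables binary at $IPT. Exit status is 0
# when every iptables command succeeded, 1 on any failure or bad usage.
IPT=/sbin/iptables
NAME=firewall
DESC="packet filter"
# Throttle for the catch-all LOG rule: an unrated LOG lets a packet flood
# fill syslog (and the disk) from the outside.
LOG_LIMIT=5/min

rc=0

# Run one iptables command, remembering a failure instead of aborting so
# the remaining rules are still installed (the policy is already DROP by
# then; stopping half-way would leave the host unreachable).
# Arguments: iptables arguments
# Globals:   IPT (read), rc (written)
rule() {
  "$IPT" "$@" || rc=1
}

# Install the INPUT chain. The chain is flushed first so that a second
# "start" does not append a duplicate copy of every rule.
do_start() {
  rule -F INPUT
  # Policy before rules: fail closed if one of the rules below errors.
  rule -P INPUT DROP
  rule -A INPUT -i lo -j ACCEPT
  # Replies to our own connections first -- they are most of the traffic,
  # and a --syn packet is never ESTABLISHED, so ordering does not change
  # which rule a packet matches.
  rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -p icmp -j ACCEPT
  # New TCP connections to the public services: HTTP, SSH, SMTP.
  for port in 80 22 25; do
    rule -A INPUT -p tcp --dport "$port" --syn -j ACCEPT
  done
  # Anything else: log (rate limited) and reject with a proper error.
  rule -A INPUT -m limit --limit "$LOG_LIMIT" -j LOG
  rule -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  rule -A INPUT -p udp -j REJECT
}

# Open the firewall completely: ACCEPT policies on every chain, then drop
# all rules and user chains in the filter table and the nat rules.
do_stop() {
  # Policies first, so nothing is dropped between the flush and the
  # policy change (the original order flushed while INPUT was still DROP).
  rule -P FORWARD ACCEPT
  rule -P INPUT ACCEPT
  rule -P OUTPUT ACCEPT
  rule -F
  rule -X
  rule -t nat -F
}

case "$1" in
  start)
    printf '%s' "Starting $DESC: $NAME"
    do_start
    printf '.\n'
    ;;
  stop)
    printf '%s' "Stopping $DESC: $NAME"
    do_stop
    printf '.\n'
    ;;
  restart|force-reload)
    "$0" stop || rc=1
    "$0" start || rc=1
    ;;
  *)
    printf 'Usage: %s {start|stop|restart|force-reload}\n' "/etc/init.d/$NAME" >&2
    exit 1
    ;;
esac
exit "$rc"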
Pour pouvoir accepter les connexions FTP en mode passif, il faut ajouter les lignes suivantes dans la section `start`, avant la règle LOG (ajoutées après les règles REJECT, elles ne seraient jamais atteintes). Attention : la seconde règle ouvre tous les ports TCP de 1024 à 65535, pas seulement ceux utilisés par le FTP ; il vaut mieux restreindre la plage à celle configurée dans le serveur FTP, ou charger le module ip_conntrack_ftp / nf_conntrack_ftp pour que la règle d'état RELATED suffise sans ouvrir ces ports.
# Passive FTP without a conntrack helper: the control channel (21) plus the
# whole unprivileged port range for the data channel. NOTE(review): the
# second rule admits any TCP packet to ports 1024-65535, not only FTP data
# transfers; both rules must be appended before the LOG/REJECT rules of the
# INPUT chain or they are never reached.
"$IPT" -A INPUT -p tcp --dport 21 --syn -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 1024:65535 -j ACCEPT