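# Quick reference: /8 = 255.0.0.0, /16 = 255.255.0.0, /24 = 255.255.255.0
#
# Host-plus-router firewall for a box with an inside network on $local and a
# DMZ side on $wan.  All three filter chains default to DROP and everything
# below is an explicit allow list.
#
# Load order matters: the DROP policies are installed BEFORE the old rules are
# flushed, so there is never an accept-all window while the script runs.
# Abort on the first failing command so a half-loaded ruleset is noticed
# instead of silently left in place (with DROP policies that state is closed,
# not open).  Only IPv4 is handled: nothing here touches ip6tables, so an
# IPv6-enabled host stays unfiltered on v6.
set -eu

# ---- Interfaces -----------------------------------------------------------
local=eth0            # inside (LAN)
localip=10.1.0.0/16   # inside network (the original wrote 10.1.1.0/16; same /16)
wan=eth1              # DMZ side
wanip=10.0.0.0/24     # DMZ network; not referenced by any rule below

# Write $2 into the /proc/sys knob $1; knobs absent on this kernel are skipped.
set_sysctl() {
  if [ -e "$1" ]; then
    printf '%s\n' "$2" > "$1"
  fi
}

# allow_client IFACE PROTO PORT(S): this host initiates connections to PORT(S)
# through IFACE; only replies to an existing connection are accepted back.
allow_client() {
  iptables -A OUTPUT -o "$1" -m state ! --state INVALID -p "$2" --dport "$3" -j ACCEPT
  iptables -A INPUT  -i "$1" -m state --state ESTABLISHED,RELATED -p "$2" --sport "$3" -j ACCEPT
}

# allow_server IFACE PROTO PORT [NET]: remote hosts (restricted to NET when
# given) may connect to PORT on this host via IFACE; replies go back out.
allow_server() {
  _net=${4:-}
  if [ -n "$_net" ]; then
    iptables -A INPUT  -i "$1" -s "$_net" -m state ! --state INVALID -p "$2" --dport "$3" -j ACCEPT
    iptables -A OUTPUT -o "$1" -d "$_net" -m state --state ESTABLISHED,RELATED -p "$2" --sport "$3" -j ACCEPT
  else
    iptables -A INPUT  -i "$1" -m state ! --state INVALID -p "$2" --dport "$3" -j ACCEPT
    iptables -A OUTPUT -o "$1" -m state --state ESTABLISHED,RELATED -p "$2" --sport "$3" -j ACCEPT
  fi
}

# ---- Reset ----------------------------------------------------------------
# Default-deny first, then flush: the old rules disappear under a closed policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# nat chains stay ACCEPT: that table rewrites addresses, it does not filter.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

# ---- Logging chains -------------------------------------------------------
# Each LOG is rate-limited so a flood of rejected packets cannot fill the disk
# or drown real events; the DROP/ACCEPT that follows the LOG is not limited.
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level warn --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
# LOG_ACCEPT is not used by any rule below; kept so other scripts may jump to it.
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level warn --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
iptables -N LOG_FORWARD
iptables -A LOG_FORWARD -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix '[IPTABLES FORWARD] : '
iptables -A LOG_FORWARD -j DROP

# ---- Kernel hardening -----------------------------------------------------
# Strict reverse-path check: a packet whose source would not be routed back
# out the interface it arrived on is dropped (anti-spoofing).
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_sysctl "$knob" 1
done
# Do not answer echo requests sent to a broadcast address (smurf amplification).
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
# Refuse source-routed packets.
for knob in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  set_sysctl "$knob" 0
done
# SYN cookies against SYN-flood backlog exhaustion.
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
# Neither accept nor emit ICMP redirects (route manipulation).
for knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  set_sysctl "$knob" 0
done
for knob in /proc/sys/net/ipv4/conf/*/send_redirects; do
  set_sysctl "$knob" 0
done
# Log packets with impossible (martian) source addresses.
for knob in /proc/sys/net/ipv4/conf/*/log_martians; do
  set_sysctl "$knob" 1
done

# ---- Bogus TCP flag combinations (stealth scans) --------------------------
# Same checks on INPUT and FORWARD; these drop silently, before any logging.
for chain in INPUT FORWARD; do
  iptables -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP          # no flag at all (NULL scan)
  iptables -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN+FIN
  iptables -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN+RST
  iptables -A "$chain" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP   # FIN+RST
  iptables -A "$chain" -p tcp --tcp-flags ACK,FIN FIN -j DROP       # FIN without ACK
  iptables -A "$chain" -p tcp --tcp-flags ACK,PSH PSH -j DROP       # PSH without ACK
  iptables -A "$chain" -p tcp --tcp-flags ACK,URG URG -j DROP       # URG without ACK
done

# ---- Loopback -------------------------------------------------------------
# Local daemons (resolver, mail, monitoring) talk over lo; with DROP policies
# and no rule here they would be cut off.  The original script had no such rule.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ---- ICMP -----------------------------------------------------------------
# ICMP errors tied to a tracked connection (unreachable, fragmentation-needed
# for PMTU discovery, TTL exceeded) are classified RELATED.  Without this they
# hit the DROP policy and broken paths time out instead of failing fast.
# Echo requests are still NEW and therefore still dropped.
iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT

# ---- FORWARD: inside -> DMZ only, replies back ----------------------------
# Forwarded traffic must come from the inside network; anything else entering
# on $local is not ours to relay.  NB: "-m state" is the legacy alias of
# "-m conntrack --ctstate"; kept as in the original.
iptables -A FORWARD -i "$wan" -o "$local" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$local" -o "$wan" -s "$localip" -m state ! --state INVALID -j ACCEPT

# ---- INPUT / OUTPUT for this host -----------------------------------------
# telnet client (cleartext; kept for compatibility with the original ruleset).
allow_client "$local" tcp 23
allow_client "$wan" tcp 23
# sshd reachable from both sides.  Any DMZ host may reach it; narrow with a
# fourth argument (source network) if the admin hosts are known.
allow_server "$local" tcp 22
allow_server "$wan" tcp 22
# ssh client
allow_client "$local" tcp 22
allow_client "$wan" tcp 22
# FTP client (control and active-data ports).
allow_client "$local" tcp 20:21
allow_client "$wan" tcp 20:21
# SMTP client
allow_client "$local" tcp 25
allow_client "$wan" tcp 25
# DNS: client towards the DMZ side, and resolver exposed on the DMZ side.
allow_client "$wan" udp 53
allow_client "$wan" tcp 53
allow_server "$wan" udp 53
allow_server "$wan" tcp 53
# HTTP / HTTPS client on both sides (replies now also match RELATED, like the
# other client rules; the original accepted ESTABLISHED only).
allow_client "$wan" tcp 443
allow_client "$wan" tcp 80
allow_client "$local" tcp 443
allow_client "$local" tcp 80
# IMAP server, inside network only.  (The original labelled this "SNMP";
# tcp/143 is IMAP.)
allow_server "$local" tcp 143 "$localip"
# SNMP agent, inside network only.
allow_server "$local" udp 161 "$localip"
# IRC client towards the DMZ side.
allow_client "$wan" tcp 6667

# ---- NAT ------------------------------------------------------------------
# ip_forward is essential; write it directly so a failure aborts the script.
printf '1\n' > /proc/sys/net/ipv4/ip_forward
# Masquerade only inside traffic leaving on the DMZ side.  The original
# unqualified "-j MASQUERADE" rewrote the source of every packet leaving on
# every interface, including traffic into the LAN, which hides real addresses
# from anything logging on the inside.
iptables -t nat -A POSTROUTING -s "$localip" -o "$wan" -j MASQUERADE

# ---- Catch-all logging ----------------------------------------------------
# Keep kernel messages off the console (console loglevel 4); syslog still gets them.
printf '4 4 1 7\n' > /proc/sys/kernel/printk
iptables -A INPUT -p tcp -j LOG_DROP
iptables -A OUTPUT -p tcp -j LOG_DROP
iptables -A INPUT -p udp -j LOG_DROP
iptables -A OUTPUT -p udp -j LOG_DROP
iptables -A FORWARD -j LOG_FORWARD
# Anything else (ICMP not RELATED, other protocols) falls through to the
# DROP policy without being logged.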