Attention à ne pas faire n'importe quoi ici, vous risqueriez de ne plus avoir la main sur votre propre système !
Mise en place du firewall avec iptables
Code : Tout sélectionner
apt install iptablesCréer un fichier /etc/iptables-rules.sh :
Code : Tout sélectionner
nano /etc/iptables-rules.shModifier bien le port SSH configuré dans /etc/ssh/sshd_config (ici : 2222)
Code : Tout sélectionner
#!/bin/bash
#
# iptables-rules.sh - filter incoming and outgoing packets.
#
# Réinitialise les règles
iptables -t filter -F
iptables -t filter -X
# Bloque tout le trafic
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Autoriser localhost
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Autorise les connexions déjà établies et localhost
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH
iptables -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 2222 -j ACCEPT
# DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP (horloge du serveur)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# Ouverture port HTTP 80 et HTTPS 443 pour serveur web
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# Mail SMTP and SMTPS
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP and POPS
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# Mail IMAP and IMAPS
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
# Ouverture port DHCP 68
iptables -t filter -A OUTPUT -p udp --dport 68 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 68 -j ACCEPT
# Anti Flood / Deni de service / scan de port
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# All other connections are registered in syslog
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j REJECT
iptables -P OUTPUT DROP
# Other network protections
# (some will only work with some kernel versions)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Supprimer les règles "ACCEPT all"
iptables -t filter -D INPUT 1
iptables -t filter -D OUTPUT 1Script original : https://github.com/jeremiedecock/iptables-scripts
Code : Tout sélectionner
#!/bin/bash
# iptables-rules.sh - filter incoming and outgoing packets.
# Copyright (c) 2007,2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# For more information, see https://github.com/jeremiedecock/iptables-scripts
#
# To display the curent Netfilter rules, type the following commands in a Linux
# console (from the administrator account):
#
# iptables -L -n -v
# ip6tables -L -n -v
IP4TABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
[ -x $IP4TABLES ] || { echo "Error: $IP4TABLES not found" ; exit 1 ; }
[ -x $IP6TABLES ] || { echo "Error: $IP6TABLES not found" ; exit 1 ; }
# Kernel params ###############################################################
#modprobe ip_conntrack_ftp
# IPv6 ########################################################################
# Flush rules
$IP6TABLES -F
$IP6TABLES -X
# Default rule: reject every packet (incoming, outgoing and forwarded)
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Accept everything on the loopback interface
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
# IPv4 ########################################################################
# Flush rules
$IP4TABLES -F
$IP4TABLES -X
# Default rule: reject every packet (incoming, outgoing and forwarded)
$IP4TABLES -P INPUT DROP
$IP4TABLES -P OUTPUT DROP
$IP4TABLES -P FORWARD DROP
# Accept everything on the loopback interface
$IP4TABLES -A INPUT -i lo -j ACCEPT
$IP4TABLES -A OUTPUT -o lo -j ACCEPT
# Reject invalid incoming packets
$IP4TABLES -A INPUT -m state --state INVALID -j DROP
# Reject invalid incoming TCP packets (i.e. with flags not equals to "ALL" or "SYN")
$IP4TABLES -A INPUT -m state --state NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j DROP
# Reject (and notify) incoming connexions on port 113/TCP ("authentication tap ident")
$IP4TABLES -A INPUT -p tcp --destination-port auth -j REJECT --reject-with tcp-reset
# DNS #################################
# DNS_IP contains the list of trusted DNS servers (IPs allowed for DNS
# resolution). For instance:
#
# DNS_IP=(192.168.0.1 192.168.0.2 8.8.8.8 8.8.4.4)
# or:
# DNS_IP=(192.168.0.1)
# or:
# DNS_IP=()
#
# DNS_PROTOCOL contains the list of allowed DNS protocols. For instance:
#
# DNS_PROTOCOL=(tcp udp)
# or:
# DNS_PROTOCOL=(tcp)
DNS_IP=()
DNS_PROTOCOL=(tcp udp)
for IP in ${DNS_IP[@]}; do
for PROTOCOL in ${DNS_PROTOCOL[@]}; do
$IP4TABLES -A INPUT -p $PROTOCOL -s $IP --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A OUTPUT -p $PROTOCOL -d $IP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
done
# ALLOWED_OUTGOING_UDP_SERVICES #######
# ALLOWED_REMOTE_UDP_SERVICES contains the list of reachable UDP outgoing services.
# For instance:
#
# ALLOWED_REMOTE_UDP_SERVICES=(123 514)
# or:
# ALLOWED_REMOTE_UDP_SERVICES=(123)
# or:
# ALLOWED_REMOTE_UDP_SERVICES=()
#
# Here is a list of common UDP services:
#
# 123 : NTP
# 514 : SYSLOG
#
# The full list is available in /etc/services
ALLOWED_REMOTE_UDP_SERVICES=(123)
for SERVICE in ${ALLOWED_REMOTE_UDP_SERVICES[@]}; do
$IP4TABLES -A INPUT -p udp --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A OUTPUT -p udp --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# ALLOWED_OUTGOING_TCP_SERVICES #######
# ALLOWED_REMOTE_TCP_SERVICES contains the list of reachable TCP outgoing services.
# For instance:
#
# ALLOWED_REMOTE_TCP_SERVICES=(80 443)
# or:
# ALLOWED_REMOTE_TCP_SERVICES=(80)
# or:
# ALLOWED_REMOTE_TCP_SERVICES=()
#
# Here is a list of common TCP services:
#
# 22 : SSH
# 23 : TELNET
# 25 : SMTP
# 80 : HTTP
# 110 : POP3
# 123 : NTP
# 194 : IRC
# 443 : HTTPS
# 465 : SMTP over SSL (POP)
# 515 : Line printer spooler
# 587 : SMTP over TSL (IMAP)
# 993 : IMAP over SSL
# 995 : POP3 over SSL
# 3690 : SVN
# 5222 : XMPP
# 5223 : XMPP over SSL
# 6667 : IRCD
# 9418 : GIT
#
# The full list is available in /etc/services
ALLOWED_REMOTE_TCP_SERVICES=(80 443)
for SERVICE in ${ALLOWED_REMOTE_TCP_SERVICES[@]}; do
$IP4TABLES -A INPUT -p tcp --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A OUTPUT -p tcp --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# ALLOWED_INCOMING_TCP_SERVICES #######
# TRUSTED_IP contains the list of trusted IPs (IPs allowed to connect to this
# computer). For instance:
#
# TRUSTED_IP=(192.168.0.1 192.168.0.2)
# or:
# TRUSTED_IP=(192.168.0.1)
# or:
# TRUSTED_IP=()
#
# ALLOWED_LOCAL_TCP_SERVICES contains the list of services made available for
# trusted IPs. For instance:
#
# ALLOWED_LOCAL_TCP_SERVICES=(80 443)
# or:
# ALLOWED_LOCAL_TCP_SERVICES=(80)
# or:
# ALLOWED_LOCAL_TCP_SERVICES=()
TRUSTED_IP=()
ALLOWED_LOCAL_TCP_SERVICES=()
for IP in ${TRUSTED_IP[@]}; do
for SERVICE in ${ALLOWED_LOCAL_TCP_SERVICES[@]}; do
$IP4TABLES -A INPUT -p tcp -s $IP --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IP4TABLES -A OUTPUT -p tcp -d $IP --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
done
done
# USERS RULES #########################
#$IP4TABLES -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner john -j DROP
#$IP4TABLES -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner alice -j DROP
# DEFAUT ##############################
#$IP4TABLES -A INPUT -m limit --limit 4/s -j LOG --log-prefix "NETFILTER (IN) : "
#$IP4TABLES -A OUTPUT -m limit --limit 4/s -j LOG --log-prefix "NETFILTER (OUT) : Code : Tout sélectionner
DNS_IP=(192.168.0.1 192.168.0.2 8.8.8.8 8.8.4.4)Code : Tout sélectionner
cat /etc/resolv.confCode : Tout sélectionner
DNS_PROTOCOL=(tcp udp)Code : Tout sélectionner
ALLOWED_REMOTE_UDP_SERVICES=(123)Code : Tout sélectionner
cat /etc/servicesAjouter votre port SSH (ici : 2222)
Code : Tout sélectionner
ALLOWED_REMOTE_TCP_SERVICES=(2222 80 443)2. Configurer le service
Sur les systèmes compatibles systemd (dernières versions de Debian, Ubuntu, Arch, Fedora, ...)
Créer un fichier /etc/systemd/system/iptables-rules.service :
Code : Tout sélectionner
nano /etc/systemd/system/iptables-rules.serviceCode : Tout sélectionner
[Unit]
Description=Iptables rules
DefaultDependencies=no
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/iptables-rules.sh
ExecStop=/etc/iptables-off.sh
[Install]
WantedBy=multi-user.targetCode : Tout sélectionner
chown root:root /etc/systemd/system/iptables-rules.service
chmod 644 /etc/systemd/system/iptables-rules.serviceCréer un fichier /etc/init.d/iptables-rules :
Code : Tout sélectionner
nano /init.d/iptables-rulesCode : Tout sélectionner
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $syslog
# Required-Stop: $local_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Iptables scripts to setup Netfilter (the Linux firewall)
# Description: Iptables scripts to setup Netfilter (the Linux firewall)
### END INIT INFO
################################################################################
# IPTABLES-SCRIPTS INIT (SYSTEM V)
#
# Copyright (c) 2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# The MIT license
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
################################################################################
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/bin
DESC="Iptables scripts to setup Netfilter (the Linux firewall)"
NAME=iptables
IPTABLES_CONFIG_FILE=/etc/default/iptables
SCRIPT_NAME=/etc/init.d/iptables-rules
IPTABLES_SCRIPT=/etc/iptables-rules.sh
IPTABLES_OFF_SCRIPT=/etc/iptables-off.sh
# Read configuration variable file if it is present
[ -r ${IPTABLES_CONFIG_FILE} ] && . ${IPTABLES_CONFIG_FILE}
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
[ -x "${IPTABLES_SCRIPT}" ] || exit 2
${IPTABLES_SCRIPT} || exit 1
}
#
# Function that stops the daemon/service
#
do_stop()
{
[ -x "${IPTABLES_OFF_SCRIPT}" ] || exit 2
${IPTABLES_OFF_SCRIPT} || exit 1
}
case "$1" in
start|restart|reload)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1|2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1|2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
*)
echo "Usage: ${SCRIPT_NAME} {start|stop|restart}" >&2
exit 3
;;
esac
exit 0Code : Tout sélectionner
chown root:root /etc/init.d/iptables-rules
chmod 700 /etc/init.d/iptables-rulesCréer un fichier /etc/iptables-off.sh :
Code : Tout sélectionner
nano /etc/iptables-off.shCode : Tout sélectionner
#!/bin/sh
# iptables-off.sh - switch off the firewall (for IPv4 and IPv6).
# Copyright (c) 2007,2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# For more information, see https://github.com/jeremiedecock/iptables-scripts
#
# To display the curent Netfilter rules, type the following commands in a Linux
# console (from the administrator account):
#
# iptables -L -n -v
# ip6tables -L -n -v
IP4TABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
[ -x $IP4TABLES ] || { echo "Error: $IP4TABLES not found" ; exit 1 ; }
[ -x $IP6TABLES ] || { echo "Error: $IP6TABLES not found" ; exit 1 ; }
# Setup Netfilter for IPv4 and IPv6
for IPTABLES in "$IP4TABLES" "$IP6TABLES"
do
# Flush rules
$IPTABLES -F
$IPTABLES -X
# Default rule: accept every packet (incoming, outgoing and forwarded)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
doneCode : Tout sélectionner
chown root:root /etc/iptables-*.sh
chmod 700 /etc/iptables-*Sur les systèmes compatibles systemd (dernières versions de Debian, Ubuntu, Arch, Fedora, ...)
Code : Tout sélectionner
systemctl start iptables-rules.service
systemctl status iptables-rules.serviceCode : Tout sélectionner
service iptables-rules startAvant d'activer le service au démarrage, il est recommandé de tester les paramètres. En effet, en cas d'erreur (surtout SSH) vous pouvez perdre la main complètement sur votre système ! Une fois les paramètres validés, lancer :
Sur les systèmes compatibles systemd (dernières versions de Debian, Ubuntu, Arch, Fedora, ...)
Code : Tout sélectionner
systemctl enable --now iptables-rules.serviceCode : Tout sélectionner
update-rc.d iptables-rules defaultsSur les systèmes compatibles systemd (dernières versions de Debian, Ubuntu, Arch, Fedora, ...)
Code : Tout sélectionner
systemctl stop iptables-rules.serviceCode : Tout sélectionner
service iptables-rules stop