First commit
commit
f3b9d45ca9
14 changed files with 1724 additions and 0 deletions
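--- /dev/null
+++ b/firewall
@@ -0,0 +1,74 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: firewall rules
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start daemon at boot time
+# Description: Enable service provided by daemon.
+### END INIT INFO
+
+#Suppression des règles précédentes
+iptables -F
+iptables -X
+
+########
+# DROP #
+########
+
+# Définition du blocage général
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+# Drop des scans XMAS et NULL
+iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+##########
+# ACCEPT #
+##########
+
+# Conservations des connexions déjà établies
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Autorisation du loopback (127.0.0.1)
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Autorisation des échanges avec le serveur DNS (53)
+iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# NTP (123)
+iptables -A INPUT -p udp --sport 123 -j ACCEPT
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+
+# HTTP (80)
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+
+# HTTPS (443)
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+
+# SSH (7943)
+iptables -A INPUT -p tcp --dport 7943 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 7943 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
+
+# ICMP (Ping)
+iptables -A INPUT -p icmp -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
+
+# Parer les attaques de type Déni de Service
+iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
+iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
+
+# Parer les scans de ports
+iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT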
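Review bot: The NTP rule `iptables -A INPUT -p udp --sport 123 -j ACCEPT` is stateless, so any UDP datagram whose source port is 123 is accepted on INPUT regardless of destination port or connection state, which undercuts the DROP policy set earlier in the file. Replies to the host's own NTP queries are already matched by the RELATED,ESTABLISHED rule above it, so the line can be removed outright, or made stateful like the DNS rule: `iptables -A INPUT -p udp --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT`. The four FORWARD rules under the "Déni de Service" and "scans de ports" comments also do not do what the comments say: on a chain whose policy is already DROP they ACCEPT a rate-limited trickle of forwarded SYN/UDP/ICMP/RST packets rather than limiting anything reaching INPUT, so either drop them or rewrite them as INPUT rules each followed by a matching DROP for the excess. Only iptables is configured here; if the host has IPv6 enabled, ip6tables presumably keeps its default ACCEPT policy and none of these restrictions apply to it — worth confirming and mirroring.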