Created
December 18, 2016 13:24
-
-
Save Hotfirenet/583939a027738cbed8b4e8f62390d94a to your computer and use it in GitHub Desktop.
Custom firewall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| ### BEGIN INIT INFO | |
| # Provides: firewall | |
| # Required-Start: $remote_fs $syslog | |
| # Required-Stop: $remote_fs $syslog | |
| # Default-Start: 2 3 4 5 | |
| # Default-Stop: 0 1 6 | |
| # Short-Description: Démarre les règles iptables | |
| # Description: Charge la configuration du pare-feu iptables | |
| ### END INIT INFO | |
| # Réinitialise les règles | |
| iptables -t filter -F | |
| iptables -t filter -X | |
| # Bloque tout le trafic | |
| iptables -t filter -P INPUT DROP | |
| iptables -t filter -P FORWARD DROP | |
| iptables -t filter -P OUTPUT DROP | |
| # Autorise les connexions déjà établies et localhost | |
| iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| iptables -t filter -A INPUT -i lo -j ACCEPT | |
| iptables -t filter -A OUTPUT -o lo -j ACCEPT | |
| # ICMP (Ping) | |
| iptables -t filter -A INPUT -p icmp -j ACCEPT | |
| iptables -t filter -A OUTPUT -p icmp -j ACCEPT | |
| # SSH | |
| iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT | |
| # DNS | |
| iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT | |
| iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT | |
| iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT | |
| # NTP (horloge du serveur) | |
| iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT | |
| # HTTP | |
| iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT | |
| iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT | |
| # HTTP Caldav | |
| #iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 8008 -j ACCEPT | |
| # HTTPS | |
| iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT | |
| iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT | |
| # HTTPS Caldav | |
| #iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT | |
| # FTP | |
| #iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT | |
| # Mail SMTP | |
| #iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT | |
| iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT | |
| # Mail POP3 | |
| #iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT | |
| # Mail IMAP | |
| #iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT | |
| #iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT | |
| #iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT | |
| # Anti Flood / Deni de service / scan de port | |
| iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT | |
| iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT | |
| iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT | |
| iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment