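#!/bin/sh
#
# firewall - minimal host firewall for IPv4 (iptables) and IPv6 (ip6tables).
#
# Usage: firewall {start|stop|status}
#
#   start   flush everything, set DROP policies, then load the rule set
#   stop    open everything (ACCEPT policies) and flush the rules
#   status  list the active rules of both address families
#
# Exit status: 0 after start/stop/status; 2 (usage) for any other argument,
# so that a typo such as "strat" is no longer reported as success while the
# host is left without its rule set.
#
# Deliberately NOT run under `set -e`: a rule the running kernel does not
# support (see the rt-type rules) must not abort loading the rest of the
# rule set. Every failed rule is reported on stderr instead.

# Print one message on stdout. printf rather than echo so that text such
# as "[OK]" is never expanded as a glob pattern (it matched a file named
# "O" or "K" in the working directory when left unquoted).
say() {
  printf '%s\n' "$1"
}

# Run one iptables (v4) / ip6tables (v6) command. A failure is reported on
# stderr together with the rule, without aborting the script.
v4() {
  iptables "$@" || printf 'firewall: iptables %s: failed\n' "$*" >&2
}
v6() {
  ip6tables "$@" || printf 'firewall: ip6tables %s: failed\n' "$*" >&2
}
# Apply the same rule to both address families (v4 first, then v6).
# Rule order only matters within one family's chain, and that order is
# preserved by calling both in the original sequence.
both() {
  v4 "$@"
  v6 "$@"
}

# Flush every chain of the filter table and delete user-defined chains,
# for both families.
flush_tables() {
  both -t filter -F
  both -t filter -X
  say '- Vidage des regles et des tables : [OK]'
}

# Set the default policy of INPUT, FORWARD and OUTPUT to $1 (DROP or ACCEPT)
# for both families.
set_policies() {
  for chain in INPUT FORWARD OUTPUT; do
    both -t filter -P "$chain" "$1"
  done
}

# Load the full rule set: default deny, then explicit allows.
fw_start() {
  say '- Initialisation du firewall :'
  # Vidage des tables et des regles personnelles
  flush_tables
  # Interdire toutes connexions entrantes et sortantes
  set_policies DROP
  say '- Interdire toutes les connexions entrantes et sortantes : [OK]'
  # Ne pas casser les connexions etablies: added right after the DROP
  # policies so existing sessions (including the one running this script)
  # keep working.
  both -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  both -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  say '- Ne pas casser les connexions établies : [OK]'

  ########## Regles ##########
  # Autoriser loopback
  both -t filter -A INPUT -i lo -j ACCEPT
  both -t filter -A OUTPUT -o lo -j ACCEPT
  # NOTE(review): redundant with the "-i lo" rule above unless ::1 can
  # arrive on another interface; kept to preserve the original rule set.
  v6 -t filter -A INPUT -s ::1 -d ::1 -j ACCEPT

  # Autoriser le ping (IPv4: all ICMP, unlimited)
  v4 -t filter -A INPUT -p icmp -j ACCEPT
  v4 -t filter -A OUTPUT -p icmp -j ACCEPT
  # NOTE(review): with ip6tables, "-p icmp" selects IP protocol number 1
  # rather than ICMPv6 (58) on the ip6tables versions I know, so these two
  # rules are most likely never matched and ICMPv6 is governed by the typed
  # rules below. Kept verbatim: rewriting them as "-p icmpv6" would accept
  # all ICMPv6 first and shadow the rate limits below. Confirm on the target.
  v6 -t filter -A INPUT -p icmp -j ACCEPT
  v6 -t filter -A OUTPUT -p icmp -j ACCEPT

  # Echo request (128) / echo reply (129): allowed but rate-limited
  v6 -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
  v6 -A INPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
  # Router/neighbour solicitation and advertisement, redirect (133-137):
  # only with hop limit 255, i.e. originated on the local link
  for icmptype in 133 134 135 136 137; do
    v6 -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
    v6 -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
  done
  # Remaining RFC 4890 types, rate-limited
  for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153; do
    v6 -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
    v6 -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
  done
  # Drop type-0 routing headers (deprecated by RFC 5095). Recommended, but
  # the rt match is unsupported on older kernels: the failure is reported
  # and the rest of the rule set still loads.
  for chain in INPUT OUTPUT FORWARD; do
    v6 -A "$chain" -m rt --rt-type 0 -j DROP
  done
  # identd requests: reset rather than drop so remote services do not wait
  # for a timeout
  v6 -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

  # Autoriser SSH
  both -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  # Autoriser DNS
  both -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  both -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  # Autoriser NTP
  both -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  # Autoriser HTTP et HTTPS
  both -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  both -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

  # Bloquer W00t-W00t / Bloquer Scanner: inserted (-I) at the head of INPUT
  # so they are evaluated before any ACCEPT. They need the string match
  # module; note that no rule above accepts inbound port 80, so they only
  # take effect if a web-server rule is added later.
  both -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
  both -I INPUT -p tcp --dport 80 -m string --to 700 --algo bm --string 'Host: 62.210.90.164' -j DROP

  # Empeche de deni de service: forwarded traffic is only accepted within
  # these rate limits (FORWARD policy is DROP)
  both -A FORWARD -p tcp --syn -m limit --limit 100/second -j ACCEPT
  both -A FORWARD -p udp -m limit --limit 10/second -j ACCEPT
  v4 -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
  v6 -A FORWARD -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
  # Empeche le scan des ports
  both -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  say '- Initialisation des regles : [OK]'
}

# List the active rules of both families (numeric, no DNS lookups).
fw_status() {
  say '- Liste des regles IPv4 :'
  iptables -n -L
  say '- Liste des regles IPv6 :'
  ip6tables -n -L
}

# Open the firewall: ACCEPT policies, then flush. The policies are opened
# BEFORE the flush; flushing first would leave a window with DROP policies
# and no ACCEPT rule at all, cutting every connection (including the SSH
# session running this script) until the policies are reset.
fw_stop() {
  set_policies ACCEPT
  # Vidage des tables et des regles personnelles
  flush_tables
  say '- Autoriser toutes les connexions entrantes et sortantes : [OK]'
}

# Print the usage line on stderr and exit 2 (invalid argument).
usage() {
  printf 'Usage: %s {start|stop|status}\n' "${0##*/}" >&2
  exit 2
}

case "$1" in
  start) fw_start ;;
  status) fw_status ;;
  stop) fw_stop ;;
  *) usage ;;
esac
exit 0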