firewall
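#!/bin/sh
# firewall - minimal host firewall init script (IPv4 + IPv6, filter table).
#
# Usage: firewall start|stop|status
#   start  : flush, set DROP policies, then load the allow rules below
#   stop   : flush and fall back to ACCEPT policies (firewall disabled)
#   status : list the active IPv4 and IPv6 rules
#
# Requires root and iptables/ip6tables. Exit status is 0 only when every
# iptables/ip6tables call succeeded; an unknown argument exits 2.
#
# 'set -e' is deliberately NOT used: the DROP policies are installed before
# the SSH allow rule, so aborting midway on an unsupported match (e.g. the
# 'rt' rules, which older kernels lack) would lock the operator out. Instead
# every call goes through fw(), which reports the failure and remembers it,
# so the "[OK]" messages are no longer printed over silently failed rules.

rc=0

# fw CMD ARGS... : run one iptables/ip6tables command; on failure report the
# command and its status on stderr and set rc=1, but keep going.
fw() {
  "$@" || {
    printf 'firewall: command failed (status %s): %s\n' "$?" "$*" >&2
    rc=1
  }
}

# require_root : iptables needs CAP_NET_ADMIN; without it every rule would
# fail and (before this check) the script still reported success.
require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    printf 'firewall: must be run as root\n' >&2
    exit 1
  fi
}

# Status lines are quoted: an unquoted "[OK]" is a glob and expands to a
# file named O or K if one exists in the current directory.
case "$1" in
start)
  require_root
  printf '%s\n' '- Initialisation du firewall :'
  # Flush the tables and delete user-defined chains
  fw iptables -t filter -F
  fw iptables -t filter -X
  fw ip6tables -t filter -F
  fw ip6tables -t filter -X
  printf '%s\n' '- Vidage des regles et des tables : [OK]'
  # Deny all incoming and outgoing connections by default
  fw iptables -t filter -P INPUT DROP
  fw iptables -t filter -P FORWARD DROP
  fw iptables -t filter -P OUTPUT DROP
  fw ip6tables -t filter -P INPUT DROP
  fw ip6tables -t filter -P FORWARD DROP
  fw ip6tables -t filter -P OUTPUT DROP
  printf '%s\n' '- Interdire toutes les connexions entrantes et sortantes : [OK]'
  # Do not break established connections
  fw iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  fw iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  fw ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  fw ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  printf '%s\n' '- Ne pas casser les connexions établies : [OK]'
  ########## Rules ##########
  # Allow loopback
  fw iptables -t filter -A INPUT -i lo -j ACCEPT
  fw iptables -t filter -A OUTPUT -o lo -j ACCEPT
  fw ip6tables -t filter -A INPUT -i lo -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -o lo -j ACCEPT
  fw ip6tables -t filter -A INPUT -s ::1 -d ::1 -j ACCEPT
  # Allow ping
  fw iptables -t filter -A INPUT -p icmp -j ACCEPT
  fw iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  # NOTE(review): "-p icmp" on ip6tables is probably not ICMPv6 (protocol 58);
  # the icmpv6 rules below are the ones that matter - confirm on the target.
  fw ip6tables -t filter -A INPUT -p icmp -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p icmp -j ACCEPT
  # Allow but rate-limit echo request/reply
  fw ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT
  fw ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT
  # Allow router/neighbor discovery on local network segments (hop limit 255
  # means the packet was not routed)
  for icmptype in 133 134 135 136 137; do
    fw ip6tables -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
    fw ip6tables -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m hl --hl-eq 255 -j ACCEPT
  done
  # Allow RFC 4890 types but with rate-limiting
  for icmptype in 1 2 3/0 3/1 4/0 4/1 4/2 130 131 132 133 141 142 143 148 149 151 152 153; do
    fw ip6tables -A INPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
    fw ip6tables -A OUTPUT -p icmpv6 --icmpv6-type "$icmptype" -m limit --limit 900/min -j ACCEPT
  done
  # Drop type 0 routing headers. Recommended, but unsupported on older
  # kernels: a failure here is reported by fw() and the script continues.
  fw ip6tables -A INPUT -m rt --rt-type 0 -j DROP
  fw ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
  fw ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
  # identd requests: answer with a reset instead of a silent drop
  fw ip6tables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  # Allow SSH
  fw iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  fw ip6tables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  # Allow DNS
  fw iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  fw iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  # Allow NTP
  fw iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  # Allow HTTP and HTTPS
  fw iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  fw iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  fw ip6tables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # Block w00tw00t probes. Inserted (-I) at the top of INPUT so they are
  # dropped before the RELATED,ESTABLISHED rule can accept them.
  fw iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
  fw ip6tables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
  # Block a scanner identified by its Host header
  fw iptables -I INPUT -p tcp --dport 80 -m string --to 700 --algo bm --string 'Host: 62.210.90.164' -j DROP
  fw ip6tables -I INPUT -p tcp --dport 80 -m string --to 700 --algo bm --string 'Host: 62.210.90.164' -j DROP
  # Denial-of-service mitigation. NOTE: these are ACCEPT rules under a DROP
  # policy, so on a host that actually routes they open rate-limited
  # forwarding of any TCP SYN / UDP / echo-request rather than restricting
  # an allow list; on a non-router FORWARD sees no traffic and they are inert.
  fw iptables -A FORWARD -p tcp --syn -m limit --limit 100/second -j ACCEPT
  fw iptables -A FORWARD -p udp -m limit --limit 10/second -j ACCEPT
  fw iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
  fw ip6tables -A FORWARD -p tcp --syn -m limit --limit 100/second -j ACCEPT
  fw ip6tables -A FORWARD -p udp -m limit --limit 10/second -j ACCEPT
  fw ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second -j ACCEPT
  # Port-scan mitigation (rate-limit bare RST segments being forwarded)
  fw iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  fw ip6tables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  if [ "$rc" -eq 0 ]; then
    printf '%s\n' '- Initialisation des regles : [OK]'
  else
    printf '%s\n' '- Initialisation des regles : [ERREUR] (voir stderr)' >&2
  fi
  ;;
status)
  require_root
  printf '%s\n' '- Liste des regles IPv4 :'
  fw iptables -n -L
  printf '%s\n' '- Liste des regles IPv6 :'
  fw ip6tables -n -L
  ;;
stop)
  require_root
  # Flush the tables and delete user-defined chains
  fw iptables -t filter -F
  fw iptables -t filter -X
  fw ip6tables -t filter -F
  fw ip6tables -t filter -X
  printf '%s\n' '- Vidage des regles et des tables : [OK]'
  # Open everything again: "stop" means no firewall at all
  fw iptables -P INPUT ACCEPT
  fw iptables -P FORWARD ACCEPT
  fw iptables -P OUTPUT ACCEPT
  fw ip6tables -P INPUT ACCEPT
  fw ip6tables -P FORWARD ACCEPT
  fw ip6tables -P OUTPUT ACCEPT
  printf '%s\n' '- Autoriser toutes les connexions entrantes et sortantes : [OK]'
  ;;
*)
  # Previously an unknown or missing argument did nothing and exited 0.
  printf 'Usage: %s {start|stop|status}\n' "$0" >&2
  exit 2
  ;;
esac
exit "$rc"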