| View previous topic :: View next topic |
| Author |
Message |
sharlaan
Tux's lil' helper
Joined: 10 Jun 2003
Posts: 120
Location: France
|
 Posted: Sun Nov 23, 2003 6:26 pm Post subject: [IPTABLES] Question pour demarer IPTABLES (Résolu) |
 |
|
Salut,
j'ai créé mes règles IP Tables :
Script de démarage (startfirewall):
| Code: | #!/bin/sh
IPTABLES=/sbin/iptables
modprobe ip_conntrack_irc
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# "On accepte le traffic sur 'lo'"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A FORWARD -o lo -j ACCEPT
# "On accepte le traffic sur le réseau local"
$IPTABLES -A INPUT -i $INTERNAL_IF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_IF -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_IF -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_IF -j ACCEPT
# On loggue les packets DROPés
$IPTABLES -A LOG_DROP -j LOG --log-prefix "[IPT] "
$IPTABLES -A LOG_DROP -j DROP
# Local <-> Internet
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --sport www -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp --dport www -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Internet <-> Local
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp -m multiport --sports www,https -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp -m multiport --dports www,https -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# DCC -> ??? cf lea-linux
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT
# Ping
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state NEW -m limit --limit 10/min -j ACCEPT
# Identification IP-nom
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --sport domain -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp --dport domain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_IF -p udp --sport domain -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p udp --dport domain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Rsync
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --sport rsync -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp --dport rsync -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Accelere les connections sur IRC
IPTABLES -A OUTPUT -o $EXTERNAL_IF -p tcp --sport auth -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_IF -p tcp --dport auth -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Loggue avec Syslogd
$IPTABLES -A FORWARD -j LOG_DROP
$IPTABLES -A INPUT -j LOG_DROP
$IPTABLES -A OUTPUT -j LOG_DROP |
Script d'arret (stopfirewall):
| Code: | #!/bin/sh
# Script d'arrêt du mur pare feu
# mettez ici l'emplacement d'iptables :
IPTABLES=/sbin/iptables
echo "On vide toutes les régles."
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -F LOG_DROP
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "On décharge les modules."
rmmod `lsmod | grep -E "^ip" | cut -d" " -f 1`
|
Je ne sais pas si elles sont bonnes, donc je voulais les tester, je lance iptable
| Code: | # /etc/init.d/iptables start
* Not starting iptables. First create some rules then run
* /etc/init.d/iptables save |
Je dois faire quoi ?
Last edited by sharlaan on Wed Nov 26, 2003 3:43 pm; edited 1 time in total |
|
| Back to top |
|
 |
Leander256
l33t
Joined: 05 Jul 2003
Posts: 910
Location: Singapour
|
| Posted: Sun Nov 23, 2003 6:57 pm Post subject: |
|
|
Il faut lancer ton script (en supposant qu'il soit dans le répertoire courant):
Ensuite une fois que c'est fait (qu'il n'y a aucune erreur, rien):
| Code: | | # /etc/init.d/iptables save |
Ca va sauvegarder les règles actuelles (donc celles que tu as définies grâce à ton script), et au prochain appel de /etc/init.d/iptables start, il ne devrait pas se plaindre. Et pour que le firewall soit lancé à chaque démarrage, tu dois sûrement devoir quelque chose du genre (lis la doc pour être sûr):
| Code: | | rc-update add iptables boot |
|
|
| Back to top |
|
|
sharlaan
Tux's lil' helper
Joined: 10 Jun 2003
Posts: 120
Location: France
|
| Posted: Sun Nov 23, 2003 7:04 pm Post subject: |
|
|
Voila ce que j'obtient :
| Code: | modprobe: Can't locate module ip_conntrack_irc
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `udp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `udp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
./startfirewall: line 42: IPTABLES: command not found
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
|
Vous avez une idée ? |
|
| Back to top |
|
|
kwenspc
Advocate
Joined: 21 Sep 2003
Posts: 4954
|
| Posted: Sun Nov 23, 2003 9:30 pm Post subject: |
|
|
dans la conf de ton kernel il faut mettre tout ce qui touche à la rubrique netfilter en module, pour iptable et tout ça.
fais un genkernel --config je crois que c dans "networking options"
mets tout en module au moisn ce qui concerne la filtration de paquet etc... |
|
| Back to top |
|
|
sharlaan
Tux's lil' helper
Joined: 10 Jun 2003
Posts: 120
Location: France
|
| Posted: Sun Nov 23, 2003 9:39 pm Post subject: |
|
|
| ok, je recompile |
|
| Back to top |
|
|
sireyessire
Advocate
Joined: 20 Mar 2003
Posts: 2991
Location: back in Paris, France
|
| Posted: Mon Nov 24, 2003 4:09 pm Post subject: |
|
|
| Leander256 wrote: |
| Code: | | rc-update add iptables boot |
|
Il me semble qu'il faut lajouter au runlevel default et non pas au boot (c ALSA qui va au boot  )
sinon il faut voir la doc sur la sécurité sous gentoo (section firewall) :
http://www.gentoo.org/doc/fr/gentoo-security.xml
Ps: si tu es sous un noyau 2.6, il faut compiler les iptables avec :
| Code: | | ACCEPT_KEYWORDS="~x86" emerge iptables |
sinon elles ne compileront pas (enfin je crois que ça marchait pas avec les 1.8.??r1) 
Enjoy 
_________________
I never think of the future. It comes soon enough.
Albert Einstein
Try simpler first
Shockley |
|
| Back to top |
|
|
sharlaan
Tux's lil' helper
Joined: 10 Jun 2003
Posts: 120
Location: France
|
| Posted: Wed Nov 26, 2003 3:43 pm Post subject: |
|
|
| ok, merci ca marche |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
French
