kwenspc (Advocate; joined 21 Sep 2003; 4954 posts)
Posted: Tue Nov 09, 2004 10:48 am
> genAlphA wrote:
> Don't think of the firewall as an ultimate protection system, because it isn't.

Go explain that to all the bosses and/or network admins who haven't understood it...
(Then again, the fact that many of them haven't understood it still leaves crackers, hackers etc. plenty of ease and opportunity... so much the better. Too much security can turn out to be bad for freedom... well, I know what I mean.)
genAlphA (n00b; joined 26 Apr 2002; 14 posts; location: france)
Posted: Tue Nov 09, 2004 11:38 am
> kwenspc wrote:
> > genAlphA wrote:
> > Don't think of the firewall as an ultimate protection system, because it isn't.
> Go explain that to all the bosses and/or network admins who haven't understood it...

Well, it all depends on the type of client. Mine understand it, and not just a little. So you can sell them completely crazy architectures and they love it. As for those who refuse to understand, there is always the pentest engagement. Too bad when an IT manager (RSI) gets thrown out after his boss discovers that in half an hour the auditor had owned every box lying around.
befa (Apprentice; joined 28 Oct 2004; 208 posts; location: rennes)
Posted: Tue Nov 09, 2004 12:43 pm
Personally, I use a Debian sarge box as a gateway, with a firewall. The firewall isn't something totally complete, but it's a good base! It's an iptables script; here it is:

```sh
#!/bin/sh
# --------( Initial Setup - Variables (required) )--------
# Type of Service (TOS) parameters
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
TOSOPT=8
# Default Packet Rejection Type
# ( do NOT change this here - set it in the GUI instead )
STOP=DENY
# --------( Initial Setup - Firewall Location Check )--------
IPT=/sbin/iptables
IFC=/sbin/ifconfig
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod
echo "********( debut script firewall )********"
# --------( Initial Setup - Network Information (required) )--------
echo "--------( Initial Setup - Network Information (required) )--------"
IF=ppp0
INIF=eth1
# External address and netmask are read from the ifconfig output of $IF
IP=`$IFC $IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
MASK=`$IFC $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK
INMASK="user specified in INNET"
INNET=192.168.0.0/24
echo "--------( initialisation des interfaces )--------"
if [ "$MASK" = "" ]; then
    echo "External network device $IF is not ready. Aborting.."
    exit 2
fi
if [ "$INMASK" = "" ]; then
    echo "Internal network device $INIF is not ready. Aborting.."
    exit 3
fi
# --------( Initial Setup - Firewall Modules Check )--------
# Some distributions still load ipchains
echo "--------( chargement module ipchain )--------"
$LSM | grep -q -s ipchains && $RMM ipchains
# --------( Initial Setup - Firewall Modules Autoloader )--------
# Load each netfilter module that lsmod does not already list
echo "--------( initialisation conntrack )--------"
for mod in ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_REJECT ipt_REDIRECT \
           ipt_TOS ipt_MASQUERADE ipt_LOG iptable_mangle iptable_nat; do
    $LSM | /bin/grep -q "$mod" || $MPB "$mod"
done
# --------( Chain Configuration - Flush Existing Chains )--------
# Delete user made chains. Flush and zero the chains.
echo "--------( R.A.Z des chaines )--------"
$IPT -F
$IPT -X
$IPT -Z
# Remove Firestarter lock
if [ -e /var/lock/subsys ]; then
    rm -f /var/lock/subsys/firestarter
else
    rm -f /var/lock/firestarter
fi
# --------( Chain Configuration - Delete Extinct Chains )--------
echo "--------( R.A.Z des chaines mangle, nat )--------"
# Delete `nat' and `mangle' chains.
if ( $LSM | /bin/grep iptable_mangle > /dev/null ); then
    $IPT -t mangle -F
fi
if ( $LSM | /bin/grep iptable_nat > /dev/null ); then
    $IPT -t nat -F
fi
# --------( Chain Configuration - Create Default Result Chains )--------
# Create a new log and drop (LD) convenience chain.
echo "--------( creation des logs )--------"
$IPT -N LD 2> /dev/null
$IPT -F LD
$IPT -A LD -j LOG
$IPT -A LD -j DROP
STOP=LD
# --------( Chain Configuration - Create Default Traffic Chains )--------
echo "--------( creation des chaines par defaut )--------"
# Create a new 'unclean module check' (UNCLEAN) convenience chain.
$IPT -N UNCLEAN 2> /dev/null
$IPT -F UNCLEAN
$IPT -A UNCLEAN -j $STOP
# Create a new 'stateful module check' (STATE) convenience chain.
$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j $STOP
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP
# Create a new 'sanity (check, mark and fwd) check' (SANITY) convenience chain.
$IPT -N SANITY 2> /dev/null
$IPT -F SANITY
$IPT -A SANITY -j $STOP
# --------( Chain Configuration - Set Default Chain Policy )--------
echo "--------( mise en place de la default policy )--------"
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# --------( Initial Setup - Nameservers )--------
echo "--------( setup nameserveurs )--------"
# Allow responses from the nameservers listed in resolv.conf
while read s1 s2 s3
do
    if [ "$s1" = "nameserver" ] ; then
        $IPT -A INPUT -p tcp ! --syn -s $s2 -d 0/0 -j ACCEPT
        $IPT -A INPUT -p udp -s $s2 -d 0/0 -j ACCEPT
    fi
done < /etc/resolv.conf
# --------( Initial Setup - External Lists )--------
# (one entry per line in each Firestarter list file)
echo "--------( setup des listes externes )--------"
# Trusted hosts
while read host
do
    $IPT -A INPUT -s $host -d 0/0 -j ACCEPT
done < /etc/firestarter/trusted-hosts
# Blocked hosts
while read host
do
    $IPT -A INPUT -s $host -d 0/0 -j DROP
done < /etc/firestarter/blocked-hosts
# Forwarded ports
while read port int_host int_port
do
    $IPT -A FORWARD -p tcp -d $int_host --dport $int_port -j ACCEPT
    $IPT -A FORWARD -p udp -d $int_host --dport $int_port -j ACCEPT
    $IPT -A PREROUTING -t nat -p tcp -d $NET --dport $port -j DNAT --to $int_host:$int_port
    $IPT -A PREROUTING -t nat -p udp -d $NET --dport $port -j DNAT --to $int_host:$int_port
done < /etc/firestarter/forward
# Open ports
while read port
do
    $IPT -A INPUT -p tcp -s 0/0 -d $NET --dport $port -j ACCEPT
    $IPT -A INPUT -p udp -s 0/0 -d $NET --dport $port -j ACCEPT
done < /etc/firestarter/open-ports
# Stealthed ports (Ports open to specific hosts)
while read port host
do
    $IPT -A INPUT -p tcp -s $host -d $NET --dport $port -j ACCEPT
    $IPT -A INPUT -p udp -s $host -d $NET --dport $port -j ACCEPT
done < /etc/firestarter/stealthed-ports
# Blocked ports (explicit, no logging)
while read port
do
    $IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport $port -j DROP
    $IPT -A INPUT -p udp -s 0/0 -d 0/0 --dport $port -j DROP
done < /etc/firestarter/blocked-ports
# --------( Chain Configuration Finalize - Set Default Chain Policy )--------
echo "--------( config et finalisation des chaines )--------"
$IPT -P OUTPUT DROP
# --------( Sysctl Tuning - Recommended Parameters )--------
echo "--------( parametres perso )--------"
# Turn off IP forwarding by default
# (this will be enabled if you require masquerading)
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 0 > /proc/sys/net/ipv4/ip_forward
fi
# Log 'odd' IP addresses (excludes 0.0.0.0 & 255.255.255.255)
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
fi
# --------( Sysctl Tuning - TCP Parameters )--------
echo "--------( parametres perso TCP )--------"
# Turn off TCP Timestamping in kernel
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
fi
# Set TCP Re-Ordering value in kernel to '5'
if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then
    echo 5 > /proc/sys/net/ipv4/tcp_reordering
fi
# Turn off TCP selective acknowledgement (SACK) in kernel
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_sack
fi
# Turn off TCP Window Scaling in kernel
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
fi
# Set Keepalive timeout to 1800 seconds (30 minutes)
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
fi
# Set FIN timeout to 1800 seconds (30 minutes)
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
    echo 1800 > /proc/sys/net/ipv4/tcp_fin_timeout
fi
# Set TCP retry count to 3
if [ -e /proc/sys/net/ipv4/tcp_retries1 ]; then
    echo 3 > /proc/sys/net/ipv4/tcp_retries1
fi
# Turn off ECN notification in kernel
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
# --------( Sysctl Tuning - SYN Parameters )--------
echo "--------( parametre perso SYN )--------"
# Turn on SYN cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# Set SYN ACK retry attempts to '3'
if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]; then
    echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
fi
# Set SYN backlog buffer to '64'
if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]; then
    echo 64 > /proc/sys/net/ipv4/tcp_max_syn_backlog
fi
# Set SYN retry attempts to '6'
if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]; then
    echo 6 > /proc/sys/net/ipv4/tcp_syn_retries
fi
# --------( Sysctl Tuning - Routing / Redirection Parameters )--------
echo "--------( parametres perso: routage / redirection )--------"
# Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $f
    done
fi
# Turn off source routes in kernel
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route
    do
        echo 0 > $f
    done
fi
# Do not respond to 'redirected' packets
if [ -e /proc/sys/net/ipv4/secure_redirects ]; then
    echo 0 > /proc/sys/net/ipv4/secure_redirects
fi
# Do not reply to 'redirected' packets if requested
if [ -e /proc/sys/net/ipv4/send_redirects ]; then
    echo 0 > /proc/sys/net/ipv4/send_redirects
fi
# Do not reply to 'proxyarp' packets
if [ -e /proc/sys/net/ipv4/proxy_arp ]; then
    echo 0 > /proc/sys/net/ipv4/proxy_arp
fi
# Set FIB model to be RFC1812 Compliant
# (certain policy based routers may break with this - if you find
# that you can't access certain hosts on your network - please set
# this option to '0' - which is the default)
if [ -e /proc/sys/net/ipv4/ip_fib_model ]; then
    echo 2 > /proc/sys/net/ipv4/ip_fib_model
fi
# --------( Sysctl Tuning - ICMP/IGMP Parameters )--------
echo "--------( parametres perso ICMP / IGMP )--------"
# ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
# ICMP Broadcasting protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# IGMP Membership 'overflow' protection
# (if you are planning on running your box as a router - you should either
# set this option to a number greater than 5, or disable this protection
# altogether by commenting out this option)
if [ -e /proc/sys/net/ipv4/igmp_max_memberships ]; then
    echo 1 > /proc/sys/net/ipv4/igmp_max_memberships
fi
# --------( Sysctl Tuning - Miscellaneous Parameters )--------
echo "--------( parametres perso options diverses )--------"
# Set TTL to '64' hops
# (If you are running a masqueraded network, or use policy-based
# routing - you may want to increase this value depending on the load
# on your link.)
if [ -e /proc/sys/net/ipv4/conf/all/ip_default_ttl ]; then
    for f in /proc/sys/net/ipv4/conf/*/ip_default_ttl
    do
        echo 64 > $f
    done
fi
# Always defragment incoming packets
# (Some cable modems [ Optus @home ] will suffer intermittent connection
# dropouts with this setting. If you experience problems, set this to '0')
if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
fi
# Keep packet fragments in memory for 8 seconds
# (Note - this option has no effect if you turn packet defragmentation
# (above) off!)
if [ -e /proc/sys/net/ipv4/ipfrag_time ]; then
    echo 8 > /proc/sys/net/ipv4/ipfrag_time
fi
# Do not reply to Address Mask Notification Warnings
# (If you are using your machine as a DMZ router or a PPP dialin server
# that relies on proxy_arp requests to provide addresses to its clients
# you may wish to disable this option by setting the value to '1')
if [ -e /proc/sys/net/ipv4/ip_addrmask_agent ]; then
    echo 0 > /proc/sys/net/ipv4/ip_addrmask_agent
fi
# Turn off dynamic TCP/IP address hacking
# (Some broken PPPoE clients have issues when this is disabled
# If you experience problems with DSL or Cable providers, set this to '1')
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi
# --------( Sysctl Tuning - IPTables Specific Parameters )--------
echo "--------( parametres perso : specifications IPTables )--------"
# Doubling current limit for ip_conntrack
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
    echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
fi
# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------
echo "--------( configuration regles specifiques interface Loopback )--------"
# Allow all traffic on the loopback interface
$IPT -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
# --------( Rules Configuration - ICMP - Default Ruleset )--------
echo "--------( configuration regles ICMP )--------"
# Allowing all ICMP, rate-limited to 10 packets per second
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET -m limit --limit 10/s -j ACCEPT
# --------( Rules Configuration - Masquerading )--------
echo "--------( configuration MASQUERADING )--------"
# --------( Rules Configuration - Masquerading - Firewall Modules Autoloader )--------
for mod in ip_nat_ftp ip_nat_irc; do
    $LSM | /bin/grep -q "$mod" || $MPB "$mod"
done
# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------
# Turn on IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]
then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# --------( Rules Configuration - Masquerading - Default Policy )--------
# Setting forward (masquerading) policy to DENY
$IPT -t filter -P FORWARD DROP
# Allow TCP 2201 to be forwarded from the external interface into the LAN
$IPT -A FORWARD -p tcp -i $IF -o $INIF -s 0.0.0.0/0 -d $INNET --dport 2201 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# --------( Rules Configuration - Masquerading - Default Ruleset )--------
# TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Incorrect Flags )--------
# (the unclean match only exists on 2.4 kernels; on 2.6 these rules fail to load)
$IPT -t filter -I FORWARD -m unclean -j UNCLEAN
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Invalid Flags )--------
$IPT -t filter -A INPUT -m state --state INVALID -j $STOP
# --------( Rules Configuration - Forwarded Traffic - Block Traffic w/ Excessive Fragmented Packets )--------
$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP
# Forward Int/Ext & Ext/Int Traffic before Masquerading
$IPT -t filter -A FORWARD -d 0/0 -s $INNET -o $IF -j ACCEPT
$IPT -t filter -A FORWARD -d $INNET -j ACCEPT
# Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE
# Don't masq external interface traffic
$IPT -t nat -A POSTROUTING -s $NET -d 0/0 -j ACCEPT
# Allow traffic from internal network going anywhere
$IPT -t filter -A INPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -s $INNET -d 0/0 -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j ACCEPT
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Incorrect Flags )--------
$IPT -t filter -I INPUT -i $IF -m unclean -j UNCLEAN
# --------( Rules Configuration - Inbound Traffic - Block nonroutable IP Addresses )--------
# Block nonroutable IPs, netblock list v2.0 2003-04-08
$IPT -t filter -A INPUT -s 0.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 1.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 2.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 5.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 7.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 10.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 23.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 27.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 31.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 36.0.0.0/8 -d $NET -i $IF -j $STOP
$IPT -t filter -A INPUT -s 37.0.0.0/8 -d $NET -i $IF -j $STOP
# ...... (remaining netblock rules elided in the original post)
$IPT -t filter -A INPUT -s 224.0.0.0/3 -d $NET -i $IF -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block known Trojan Ports )--------
echo "--------( configuration blocage des ports Trojan )--------"
# Block Back Orifice
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31337 -m limit --limit 2/minute -j $STOP
# Block Trinity v3
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 33270 -m limit --limit 2/minute -j $STOP
# Block Subseven (1.7/1.9)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 6711 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1234 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 6711 -m limit --limit 2/minute -j $STOP
# Block Stacheldraht
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 60001 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 16660 --syn -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 60001 --syn -m limit --limit 2/minute -j $STOP
# Block NetBus
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 12345:12346 -m limit --limit 2/minute -j $STOP
# Block MS-RPC (dce)
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 135 -m limit --limit 2/minute -j $STOP
# Block Trin00
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A INPUT -p udp -s 0/0 -d $NET --dport 31335 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 1524 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p tcp -s $NET -d 0/0 --dport 27665 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 27444 -m limit --limit 2/minute -j $STOP
$IPT -t filter -A OUTPUT -p udp -s $NET -d 0/0 --dport 31335 -m limit --limit 2/minute -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Multicast Traffic )--------
echo "--------( configuration blocage du traffic multi-cast )--------"
# (some cable/DSL providers require their clients to accept multicast transmissions
# you should remove the following four rules if you are affected by multicasting)
$IPT -t filter -A INPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A INPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
$IPT -t filter -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j $STOP
$IPT -t filter -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Stuffed Routing )--------
# (early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
# inbound packets to be accepted from a source address of 255.255.255.255. If you have issues
# with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -t filter -A INPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A INPUT -d 0.0.0.0 -j $STOP
$IPT -t filter -A OUTPUT -s 255.255.255.255 -j $STOP
$IPT -t filter -A OUTPUT -d 0.0.0.0 -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Broadcast )--------
$IPT -t filter -A INPUT -i $IF -s 10.0.0.255 -j DROP
$IPT -t filter -A INPUT -i $IF -s 0.0.0.0 -j DROP
$IPT -t filter -A INPUT -i $IF -d 255.255.255.255 -j DROP
$IPT -t filter -A INPUT -i $IF -d 0.0.0.0 -j DROP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Invalid Flags )--------
$IPT -t filter -A INPUT -m state --state INVALID -j $STOP
# --------( Rules Configuration - Inbound Traffic - Block Traffic w/ Excessive Fragmented Packets )--------
$IPT -t filter -A INPUT -f -m limit --limit 10/minute -j $STOP
# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------
# DHCP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT
$IPT -t filter -A INPUT -p udp -s 0/0 -d 0/0 --dport 67:68 -i $IF -j ACCEPT
# --------( Rules Configuration - Inbound Traffic - Highport Connection Fixes )--------
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j $STOP
# SSH fix
$IPT -A INPUT -p tcp --sport 22 --dport 513:65535 ! --syn -m state --state RELATED -j ACCEPT
# --------( Rules Configuration - Inbound Traffic - Highport Connections )--------
$IPT -A INPUT -p tcp -s 0/0 -d $NET --dport 1024:65535 -j STATE
$IPT -A INPUT -p udp -s 0/0 -d $NET --dport 1023:65535 -j ACCEPT
# --------( Rules Configuration - Outbound Traffic - Highport Connection Fixes )--------
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# --------( Rules Configuration - Outbound Traffic - TTL Mangling )--------
# (match only, no -j target: this rule merely counts packets whose TTL is 64;
# rewriting the TTL would need the TTL target in the mangle table)
$IPT -A OUTPUT -m ttl --ttl 64
# --------( Rules Configuration - Outbound Traffic - Block Traffic w/ Incorrect Flags )--------
$IPT -t filter -I OUTPUT -o $IF -m unclean -j UNCLEAN
# --------( Rules Configuration - Outbound Traffic - Default Ruleset )--------
$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -o $IF -j ACCEPT
$IPT -A OUTPUT -j ACCEPT
# Redirect the eMule ports of two LAN hosts (DNAT keeps the destination port)
echo "--------( configuration ouverture ports Emule )--------"
echo "------>192.168.0.6 sur 4662 (tcp) 4672 (udp)"
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 4662 -j DNAT --to 192.168.0.6
$IPT -t nat -A PREROUTING -i $IF -p udp --dport 4672 -j DNAT --to 192.168.0.6
echo "------>192.168.0.10 sur 4663 (tcp) 4673 (udp)"
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 4663 -j DNAT --to 192.168.0.10
$IPT -t nat -A PREROUTING -i $IF -p udp --dport 4673 -j DNAT --to 192.168.0.10
# --------( Catch all Rules (required) )--------
echo "--------( prise en compte de toutes les regles )--------"
# Deny everything not let through earlier
$IPT -A INPUT -j $STOP
# Create Firestarter lock file
if [ -e /var/lock/subsys ]; then
    touch /var/lock/subsys/firestarter
else
    touch /var/lock/firestarter
fi
echo "******( fin de script )********"
```

There you go, a few tweaks still to make...
If you have comments, things to add or advice for me, I'm listening!
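The "Forwarded ports" loop in the script above hands each line of /etc/firestarter/forward to iptables unchecked, so a blank line, a comment or a typo produces a rule that fails to load or matches more than intended. The dry-run generator below is an added example, not part of the original post: it validates every field, prints the rules it would run instead of executing them, and additionally ties both the FORWARD and the DNAT rule to the external interface. IPT, IF, the 203.0.113.10 address and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): validating dry-run version of
# the script's "Forwarded ports" loop. Constructed values for the demo:
IPT=/sbin/iptables
IF=ppp0
NET=203.0.113.10/32   # the real script derives NET from ifconfig

# is_port NUM -> true if NUM is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR -> true if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # reject anything but digits and dots first
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                       # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_forward_rules < FILE -> prints, for every well-formed "port host port"
# line, the four iptables commands the script would issue; reports every
# malformed line on stderr and returns 1 if any line was rejected.
gen_forward_rules() {
    rc=0
    n=0
    while read -r port int_host int_port extra; do
        n=$((n + 1))
        case "$port" in
            ''|'#'*) continue ;;    # blank lines and comments never reach iptables
        esac
        if [ -n "$extra" ] || ! is_port "$port" || ! is_ipv4 "$int_host" || ! is_port "$int_port"; then
            echo "forward: line $n rejected: $port $int_host $int_port $extra" >&2
            rc=1
            continue
        fi
        for proto in tcp udp; do
            echo "$IPT -A FORWARD -p $proto -i $IF -d $int_host --dport $int_port -j ACCEPT"
            echo "$IPT -A PREROUTING -t nat -p $proto -i $IF -d $NET --dport $port -j DNAT --to $int_host:$int_port"
        done
    done
    return $rc
}

# Constructed sample of /etc/firestarter/forward: the two eMule lines mirror
# the DNAT rules at the end of the script above, the rest are malformed.
SAMPLE_FORWARD='# ext_port  internal_host  internal_port
4662 192.168.0.6 4662
4672 192.168.0.6 4672

4663 192.168.0.300 4663
http 192.168.0.10 80
22 192.168.0.10 22 extra'

# Dry run: print the rules that would be loaded and report the rejects.
printf '%s\n' "$SAMPLE_FORWARD" | gen_forward_rules \
    || echo "some lines were rejected; fix the file before loading it" >&2
```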
tetienne (Apprentice; joined 06 Oct 2004; 163 posts; location: Lille/France)
Posted: Tue Nov 09, 2004 12:57 pm
Hi,
I didn't have the courage to read it all, but just to reply to marvin rouge:
protecting a port with no application listening on it can quite simply serve to stop the guy who manages to exploit a flaw in one of your other services from going and planting something there. Typically FTP servers or things of that kind to distribute pirated material, or a proxy so he can go and attack other, much riskier servers.
Besides, for Windows clients, I find the firewall almost more important than the antivirus. If you don't act like a dummy, you can perfectly well browse under Windows with just a firewall and no antivirus.
And the firewall can also give you a good event logger.
See you
befa (Apprentice; joined 28 Oct 2004; 208 posts; location: rennes)
Posted: Tue Nov 09, 2004 1:03 pm
Personally, does anyone know of viruses that affect Linux??? (If there are any, sorry, I thought that was reserved for the Micro$oft world!!) lol
A small security tip: if you use ssh to go and tinker with your gateway, in sshd_config it's better to put

```
#ListenAddress ::
ListenAddress ip_gateway_cote_reseau_local
```

There you go, and of course use keys! ;)
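A static check of the two points just made, binding sshd to the gateway's LAN address only and relying on keys rather than passwords, as an added example that is not part of the original post. It takes the sshd_config text and the expected LAN address, lists every finding, and is run here on a constructed stock-style config and a constructed hardened one; the address 192.168.0.1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): static sshd_config check for
# "listen on the LAN address only" and "keys, not passwords".

# conf_value CONFIG KEYWORD -> prints the first value given for KEYWORD
# (sshd honours the first occurrence of a keyword and ignores later ones)
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/#.*/, "") }                                     # strip comments
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }'
}

# listen_addresses CONFIG -> prints every active ListenAddress, one per line
# (this keyword may legitimately appear several times)
listen_addresses() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == "listenaddress" { print $2 }'
}

# check_sshd CONFIG LAN_IP -> prints one finding per line; returns 0 when
# there is none, 1 otherwise
check_sshd() {
    cfg=$1
    lan=$2
    bad=0
    addrs=$(listen_addresses "$cfg")
    if [ -z "$addrs" ]; then
        echo "no ListenAddress: sshd binds every interface, the WAN side included"
        bad=1
    fi
    for a in $addrs; do
        case "$a" in
            "["*"]"*) host=${a#"["}; host=${host%%"]"*} ;;   # [v6addr]:port
            *:*:*)    host=$a ;;                            # bare IPv6 address
            *:*)      host=${a%:*} ;;                       # v4addr:port
            *)        host=$a ;;
        esac
        case "$host" in
            "$lan") ;;
            '::'|'0.0.0.0'|'*')
                echo "ListenAddress $a is a wildcard, not the LAN address"
                bad=1 ;;
            *)
                echo "ListenAddress $a is not the LAN address $lan"
                bad=1 ;;
        esac
    done
    pw=$(conf_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is '${pw:-yes (default)}': set it to no and use keys"
        bad=1
    fi
    return $bad
}

# Constructed "before": the stock file, every ListenAddress still commented out
WEAK_SSHD='#ListenAddress ::
#ListenAddress 0.0.0.0
Port 22
#PasswordAuthentication yes'

# Constructed "after", following the advice above
HARDENED_SSHD='ListenAddress 192.168.0.1
Port 22
PasswordAuthentication no
PubkeyAuthentication yes'

check_sshd "$WEAK_SSHD" 192.168.0.1 || echo "-> weak config rejected"
check_sshd "$HARDENED_SSHD" 192.168.0.1 && echo "-> hardened config accepted"
```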