IdentifiantMot de passe
Loading...
Mot de passe oublié ?Je m'inscris ! (gratuit)

Installation et sécurisation d'une station Debian 3.0 stable

15/05/2004




ANNEXE 1. Paramètrage du firewall Ipchains


ANNEXE 1. Paramètrage du firewall Ipchains


/home/system/scripts/fw/custom_net.sh :

#!/bin/sh # # Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains # Simon Castro # ### NETWORK CUSTOMIZATION echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "60" > /proc/sys/net/ipv4/ip_default_ttl echo "0" > /proc/sys/net/ipv4/ip_forward ZERO_FLAGS="accept_redirects accept_source_route forwarding proxy_arp send_redirects"; ONE_FLAGS="rp_filter log_martians"; CHEMIN="/proc/sys/net/ipv4/conf"; for repert in `ls "$CHEMIN"` ; do for fichier in `echo "$ZERO_FLAGS"`; do if [ -e "$CHEMIN/$repert/$fichier" ] then echo "0" > "$CHEMIN/$repert/$fichier"; fi done for fichier in `echo "$ONE_FLAGS"`; do if [ -e "$CHEMIN/$repert/$fichier" ] then echo "1" > "$CHEMIN/$repert/$fichier"; fi done done
/etc/init.d/init_ipchains.sh :

#!/bin/sh # # Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains # Simon Castro # RULES_UP=/home/system/scripts/fw/rules_up_ipchains.sh RULES_DOWN=/home/system/scripts/fw/rules_down_ipchains.sh case "$1" in start) if [ -f $RULES_UP ] && [ -x $RULES_UP ] then $RULES_UP else echo "$0 : Cannot execute $RULES_UP !!!" exit 0 fi ;; stop) if [ -f $RULES_DOWN ] && [ -x $RULES_DOWN ] then $RULES_DOWN else echo "$0 : Cannot execute $RULES_DOWN !!!" exit 0 fi ;; restart) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0
/home/system/scripts/fw/rules_down_ipchains.sh :

#!/bin/sh # # Debian-secinst v0.1.3 : ANNEXE 1 - Paramètrage du firewall Ipchains # Simon Castro # IPCH=/sbin/ipchains # IpChains binary ### CHECK KERNEL VERSION AND BINARY PRESENCE if [ ! -f $IPCH ] && [ ! -x $IPCH ] ; then exit 0 ; fi CHECK=`$IPCH -L -n 2>&1 > /dev/null || echo "bad"` if [ "$CHECK" ] then echo "$0 : Not with this kernel" exit 0 fi ### VARIABLES DEFAULT_POL="input output forward" # Default policies ### BEGIN # Flush and remove all chains then default the policies to ACCEPT $IPCH -F $IPCH -X for i in $DEFAULT_POL do $IPCH -P $i ACCEPT done echo "$0 done"
/home/system/scripts/fw/rules_up_ipchains.sh :

#!/bin/sh # # Debian-secinst v0.1.4 : ANNEXE 1 - Paramètrage du firewall Ipchains # Simon Castro # IPCH=/sbin/ipchains # IpChains binary ### CHECK KERNEL VERSION AND BINARY PRESENCE if [ ! -f $IPCH ] && [ ! -x $IPCH ] ; then exit 0 ; fi CHECK=`$IPCH -L -n 2>&1 > /dev/null || echo "bad"` if [ "$CHECK" ] then echo "$0 : Not with this kernel" exit 0 fi ### Set OUR value to the printk variable echo "6 4 1 7" > /proc/sys/kernel/printk ### NETWORK CUSTOMIZATION test -f /home/system/scripts/fw/custom_net.sh && test -x /home/system/scripts/fw/custom_net.sh && /home/system/scripts/fw/custom_net.sh ### VARIABLES # Addresses LOCAL_IP=`ifconfig eth0 | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 }'` # Get local Eth0 IP Address BROADCAST_IP=`ifconfig eth0 | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 }'` # Get local Eth0 Broadcast IP Address ADM_IP="@IPS_OF_ADMINISTRATION_HOSTS" DNS_IP="@IP_OF_DNS_SERVERS"" PROXY_IP="@IPS_OF_HTTP_PROXYS" #NTP_IP="@IPS_OF_NTP_SERVERS" #ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS" #WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS" #NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS" # Policies DEFAULT_POL="input output forward" LOG_ACCEPT="LogAcc" LOG_DROP="LogDrop" # Various RPORTS=":1024" NRPORTS="1024:" ### BEGIN # Flush and remove all chains then default the policies to DROP $IPCH -F $IPCH -X for i in $DEFAULT_POL do $IPCH -P $i DENY done ### Create and set personnal chains # Log and deny chain $IPCH -N $LOG_DROP # Create a new one $IPCH -A $LOG_DROP -j DENY -l # Log and deny # Log and accept chain $IPCH -N $LOG_ACCEPT # Create a new one $IPCH -A $LOG_ACCEPT -j ACCEPT -l # Log and accept ### LOOPBACK AND REMOTE MANAGEMENT # Allow whatever on loopback $IPCH -A output -i lo -j ACCEPT $IPCH -A input -i lo -j ACCEPT # Allow SSH remote management and log connections for i in $ADM_IP do $IPCH -A input -p tcp -s $ADM_IP $NRPORTS -d $LOCAL_IP 22 -y -j $LOG_ACCEPT $IPCH -A input -p tcp -s $ADM_IP $NRPORTS -d $LOCAL_IP 22 -j ACCEPT $IPCH -A output -p tcp -s $LOCAL_IP 22 -d $ADM_IP $NRPORTS -j ACCEPT done ### ALLOW THESE TCP CONNECTIONS # Allow HTTP/HTTPS to HTTP proxy servers and log Syn Scan profit port for i in $PROXY_IP do $IPCH -A output -p tcp --sport $NRPORTS -d $i 8080 -j ACCEPT $IPCH -A input -p tcp -s $i 8080 -y -j $LOG_DROP $IPCH -A input -p tcp -s $i 8080 --dport $NRPORTS -j ACCEPT done ### Uncomment if you want to use Prelude communications. ## Allow Prelude communications to Prelude server and log syn scan profit port # $IPCH -A output -p tcp --sport $NRPORTS -d {PRELUDE_SRV_IP} 5553:5554 -j ACCEPT # $IPCH -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 -y -j $LOG_DROP # $IPCH -A input -p tcp -s {PRELUDE_SRV_IP} 5553:5554 --dport $NRPORTS -j ACCEPT ### ALLOW THESE UDP CONNECTIONS # Allow DNS Protocol to DNS Servers for i in $DNS_IP do $IPCH -A output -p udp --sport $NRPORTS -d $i 53 -j ACCEPT $IPCH -A input -p udp -s $i 53 --dport $NRPORTS -j ACCEPT done ### Uncomment if you want to use communications to NTP servers. ### => Also uncomment and set NTP_IP at the beginning of the script. ## Allow NTP Protocol to NTP Servers # for i in $NTP_IP # do # $IPCH -A output -p udp --sport $NRPORTS -d $i 123 -j ACCEPT # $IPCH -A input -p udp -s $i 123 --dport $NRPORTS -j ACCEPT # done ### ALLOW THESE ICMP REQUESTS AND RESPONSES ### Uncomment if you want to certain hosts to send us icmp requests ### => Also uncomment and set ICMP_IP at the beginning of the script ## Allow some host's icmp requests #for i in $ICMP_IP # do # $IPCH -A input -p icmp --icmp-type echo-request -s $i -j ACCEPT # $IPCH -A input -p icmp --icmp-type destination-unreachable -s $i -j ACCEPT # $IPCH -A input -p icmp --icmp-type time-exceeded -s $i -j ACCEPT # $IPCH -A output -p icmp --icmp-type echo-reply -d $i -j ACCEPT #done ### ALLOW SPECIFIC PROTOCOLS ### Uncomment if you want to allow NetBios networks streams ### => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script ## Allow NetBios protocol with certains hosts #$IPCH -A output -p udp --sport 137:138 -d $BROADCAST_IP 137:138 -j ACCEPT #for i in $WINS_IP # do # $IPCH -A output -p udp --sport 137 -d $i 137 -j ACCEPT # $IPCH -A input -p udp -s $i --dport 137 -j ACCEPT #done ## Allow but log incoming syn connections on the 139 port number. #for i in $NETBIOS_IP # do # $IPCH -A input -p udp -s $i 137 --dport 137 -j ACCEPT # $IPCH -A output -p udp --sport 137 -d $i 137 -j ACCEPT # $IPCH -A input -p tcp -s $i $NRPORTS --dport 139 -y -j $LOG_ACCEPT # $IPCH -A input -p tcp -s $i $NRPORTS --dport 139 -j ACCEPT # $IPCH -A output -p tcp --sport 139 -d $i $NRPORTS -j ACCEPT #done ### AND LAST : LOG AND DENY for i in $DEFAULT_POL do $IPCH -A $i -j $LOG_DROP done echo "$0 done"


Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should be présent in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is correct, have a look on the official http://www.fsf.org/licenses/fdl.txt licence file.