Installation et sécurisation d'une station Debian 3.0 stable — 15/05/2004 
  
	
	
	
	
	 
			
			
			
			
			
			
			
			
			
		
	
  
	
	
	
	
	 
	
 ANNEXE 1. Paramètrage du firewall Ipchains 
  
			
			
				/home/system/scripts/fw/custom_net.sh :
			  
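			#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEX 1 - Ipchains firewall configuration
# Simon Castro
#
# Hardens the IPv4 stack through the /proc/sys/net/ipv4 sysctl files.  Must run
# as root (the files are not writable otherwise); rules_up_ipchains.sh calls it
# before loading the firewall rules.  A knob that cannot be written is reported
# on stderr instead of being ignored, so a silently unapplied setting is visible.
#
### NETWORK CUSTOMIZATION
# write_flag VALUE FILE: write VALUE into the sysctl file FILE, or warn on stderr
# (and carry on) when FILE is missing or not writable.
write_flag() {
  if [ -w "$2" ]; then
    echo "$1" > "$2"
  else
    printf '%s : %s is missing or not writable, left unchanged\n' "$0" "$2" >&2
  fi
}

# Global settings.
write_flag 0 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses   # keep warning about bogus ICMP errors
write_flag 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts         # do not answer broadcast pings (smurf amplification)
write_flag 60 /proc/sys/net/ipv4/ip_default_ttl                     # TTL of locally generated packets
write_flag 0 /proc/sys/net/ipv4/ip_forward                          # this host is not a router

# Per-interface settings: every knob in ZERO_FLAGS is switched off and every
# knob in ONE_FLAGS switched on, in each directory under $CHEMIN ("all",
# "default" and one per interface).  The lists are plain space-separated
# strings and are intentionally left unquoted in the loops so they word-split;
# a knob the kernel does not expose for a given interface is skipped silently.
ZERO_FLAGS="accept_redirects accept_source_route forwarding proxy_arp send_redirects"
ONE_FLAGS="rp_filter log_martians"
CHEMIN="/proc/sys/net/ipv4/conf"
# Glob instead of parsing `ls`: with no match the pattern stays literal and the
# -d test below skips it.
for repert in "$CHEMIN"/*; do
  [ -d "$repert" ] || continue
  for fichier in $ZERO_FLAGS; do
    if [ -e "$repert/$fichier" ]; then
      write_flag 0 "$repert/$fichier"
    fi
  done
  for fichier in $ONE_FLAGS; do
    if [ -e "$repert/$fichier" ]; then
      write_flag 1 "$repert/$fichier"
    fi
  done
done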
			
				/etc/init.d/init_ipchains.sh :
			  
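			#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEX 1 - Ipchains firewall configuration
# Simon Castro
#
# SysV init wrapper around the firewall scripts: "start" loads the rules, "stop"
# flushes them (the host is then unfiltered, see rules_down_ipchains.sh) and
# "restart" does both.  Diagnostics go to stderr.  Exit status: 0 on success,
# 1 for a usage error, 2 when a rules script is missing or not executable —
# the original exited 0 in that last case, so a boot without any firewall
# looked like a success.
#
RULES_UP=/home/system/scripts/fw/rules_up_ipchains.sh
RULES_DOWN=/home/system/scripts/fw/rules_down_ipchains.sh

# run_rules FILE: execute FILE when it is an executable regular file, otherwise
# report it on stderr and exit 2.
run_rules() {
  if [ -f "$1" ] && [ -x "$1" ]; then
    "$1"
  else
    printf '%s : Cannot execute %s !!!\n' "$0" "$1" >&2
    exit 2
  fi
}

case "$1" in
  start)
    run_rules "$RULES_UP"
    ;;
  stop)
    run_rules "$RULES_DOWN"
    ;;
  restart)
    # Re-invoke ourselves so both halves go through the same checks.
    "$0" stop
    "$0" start
    ;;
  *)
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac
exit 0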
			
				/home/system/scripts/fw/rules_down_ipchains.sh :
			  
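			#!/bin/sh
#
# Debian-secinst v0.1.3 : ANNEX 1 - Ipchains firewall configuration
# Simon Castro
#
# Tears the firewall down: flushes every chain, deletes the user-defined ones and
# resets the built-in policies to ACCEPT.  Once it has run the host accepts all
# traffic, so it is meant for "stop"/"restart" only, never as a steady state.
# Exits 0 without touching anything when ipchains is unavailable.
#
IPCH=/sbin/ipchains # IpChains binary
### CHECK KERNEL VERSION AND BINARY PRESENCE
# Both conditions are required: the original joined them with && and so let a
# present-but-not-executable binary through.
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then exit 0; fi
# ipchains needs matching kernel support.  The redirection order is deliberate:
# only stderr is captured (stdout is discarded), and any message or a non-zero
# exit is taken as "not supported by this kernel".
CHECK=$("$IPCH" -L -n 2>&1 > /dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  printf '%s : Not with this kernel\n' "$0" >&2
  exit 0
fi
### VARIABLES
DEFAULT_POL="input output forward" # Built-in chains whose policy is reset
### BEGIN
# Flush and remove all chains then default the policies to ACCEPT
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do   # unquoted on purpose: space-separated list
  "$IPCH" -P "$i" ACCEPT
done
printf '%s done\n' "$0"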
			
				/home/system/scripts/fw/rules_up_ipchains.sh :
			  
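			#!/bin/sh
#
# Debian-secinst v0.1.4 : ANNEX 1 - Ipchains firewall configuration
# Simon Castro
#
# Loads the ipchains rule set: default DENY on input/output/forward, unrestricted
# loopback, logged SSH from the administration hosts, HTTP/HTTPS through the
# proxies and DNS to the name servers; everything else is logged and denied.
# The optional sections (Prelude, NTP, ICMP, NetBIOS) stay commented out until
# the admin enables them.
#
# The @... placeholders in the VARIABLES section must be replaced before use.
# The script checks for them after the DENY policies and loopback rules are in
# place and stops there if one is left: a placeholder handed to ipchains would
# make the SSH rules fail and lock the administrators out with no message, so
# failing closed with a diagnostic is preferable.
#
# NOTE: ipchains is the Linux 2.2-series packet filter; on 2.4 and later the
# kernel-support check below may fail, in which case no rules are loaded and
# the host runs without a firewall — use the iptables equivalent there.
#
IPCH=/sbin/ipchains # IpChains binary
### CHECK KERNEL VERSION AND BINARY PRESENCE
# Both tests must pass (the original joined them with && and let a
# non-executable binary through).  Exiting 0 keeps the boot going on systems
# without ipchains, but say so on stderr: nothing is filtered afterwards.
if [ ! -f "$IPCH" ] || [ ! -x "$IPCH" ]; then
  printf '%s : %s not found or not executable, no firewall rules loaded\n' "$0" "$IPCH" >&2
  exit 0
fi
# Redirection order is deliberate: capture only ipchains' stderr (stdout goes
# to /dev/null); any message or a non-zero exit means no kernel support.
CHECK=$("$IPCH" -L -n 2>&1 > /dev/null || echo "bad")
if [ -n "$CHECK" ]; then
  printf '%s : Not with this kernel\n' "$0" >&2
  exit 0
fi
### Set OUR value to the printk variable
# Console log level first, then the three default levels; presumably chosen so
# that the "-l" (logging) rules below reach syslog without flooding the console
# — confirm against the running kernel's documentation if you change it.
echo "6 4 1 7" > /proc/sys/kernel/printk
### NETWORK CUSTOMIZATION
# Sysctl hardening lives in its own script; it is skipped silently when absent.
CUSTOM_NET=/home/system/scripts/fw/custom_net.sh
if [ -f "$CUSTOM_NET" ] && [ -x "$CUSTOM_NET" ]; then
  "$CUSTOM_NET"
fi
### VARIABLES
# Addresses
# Both are parsed from the old "inet addr:" / "Bcast:" ifconfig output; adapt
# the interface name if the host does not use eth0.
LOCAL_IP=$(ifconfig eth0 | awk 'BEGIN { FS=":" ; RS=" " } /addr:/ { print $2 }')     # Local Eth0 IP address
BROADCAST_IP=$(ifconfig eth0 | awk 'BEGIN { FS=":" ; RS=" " } /Bcast:/ { print $2 }') # Local Eth0 broadcast address (NetBIOS section only)
# Each of these is a space-separated list of addresses; the loops below rely on
# word-splitting, so the expansions there are intentionally unquoted.
ADM_IP="@IPS_OF_ADMINISTRATION_HOSTS"
DNS_IP="@IP_OF_DNS_SERVERS"   # the original line carried a stray closing quote that broke parsing
PROXY_IP="@IPS_OF_HTTP_PROXYS"
#NTP_IP="@IPS_OF_NTP_SERVERS"
#ICMP_IP="@IPS_OF_ALLOWED_ICMP_REQUESTER_HOSTS"
#WINS_IP="@IPS_OF_WINS_AND_DOMAIN_SERVERS"
#NETBIOS_IP="@IP_OF_ALLOWED_NETBIOS_REMOTE_HOSTS"
# Policies
DEFAULT_POL="input output forward"
LOG_ACCEPT="LogAcc"
LOG_DROP="LogDrop"
# Various
RPORTS=":1024"  # privileged port range (unused by the active rules, kept for local additions)
NRPORTS="1024:" # unprivileged ports: the client side of every connection below
### BEGIN
# Flush and remove all chains then default the policies to DENY.  From here on
# the host is closed and every rule below opens one specific path.
"$IPCH" -F
"$IPCH" -X
for i in $DEFAULT_POL; do
  "$IPCH" -P "$i" DENY
done
### Create and set personal chains
# Log and deny chain
"$IPCH" -N "$LOG_DROP"            # Create a new one
"$IPCH" -A "$LOG_DROP" -j DENY -l # Log and deny
# Log and accept chain
"$IPCH" -N "$LOG_ACCEPT"              # Create a new one
"$IPCH" -A "$LOG_ACCEPT" -j ACCEPT -l # Log and accept
### LOOPBACK AND REMOTE MANAGEMENT
# Allow whatever on loopback
"$IPCH" -A output -i lo -j ACCEPT
"$IPCH" -A input -i lo -j ACCEPT
# Refuse to go on with an unreplaced placeholder.  Policies are already DENY
# and loopback is open, so the host stays closed (fail closed) and the reason
# is visible instead of a silent lock-out from a rejected SSH rule.
for i in "$ADM_IP" "$DNS_IP" "$PROXY_IP"; do
  case "$i" in
    @*)
      printf '%s : placeholder "%s" not configured, stopping with default DENY (loopback only)\n' "$0" "$i" >&2
      exit 1
      ;;
  esac
done
# Allow SSH remote management and log connections.  The original loop iterated
# over $ADM_IP but used $ADM_IP rather than $i in its body, so with several
# administration hosts the whole list was passed to -s and the rules were most
# likely rejected.
for i in $ADM_IP; do
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -y -j "$LOG_ACCEPT" # log each new (SYN) connection
  "$IPCH" -A input -p tcp -s "$i" "$NRPORTS" -d "$LOCAL_IP" 22 -j ACCEPT
  "$IPCH" -A output -p tcp -s "$LOCAL_IP" 22 -d "$i" "$NRPORTS" -j ACCEPT
done
### ALLOW THESE TCP CONNECTIONS
# Allow HTTP/HTTPS to the HTTP proxy servers.  A SYN arriving from the proxy's
# port 8080 is not a reply to us: log and drop it before the reply rule below
# could let a scan that abuses that source port through.
for i in $PROXY_IP; do
  "$IPCH" -A output -p tcp --sport "$NRPORTS" -d "$i" 8080 -j ACCEPT
  "$IPCH" -A input -p tcp -s "$i" 8080 -y -j "$LOG_DROP"
  "$IPCH" -A input -p tcp -s "$i" 8080 --dport "$NRPORTS" -j ACCEPT
done
### Uncomment if you want to use Prelude communications.
## Allow Prelude communications to the Prelude server; log SYNs abusing the reply port
#  $IPCH -A output -p tcp --sport $NRPORTS -d {PRELUDE_SRV_IP} 5553:5554 -j ACCEPT
#  $IPCH -A input  -p tcp -s {PRELUDE_SRV_IP} 5553:5554 -y -j $LOG_DROP
#  $IPCH -A input  -p tcp -s {PRELUDE_SRV_IP} 5553:5554 --dport $NRPORTS -j ACCEPT
### ALLOW THESE UDP CONNECTIONS
# Allow DNS Protocol to DNS Servers
for i in $DNS_IP; do
  "$IPCH" -A output -p udp --sport "$NRPORTS" -d "$i" 53 -j ACCEPT
  "$IPCH" -A input -p udp -s "$i" 53 --dport "$NRPORTS" -j ACCEPT
done
### Uncomment if you want to use communications to NTP servers.
###  => Also uncomment and set NTP_IP at the beginning of the script.
## Allow NTP Protocol to NTP Servers
#  for i in $NTP_IP
#    do
#    $IPCH -A output -p udp --sport $NRPORTS -d $i 123 -j ACCEPT
#    $IPCH -A input -p udp -s $i 123 --dport $NRPORTS -j ACCEPT
#  done
### ALLOW THESE ICMP REQUESTS AND RESPONSES
### Uncomment if you want certain hosts to be able to send us ICMP requests
###  => Also uncomment and set ICMP_IP at the beginning of the script
## Allow some hosts' ICMP requests
#for i in $ICMP_IP
#  do
#    $IPCH -A input  -p icmp --icmp-type echo-request -s $i -j ACCEPT
#    $IPCH -A input  -p icmp --icmp-type destination-unreachable -s $i -j ACCEPT
#    $IPCH -A input  -p icmp --icmp-type time-exceeded -s $i -j ACCEPT
#    $IPCH -A output -p icmp --icmp-type echo-reply -d $i -j ACCEPT
#done
### ALLOW SPECIFIC PROTOCOLS
### Uncomment if you want to allow NetBIOS network streams
###  => Also uncomment and set WINS_IP and NETBIOS_IP at the beginning of the script
## Allow the NetBIOS protocol with certain hosts
#$IPCH -A output -p udp --sport 137:138 -d $BROADCAST_IP 137:138 -j ACCEPT
#for i in $WINS_IP
#  do
#    $IPCH -A output -p udp --sport 137 -d $i 137 -j ACCEPT
#    $IPCH -A input  -p udp -s $i --dport 137 -j ACCEPT
#done
## Allow but log incoming SYN connections on port 139.
#for i in $NETBIOS_IP
#  do
#  $IPCH -A input  -p udp -s $i 137 --dport 137 -j ACCEPT
#  $IPCH -A output -p udp --sport 137 -d $i 137 -j ACCEPT
#  $IPCH -A input  -p tcp -s $i $NRPORTS --dport 139 -y -j $LOG_ACCEPT
#  $IPCH -A input  -p tcp -s $i $NRPORTS --dport 139 -j ACCEPT
#  $IPCH -A output -p tcp --sport 139 -d $i $NRPORTS -j ACCEPT
#done
### AND LAST : LOG AND DENY
# Anything not accepted above is logged and denied.  The policies are already
# DENY, so these rules only add the log entry for the dropped traffic.
for i in $DEFAULT_POL; do
  "$IPCH" -A "$i" -j "$LOG_DROP"
done
printf '%s done\n' "$0"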
		
	
 
 
		Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com. 
		 
		Permission is granted to copy, distribute and/or modify this document under the
		terms of the GNU Free Documentation License, Version 1.2  or  any later version
		published by the Free Software Foundation; with  the  Invariant  Sections being
		LIST THEIR  TITLES,  with  the  Front-Cover  Texts  being  LIST, and   with the
		Back-Cover Texts being LIST. 
		You must have received a copy of the license with this document and  it  should
		be present in the fdl.txt file.  
		If you did not receive this file or if you don't think this  fdl.txt license is
		correct,  have  a  look  at  the  official  http://www.fsf.org/licenses/fdl.txt
		licence file.
	 