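#!/bin/sh
# script /etc/firewall.sh
#
# Builds the iptables ruleset of a three-legged firewall:
#   WAN : eth0, firewall address 192.168.213.129 (as used by the original rules)
#   DMZ : eth1, 192.168.2.0/24 (web server .5, mail server .6)
#   LAN : eth2 according to the original comments, 192.168.3.0/24 (admin .254)
# Must run as root. Every chain gets policy DROP first, so anything that is not
# explicitly accepted below is refused.
#
# Abort on the first failing command. The DROP policies are installed before
# any ACCEPT rule, so an abort leaves the box closed rather than half-open;
# without this a failed rule would silently change the resulting ruleset.
set -e

# --- Addresses and interfaces used by the rules (adjust here only) ---
readonly WAN_IF=eth0
readonly DMZ_IF=eth1
readonly LAN_NET=192.168.3.0/24
readonly DMZ_NET=192.168.2.0/24
# NOTE(review): the LAN<->DMZ service rules match this single host, not the
# whole LAN; confirm whether $LAN_NET was meant (the WAN rules use the network).
readonly LAN_HOST=192.168.3.1
readonly ADMIN_IP=192.168.3.254
readonly WEB_SRV=192.168.2.5
readonly MAIL_SRV=192.168.2.6

## Reset the firewall to its initial state
iptables -F         # flush every rule of every chain in the filter table
iptables -X         # delete every user-defined chain (none may still be referenced)
iptables -Z         # zero the packet and byte counters of every chain
iptables -t nat -F  # flush the nat table as well

# Default to DROP: anything not explicitly accepted below is refused.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# NOTE(review): nothing accepts loopback (-i lo / -o lo); with OUTPUT DROP the
# firewall host itself cannot reach local services or resolve names. Confirm
# this is intended.

## Anti-spoofing
# Placed before every ACCEPT rule because the first matching rule wins.
# LAN or DMZ source addresses can never legitimately arrive on the WAN
# interface, and LAN source addresses can never arrive from the DMZ side: such
# a packet means someone is impersonating our own network. The original rules
# matched the destination address and gave -i an IP address instead of an
# interface name, so they never matched; they also only covered INPUT, while
# the traffic to protect flows through FORWARD.
for chain in INPUT FORWARD; do
  iptables -A "$chain" -i "$WAN_IF" -s "$DMZ_NET" -j DROP
  iptables -A "$chain" -i "$WAN_IF" -s "$LAN_NET" -j DROP
  iptables -A "$chain" -i "$DMZ_IF" -s "$LAN_NET" -j DROP
done

# Proxy ARP is needed for the DMZ network.
# NOTE(review): the rules treat eth1 as the DMZ interface, yet proxy_arp is
# enabled on eth3 and eth4 — confirm which interfaces actually face the DMZ.
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth4/proxy_arp

# Replies to connections the firewall already tracks are always forwarded.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# The firewall itself accepts any TCP arriving on eth3 and may answer on it.
# -o selects the outgoing interface; -d takes an address, so "-d eth3" was an error.
iptables -A INPUT -i eth3 -p tcp -j ACCEPT
iptables -A OUTPUT -o eth3 -p tcp -j ACCEPT

# Rate-limit ICMP from the WAN to 10 packets per second; anything above is dropped.
iptables -A INPUT -i "$WAN_IF" -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -p icmp -j DROP

# ACCEPT in nat/PREROUTING only exempts packets for $LAN_HOST from the
# remaining nat rules; it grants no FORWARD access. Kept from the original,
# whose comment ("eth2 may open connections anywhere") does not describe it.
iptables -t nat -A PREROUTING -d "$LAN_HOST" -j ACCEPT

# The administrator may telnet (port 23) to the firewall itself.
# Telnet is cleartext; SSH (port 22) would be the safer replacement for this rule.
iptables -A INPUT -s "$ADMIN_IP" -p tcp --dport 23 -j ACCEPT
iptables -A OUTPUT -d "$ADMIN_IP" -p tcp --sport 23 -j ACCEPT

## LAN-DMZ
# IMPORTANT: nothing is forwarded at all unless IPv4 forwarding is enabled.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Traffic leaving towards the DMZ is not address-translated.
iptables -t nat -A POSTROUTING -o "$DMZ_IF" -j ACCEPT

# Ping between DMZ and LAN (LAN -> DMZ stays disabled, as in the original).
#iptables -A FORWARD -s "$LAN_NET" -d "$DMZ_NET" -p icmp -j ACCEPT
iptables -A FORWARD -s "$DMZ_NET" -d "$LAN_NET" -p icmp -j ACCEPT

# Allow one TCP service from the LAN host to a DMZ server. Only the LAN side
# may open the connection; the server may only answer on an ESTABLISHED or
# RELATED connection.
# Arguments: $1 - DMZ server address, $2 - TCP port
lan_to_dmz() {
  iptables -A FORWARD -p tcp -s "$LAN_HOST" -d "$1" -m state --state NEW,ESTABLISHED,RELATED --dport "$2" -j ACCEPT
  iptables -A FORWARD -p tcp -s "$1" -d "$LAN_HOST" -m state --state ESTABLISHED,RELATED --sport "$2" -j ACCEPT
}
lan_to_dmz "$WEB_SRV" 80     # HTTP
lan_to_dmz "$WEB_SRV" 443    # HTTPS
# NOTE(review): 220 is imap3 in /etc/services; standard IMAP is 143 — confirm
# the port the mail server really listens on.
lan_to_dmz "$MAIL_SRV" 220   # IMAP
lan_to_dmz "$MAIL_SRV" 110   # POP3
lan_to_dmz "$MAIL_SRV" 25    # SMTP

# The administrator's machine has full access to the DMZ; the DMZ may only
# reply. (The original reply rule said 198.168.3.254, a typo that never matched.)
iptables -A FORWARD -s "$ADMIN_IP" -d "$DMZ_NET" -j ACCEPT
iptables -A FORWARD -s "$DMZ_NET" -d "$ADMIN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

## 3. WAN-DMZ connections
# Connections arriving from the WAN on a published port are redirected to the
# DMZ server providing the service: 80 and 443 to the web server, 25 to the
# mail server. (Table is "nat", the options are "--dport" and
# "--to-destination"; SMTP is TCP, not UDP.)
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 -j DNAT --to-destination "$WEB_SRV:443"
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SRV:25"

# Forward one redirected WAN service to its DMZ server and let the server
# answer. After DNAT the destination is the real server address, so the rule
# must name that server (the original "-d 192.168.2.1" never matched). The
# reply rule is restricted to tracked connections so that a DMZ host cannot
# open arbitrary connections to the WAN merely by using the service port as
# source port.
# Arguments: $1 - DMZ server address, $2 - TCP port
wan_to_dmz() {
  iptables -A FORWARD -p tcp --dport "$2" -i "$WAN_IF" -d "$1" -j ACCEPT
  iptables -A FORWARD -p tcp --sport "$2" -s "$1" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}
wan_to_dmz "$WEB_SRV" 80     # HTTP
wan_to_dmz "$WEB_SRV" 443    # HTTPS
wan_to_dmz "$MAIL_SRV" 25    # SMTP (the original comment mislabelled this as HTTPS)

## 4. WAN-LAN connections
# LAN addresses are hidden from the Internet: everything the LAN sends out of
# eth0 is rewritten to the firewall's WAN address, so an outside observer only
# ever sees the public firewall IP.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

# Allow one TCP service from the LAN to the WAN. Only the LAN may open the
# connection; the WAN may only reply. Matching the outgoing interface replaces
# the original "-d <firewall WAN address>", which only matched packets
# addressed to the firewall itself and so never forwarded anything.
# Arguments: $1 - TCP port
lan_to_wan() {
  iptables -A FORWARD -p tcp -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED --dport "$1" -j ACCEPT
  iptables -A FORWARD -p tcp -i "$WAN_IF" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED --sport "$1" -j ACCEPT
}
lan_to_wan 80    # HTTP
lan_to_wan 443   # HTTPS

# The administrator may open any connection to the WAN; the WAN may only reply.
iptables -A FORWARD -s "$ADMIN_IP" -o "$WAN_IF" -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d "$ADMIN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT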