Firewall script - help
Hello,
I need your help; I have been searching for a few hours without finding a solution to my problem.
I have a script to configure my firewall on Debian 8:
Code:
#!/bin/sh
#
# Simple Firewall configuration.
#
# Author: Nicolargo
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $syslog $network
# Required-Stop: $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall daemon at boot time
# Description: Custom Firewall script.
### END INIT INFO
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Services that the system will offer to the network
TCP_SERVICES="2222 80 443 2812 1723" # SSH
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="2222 80 443 25 2812 1723" # web browsing
REMOTE_UDP_SERVICES="53" # DNS
# FTP backups
# Allow backups to an external FTP
FTP_BACKUPS=""

if ! [ -x /sbin/iptables ]; then
    exit 0
fi

##########################
# Start the Firewall rules
##########################
fw_start () {
    # Input traffic:
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j MASQUERADE
    # Services
    if [ -n "$TCP_SERVICES" ] ; then
        for PORT in $TCP_SERVICES; do
            /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$UDP_SERVICES" ] ; then
        for PORT in $UDP_SERVICES; do
            /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # Ftp backups
    if [ -n "$FTP_BACKUPS" ] ; then
        # The following two rules allow the inbound FTP connection
        /sbin/iptables -A INPUT -p tcp --sport ${FTP_BACKUPS} -m state --state ESTABLISHED -j ACCEPT
        /sbin/iptables -A OUTPUT -p tcp --dport ${FTP_BACKUPS} -m state --state NEW,ESTABLISHED -j ACCEPT
        # The next 2 lines allow active ftp connections
        #/sbin/iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
        #/sbin/iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
        # These last two rules allow for passive transfers
        /sbin/iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
        /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    fi
    # Remote testing
    /sbin/iptables -A INPUT -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -j LOG

    # Output:
    /sbin/iptables -A OUTPUT -j ACCEPT -o lo
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP is permitted:
    /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    # So are security package updates:
    # Note: You can hardcode the IP address here to prevent DNS spoofing
    # and to setup the rules even if DNS does not work but then you
    # will not "see" IP changes for this service:
    /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
    # As well as the services we have defined:
    if [ -n "$REMOTE_TCP_SERVICES" ] ; then
        for PORT in $REMOTE_TCP_SERVICES; do
            /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$REMOTE_UDP_SERVICES" ] ; then
        for PORT in $REMOTE_UDP_SERVICES; do
            /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # All other connections are registered in syslog
    /sbin/iptables -A OUTPUT -j LOG
    #/sbin/iptables -A OUTPUT -j REJECT
    /sbin/iptables -P OUTPUT DROP

    # Other network protections
    # (some will only work with some kernel versions)
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    # These two are protections only when set to 0: do not emit ICMP redirects
    # and do not accept source-routed packets
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
}

##########################
# Stop the Firewall rules
##########################
fw_stop () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
}

##########################
# Clear the Firewall rules
##########################
fw_clear () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
}

############################
# Restart the Firewall rules
############################
fw_restart () {
    fw_stop
    fw_start
}

##########################
# Test the Firewall rules
##########################
fw_save () {
    /sbin/iptables-save > /etc/iptables.backup
}

fw_restore () {
    if [ -e /etc/iptables.backup ]; then
        /sbin/iptables-restore < /etc/iptables.backup
    fi
}

# Apply the new rules for 30 seconds, then put the saved rules back
fw_test () {
    fw_save
    fw_restart
    sleep 30
    fw_restore
}

case "$1" in
    start|restart)
        echo -n "Starting firewall..."
        fw_restart
        echo "done."
        ;;
    stop)
        echo -n "Stopping firewall..."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing firewall rules..."
        fw_clear
        echo "done."
        ;;
    test)
        echo "Testing firewall rules..."
        echo "Previous configuration will be restored in 30 seconds"
        fw_test
        echo "Configuration has been restored"
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|clear|test}"
        echo "Be aware that stop drops all incoming/outgoing traffic !!!"
        exit 1
        ;;
esac
exit 0
It works perfectly for everything EXCEPT this line:
Code:
/sbin/iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j MASQUERADE
I use this line for my PPTP VPN, for web routing.
If I don't run my script and just apply this one line, it works perfectly, but if I include it in my firewall.sh script the line is indeed added to the rules, yet web routing through my PPTP VPN no longer works.
Do you have any idea what is blocking it?
Thanks
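What the posted script does differently from running the MASQUERADE line on its own is visible in fw_stop: fw_restart calls fw_stop first, which sets the FORWARD policy to DROP, and fw_start then never adds a FORWARD rule. Forwarded packets from VPN clients are dropped in the FORWARD chain before they reach POSTROUTING, where MASQUERADE is applied; applied alone, the line works because FORWARD still has its default ACCEPT policy. The following is an added example, not the poster's script or Nicolargo's: it keeps DROP as the FORWARD policy and opens only the VPN-to-uplink path. The interface names ppp+ (PPTP clients) and eth0 (uplink) are placeholders to adjust; the wrapper prints the rules instead of applying them when DRY_RUN is set, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the poster's script): FORWARD rules for the 10.9.0.0/24
# VPN subnet. Interface names are assumptions: ppp+ for the PPTP clients,
# eth0 for the uplink. Adjust them to the real host before use.
VPN_NET="10.9.0.0/24"
VPN_IF="ppp+"
WAN_IF="eth0"
IPT="${IPT:-/sbin/iptables}"

# Wrapper: with DRY_RUN set, print the command instead of running it, so the
# rule set can be inspected (or tested) without root and without iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# These rules belong in fw_start, next to the MASQUERADE line. fw_stop sets
# "-P FORWARD DROP" and fw_start adds no FORWARD rule, so without them every
# forwarded VPN packet is dropped before POSTROUTING ever sees it.
fw_forward_vpn() {
    # Return traffic for connections already allowed, in both directions
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from VPN clients and only towards the uplink
    ipt -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -m state --state NEW -j ACCEPT
    # Whatever reaches the end of the chain is logged, then hits the DROP policy
    ipt -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
    ipt -P FORWARD DROP
    # Source NAT only for packets leaving on the uplink, not for VPN-to-VPN traffic
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Sanity check in dry-run mode: number of FORWARD ACCEPT rules emitted (expect 2)
count_forward_accepts() {
    ( DRY_RUN=1; fw_forward_vpn ) | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# "sh this_file.sh --dry-run" prints the rules; with no argument nothing is applied
if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    fw_forward_vpn
fi
```

To confirm the diagnosis on the host, look at the packet counters: `iptables -L FORWARD -n -v` shows whether forwarded VPN packets are being counted by an ACCEPT rule or only by the chain policy, and `iptables -t nat -L POSTROUTING -n -v` shows whether the MASQUERADE rule is matching at all. The script already sets /proc/sys/net/ipv4/ip_forward to 1 in fw_start, so kernel forwarding itself is not what is missing.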