#!/bin/sh
# Public IPv4 address of this host; the public-service rules in start()
# use it as their destination match (-d). The value "213.xxxxxxx" as
# listed here looks redacted — replace it with the real address.
IP=213.xxxxxxx
start() {
# configure des options de sécurité de la pile tcp/ip
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# purge
purge
# politiques par défaut
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ouvre tout sur localhost
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT
# ouvre les ports TCP publics
iptables -A INPUT -i eth0 -d $IP -p tcp -m multiport --dport 21,22,25,53,110,143,80,8000,10000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sport 21,22,25,53,110,143,80,8000,10000 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ouvert les ports UDP publics
iptables -A INPUT -i eth0 -d $IP -p udp -m multiport --dport 53,8000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m multiport --sport 53,8000 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping de notre serveur autorisé mais limité pour éviter le flood
iptables -A INPUT -i eth0 -d $IP -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
iptables -A OUTPUT -o eth0 -s $IP -p icmp --icmp-type echo-reply -m limit --limit 4/s -j ACCEPT
# autorise toutes les connexions clientes
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 1:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 1:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 1:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# msg de statut
echo "Firewall: OK"
}
#######################################
# Bring the firewall down: remove every rule, then fall back to an
# ACCEPT policy on the three built-in chains of the filter table.
# Arguments: none
# Outputs:   "Firewall: STOP" on stdout
#######################################
stop() {
  purge
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
  echo "Firewall: STOP"
}
#######################################
# Empty the filter table: -F flushes every rule of every chain, then
# -X deletes the (now empty) user-defined chains. Policies are untouched.
# Arguments: none
#######################################
purge() {
  for op in -F -X; do
    iptables "$op"
  done
}
# Dispatch on the first argument. Anything other than "stop" or
# "restart" — including no argument at all — starts the firewall, as the
# catch-all arm below always did.
action=${1:-start}
case "$action" in
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    start
    ;;
esac
exit 0