Le script installé sur la machine Firewall
____________________________________________________
TABLE DES MATIERES :
Partie 1: Declaration of interfaces
Partie 5: Flushing old ip tables
Partie 6: Rules during compilation
Partie 7: Building up ip tables
Partie 8: Linking each kind of packets with ip tables
Partie 9: Rules for ICMP packets
Partie 10: Rules for each ip tables
Partie 11: Rules for interfaces of Firewall
____________________________________________________
 
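# --- Partie 1: interfaces and addresses ------------------------------------
# Every rule below refers to these variables; change them here, not in the
# rules. The address values are left exactly as published (masked with '*')
# and must be replaced by the site's real values before the script is run.
# readonly: an accidental reassignment further down would silently re-point
# the firewall rules at another network.

# Internet-facing interface ("bad" side)
readonly BAD_IFACE=eth1

# Demilitarized zone
readonly DMZ_IFACE=eth2
readonly DMZ_ADDR='***.***.*.***/**'

# LAN ("good" side)
readonly GOOD_IFACE=eth0
readonly GOOD_ADDR='***.***.*.*/**'

# DMZ host the NAT rules redirect LAN HTTP/NNTP/DNS/SMTP/POP3 traffic to
readonly PROXY_SERVER='***.***.*.***'

# Servers whose LAN-originated traffic is redirected to the proxy
readonly NNTP_ADDR='***.**.**.**'
readonly SMTP_ADDR='***.**.**.**'
readonly POP3_ADDR='***.**.**.**'
readonly DNS_ADDR='***.*.*.**'

# Debugging: uncomment to trace every command. (The published text had the
# "-x" on a line of its own, which executed "-x" as a command and failed.)
#set -x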
 
 
 
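# --- Routing -----------------------------------------------------------------
# Remove the previous routes, then install the ones the firewall needs.
# Interfaces come from the variables declared above: the published text
# hard-coded eth0/eth1 here, which silently diverged from GOOD_IFACE/BAD_IFACE
# and mixed the legacy "route" tool with "ip route".
# Addresses are masked ('*') as published; fill in the real values.
# "ip route del" reports an error, harmlessly, when the route does not exist.
ip route del '***.***.*.***/**' dev "$BAD_IFACE"
ip route del '***.***.*.***/**' dev "$DMZ_IFACE"
ip route del default dev "$BAD_IFACE"
ip route del default dev "$GOOD_IFACE"
# test ***.***.*.*** <-> ***.***.*.***
ip route add '***.***.*.***' dev "$BAD_IFACE"
ip route add '***.***.*.***/**' dev "$DMZ_IFACE"
ip route add default via '***.***.*.***' dev "$BAD_IFACE"

# Turn on IPv4 forwarding between the interfaces. Overwrite ('>') rather than
# append: the published '>>' only happens to work because /proc ignores the
# file offset.
echo 1 > /proc/sys/net/ipv4/ip_forward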
 
 
 
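# NOTE(review): a verbatim copy of "Partie 11" (the bad-if / dmz-if / good-if
# chains at the end of the script) stood here. Run at this point it has no
# lasting effect -- the flush in Partie 5 discards it -- but it jumped to
# icmp-acc before that chain exists and its "iptables -D INPUT 1" deleted the
# very jump it had just appended. The copy is removed; the interface chains
# are built once, in Partie 11.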
 
 
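# NOTE(review): a second verbatim copy of "Partie 11" (the bad-if / dmz-if /
# good-if chains at the end of the script) stood here. Run at this point its
# "-N" calls fail because the chains already exist, its "iptables -D INPUT 1"
# deletes a jump rule instead of the provisional DROP, and the flush in
# Partie 5 discards whatever is left. The copy is removed; the interface
# chains are built once, in Partie 11.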
 
 
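# --- Partie 5: flush the old rules -------------------------------------------
# "iptables -F" with no chain name flushes every chain of the filter table
# (built-in and user-defined), so the per-chain flushes of INPUT/OUTPUT/FORWARD
# in the published text were redundant. User-defined chains are then deleted
# (-X) so that the "-N" calls further down start from a clean table: the
# published script left them in place and every "-N" on a re-run failed with
# "Chain already exists".
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# --- Partie 6: rules in force while the script runs --------------------------
# Append an unconditional DROP as rule 1 of each built-in chain so that
# nothing passes while the chains below are being filled. Partie 11 removes
# exactly these three rules with "iptables -D <chain> 1", so nothing else may
# be appended to INPUT/FORWARD/OUTPUT before this point.
# NOTE(review): once they are removed, each built-in chain falls back to its
# default policy, which this script never sets (-P); OUTPUT in particular is
# left with no rules at all. An explicit "-P INPUT DROP" / "-P FORWARD DROP"
# plus a rule for lo would make deny-by-default permanent.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP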
 
 
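# --- Partie 7: the chains ------------------------------------------------------
# One chain per traffic direction: "bad" is the Internet, "dmz" the DMZ and
# "good" the LAN, so good-dmz holds the rules for LAN -> DMZ traffic, and so
# on. icmp-acc is the common ICMP filter; bad-if / dmz-if / good-if filter
# traffic addressed to the firewall itself, one per interface (Partie 11).
# Each chain is created and immediately flushed so the script can be re-run:
# on a second run "-N" reports "already exists" (harmless) and "-F" empties
# it. The three *-if chains are created here as well, so that flushing them
# below no longer depends on an earlier section having created them.
for chain in good-dmz bad-dmz good-bad dmz-good dmz-bad bad-good \
             icmp-acc bad-if dmz-if good-if; do
  iptables -N "$chain"
  iptables -F "$chain"
done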
 
 
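# --- NAT: transparent redirection of LAN clients to the DMZ proxy ------------
# DNAT rewrites the destination of selected LAN traffic so it reaches
# PROXY_SERVER instead of the real server; conntrack reverses the translation
# on the replies. The ingress interface is GOOD_IFACE rather than the
# hard-coded eth0 of the published text.
# Fixes against the published text: "$NNTP_ ADDR" (a space inside the variable
# name, so -d received an empty value followed by the literal word ADDR),
# "$POP_ ADDR" (the variable declared above is POP3_ADDR) and "-d" written
# with an en dash, which iptables rejects as an unknown option.

# HTTP -> the proxy's HTTP port (3128)
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" \
  -p tcp --dport http -j DNAT --to-destination "$PROXY_SERVER:3128"

# NNTP (the UDP rule is kept as published; NNTP itself runs over TCP only)
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$NNTP_ADDR" \
  -p tcp --dport nntp -j DNAT --to-destination "$PROXY_SERVER:119"
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$NNTP_ADDR" \
  -p udp --dport nntp -j DNAT --to-destination "$PROXY_SERVER:119"

# DNS
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$DNS_ADDR" \
  -p udp --dport domain -j DNAT --to-destination "$PROXY_SERVER:53"

# SMTP (the UDP rule is kept as published; SMTP runs over TCP only)
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$SMTP_ADDR" \
  -p tcp --dport smtp -j DNAT --to-destination "$PROXY_SERVER:25"
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$SMTP_ADDR" \
  -p udp --dport smtp -j DNAT --to-destination "$PROXY_SERVER:25"

# POP3 (the UDP rule is kept as published; POP3 runs over TCP only)
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$POP3_ADDR" \
  -p tcp --dport pop3 -j DNAT --to-destination "$PROXY_SERVER:110"
iptables -t nat -A PREROUTING -i "$GOOD_IFACE" -s "$GOOD_ADDR" -d "$POP3_ADDR" \
  -p udp --dport pop3 -j DNAT --to-destination "$PROXY_SERVER:110"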
 
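# --- Partie 8: dispatch forwarded packets to the direction chains -------------
# Connection state first: drop what conntrack cannot classify, accept the
# packets of connections already allowed, so the direction chains only ever
# see the first packet of a new connection.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Which (source network, input interface, output interface) goes to which
# chain. Rules are evaluated top to bottom, so the more specific ones come
# first; write rules for small networks before those for bigger ones.
#
# iptables options used here:
#   -A  append a rule to the chain
#   -s  source network
#   -i  input interface
#   -o  output interface
#   -j  jump to the named chain (or to ACCEPT / REJECT / DROP)
# ACCEPT lets the packet through; REJECT refuses it and tells the sender;
# DROP refuses it without telling the sender.
iptables -A FORWARD -s "$DMZ_ADDR" -i "$DMZ_IFACE" -o "$BAD_IFACE" -j dmz-bad
iptables -A FORWARD -s "$DMZ_ADDR" -i "$DMZ_IFACE" -o "$GOOD_IFACE" -j dmz-good

iptables -A FORWARD -s "$GOOD_ADDR" -i "$GOOD_IFACE" -o "$DMZ_IFACE" -j good-dmz
iptables -A FORWARD -s "$GOOD_ADDR" -i "$GOOD_IFACE" -o "$BAD_IFACE" -j good-bad

# Internet-originated traffic is matched on the input interface as well. The
# published rules matched on the output interface only, so a LAN or DMZ
# packet whose source address lies outside its own network was handled as
# Internet traffic instead of reaching the LOG+DROP below.
iptables -A FORWARD -i "$BAD_IFACE" -o "$DMZ_IFACE" -j bad-dmz
iptables -A FORWARD -i "$BAD_IFACE" -o "$GOOD_IFACE" -j bad-good

# Anything that matched none of the above is logged, then dropped.
# NOTE(review): the LOG rule is not rate-limited; pair it with "-m limit" if
# log flooding is a concern.
iptables -A FORWARD -j LOG --log-prefix "chain-jump"
iptables -A FORWARD -j DROP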
 
 
# --- Partie 9: ICMP accepted by the firewall ----------------------------------
# Only the listed ICMP types are let through; every other ICMP packet that
# reaches this chain is dropped.
# NOTE(review): echo-request is in the list and bad-if jumps here, so the
# firewall answers pings from the Internet; filter echo-request in bad-if
# first if that is not wanted.
for icmp_type in destination-unreachable source-quench time-exceeded \
                 echo-request echo-reply; do
  iptables -A icmp-acc -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
# Uncomment to log what this chain drops:
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc"
iptables -A icmp-acc -j DROP
 
 
 
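# --- Partie 10: rules per traffic direction -----------------------------------
# Each chain ends with an explicit DROP or REJECT, so a service is reachable in
# a given direction only if it is listed above that final rule. (The published
# text had these lines wrapped in a "| ... |" table; the markup is removed.)

# LAN -> DMZ
iptables -A good-dmz -p tcp --dport http -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p udp --dport smtp -j ACCEPT   # kept as published; SMTP is TCP-only
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
# "ripng" is port 521 (RIPng, the IPv6 variant). The published comment said
# RIP v2, which is port 520 ("router"); kept as written -- confirm which one
# is intended.
iptables -A good-dmz -p tcp --dport ripng -j ACCEPT
iptables -A good-dmz -p udp --dport ripng -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p udp --dport ssh -j ACCEPT    # kept as published; SSH is TCP-only
iptables -A good-dmz -p tcp --dport 3128 -j ACCEPT   # proxy HTTP port
iptables -A good-dmz -p tcp --dport 10000 -j ACCEPT  # proxy management
iptables -A good-dmz -j DROP                          # everything else (DROP <-> ACCEPT)

# Internet -> DMZ
iptables -A bad-dmz -p tcp --dport ident -j ACCEPT
iptables -A bad-dmz -j DROP                           # everything else (DROP <-> ACCEPT)

# LAN -> Internet
iptables -A good-bad -p tcp --dport ftp -j ACCEPT    # direct FTP; see ident in bad-good
iptables -A good-bad -p tcp --dport nntp -j ACCEPT   # direct NNTP
iptables -A good-bad -p udp --dport nntp -j ACCEPT
iptables -A good-bad -p tcp --dport pop3 -j ACCEPT   # direct POP3
iptables -A good-bad -p udp --dport pop3 -j ACCEPT
iptables -A good-bad -p tcp --dport smtp -j ACCEPT   # direct SMTP
iptables -A good-bad -p udp --dport smtp -j ACCEPT
iptables -A good-bad -p udp --dport domain -j ACCEPT # direct DNS
iptables -A good-bad -p tcp --dport https -j ACCEPT  # direct HTTPS
iptables -A good-bad -j REJECT                        # everything else

# DMZ -> LAN: nothing
iptables -A dmz-good -j DROP                          # DROP <-> ACCEPT

# DMZ -> Internet
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport http -j ACCEPT
iptables -A dmz-bad -p tcp --dport pop3 -j ACCEPT
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport smtp -j ACCEPT    # kept as published; SMTP is TCP-only
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -j REJECT                         # everything else (REJECT <-> ACCEPT)

# Internet -> LAN
# ident (TCP/113) is accepted so that FTP servers which query identd before
# serving a direct LAN client do not stall. The published comment itself calls
# this a security hole: it is the only unsolicited Internet -> LAN connection
# the firewall lets through, so drop it unless identd is really needed.
iptables -A bad-good -p tcp --dport ident -j ACCEPT
iptables -A bad-good -j DROP                          # everything else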
 
 
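# --- Partie 11: traffic addressed to the firewall itself ----------------------
# One chain per interface; INPUT dispatches on the input interface.
# When Partie 7 has already created these chains, "-N" reports "already
# exists", which is harmless and keeps this section usable on its own.
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# Jumps from INPUT to the per-interface chains.
iptables -A INPUT -i "$BAD_IFACE" -j bad-if
iptables -A INPUT -i "$DMZ_IFACE" -j dmz-if
iptables -A INPUT -i "$GOOD_IFACE" -j good-if

# Internet: ICMP through the common filter, nothing else.
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j DROP                 # DROP <-> ACCEPT for debugging

# DMZ: same policy. The published text appended the ICMP rule to bad-if a
# second time (copy-paste), which left dmz-if dropping all ICMP from the DMZ.
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j DROP                 # DROP <-> ACCEPT for debugging

# LAN: SSH to the firewall, ping/pong, then the common ICMP filter.
# echo-request/echo-reply are the names used in icmp-acc; iptables also
# accepts the published "ping"/"pong" aliases. The jump to icmp-acc is
# restricted to ICMP: the published "-j icmp-acc" sent every remaining
# packet into that chain, where its final DROP discarded them, so the DROP
# below (and the "debugging" toggle on it) never came into play.
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p icmp --icmp-type echo-request -j ACCEPT
iptables -A good-if -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A good-if -p icmp -j icmp-acc
# This DROP is what keeps every other LAN -> firewall service closed. The
# published comment said "uncomment for debugging" although the line was
# active; comment it out only while debugging.
iptables -A good-if -j DROP

# Remove the three provisional "deny everything" rules appended in Partie 6.
# They are rule 1 of each built-in chain only because nothing else was
# appended before them; keep that ordering if the script is reorganised.
# NOTE(review): packets arriving on an interface other than the three above
# (including lo) match none of the INPUT jumps and end up at the chain's
# default policy, which this script does not set.
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1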