Un script iptables
Par lepigeon le vendredi 10 avril 2009, 17:48 - Configuration - Lien permanent
#!/bin/sh
# ports bas
dw_ports="0:1023"
# ports hauts
up_ports="1024:65535"
#adresse ip fourni par fai
ipv4_fai="xxx.yyy.zzz.ttt"
ipv4_tele="212.27.38.253"
#adresse ip machine perso
v4ip001="192.168.0.1"
#adresse ip esclave perso
v4ip002="192.168.0.11"
#adresse ip serveur gandi perso
v4ipext001="aaa.bbb.ccc.ddd"
case "$1" in
start)
$0 startipv4
$0 startipv4ftp
$0 ipv4ssh
$0 ipv4jelogue
;;
stop)
$0 stopipv4
;;
info|status)
$0 infoipv4
;;
restart|force-reload)
$0 stop
$0 start
;;
infoipv4)
iptables -L -n -v
;;
stopipv4)
iptables -F
iptables -X
# Politique par défaut : on accepte tout
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
;;
startipv4)
# Vider les tables actuelles
iptables -t filter -F
# Vider les règles personnelles
iptables -t filter -X
# Politique par défaut : on rejette tout
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# Initialisation de la table NAT (existe pas en ipv6)
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Initialisation de la table MANGLE
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# Ne pas casser les connexions etablies
#iptables -t filter -A INPUT -i eth0 -p tcp --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p udp --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# autoriser les requetes dhcp
iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT -m comment --comment "requete dhcp"
iptables -A OUTPUT -o eth0 -p udp -d 192.168.20.254 --dport 67:68 --sport 67:68 -j ACCEPT -m comment --comment "requete dhcp"
# Autoriser loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DNS In/Out (Pour accepter les résolutions de nom)
iptables -t filter -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT -m comment --comment "tcp4 dns"
iptables -t filter -A INPUT -i eth0 -p tcp --sport 53 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT -m comment --comment "udp4 dns"
iptables -t filter -A INPUT -i eth0 -p udp --sport 53 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client didiwiki
#iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -d $v4ip002 -p tcp --dport 8000 -j ACCEPT -m comment --comment "client didiwiki"
#iptables -t filter -A INPUT -i eth0 -s $v4ip002 -p tcp --sport 8000 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client pop3 courier
iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -p tcp --dport 110 -j ACCEPT -m comment --comment "client pop"
iptables -t filter -A INPUT -i eth0 -p tcp --sport 110 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client http
iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -p tcp --dport 80 -j ACCEPT -m comment --comment "client http"
iptables -t filter -A INPUT -i eth0 -p tcp --sport 80 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -p tcp --dport 8080 -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -p tcp --sport 8080 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client https
iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -p tcp --dport 443 -j ACCEPT -m comment --comment "client https"
iptables -t filter -A INPUT -i eth0 -p tcp --sport 443 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client NTP
#iptables -t filter -A OUTPUT -o eth0 -p udp --dport 123 -j ACCEPT
;;
ipv4jelogue)
#On logue le reste
iptables -A INPUT -j LOG -m limit --limit 500/hour --log-level 6 --log-prefix "[in4-reject]"
iptables -A OUTPUT -j LOG -m limit --limit 500/hour --log-level 6 --log-prefix "[out4-reject]"
;;
ipv4ssh)
# client SSH
iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -d $v4ip002 -p tcp --dport 22 -j ACCEPT -m comment --comment "client ssh"
iptables -t filter -A INPUT -i eth0 -s $v4ip002 -p tcp --sport 22 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# client SSH
iptables -t filter -A OUTPUT -o eth0 -s $v4ip001 -d $v4ipext001 -p tcp --dport 22 -j ACCEPT -m comment --comment "client ssh"
iptables -t filter -A INPUT -i eth0 -s $v4ipext001 -p tcp --sport 22 --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
;;
startipv4ftp)
# client ftp Autoriser les requetes FTP
modprobe ip_conntrack_ftp
#pour la connection ftp puisse s'etablir
iptables -t filter -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#connexion pour les données (en mode actif).
iptables -t filter -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#la connexion pour les données (en mode passif).
iptables -t filter -A INPUT -i eth0 -p tcp --sport $up_ports --dport $up_ports -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport $up_ports --dport $up_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
;;
*)
echo "Usage: {start|stop|restart|status}"
exit 1
;;
esac
exit 0