initial commit
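# Host firewall rule set (IPv4 only, see NOTE below). All three chains default
# to DROP; what follows is an allow-list, terminated by explicit DROPs.
#
# NOTE(review): there are no "*filter" / "COMMIT" lines, so this is not
# iptables-restore format -- presumably a wrapper hands each line to
# iptables(8). Confirm before changing the loader or the line format.
# NOTE(review): iptables filters IPv4 only. If this host has a routable IPv6
# address, an equivalent ip6tables policy is required, otherwise every DROP
# below is bypassable over v6 -- confirm.
# "-m state" still works but is a legacy alias of "-m conntrack --ctstate";
# kept here for consistency with the rest of the file.

# Flush rules first, then delete user-defined chains: "-X" refuses to delete a
# chain that still holds rules, so it must run after "-F".
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Loopback in BOTH directions. Previously only INPUT on lo was allowed; with
# OUTPUT policy DROP that appears to be the cause of the kernel lines
# "OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 ... DPT=8080" and of
# the per-port 127.0.0.1:8080 (http-alt) exceptions that used to follow them.
# The "-o lo" rule replaces those exceptions.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: a 127.0.0.0/8 destination must never arrive on a non-loopback
# interface.
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Connection tracking. Replies belonging to a connection allowed elsewhere are
# accepted here, so the per-service rules below only need to cover NEW
# traffic. INPUT keeps the original eth0 restriction. The OUTPUT rule replaces
# the former stateless "--sport http,https / ssh / ntp / xmpp-client" reply
# rules: those matched on the local *source* port only, so any process that
# bound one of them could send arbitrary packets (5222 is an unprivileged
# port, so any local user could bind it).
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS, UDP only. TCP fallback (large/DNSSEC answers) is not allowed; add
# "-A OUTPUT -p tcp --dport domain -j ACCEPT" if resolution of large answers
# fails.
-A OUTPUT -p udp --dport domain -j ACCEPT

# Web server: inbound http/https on eth0. Replies leave through the
# ESTABLISHED,RELATED rule above.
-A INPUT -i eth0 -p tcp -m multiport --dports http,https -j ACCEPT

# Outbound https, any account.
-A OUTPUT -p tcp --dport https -j ACCEPT

## Outbound plain http, restricted to the accounts that need it (updates).
## "-m owner" is only valid in OUTPUT, which is where it is used.
-A OUTPUT -m owner --uid-owner root -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner www-data -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner sms -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner action -p tcp --dport http -j ACCEPT

# SSH only from 192.168.1.51 (no outbound SSH from this host is allowed).
-A INPUT -i eth0 -m state --state NEW -p tcp --dport ssh --source 192.168.1.51 -j ACCEPT

# Outgoing mail (SMTPS, service name "ssmtp" = port 465). Which accounts may
# send is decided by the ssmtp configuration, not by this firewall.
# The old "-A INPUT ... --state ESTABLISHED --dport ssmtp" rule matched replies
# by *destination* port 465, which never happens for a client connection;
# replies are already accepted by the eth0 ESTABLISHED rule, so it was dead.
-A OUTPUT -m state --state NEW -p tcp --dport ssmtp -j ACCEPT

# NTP client. Match the *destination* port: the former "--sport ntp" form
# only matched daemons that bind local port 123 (classic ntpd) and, at the
# same time, let any root process bound to 123 send UDP anywhere. "--dport"
# covers ntpd (123 -> 123) as well as ephemeral-port clients (chrony,
# ntpdate, systemd-timesyncd).
-A OUTPUT -p udp --dport ntp -j ACCEPT

# SMB/CIFS client towards two LAN hosts.
-A OUTPUT -p tcp --destination 192.168.1.51,192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT

# XMPP server: 192.168.1.52 and .55 may connect to local port 5222.
-A INPUT -p tcp --source 192.168.1.52,192.168.1.55 --dport xmpp-client -j ACCEPT
# XMPP client: this host may open connections to 192.168.1.52:5222.
-A OUTPUT -p tcp --destination 192.168.1.52 --dport xmpp-client -j ACCEPT
# Replies from .52 for that outbound connection. Kept without "-i eth0"
# because the original rule named no interface, but now ESTABLISHED only: the
# old stateless form accepted ANY packet from .52 with source port 5222 to
# ANY local port, e.g. a SYN from 192.168.1.52:5222 to port 22, which
# sidestepped the SSH-from-.51-only rule above.
-A INPUT -p tcp --source 192.168.1.52 --sport xmpp-client -m state --state ESTABLISHED -j ACCEPT

# ICMP is not opened beyond what conntrack classifies as RELATED (e.g. an
# inbound "fragmentation needed"); echo request/reply is blocked both ways.
# Add explicit rules if ping is wanted.

# Log dropped packets, rate-limited (read with 'dmesg'). Uncomment to enable;
# the rules must stay above the final DROPs to see anything.
#-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7
#-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7

# Everything else is dropped (explicitly, on top of the DROP policies).
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP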
|
65 |