generalconfig / root / iptables.rules /
Newer Older
65 lines | 2.844kb
initial commit
admin cloud-section (root) authored on 2016-12-10
1
-X
2
-F
3
-P INPUT DROP
4
-P FORWARD DROP
5
-P OUTPUT DROP
6

            
7
# on autorise les boucles locales
8
-A INPUT -i lo -j ACCEPT
9
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
10

            
11
-A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
12

            
13
# DNS
14
-A OUTPUT         -p udp --dport domain -j ACCEPT
15

            
16
# https
17
-A INPUT  -i eth0  -p tcp -m multiport --dports http,https -j ACCEPT
18
-A OUTPUT          -p tcp -m multiport --sports http,https -j ACCEPT
19
-A OUTPUT          -p tcp --dport https -j ACCEPT
20
#-A INPUT  -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport https -j ACCEPT
21
#-A OUTPUT         -m state --state ESTABLISHED     -p tcp --sport https -j ACCEPT
22

            
23
## http pour maj
24
-A OUTPUT -m owner --uid-owner root -p tcp --dport http -j ACCEPT
25
-A OUTPUT -m owner --uid-owner www-data -p tcp --dport http -j ACCEPT
26
-A OUTPUT -m owner --uid-owner sms -p tcp --dport http -j ACCEPT
27
-A OUTPUT -m owner --uid-owner action -p tcp --dport http -j ACCEPT
28

            
29
#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1913 DF PROTO=TCP SPT=49487 DPT=8080 WINDOW=43690 RES=0x00 SYN URGP=0 
30
-A OUTPUT -p tcp --destination 127.0.0.1 --dport http-alt -j ACCEPT
31
#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DP
32
-A OUTPUT -p tcp --destination 127.0.0.1 --sport http-alt -j ACCEPT
33

            
34
# SSH uniquement depuis 192.168.1.51
35
-A INPUT  -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport ssh --source 192.168.1.51      -j ACCEPT
36
-A OUTPUT         -m state --state ESTABLISHED     -p tcp --sport ssh --destination 192.168.1.51 -j ACCEPT
37

            
38
# envoi de courrier pour les membres du groupe mail (sélection par la conf de ssmtp)
39
-A OUTPUT         -m state --state NEW,ESTABLISHED -p tcp --dport ssmtp -j ACCEPT
40
-A INPUT  -i eth0 -m state --state ESTABLISHED     -p tcp --dport ssmtp -j ACCEPT
41

            
42
# NTP
43
-A OUTPUT         -m state --state NEW,ESTABLISHED -p udp --sport ntp -j ACCEPT
44

            
45
# SaMBa
46
-A OUTPUT   -p tcp --destination 192.168.1.51,192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT
47

            
48
# XMPP
49
-A INPUT -p tcp --source 192.168.1.52,192.168.1.55 --dport xmpp-client -j ACCEPT
50
-A OUTPUT -p tcp --destination 192.168.1.52,192.168.1.55 --sport xmpp-client -j ACCEPT
51

            
52
-A INPUT -p tcp --source 192.168.1.52 --sport xmpp-client -j ACCEPT
53
-A OUTPUT -p tcp --destination 192.168.1.52 --dport xmpp-client -j ACCEPT
54

            
55
# log iptables denied calls (access via 'dmesg' command)
56
#-A INPUT  -p tcp -j LOG --log-prefix "INPUT denied: " --log-level 7
57
#-A OUTPUT -p tcp -j LOG --log-prefix "OUTPUT denied: " --log-level 7
58
#-A INPUT  -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7
59
#-A OUTPUT         -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7
60

            
61
# tout le reste dehors
62
-A INPUT   -j DROP
63
-A FORWARD -j DROP
64
-A OUTPUT  -j DROP
65