# Host firewall rules (IPv4 / iptables only; nothing here touches ip6tables).
# Default-deny on every chain, then a per-service whitelist.  Reply traffic
# is accepted statefully on INPUT (eth0) but OUTPUT has no state rule, so
# every outbound reply is listed explicitly per service.
# NOTE(review): there is no *filter / COMMIT framing, so this is not a
# complete iptables-restore input; presumably a loader feeds each line to
# iptables -- confirm before changing the load mechanism.

# Delete user chains, flush, and set every policy to DROP.  Nothing flows
# until an ACCEPT below matches.
-X
-F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Loopback: accept everything on lo, and reject (not drop) packets that
# claim a 127/8 destination but did not arrive on lo (spoofed loopback).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Replies to connections this host opened, on eth0 only.  Several INPUT
# rules further down (ESTABLISHED-only ones) are already covered here.
-A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS -- UDP only, to any resolver.  A resolver that falls back to TCP
# (truncated/large answers) hits the final OUTPUT DROP.  Replies come back
# through the ESTABLISHED,RELATED rule above (conntrack tracks UDP too).
-A OUTPUT         -p udp --dport domain -j ACCEPT

# HTTP / HTTPS
# Inbound web server: new connections accepted statelessly on eth0; the
# server's replies are matched on their source port.
-A INPUT  -i eth0  -p tcp -m multiport --dports http,https -j ACCEPT
-A OUTPUT          -p tcp -m multiport --sports http,https -j ACCEPT
# Outbound web client: any local user/process may reach any host on
# http/https (replies via the INPUT state rule).  The commented
# --uid-owner rules below show a tighter per-user variant that was not
# enabled.
-A OUTPUT          -p tcp -m multiport --dports http,https -j ACCEPT
# Local service on loopback port 8888, both directions, stateless.
-A OUTPUT          -p tcp --destination 127.0.0.1 --dport 8888 -j ACCEPT
-A OUTPUT          -p tcp --source 127.0.0.1 --sport 8888 -j ACCEPT
# Earlier stateful HTTPS-only pair, superseded by the rules above.
#-A INPUT  -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport https -j ACCEPT
#-A OUTPUT         -m state --state ESTABLISHED     -p tcp --sport https -j ACCEPT

## HTTP for updates -- per-UID restriction of outbound web access.
## Disabled: the unrestricted --dports http,https rule above applies instead.
#-A OUTPUT -m owner --uid-owner root -p tcp -m multiport --dports http,https -j ACCEPT

# NOTE(review): the three lines below use --dport with -m multiport
# (the option is --dports); confirm they parse before re-enabling them.
#-A OUTPUT -m owner --uid-owner www-data -p tcp -m multiport --dport http,https -j ACCEPT
#-A OUTPUT -m owner --uid-owner sms -p tcp -m multiport --dport http -j ACCEPT
#-A OUTPUT -m owner --uid-owner action -p tcp -m multiport --dport http -j ACCEPT

# Loopback traffic to port 8080 (http-alt).  The two "#OUTPUT denied"
# lines are dmesg excerpts produced by the LOG rules near the bottom, kept
# as the evidence that motivated the two ACCEPTs that follow them.
#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1913 DF PROTO=TCP SPT=49487 DPT=8080 WINDOW=43690 RES=0x00 SYN URGP=0 
-A OUTPUT -p tcp --destination 127.0.0.1 --dport http-alt -j ACCEPT
#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DP
-A OUTPUT -p tcp --destination 127.0.0.1 --sport http-alt -j ACCEPT

# SSH only from 192.168.1.51.  The ESTABLISHED part of the INPUT rule is
# already covered by the eth0 state rule; NEW is the operative match.
-A INPUT  -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport ssh --source 192.168.1.51      -j ACCEPT
-A OUTPUT         -m state --state ESTABLISHED     -p tcp --sport ssh --destination 192.168.1.51 -j ACCEPT

# Outgoing mail for members of the mail group (who may send is decided by
# the ssmtp configuration, not here).
# NOTE(review): the INPUT line matches --dport ssmtp, i.e. inbound
# connections *to* the ssmtp port, not the relay's replies (which carry
# --sport ssmtp).  It has no effect today because the ESTABLISHED,RELATED
# rule on eth0 already accepts those replies; fix it before relying on it.
-A OUTPUT         -m state --state NEW,ESTABLISHED -p tcp --dport ssmtp -j ACCEPT
-A INPUT  -i eth0 -m state --state ESTABLISHED     -p tcp --dport ssmtp -j ACCEPT

# NTP -- matches on the *source* port, so it assumes a client that binds
# port ntp locally (ntpd-style).  A client using an ephemeral source port
# with --dport ntp would be dropped -- TODO confirm against the installed
# time daemon.  Replies arrive via the INPUT state rule.
-A OUTPUT         -m state --state NEW,ESTABLISHED -p udp --sport ntp -j ACCEPT

# SaMBa -- outbound SMB / NetBIOS session to two LAN hosts only; replies
# via the INPUT state rule.
-A OUTPUT   -p tcp --destination 192.168.1.51,192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT

# XMPP -- inbound client connections from two LAN hosts and the server's
# replies, both stateless (matched on port only, not bound to eth0).
-A INPUT -p tcp --source 192.168.1.52,192.168.1.55 --dport xmpp-client -j ACCEPT
-A OUTPUT -p tcp --destination 192.168.1.52,192.168.1.55 --sport xmpp-client -j ACCEPT

# Outbound XMPP client to 192.168.1.52 and its replies.  The INPUT line is
# stateless and not bound to eth0: any TCP packet from .52 whose source
# port is xmpp-client reaches any local port.  Acceptable only while .52
# is trusted; adding -m state --state ESTABLISHED (or removing the line,
# since the eth0 state rule already covers the replies) would close it.
-A INPUT -p tcp --source 192.168.1.52 --sport xmpp-client -j ACCEPT
-A OUTPUT -p tcp --destination 192.168.1.52 --dport xmpp-client -j ACCEPT

# Log denied packets (read with 'dmesg').  All disabled.  When enabling,
# prefer the rate-limited (-m limit) forms so a scan cannot flood the
# kernel log; they must stay above the final DROPs to see anything.
#-A INPUT  -p tcp -j LOG --log-prefix "INPUT denied: " --log-level 7
#-A OUTPUT -p tcp -j LOG --log-prefix "OUTPUT denied: " --log-level 7
#-A INPUT  -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7
#-A OUTPUT         -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7

# Everything else is dropped.  Redundant with the DROP policies set at the
# top; kept as an explicit catch-all.  Note this also drops all outbound
# ICMP (no ping from this host, no ICMP error replies sent); inbound ICMP
# is only accepted when RELATED to an existing connection.
-A INPUT   -j DROP
-A FORWARD -j DROP
-A OUTPUT  -j DROP