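--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,3 +1,4 @@
+# vim: set ft=iptables :
 -X
 -F
 -P INPUT DROP
@@ -6,62 +7,44 @@
 
 # on autorise les boucles locales
 -A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
--A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # DNS
--A OUTPUT -p udp --dport domain -j ACCEPT
+-A OUTPUT -p udp --dport domain -j ACCEPT
 
 # http
--A INPUT -i eth0 -p tcp -m multiport --dports http,https -j ACCEPT
--A OUTPUT -p tcp -m multiport --sports http,https -j ACCEPT
--A OUTPUT -p tcp -m multiport --dports http,https -j ACCEPT
--A OUTPUT -p tcp --destination 127.0.0.1 --dport 8888 -j ACCEPT
--A OUTPUT -p tcp --source 127.0.0.1 --sport 8888 -j ACCEPT
-#-A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport https -j ACCEPT
-#-A OUTPUT -m state --state ESTABLISHED -p tcp --sport https -j ACCEPT
+-A INPUT -p tcp -m multiport --dports http,https -j ACCEPT
+-A INPUT -p tcp -m multiport --sports http,https -j ACCEPT
+-A OUTPUT -p tcp -m multiport --sports http,https -j ACCEPT
+-A OUTPUT -p tcp -m multiport --dports http,https -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports http,https -j ACCEPT
+#-A INPUT -p tcp -m state --state ESTABLISHED -m multiport --sports http,https -j ACCEPT
+#-A OUTPUT -p tcp -m state --state ESTABLISHED -m multiport --sports http,https -j ACCEPT
+#-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports http,https -j ACCEPT
 
-## http pour maj
-#-A OUTPUT -m owner --uid-owner root -p tcp -m multiport --dports http,https -j ACCEPT
-
-#-A OUTPUT -m owner --uid-owner www-data -p tcp -m multiport --dport http,https -j ACCEPT
-#-A OUTPUT -m owner --uid-owner sms -p tcp -m multiport --dport http -j ACCEPT
-#-A OUTPUT -m owner --uid-owner action -p tcp -m multiport --dport http -j ACCEPT
-
-#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1913 DF PROTO=TCP SPT=49487 DPT=8080 WINDOW=43690 RES=0x00 SYN URGP=0
 -A OUTPUT -p tcp --destination 127.0.0.1 --dport http-alt -j ACCEPT
-#OUTPUT denied: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DP
 -A OUTPUT -p tcp --destination 127.0.0.1 --sport http-alt -j ACCEPT
 
-# SSH uniquement depuis 192.168.1.51
--A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport ssh --source 192.168.1.51 -j ACCEPT
--A OUTPUT -m state --state ESTABLISHED -p tcp --sport ssh --destination 192.168.1.51 -j ACCEPT
-
-# envoi de courrier pour les membres du groupe mail (sélection par la conf de ssmtp)
--A OUTPUT -m state --state NEW,ESTABLISHED -p tcp --dport ssmtp -j ACCEPT
--A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --dport ssmtp -j ACCEPT
+-A INPUT -p tcp --dport ssh --source 192.168.1.51,192.168.1.52,78.193.238.123 -j ACCEPT
+-A OUTPUT -p tcp --dport ssh --destination 192.168.1.51,192.168.1.52 -j ACCEPT
+-A OUTPUT -p tcp --sport ssh --destination 192.168.1.51,192.168.1.52,78.193.238.123 -j ACCEPT
+-A OUTPUT -p tcp --dport 2202 --destination 78.193.238.123 -j ACCEPT
 
-# NTP
--A OUTPUT -m state --state NEW,ESTABLISHED -p udp --sport ntp -j ACCEPT
+-A OUTPUT -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports ssmtp,imaps -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -p tcp -m multiport --sports ssmtp,imaps -j ACCEPT
 
-# SaMBa
--A OUTPUT -p tcp --destination 192.168.1.51,192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT
+-A OUTPUT -m state --state NEW,ESTABLISHED -p udp --dport ntp -j ACCEPT
 
-# XMPP
--A INPUT -p tcp --source 192.168.1.52,192.168.1.55 --dport xmpp-client -j ACCEPT
--A OUTPUT -p tcp --destination 192.168.1.52,192.168.1.55 --sport xmpp-client -j ACCEPT
+-A OUTPUT -p tcp --destination 80.67.160.80 -j ACCEPT
+-A INPUT -p tcp --source 80.67.160.80 -j ACCEPT
 
--A INPUT -p tcp --source 192.168.1.52 --sport xmpp-client -j ACCEPT
--A OUTPUT -p tcp --destination 192.168.1.52 --dport xmpp-client -j ACCEPT
+-A OUTPUT -p tcp --destination 192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT
 
-# log iptables denied calls (access via 'dmesg' command)
-#-A INPUT -p tcp -j LOG --log-prefix "INPUT denied: " --log-level 7
-#-A OUTPUT -p tcp -j LOG --log-prefix "OUTPUT denied: " --log-level 7
-#-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7
-#-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7
+-A OUTPUT -m udp -p udp --destination 192.168.1.54 --dport snmp -j ACCEPT
 
-# tout le reste dehors
 -A INPUT -j DROP
 -A FORWARD -j DROP
 -A OUTPUT -j DROP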
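Review bot: New line 20, `-A INPUT -p tcp -m multiport --sports http,https -j ACCEPT`, accepts any inbound TCP segment whose source port is 80 or 443 with no state match, so a remote peer that merely picks one of those source ports reaches every local TCP port despite `-P INPUT DROP` and the closing `-A INPUT -j DROP`. Replies to this host's own outbound web traffic are already admitted by the unconditional `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` on line 13, so the rule adds exposure without adding function; remove it, or at minimum restrict it to `-A INPUT -m state --state ESTABLISHED -p tcp -m multiport --sports http,https -j ACCEPT`, which then only duplicates line 13. The same stateless, port-less pattern appears on line 42, `-A INPUT -p tcp --source 80.67.160.80 -j ACCEPT`, which opens every TCP port to that address rather than the one service it presumably needs; naming the port there would match how the ssh and ssmtp,imaps rules are written. The four commented-out `#-A` stateful variants on lines 23–26 read as leftovers and would be clearer either deleted or preceded by a comment saying why they are kept.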