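# iptables filter rules for a small LAN web / XMPP host (IPv4 only).
# One iptables invocation per line; order matters - first match wins.
# NOTE(review): nothing here touches ip6tables. If this host carries an
# IPv6 address the same traffic is unfiltered over v6 until ip6tables gets
# its own DROP policy.
# NOTE(review): "-m state" is the legacy alias of "-m conntrack --ctstate";
# kept as-is for consistency with the rest of the file.

# Flush rules first, then delete user-defined chains: -X refuses to delete
# a chain that still holds rules, so it has to run after -F.
-F
-X
# Default-deny in every direction; everything below is an explicit ACCEPT.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Loopback: accept anything arriving on lo and reject 127/8 spoofed onto
# any other interface. There is deliberately no blanket "-o lo ACCEPT" in
# OUTPUT; only the 127.0.0.1:8080 flows further down are allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Replies and related packets for connections this host opened (this also
# admits ICMP errors related to those connections).
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): OUTPUT has no RELATED rule, so this host can never emit
# ICMP errors (e.g. fragmentation-needed). If path-MTU discovery matters,
# consider "-A OUTPUT -p icmp -m state --state RELATED -j ACCEPT".

# DNS - UDP only; the TCP fallback for large answers is not permitted here.
-A OUTPUT -p udp --dport domain -j ACCEPT

# Web server: 80/443 in from eth0, replies out. The reply rule is limited
# to ESTABLISHED so a privileged process cannot open arbitrary outbound
# connections merely by binding source port 80/443 (same pattern as the
# SSH reply rule below).
-A INPUT -i eth0 -p tcp -m multiport --dports http,https -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp -m multiport --sports http,https -j ACCEPT
# Outbound HTTPS for every local user.
# NOTE(review): unlike outbound HTTP below this is not restricted by owner;
# confirm that is intended.
-A OUTPUT -p tcp --dport https -j ACCEPT
#-A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport https -j ACCEPT
#-A OUTPUT -m state --state ESTABLISHED -p tcp --sport https -j ACCEPT

## Outbound HTTP (package updates etc.), allowed per local user only.
-A OUTPUT -m owner --uid-owner root -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner www-data -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner sms -p tcp --dport http -j ACCEPT
-A OUTPUT -m owner --uid-owner action -p tcp --dport http -j ACCEPT

# Local service on 127.0.0.1:8080. Both directions showed up in the
# "OUTPUT denied" log (SYN 127.0.0.1:49487 -> 127.0.0.1:8080 and the
# reply from :8080), hence one rule each way.
-A OUTPUT -p tcp --destination 127.0.0.1 --dport http-alt -j ACCEPT
-A OUTPUT -p tcp --destination 127.0.0.1 --sport http-alt -j ACCEPT

# SSH only from 192.168.1.51.
-A INPUT -i eth0 -m state --state NEW,ESTABLISHED -p tcp --dport ssh --source 192.168.1.51 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp --sport ssh --destination 192.168.1.51 -j ACCEPT

# Outgoing mail (SMTPS, port 465) through ssmtp. Which users may send is
# enforced by the ssmtp configuration / "mail" group, not by this firewall.
-A OUTPUT -m state --state NEW,ESTABLISHED -p tcp --dport ssmtp -j ACCEPT
# Replies from the mail server arrive with SOURCE port 465. The original
# rule matched --dport and so never fired; the generic ESTABLISHED rule
# above already covers these packets, this one is kept for readability.
-A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport ssmtp -j ACCEPT

# NTP. Matching on --sport ntp assumes a daemon that binds port 123
# (ntpd). A client using ephemeral ports (ntpdate, chrony, timesyncd)
# needs "--dport ntp" instead. NOTE(review): confirm which one runs here.
-A OUTPUT -m state --state NEW,ESTABLISHED -p udp --sport ntp -j ACCEPT

# SMB/CIFS to the two file servers only.
-A OUTPUT -p tcp --destination 192.168.1.51,192.168.1.254 -m multiport --dports microsoft-ds,netbios-ssn -j ACCEPT

# XMPP (port 5222): client connections from .52 and .55 with their replies,
# plus one outbound connection to .52 with its replies. The source-port
# based rules are limited to ESTABLISHED so a peer cannot reach arbitrary
# local ports just by sending from port 5222.
-A INPUT -p tcp --source 192.168.1.52,192.168.1.55 --dport xmpp-client -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -p tcp --destination 192.168.1.52,192.168.1.55 --sport xmpp-client -j ACCEPT
-A INPUT -m state --state ESTABLISHED -p tcp --source 192.168.1.52 --sport xmpp-client -j ACCEPT
-A OUTPUT -p tcp --destination 192.168.1.52 --dport xmpp-client -j ACCEPT

# Logging of dropped packets (read with 'dmesg'); currently disabled.
# If enabled, prefer the rate-limited variants to avoid flooding the log.
#-A INPUT -p tcp -j LOG --log-prefix "INPUT denied: " --log-level 7
#-A OUTPUT -p tcp -j LOG --log-prefix "OUTPUT denied: " --log-level 7
#-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "INPUT denied: " --log-level 7
#-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT denied: " --log-level 7

# Explicit catch-all; redundant with the DROP policies, kept as a guard.
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP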