[tuto][linux][novice] Firewall with iptables
Be careful not to do anything careless here: you could lose control of your own system!
Setting up the firewall with iptables
Code:
apt install iptables
Create a file /etc/iptables-rules.sh:
Code:
nano /etc/iptables-rules.sh
Be sure to adjust the SSH port to the one configured in /etc/ssh/sshd_config (here: 2222).
Code:
#!/bin/bash
#
# iptables-rules.sh - filter incoming and outgoing packets.
#
# Reset the rules
iptables -t filter -F
iptables -t filter -X
# Temporary "ACCEPT all" rules so that the session used to load this script
# is not cut while the chains are rebuilt; they are deleted at the end
iptables -t filter -A INPUT -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
# Block all traffic by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Allow localhost
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Allow connections that are already established (and related traffic)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH (the port must match the Port directive in /etc/ssh/sshd_config;
# the OUTPUT rule only matters for SSH connections opened from this host,
# replies to incoming sessions are already covered by ESTABLISHED)
iptables -t filter -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 2222 -j ACCEPT
# DNS (the INPUT rules are only needed if this host runs a DNS server)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP (server clock)
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# Open HTTP 80 and HTTPS 443 for the web server
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# Mail SMTP and SMTPS
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
# Mail POP and POPS
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# Mail IMAP and IMAPS
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
# Open DHCP port 68 (only needed if this host gets its address by DHCP)
iptables -t filter -A OUTPUT -p udp --dport 68 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 68 -j ACCEPT
# Anti-flood / denial of service / port scan
# (FORWARD rules only matter if this host routes packets; ip_forward is disabled below)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# All other outgoing connections are logged in syslog, then rejected
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j REJECT
iptables -P OUTPUT DROP
# Other network protections
# (some only work with some kernel versions)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Delete the temporary "ACCEPT all" rules (rule 1 of INPUT and OUTPUT,
# added right after the flush above)
iptables -t filter -D INPUT 1
iptables -t filter -D OUTPUT 1
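The tutorial's warning about losing access applies mostly to the SSH rule: if the port in the script does not match the Port directive in sshd_config, loading the firewall over SSH cuts the session. The following pre-flight check is an added example, not one of the tutorial's scripts or part of the jdhp project; the function names (sshd_port, rules_accept_tcp_port, check_ssh_rule) are mine, and it assumes a rules file written in the style of the script above (one iptables command per line). The sample files built inside the test are constructed, not taken from a real host.

```shell
#!/bin/sh
# Pre-flight check (added example): verify that the port sshd listens on is
# really opened by an INPUT ACCEPT rule before the rules script is loaded.

# Print the port sshd listens on, read from an sshd_config file.
# Commented-out "#Port" lines are ignored; the last active "Port" directive
# wins, and sshd's default of 22 is used when none is set.
sshd_port() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-22}"
}

# Return 0 if the rules file ($1) contains an INPUT rule accepting TCP on port $2.
# The port must be followed by whitespace or end of line, so 22 does not match 2222.
rules_accept_tcp_port() {
    grep -E -- "-A INPUT .*-p tcp .*--dport[[:space:]]+$2([[:space:]]|$).*-j ACCEPT" "$1" >/dev/null
}

# Compare the two; print a verdict and return 0 only when they agree.
check_ssh_rule() {
    rules="$1"; sshd_conf="$2"
    port=$(sshd_port "$sshd_conf")
    if rules_accept_tcp_port "$rules" "$port"; then
        echo "OK: an INPUT rule accepts TCP port $port, the port sshd listens on"
        return 0
    fi
    echo "WARNING: sshd listens on port $port but no INPUT ACCEPT rule opens it" >&2
    return 1
}

# Usage on a real host (as root, before running the rules script):
#   . ./check-ssh-rule.sh
#   check_ssh_rule /etc/iptables-rules.sh /etc/ssh/sshd_config
```

Run it once after every edit of either file; a non-zero return means the firewall would drop the very session you are loading it from.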
Original script: https://github.com/jeremiedecock/iptables-scripts
Code:
#!/bin/bash
# iptables-rules.sh - filter incoming and outgoing packets.
# Copyright (c) 2007,2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# For more information, see https://github.com/jeremiedecock/iptables-scripts
#
# To display the current Netfilter rules, type the following commands in a Linux
# console (from the administrator account):
#
# iptables -L -n -v
# ip6tables -L -n -v
IP4TABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
[ -x $IP4TABLES ] || { echo "Error: $IP4TABLES not found" ; exit 1 ; }
[ -x $IP6TABLES ] || { echo "Error: $IP6TABLES not found" ; exit 1 ; }
# Kernel params ###############################################################
#modprobe ip_conntrack_ftp
# IPv6 ########################################################################
# Flush rules
$IP6TABLES -F
$IP6TABLES -X
# Default rule: reject every packet (incoming, outgoing and forwarded)
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Accept everything on the loopback interface
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
# IPv4 ########################################################################
# Flush rules
$IP4TABLES -F
$IP4TABLES -X
# Default rule: reject every packet (incoming, outgoing and forwarded)
$IP4TABLES -P INPUT DROP
$IP4TABLES -P OUTPUT DROP
$IP4TABLES -P FORWARD DROP
# Accept everything on the loopback interface
$IP4TABLES -A INPUT -i lo -j ACCEPT
$IP4TABLES -A OUTPUT -o lo -j ACCEPT
# Reject invalid incoming packets
$IP4TABLES -A INPUT -m state --state INVALID -j DROP
# Reject invalid incoming TCP packets (i.e. new connections whose flags are not exactly "SYN")
$IP4TABLES -A INPUT -m state --state NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j DROP
# Reject (and notify) incoming connections on port 113/TCP ("authentication tap ident")
$IP4TABLES -A INPUT -p tcp --destination-port auth -j REJECT --reject-with tcp-reset
# DNS #################################
# DNS_IP contains the list of trusted DNS servers (IPs allowed for DNS
# resolution). For instance:
#
# DNS_IP=(192.168.0.1 192.168.0.2 8.8.8.8 8.8.4.4)
# or:
# DNS_IP=(192.168.0.1)
# or:
# DNS_IP=()
#
# DNS_PROTOCOL contains the list of allowed DNS protocols. For instance:
#
# DNS_PROTOCOL=(tcp udp)
# or:
# DNS_PROTOCOL=(tcp)
DNS_IP=()
DNS_PROTOCOL=(tcp udp)
for IP in ${DNS_IP[@]}; do
    for PROTOCOL in ${DNS_PROTOCOL[@]}; do
        $IP4TABLES -A INPUT -p $PROTOCOL -s $IP --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IP4TABLES -A OUTPUT -p $PROTOCOL -d $IP --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
done
# ALLOWED_OUTGOING_UDP_SERVICES #######
# ALLOWED_REMOTE_UDP_SERVICES contains the list of reachable UDP outgoing services.
# For instance:
#
# ALLOWED_REMOTE_UDP_SERVICES=(123 514)
# or:
# ALLOWED_REMOTE_UDP_SERVICES=(123)
# or:
# ALLOWED_REMOTE_UDP_SERVICES=()
#
# Here is a list of common UDP services:
#
# 123 : NTP
# 514 : SYSLOG
#
# The full list is available in /etc/services
ALLOWED_REMOTE_UDP_SERVICES=(123)
for SERVICE in ${ALLOWED_REMOTE_UDP_SERVICES[@]}; do
    $IP4TABLES -A INPUT -p udp --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP4TABLES -A OUTPUT -p udp --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# ALLOWED_OUTGOING_TCP_SERVICES #######
# ALLOWED_REMOTE_TCP_SERVICES contains the list of reachable TCP outgoing services.
# For instance:
#
# ALLOWED_REMOTE_TCP_SERVICES=(80 443)
# or:
# ALLOWED_REMOTE_TCP_SERVICES=(80)
# or:
# ALLOWED_REMOTE_TCP_SERVICES=()
#
# Here is a list of common TCP services:
#
# 22 : SSH
# 23 : TELNET
# 25 : SMTP
# 80 : HTTP
# 110 : POP3
# 123 : NTP
# 194 : IRC
# 443 : HTTPS
# 465 : SMTP over SSL (SMTPS)
# 515 : Line printer spooler
# 587 : SMTP submission (STARTTLS)
# 993 : IMAP over SSL
# 995 : POP3 over SSL
# 3690 : SVN
# 5222 : XMPP
# 5223 : XMPP over SSL
# 6667 : IRCD
# 9418 : GIT
#
# The full list is available in /etc/services
ALLOWED_REMOTE_TCP_SERVICES=(80 443)
for SERVICE in ${ALLOWED_REMOTE_TCP_SERVICES[@]}; do
    $IP4TABLES -A INPUT -p tcp --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP4TABLES -A OUTPUT -p tcp --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# ALLOWED_INCOMING_TCP_SERVICES #######
# TRUSTED_IP contains the list of trusted IPs (IPs allowed to connect to this
# computer). For instance:
#
# TRUSTED_IP=(192.168.0.1 192.168.0.2)
# or:
# TRUSTED_IP=(192.168.0.1)
# or:
# TRUSTED_IP=()
#
# ALLOWED_LOCAL_TCP_SERVICES contains the list of services made available for
# trusted IPs. For instance:
#
# ALLOWED_LOCAL_TCP_SERVICES=(80 443)
# or:
# ALLOWED_LOCAL_TCP_SERVICES=(80)
# or:
# ALLOWED_LOCAL_TCP_SERVICES=()
TRUSTED_IP=()
ALLOWED_LOCAL_TCP_SERVICES=()
for IP in ${TRUSTED_IP[@]}; do
    for SERVICE in ${ALLOWED_LOCAL_TCP_SERVICES[@]}; do
        $IP4TABLES -A INPUT -p tcp -s $IP --dport $SERVICE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        $IP4TABLES -A OUTPUT -p tcp -d $IP --sport $SERVICE -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
done
# USERS RULES #########################
#$IP4TABLES -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner john -j DROP
#$IP4TABLES -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner alice -j DROP
# DEFAULT #############################
#$IP4TABLES -A INPUT -m limit --limit 4/s -j LOG --log-prefix "NETFILTER (IN) : "
#$IP4TABLES -A OUTPUT -m limit --limit 4/s -j LOG --log-prefix "NETFILTER (OUT) : "
Then adapt the variables at the top of the script. DNS_IP lists the DNS servers the machine may query (the ones shown by cat /etc/resolv.conf):
Code:
DNS_IP=(192.168.0.1 192.168.0.2 8.8.8.8 8.8.4.4)
Code:
cat /etc/resolv.conf
DNS_PROTOCOL lists the DNS transports allowed:
Code:
DNS_PROTOCOL=(tcp udp)
ALLOWED_REMOTE_UDP_SERVICES lists the remote UDP services the server may reach (123 is NTP; port numbers are listed in /etc/services):
Code:
ALLOWED_REMOTE_UDP_SERVICES=(123)
Code:
cat /etc/services
Add your SSH port (here: 2222). In this script, ALLOWED_REMOTE_TCP_SERVICES only covers connections the server itself opens towards other hosts; incoming SSH is accepted through TRUSTED_IP (the addresses you administer from, replace 192.168.0.1 with yours; with TRUSTED_IP=() nothing incoming is accepted) together with ALLOWED_LOCAL_TCP_SERVICES:
Code:
TRUSTED_IP=(192.168.0.1)
ALLOWED_LOCAL_TCP_SERVICES=(2222)
ALLOWED_REMOTE_TCP_SERVICES=(80 443)
2. Configure the service
On systemd-compatible systems (recent versions of Debian, Ubuntu, Arch, Fedora, ...)
Create a file /etc/systemd/system/iptables-rules.service:
Code:
nano /etc/systemd/system/iptables-rules.service
Code:
[Unit]
Description=Iptables rules
DefaultDependencies=no
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/iptables-rules.sh
ExecStop=/etc/iptables-off.sh
[Install]
WantedBy=multi-user.target
Code:
chown root:root /etc/systemd/system/iptables-rules.service
chmod 644 /etc/systemd/system/iptables-rules.service
On systems using SysV init (without systemd), create a file /etc/init.d/iptables-rules:
Code:
nano /etc/init.d/iptables-rules
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $syslog
# Required-Stop: $local_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Iptables scripts to setup Netfilter (the Linux firewall)
# Description: Iptables scripts to setup Netfilter (the Linux firewall)
### END INIT INFO
################################################################################
# IPTABLES-SCRIPTS INIT (SYSTEM V)
#
# Copyright (c) 2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# The MIT license
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
################################################################################
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/bin
DESC="Iptables scripts to setup Netfilter (the Linux firewall)"
NAME=iptables
IPTABLES_CONFIG_FILE=/etc/default/iptables
SCRIPT_NAME=/etc/init.d/iptables-rules
IPTABLES_SCRIPT=/etc/iptables-rules.sh
IPTABLES_OFF_SCRIPT=/etc/iptables-off.sh
# Read configuration variable file if it is present
[ -r ${IPTABLES_CONFIG_FILE} ] && . ${IPTABLES_CONFIG_FILE}
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
    [ -x "${IPTABLES_SCRIPT}" ] || exit 2
    ${IPTABLES_SCRIPT} || exit 1
}
#
# Function that stops the daemon/service
#
do_stop()
{
    [ -x "${IPTABLES_OFF_SCRIPT}" ] || exit 2
    ${IPTABLES_OFF_SCRIPT} || exit 1
}
case "$1" in
    start|restart|reload)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
            0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            1|2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
            0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            1|2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    *)
        echo "Usage: ${SCRIPT_NAME} {start|stop|restart}" >&2
        exit 3
        ;;
esac
exit 0
Code:
chown root:root /etc/init.d/iptables-rules
chmod 700 /etc/init.d/iptables-rules
Create a file /etc/iptables-off.sh (run by the service's stop action to switch the firewall off):
Code:
nano /etc/iptables-off.sh
Code:
#!/bin/sh
# iptables-off.sh - switch off the firewall (for IPv4 and IPv6).
# Copyright (c) 2007,2015 Jérémie DECOCK <jd.jdhp@gmail.com> (www.jdhp.org)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
# For more information, see https://github.com/jeremiedecock/iptables-scripts
#
# To display the current Netfilter rules, type the following commands in a Linux
# console (from the administrator account):
#
# iptables -L -n -v
# ip6tables -L -n -v
IP4TABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
[ -x $IP4TABLES ] || { echo "Error: $IP4TABLES not found" ; exit 1 ; }
[ -x $IP6TABLES ] || { echo "Error: $IP6TABLES not found" ; exit 1 ; }
# Setup Netfilter for IPv4 and IPv6
for IPTABLES in "$IP4TABLES" "$IP6TABLES"
do
    # Flush rules
    $IPTABLES -F
    $IPTABLES -X
    # Default rule: accept every packet (incoming, outgoing and forwarded)
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
done
Code:
chown root:root /etc/iptables-*.sh
chmod 700 /etc/iptables-*
On systemd-compatible systems (recent versions of Debian, Ubuntu, Arch, Fedora, ...)
Code:
systemctl start iptables-rules.service
systemctl status iptables-rules.service
On SysV init systems:
Code:
service iptables-rules start
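For that first manual start over SSH, a watchdog that switches the firewall back off unless you confirm within a delay turns a lockout into a one-minute outage. The wrapper below is an added example, not part of the tutorial or of the jdhp scripts; apply_with_rollback and confirm_rules are names I chose, and it assumes the two scripts created above (/etc/iptables-rules.sh to load the rules, /etc/iptables-off.sh to open everything again). The test uses constructed stand-in scripts that only write to a log file, so it runs without root and without touching iptables.

```shell
#!/bin/sh
# Added example: load a rules script with an automatic revert.
#
# apply_with_rollback RULES_SCRIPT OFF_SCRIPT [SECONDS]
#   runs RULES_SCRIPT, then starts a background watchdog that runs OFF_SCRIPT
#   after SECONDS (default 60) unless confirm_rules is called first.
#   If the rules cut your session, nobody confirms and the firewall is
#   switched off again by itself.
apply_with_rollback() {
    rules="$1"; off="$2"; secs="${3:-60}"
    [ -x "$rules" ] && [ -x "$off" ] || { echo "both scripts must exist and be executable" >&2; return 2; }
    # A rules script that fails half-way leaves unknown chains behind: revert at once.
    "$rules" || { echo "rules script failed, reverting" >&2; "$off"; return 1; }
    ( sleep "$secs"; "$off" ) &
    WATCHDOG_PID=$!
    echo "Rules loaded. Run confirm_rules within ${secs}s or they will be reverted (watchdog pid $WATCHDOG_PID)."
}

# Call this from the same shell once a *second* SSH connection has proved that
# the rules let you in. Killing the watchdog subshell before its sleep ends
# means OFF_SCRIPT never runs.
confirm_rules() {
    if kill "$WATCHDOG_PID" 2>/dev/null; then
        echo "Watchdog cancelled, rules kept."
        return 0
    fi
    echo "No running watchdog: the rules were already reverted or never loaded." >&2
    return 1
}

# Typical session on the server (as root):
#   . ./apply-with-rollback.sh
#   apply_with_rollback /etc/iptables-rules.sh /etc/iptables-off.sh 60
#   (open a new SSH connection from your workstation and check it works)
#   confirm_rules
```

Only enable the service at boot (next step) after confirm_rules has been called once on a rule set that was loaded this way; the watchdog protects the manual test, not the boot sequence.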
Before enabling the service at boot, it is recommended to test the settings: in case of a mistake (especially with SSH) you can completely lose access to your system! Once the settings are validated, run:
On systemd-compatible systems (recent versions of Debian, Ubuntu, Arch, Fedora, ...)
Code:
systemctl enable --now iptables-rules.service
On SysV init systems:
Code:
update-rc.d iptables-rules defaults
To stop the firewall, on systemd-compatible systems (recent versions of Debian, Ubuntu, Arch, Fedora, ...)
Code:
systemctl stop iptables-rules.service
On SysV init systems:
Code:
service iptables-rules stop