
Exemples de script init iptables

Note : iptables est maintenant remplacé par nftables.

#!/bin/bash
 
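# Shared helpers (dieIfNotRoot, getPlateformBasename) come from lib/common.sh
# next to this script; the path is quoted so a script directory containing
# spaces still sources correctly.
. "$(dirname "$0")/lib/common.sh"

# Rule changes need root; dieIfNotRoot comes from common.sh and presumably
# exits when not root — confirm in lib/common.sh.
dieIfNotRoot

IPTABLES=/sbin/iptables
# NOTE(review): pf is assigned but never read in this script.
pf=$(getPlateformBasename "$HOSTNAME")

### DEBUT config ###

# Interface the allowlist applies to.
INTERFACE=eth0
# Escaped prefix of the expected VLAN: used as a grep pattern by check(),
# and with the backslashes removed as the /24 rejected by filter().
VLAN='172\.16\.12\.'
# grep -E pattern (case-insensitive) matched against whole /etc/hosts lines
# to select the production hosts allowed in by filter().
REGEX_MACHINE='qua.*1|ftp1|gdp1'

### FIN config ###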
 
 
 
 
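check()
{	# Pre-flight checks: $INTERFACE must carry an address in $VLAN and the
	# iptables service must be running. Exits 10 / 11 on failure, so the
	# caller never reaches flush/filter with a misconfigured interface.
	#
	# The address is read from the 2nd line of net-tools ifconfig output
	# ("inet adr:A.B.C.D ..." -> 4th ':'-separated field); an iproute2-only
	# host or a different ifconfig layout makes this check fail.
	local readable_vlan
	if ! /sbin/ifconfig "$INTERFACE" | sed -n -e '2p' | tr -s ' ' ':' | cut -d':' -f4 | grep -q -e "$VLAN"
	then
		# Turn the escaped pattern back into a readable prefix for the message.
		readable_vlan=${VLAN//\\./.}
		echo "ERREUR. L'interface $INTERFACE n'est pas dans le VLAN $readable_vlan" >&2
		exit 10
	fi

	# iptables must already be started (service status), otherwise stop here.
	if ! /etc/init.d/iptables status >/dev/null
	then
		echo "ERREUR. Le service iptables n'est pas demarre" >&2
		exit 11
	fi
}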
 
flush()
{
	# Reset the filter table: remove every rule and every user-defined chain,
	# then let everything through (INPUT and OUTPUT policy ACCEPT).
	# Only the filter table is touched; nat/mangle and the FORWARD policy
	# are left as they are. After this call the host is unfiltered.
	local chain
	"$IPTABLES" -F
	"$IPTABLES" -X
	for chain in INPUT OUTPUT
	do
		"$IPTABLES" -P "$chain" ACCEPT
	done
}
 
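filter()
{
	# Allowlist: every address in /etc/hosts whose line matches REGEX_MACHINE
	# gets INPUT -> WL_PROD -> ACCEPT on $INTERFACE. Trust is by source
	# address only. The regex is matched against the whole /etc/hosts line
	# (address, canonical name and aliases), so a loose pattern can select
	# more hosts than intended.
	local ip subnet
	"$IPTABLES" -N WL_PROD
	while IFS= read -r ip
	do
		[ -n "$ip" ] || continue
		"$IPTABLES" -A INPUT -i "$INTERFACE" -s "$ip" -j WL_PROD
	done < <(grep -v -e '^#' /etc/hosts | grep -E -i -e "$REGEX_MACHINE" | awk '{print $1}')
	"$IPTABLES" -A WL_PROD -j ACCEPT

	# Replies to connections initiated from this server.
	"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Everything else from the local VLAN is rejected: the /24 is built from
	# VLAN with the backslashes stripped (parameter expansion instead of
	# `tr -d '\'`, whose lone trailing backslash is not portable).
	# Sources outside that /24 match no rule and fall through to the INPUT
	# policy, which flush() set to ACCEPT.
	subnet=${VLAN//\\/}0/24
	"$IPTABLES" -A INPUT -i "$INTERFACE" -s "$subnet" -j REJECT
}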
 
 
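# Entry point: start/restart re-applies the allowlist, stop removes it.
# check() exits with 10/11 on failure, so reaching flush/filter means it
# passed; the former `if [ $? -eq 0 ]` else-branch was unreachable.
case "${1:-}" in

	'start'|'restart')
	check
	flush
	filter
	;;

	'stop')
	# flush alone: no rules left and INPUT/OUTPUT policy ACCEPT, i.e. the
	# host is unfiltered until the next start.
	flush
	;;

	*)
	# Usage errors go to stderr and exit non-zero (2), not 0.
	echo "usage: $0 start|stop|restart" >&2
	exit 2
	;;

esac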
#!/bin/bash
 
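set -e

PATH=$PATH:/sbin

# eth0 faces the "open" network, eth1 the trusted one (accepted wholesale below).
INTERFACE_OPEN=eth0
INTERFACE_SAFE=eth1
# Escaped address prefixes used as grep patterns for the interface checks.
VLAN_OPEN='192\.168\.1\.'
VLAN_SAFE='10\.0\.2'
IP_ZABBIX_SERVER="172.16.110.3"
# (IPSERVER, read with `ifconfig eth0 | grep 'inet adr:'`, was never used and is dropped.)

# Prints the IPv4 address of interface $1 from net-tools ifconfig output
# (2nd line, "inet adr:A.B.C.D ..." -> 4th ':'-separated field). Prints
# nothing useful on iproute2-only hosts or with another ifconfig layout.
iface_addr() {
	/sbin/ifconfig "$1" | sed -n -e '2p' | tr -s ' ' ':' | cut -d':' -f4
}

# With set -e a failing pipeline aborts the script before a following
# `if [ $? -ne 0 ]`, so the checks are written as `if ! ...` to actually
# reach their messages and exit codes (1, 2, 3).
if ! iface_addr "$INTERFACE_OPEN" | grep -q -e "$VLAN_OPEN"
then
	readable_vlan=${VLAN_OPEN//\\./.}
	echo "ERREUR. L'INTERFACE_OPEN $INTERFACE_OPEN n'est pas dans le VLAN $readable_vlan" >&2
	exit 1
fi

# The original queried ifconfig with $VLAN_SAFE (a pattern) instead of the
# interface name, and reported the wrong interface in the message.
if ! iface_addr "$INTERFACE_SAFE" | grep -q -e "$VLAN_SAFE"
then
	readable_vlan=${VLAN_SAFE//\\./.}
	echo "ERREUR. L'INTERFACE_SAFE $INTERFACE_SAFE n'est pas dans le VLAN $readable_vlan" >&2
	exit 2
fi

if ! /etc/init.d/iptables status >/dev/null
then
	echo "ERREUR. Le service iptables n'est pas démarré" >&2
	exit 3
fi

## Flush the filter table and delete user chains (nat/mangle are not touched).
iptables -F
iptables -X

## Default-deny on all three chains before any ACCEPT rule exists (fail
## closed). Until the ESTABLISHED rule below is added, packets of existing
## sessions — e.g. the SSH session running this script — hit the DROP policy.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## Replies to connections opened from this host.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Outbound: everything that is not INVALID is accepted, so the OUTPUT DROP
## policy only ever catches INVALID packets, and the per-port OUTPUT rules
## below (DNS, ICMP) are already covered by this one.
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

## Loopback, inserted at the head of INPUT.
iptables -I INPUT -i lo -j ACCEPT

# Everything arriving on the trusted interface is accepted, also inserted at the head.
iptables -I INPUT -i "$INTERFACE_SAFE" -j ACCEPT

# DNS: one pair of rules per nameserver listed in /etc/resolv.conf. The
# original put all nameservers in one unquoted variable, which expands to
# several arguments after -d when more than one is listed.
while IFS= read -r nameserver
do
	[ -n "$nameserver" ] || continue
	iptables -A OUTPUT -o "$INTERFACE_OPEN" -d "$nameserver" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -o "$INTERFACE_OPEN" -d "$nameserver" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done < <(awk '/^nameserver/ {print $2}' /etc/resolv.conf)
#iptables -A INPUT  -i $INTERFACE_OPEN -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT

# SERVER SSH — reachable from any source on the open interface.
iptables -A INPUT -i "$INTERFACE_OPEN" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# SERVER Agent Zabbix — only from the Zabbix server address.
iptables -A INPUT -i "$INTERFACE_OPEN" -s "$IP_ZABBIX_SERVER" -p tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP in both directions, unrestricted (see the note at
# http://www.oregontechsupport.com/articles/icmp.txt on restricting it).
# OUTPUT rules take -o: the original `-i` on OUTPUT is rejected by iptables
# and, under set -e, stopped the script before the per-role rules below.
iptables -A INPUT  -i "$INTERFACE_OPEN" -p icmp -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE_OPEN" -p icmp -j ACCEPT

# Per-role rules chosen by hostname substring; the first matching arm wins.
# Source hostnames (qua-web3, qua-app3) are resolved by iptables when the
# rule is added, not per packet.
case "$HOSTNAME" in
	*web*)
		echo "Machine WEB"
		# SERVER HTTP/HTTPS
		iptables -A INPUT -i "$INTERFACE_OPEN" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
		iptables -A INPUT -i "$INTERFACE_OPEN" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
		# SERVER NFS
		#iptables -A INPUT -i $INTERFACE_OPEN -p tcp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
		#iptables -A INPUT -i $INTERFACE_OPEN -p udp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
		;;

	*app*)
		echo "Machine APP"
		# Application port, only from the web tier host.
		iptables -A INPUT -i "$INTERFACE_OPEN" -s qua-web3 -p tcp --dport 9960 -m state --state NEW,ESTABLISHED -j ACCEPT
		;;

	*db*)
		echo "Machine DB"
		# SERVER Postgres, only from the app tier host.
		iptables -A INPUT -i "$INTERFACE_OPEN" -s qua-app3 -p tcp --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
		;;

esac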

/usr/share/doc/openvpn/examples/sample-config-files/firewall.sh

#!/bin/sh
 
# A Sample OpenVPN-aware firewall.
 
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.
 
# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
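# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
# The nat table is flushed as well: the MASQUERADE rule at the end is
# appended (-A), so without this every run of the script added a duplicate.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr.
# These come before the "Allow local loopback" rules below, which have no
# interface match, so loopback addresses seen on eth0 are dropped first.
iptables -A INPUT -i eth0 -s "$LOOP" -j DROP
iptables -A FORWARD -i eth0 -s "$LOOP" -j DROP
iptables -A INPUT -i eth0 -d "$LOOP" -j DROP
iptables -A FORWARD -i eth0 -d "$LOOP" -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Check source address validity on packets going out to internet.
# `! -s` is the current negation syntax; iptables reports the older
# intrapositioned `-s !` form as deprecated.
iptables -A FORWARD ! -s "$PRIVATE" -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s "$LOOP" -j ACCEPT
iptables -A INPUT -d "$LOOP" -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled).
# No interface match: these ports are open on eth0, eth1 and the tunnels.
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets.
# The OUTPUT rule is redundant with the OUTPUT ACCEPT policy set above;
# it is kept so the chain documents the intent explicitly.
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s "$PRIVATE" -o eth0 -j MASQUERADE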

Source : http://www.linuxjournal.com/content/server-hardening?page=0,1

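# make sure forwarding is off and clear everything
# also turn off ipv6 cause if you don't need it
# turn it off
# (sysctl here changes the running kernel only; persist the two settings
# in sysctl.conf if they must survive a reboot)
sysctl net.ipv6.conf.all.disable_ipv6=1
sysctl net.ipv4.ip_forward=0
# one flush and one delete-chain per table (-F and --flush are the same
# option, so the former duplicate flush of the filter table is gone)
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain


#make the default: drop inbound and forwarded traffic; outbound is left at ACCEPT
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP


#allow all in loopback
iptables -A INPUT -i lo -j ACCEPT

#allow related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow ssh, in any state; NEW ssh is also covered by the multiport rule below
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,http,https -j ACCEPT
# NOTE(review): the rule that follows this block in the page (192.168.1.0/24,
# multiport http,https) has no -j target as reproduced here; iptables refuses
# a rule without a target, so the line looks truncated.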
 
 
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports http,https