Bonsoir,
je viens de me lancer dans un petit script pour configurer mon firewall avec des services classiques (http/dns/ssh) tout en étant protégé contre les DOS.
Ma configuration doit accepté l’icmp “avec modération” cependant tous les paquets se font jetés ! Une idée ?
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 6.0.2 (squeeze)
Release: 6.0.2
Codename: squeeze
$ uname -a
Linux kimsufi 2.6.39.1-last-grsec-xxxx-std-ipv6-64 #2 SMP Sat Jun 18 14:53:00 CEST 2011 x86_64 GNU/Linux
Script basé sur
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
# Services que le systèmes offrira au réseau
# SSH : 22
# DNS : 53
# WEB : 80 443 8080
TCP_SERVICES="22 53 80 443 8080"
# DNS 53
# DHCP 67 68
UDP_SERVICES="53 67 68 138"
# Services que le système utilisera du réseau
# DNS 53
# WEB 80 443
REMOTE_TCP_SERVICES="22 53 80 443"
# DNS 31
# DHCP 67 68 138
# ntp
REMOTE_UDP_SERVICES="53 67 68 123 138"
if ! [ -x /sbin/iptables ]; then
exit 0
fi
fw_start () {
# Nettoyage
/sbin/iptables --flush
# Création de la chaine LOGDROP : Suppression+LOG
/sbin/iptables -N LOGDROP > /dev/null 2> /dev/null
/sbin/iptables -F LOGDROP
/sbin/iptables -A LOGDROP -m limit -j LOG --log-prefix "[DROP-IN] "
/sbin/iptables -A LOGDROP -j DROP
# Création de la chaine LOGDROP : Suppression+LOG
/sbin/iptables -N DROPFLOOD > /dev/null 2> /dev/null
/sbin/iptables -F DROPFLOOD
/sbin/iptables -A DROPFLOOD -m limit -j LOG --log-prefix "[DROP-FLOOD] "
/sbin/iptables -A DROPFLOOD -j DROP
############################# TRAFFIC ENTRAN ################################
# Traffic local
sbin/iptables -A INPUT -i lo -j ACCEPT
# Session déjà établie
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services TCP
if [ -n "$TCP_SERVICES" ] ; then
for PORT in $TCP_SERVICES; do
/sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
# Services UDP
if [ -n "$UDP_SERVICES" ] ; then
for PORT in $UDP_SERVICES; do
/sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
# A Virer en prod (test vmware)
/sbin/iptables -A INPUT -s 172.16.52.1 -p udp --dport 17500 -j ACCEPT
############ Protection contre le flood
# Chaine ICMP flood
/sbin/iptables -N icmp-flood
# On entre dans la chaine pour l'icmp
/sbin/iptables -A INPUT -p icmp -j icmp-flood
# Get out of chain if packet rate for the same IP is below 4 per second with a burst of 8 per second
/sbin/iptables -A icmp-flood -m limit --limit 4/s --limit-burst 8 -m comment --comment "[DROP-IN-ICMP-FLOOD][Limit ICMP rate] " -j RETURN
# Log as flood when rate is higher
/sbin/iptables -A icmp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "[DROP-IN-ICMP-FLOOD] "
# Blacklist IP for 3 minutes
/sbin/iptables -A icmp-flood -m recent --name blacklist_180 --set -m comment --comment "[DROP-IN-ICMP-FLOOD][Blacklist source IP] " -j DROPFLOOD
# Chaine UDP flood
/sbin/iptables -N udp-flood
/sbin/iptables -F udp-flood
# Jump to chain if UDP
/sbin/iptables -A INPUT -p udp -j udp-flood
# Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!)
/sbin/iptables -A udp-flood -m limit --limit 5/s --limit-burst 20 -m comment --comment "[DROP-IN-UDP-FLOOD][Limit UDP rate] " -j RETURN
# Log
/sbin/iptables -A udp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "[DROP-IN-UDP-FLOOD] "
# 3 minutes ban for flooders
/sbin/iptables -A udp-flood -m recent --name blacklist_180 --set -m comment --comment "[DROP-IN-UDP-FLOOD][Blacklist source IP] " -j DROPFLOOD
# Create syn-flood chain
/sbin/iptables -N syn-flood > /dev/null 2> /dev/null
/sbin/iptables -F syn-flood
# Jump into syn-flood chain when a syn packet is detected
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
# Limit packet rate to 2 per second with a 6 per second burst
/sbin/iptables -A syn-flood -m limit --limit 2/s --limit-burst 6 -m comment --comment "[DROP-IN-UDP-FLOOD][Limit TCP SYN rate] " -j RETURN
# Log flooders
/sbin/iptables -A syn-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "[DROP-IN-SYN-FLOOD] "
# Ban flooders for 3 minutes
/sbin/iptables -A syn-flood -m recent --name blacklist_180 --set -m comment --comment "[DROP-IN-UDP-FLOOD][Blacklist source IP]" -j DROPFLOOD
# Log des autres paquets qui seront supprimés
/sbin/iptables -A INPUT -j LOGDROP
/sbin/iptables --policy INPUT DROP
################################### SORTIE ################################
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP est permis
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
# Ainsi que pour tous les services que nous avons définis
if [ -n "$REMOTE_TCP_SERVICES" ] ; then
for PORT in $REMOTE_TCP_SERVICES; do
/sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n "$REMOTE_UDP_SERVICES" ] ; then
for PORT in $REMOTE_UDP_SERVICES; do
/sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
# Toutes les autres connexions sont enregistrées dans syslog
/sbin/iptables -A OUTPUT -j LOG --log-prefix '[DROP-OUT] '
/sbin/iptables -A OUTPUT -j REJECT
/sbin/iptables --policy OUTPUT DROP
# Autres protections réseau
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
}
fw_stop () {
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
}
fw_clear () {
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
}
case "$1" in
start|restart)
echo -n "Starting firewall.."
fw_stop
fw_start
echo "done."
;;
stop)
echo -n "Stopping firewall.."
fw_stop
echo "done."
;;
clear)
echo -n "Clearing firewall rules.."
fw_clear
echo "done."
;;
*)
echo "Usage: $0 {start|stop|restart|clear}"
exit 1
;;
esac
exit 0iptables -L
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- 172.16.52.1 anywhere udp dpt:17500
icmp-flood icmp -- anywhere anywhere
udp-flood udp -- anywhere anywhere
syn-flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOGDROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
LOG all -- anywhere anywhere LOG level warning prefix `[DROP-OUT] '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain DROPFLOOD (3 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `[DROP-FLOOD] '
DROP all -- anywhere anywhere
Chain LOGDROP (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/hour burst 5 LOG level warning prefix `[DROP-IN] '
DROP all -- anywhere anywhere
Chain icmp-flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 4/sec burst 8 /* [DROP-IN-ICMP-FLOOD][Limit ICMP rate] */
LOG all -- anywhere anywhere limit: avg 6/hour burst 1 LOG level warning prefix `[DROP-IN-ICMP-FLOOD] '
DROPFLOOD all -- anywhere anywhere recent: SET name: blacklist_180 side: source /* [DROP-IN-ICMP-FLOOD][Blacklist source IP] */
Chain syn-flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 2/sec burst 6 /* [DROP-IN-UDP-FLOOD][Limit TCP SYN rate] */
LOG all -- anywhere anywhere limit: avg 6/hour burst 1 LOG level warning prefix `[DROP-IN-SYN-FLOOD] '
DROPFLOOD all -- anywhere anywhere recent: SET name: blacklist_180 side: source /* [DROP-IN-UDP-FLOOD][Blacklist source IP] */
Chain thyl-icmp-flood (0 references)
target prot opt source destination
Chain thyl-syn-flood (0 references)
target prot opt source destination
Chain thyl-udp-flood (0 references)
target prot opt source destination
Chain udp-flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 5/sec burst 20 /* [DROP-IN-UDP-FLOOD][Limit UDP rate] */
LOG all -- anywhere anywhere limit: avg 6/hour burst 1 LOG level warning prefix `[DROP-IN-UDP-FLOOD] '
DROPFLOOD all -- anywhere anywhere recent: SET name: blacklist_180 side: source /* [DROP-IN-UDP-FLOOD][Blacklist source IP] */ Paquets jetés :
Jul 14 19:53:59 kimsufi kernel: [DROP-IN] IN=eth0 OUT= MAC=00:0c:29:10:8f:de:00:50:56:c0:00:08:08:00 SRC=172.16.52.1 DST=172.16.52.128 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3334 SEQ=1
Jul 14 19:54:00 kimsufi kernel: [DROP-IN] IN=eth0 OUT= MAC=00:0c:29:10:8f:de:00:50:56:c0:00:08:08:00 SRC=172.16.52.1 DST=172.16.52.128 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3334 SEQ=2
P.S : Oui mon post est une fois de plus long 