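# Generated by iptables-save v1.4.21 on Mon Aug 17 18:53:16 2015
#
# Stateful IPv4 host firewall for 192.168.0.17 on wlan0. The raw, mangle
# and nat tables carry no rules; all policy lives in *filter, which is
# default-DROP on INPUT, FORWARD and OUTPUT and dispatches new traffic
# into per-protocol allow-list chains (icmpv4in/icmpv4out, intcp, inudp,
# tcpout, udpout) plus a shared log-then-block chain (logbad -> blacklist).
# No ip6tables rules are part of this dump.
#
# Note on the comment lines below: the "# Generated"/"# Completed" markers,
# the ":P" of :PREROUTING/:POSTROUTING and the straight double quotes around
# --comment strings are restored here; iptables-restore rejects the file
# without them.
*raw
:PREROUTING ACCEPT [40:4558]
:OUTPUT ACCEPT [44:3507]
COMMIT
# Completed on Mon Aug 17 18:53:16 2015
# Generated by iptables-save v1.4.21 on Mon Aug 17 18:53:16 2015
*mangle
:PREROUTING ACCEPT [40:4558]
:INPUT ACCEPT [38:4450]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3507]
:POSTROUTING ACCEPT [40:3271]
COMMIT
# Completed on Mon Aug 17 18:53:16 2015
# Generated by iptables-save v1.4.21 on Mon Aug 17 18:53:16 2015
*nat
:PREROUTING ACCEPT [5:342]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:236]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Aug 17 18:53:16 2015
# Generated by iptables-save v1.4.21 on Mon Aug 17 18:53:16 2015
*filter
# Built-in chains default to DROP: anything not explicitly accepted below is
# discarded silently (only traffic that reaches logbad is logged).
:INPUT DROP [3:234]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:236]
# User chains.
#   Referenced and populated: blacklist, icmpv4in, icmpv4out, intcp, inudp,
#     logbad, tcpout, udpout.
#   Defined but never jumped to in this dump: badudp, martians, newnotsyn,
#     nospoof, spamhaus (newnotsyn has rules, the other four are empty).
#   NOTE(review): badtcp is jumped to from intcp but contains no rules, so a
#     packet sent there returns to intcp and is ACCEPTed by the CIFS rule
#     that follows -- the CIFS burst limit logs but does not block. Confirm
#     whether badtcp was meant to DROP or to jump to blacklist.
:badtcp - [0:0]
:badudp - [0:0]
:blacklist - [0:0]
:icmpv4in - [0:0]
:icmpv4out - [0:0]
:intcp - [0:0]
:inudp - [0:0]
:logbad - [0:0]
:martians - [0:0]
:newnotsyn - [0:0]
:nospoof - [0:0]
:spamhaus - [0:0]
:tcpout - [0:0]
:udpout - [0:0]
# INPUT: loopback first, then ESTABLISHED/RELATED flows for the wlan0
# address, then new traffic dispatched by protocol. ICMP and UDP enter their
# chains at most 1/sec (-m limit); excess falls through to the DROP policy.
# TCP that is neither ESTABLISHED nor a pure SYN is not dispatched anywhere
# (newnotsyn is unreferenced) and hits the DROP policy unlogged.
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -d 192.168.0.17/32 -i wlan0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.0.17/32 -i wlan0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -d 192.168.0.17/32 -i wlan0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.0.17/32 -i wlan0 -p icmp -m limit --limit 1/sec -j icmpv4in
-A INPUT -d 192.168.0.17/32 -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j intcp
-A INPUT -d 192.168.0.17/32 -i wlan0 -p udp -m limit --limit 1/sec -j inudp
# NOTE(review): the next rule has no -j target, so it only refreshes the
# BLACKLIST entry of a source that reaches it. Nothing in INPUT drops on
# BLACKLIST membership, and this rule sits after every ACCEPT rule, so a
# blacklisted host's otherwise-permitted traffic (e.g. CIFS SYNs via intcp)
# is still accepted. Also, 84600 s is 23.5 h; if a 24 h window was intended
# the value is 86400 -- confirm.
-A INPUT -d 192.168.0.17/32 -i wlan0 -m recent --update --seconds 84600 --rttl --name BLACKLIST --mask 255.255.255.255 --rsource
# FORWARD: only ESTABLISHED/RELATED conntrack states to or from the wlan0
# address are matched; no rule admits NEW, so no connection can be opened
# through this host.
-A FORWARD -d 192.168.0.17/32 -i wlan0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.17/32 -i wlan0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -d 192.168.0.17/32 -i wlan0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.17/32 -o wlan0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.17/32 -o wlan0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -s 192.168.0.17/32 -o wlan0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
# OUTPUT: loopback, ESTABLISHED/RELATED, then outbound ICMP / TCP SYN / UDP
# are checked by icmpv4out, tcpout and udpout. Unlike the others, the ICMP
# dispatch has no -s filter; icmpv4out itself requires -s 192.168.0.17.
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.17/32 -o wlan0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.0.17/32 -o wlan0 -p tcp -m conntrack --ctstate RELATED -j ACCEPT
-A OUTPUT -s 192.168.0.17/32 -o wlan0 -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p icmp -j icmpv4out
-A OUTPUT -s 192.168.0.17/32 -o wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j tcpout
-A OUTPUT -s 192.168.0.17/32 -o wlan0 -p udp -j udpout
# blacklist: record the source address in the BLACKLIST recent list and drop
# the packet. See the INPUT note above: the list is never consulted with a
# drop target, so membership has no effect beyond this one packet.
-A blacklist -m recent --set --name BLACKLIST --mask 255.255.255.255 --rsource -j DROP
# icmpv4in: inbound ICMP by type, mostly limited to the local /24; router
# advertisement/solicitation and address-mask replies are accepted only from
# 192.168.0.254 (presumably the router -- confirm). Anything else is handed
# to logbad, which logs and REJECTs ICMP.
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -m comment --comment "ICMP Echo reply" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -m comment --comment "ICMP Destination Net Unreachable" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -m comment --comment "ICMP Destination Host Unreachable" -j ACCEPT
-A icmpv4in -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 3/3 -m conntrack --ctstate RELATED -m comment --comment "ICMP Destination Port Unreachable" -j ACCEPT
-A icmpv4in -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "ICMP Echo mssg" -j ACCEPT
-A icmpv4in -s 192.168.0.254/32 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -m comment --comment "ICMP Router Advert" -j ACCEPT
-A icmpv4in -s 192.168.0.254/32 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -m comment --comment "ICMP Router Select" -j ACCEPT
-A icmpv4in -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -m comment --comment "ICMP Time exceeded" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -m comment --comment "ICMP Param pb" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "ICMP Timestamp mssg" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -m comment --comment "ICMP Timestamp reply" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "ICMP Addr Mask mssg" -j ACCEPT
-A icmpv4in -s 192.168.0.254/32 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -m comment --comment "ICMP Addr Mask reply" -j ACCEPT
-A icmpv4in -s 192.168.0.0/24 -d 192.168.0.17/32 -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -m comment --comment "ICMP Traceroute" -j ACCEPT
-A icmpv4in -p icmp -j logbad
# icmpv4out: mirror of icmpv4in for packets sourced from 192.168.0.17; the
# same type set, with the same /24 and 192.168.0.254 restrictions.
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 3/0 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 3/1 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -p icmp -m icmp --icmp-type 3/3 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.254/32 -p icmp -m icmp --icmp-type 9 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.254/32 -p icmp -m icmp --icmp-type 10 -m conntrack --ctstate NEW -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate RELATED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 13 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 17 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.254/32 -p icmp -m icmp --icmp-type 18 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A icmpv4out -s 192.168.0.17/32 -d 192.168.0.0/24 -p icmp -m icmp --icmp-type 30 -m conntrack --ctstate NEW,RELATED -j ACCEPT
-A icmpv4out -p icmp -j logbad
# intcp: new inbound TCP (SYN) to the wlan0 address. Only the NetBIOS/CIFS
# ports are accepted, from any source. The three recent-list rules track
# new CIFS connections per source address: the first records the source,
# the second logs once a source exceeds 20 hits within 60 s, and the third
# jumps such a source to badtcp (empty -- see the chain note above). All
# other SYNs go to logbad.
-A intcp -p tcp -m multiport --dports 135,137,138,139,445 -m conntrack --ctstate NEW -m recent --set --name CIFS --mask 255.255.255.255 --rsource
-A intcp -p tcp -m multiport --dports 135,137,138,139,445 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name CIFS --mask 255.255.255.255 --rsource -j LOG --log-prefix "IPv4 BAD CIFS: "
-A intcp -p tcp -m multiport --dports 135,137,138,139,445 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name CIFS --mask 255.255.255.255 --rsource -j badtcp
-A intcp -p tcp -m multiport --dports 135,137,138,139,445 -m comment --comment "Microsoft Netbios, SMB/CIFS" -j ACCEPT
-A intcp -p tcp -j logbad
# inudp: inbound UDP -- DHCP (server 67 <-> client 68) and mDNS 5353;
# everything else to logbad.
# NOTE(review): the DHCP rule is stored with inverted ranges (68:67). The
# kernel port match tests min <= port <= max, so with min > max it may
# never match and DHCP replies would end up in logbad; check the rule
# counters and, if so, rewrite as --sport 67:68 --dport 67:68.
-A inudp -p udp -m udp --sport 68:67 --dport 68:67 -j ACCEPT
-A inudp -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -m comment --comment "Gestion AVAHI udp" -j ACCEPT
-A inudp -p udp -j logbad
# logbad: shared log-then-block chain with per-protocol rate-limited LOG
# lines. Fragments are logged; ICMP is logged then REJECTed; an unsolicited
# SYN+ACK in state NEW gets a tcp-reset; other TCP is logged and sent to
# blacklist (which DROPs); UDP is logged; the final rule DROPs everything
# that remains.
-A logbad -f -m limit --limit 3/min -j LOG --log-prefix "IPv4 Scan FRAG: " --log-tcp-options --log-ip-options
-A logbad -p icmp -m limit --limit 3/min -j LOG --log-prefix "IPv4 Scan ICMP: " --log-tcp-options --log-ip-options
-A logbad -p icmp -j REJECT --reject-with icmp-host-prohibited
-A logbad -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A logbad -p tcp -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPv4 Scan TCP: " --log-tcp-options --log-ip-options
-A logbad -p tcp -j blacklist
-A logbad -p udp -m limit --limit 10/min -j LOG --log-prefix "IPv4 Scan UDP: " --log-tcp-options --log-ip-options
-A logbad -j DROP
# newnotsyn: would log and blacklist TCP packets that are NEW but not SYN.
# Nothing jumps here in this dump, so such packets currently hit the INPUT
# DROP policy without being logged.
-A newnotsyn -p tcp -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPv4 NEW NOT SYN: " --log-tcp-options --log-ip-options
-A newnotsyn -p tcp -j blacklist
# tcpout: new outbound TCP from an ephemeral source port, to any
# destination. Plain-text services (FTP 20/21, HTTP 80, POP3 110, IMAP 143,
# SMTP 25) are allowed alongside their TLS counterparts (443, 993, 995,
# 465); DNS 53, WHOIS 43 and HKP 11371 are also open, as are NetBIOS/CIFS
# and LPD/IPP/JetDirect printing. Unmatched SYNs fall to the OUTPUT DROP
# policy unlogged.
-A tcpout -p tcp -m tcp --sport 1024:65535 -m multiport --dports 53,80,20,21,143,110,11371,25,43 -m conntrack --ctstate NEW -m comment --comment "TCP ports authorized" -j ACCEPT
-A tcpout -p tcp -m tcp --sport 1024:65535 -m multiport --dports 443,993,995,465 -m conntrack --ctstate NEW -m comment --comment "TCP Secure ports authorized" -j ACCEPT
-A tcpout -p tcp -m tcp --sport 1024:65535 -m multiport --dports 135,137,138,139,445 -m conntrack --ctstate NEW -m comment --comment "Microsoft Netbios, SMB/CIFS" -j ACCEPT
-A tcpout -p tcp -m tcp --sport 1024:65535 -m multiport --dports 515,631,9100 -m conntrack --ctstate NEW -m comment --comment "LDP, Cups, JetDirect…" -j ACCEPT
# udpout: outbound UDP to any destination -- DHCP client, DNS/mDNS, NTP,
# NetBIOS/SSDP and LPD/IPP. Unmatched datagrams fall to the OUTPUT DROP
# policy unlogged.
-A udpout -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A udpout -p udp -m multiport --dports 53,5353 -m conntrack --ctstate NEW -m comment --comment "UDP (DNS, mDNS) ports authorized" -j ACCEPT
-A udpout -p udp -m multiport --dports 123 -m conntrack --ctstate NEW -m comment --comment "Others UDP ports authorized" -j ACCEPT
-A udpout -p udp -m multiport --dports 135,137,138,139,1900 -m conntrack --ctstate NEW -m comment --comment "Microsoft Netbios, SMB/CIFS" -j ACCEPT
-A udpout -p udp -m multiport --dports 515,631 -m conntrack --ctstate NEW -m comment --comment "LDP, Cups, JetDirect…" -j ACCEPT
COMMIT
# Completed on Mon Aug 17 18:53:16 2015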