voici le fichier /etc/init.d/iptables
[code]#
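### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Control iptables firewall.
### END INIT INFO
#
# This init.d script is used to control iptables, based on
# /etc/init.d/iptables on Red Hat Enterprise Linux 5.3, modified
# by Zhang Huangbin (zhb at iredmail.org), iRedMail project
#
# config: /etc/default/iptables
# config: /etc/default/iptables-config
#
# NOTE(review): the interpreter line is not visible in this listing; the
# script relies on bash builtins (let, local) and must run under bash.

# Source function library.
. /lib/lsb/init-functions

IPTABLES='iptables'
# Saved ruleset that "start" feeds to iptables-restore verbatim: whatever is
# in this file becomes kernel policy, so it must stay root-owned, mode 600.
IPTABLES_DATA="/etc/default/$IPTABLES"
IPTABLES_CONFIG="/etc/default/${IPTABLES}-config"
IPV="${IPTABLES%tables}" # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES="/proc/net/${IPV}_tables_names"
VAR_SUBSYS_IPTABLES="/var/lock/subsys/$IPTABLES"
[ -d "$(dirname "$VAR_SUBSYS_IPTABLES")" ] || mkdir -p "$(dirname "$VAR_SUBSYS_IPTABLES")"

# LSB convention: a missing binary is "not installed", exit 0 - note that
# this leaves the host without any firewall and without a non-zero status.
if [ ! -x "/sbin/$IPTABLES" ]; then
    log_daemon_msg "/sbin/$IPTABLES does not exist." "iptables"
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    log_daemon_msg "ipchains and $IPTABLES can not be used together." "iptables"
    exit 0
fi

# Old or new modutils (decides which lsmod output format rmmod_r parses).
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration (the two *_STATUS_* extras are read by
# status() and were previously left undefined):
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="no"

# Load firewall configuration.  The file is *sourced*, i.e. executed as
# shell code with root privileges: keep it root-owned and not writable by
# group/others.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"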
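rmmod_r() {
    # Unload kernel module $1 together with every module that still refers
    # to it: the referring modules go first (recursively), then the module
    # itself.  Returns the number of failed "modprobe -r" calls, 0 on
    # success.  Globals: NEW_MODUTILS (read) selects the lsmod format.
    local mod=$1
    local ret=0
    local ref=
    local dep rc
    # Referring modules.  Match the module name exactly in lsmod's first
    # column: the previous "^${mod}" regex was a prefix match and could pick
    # up (and unload) unrelated modules whose name merely starts with $mod.
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk -v m="$mod" '$1 == m { print $4 }' | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod}[[:space:]]" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi
    # Recurse into the referring modules first.
    for dep in $ref; do
        rmmod_r "$dep"
        rc=$?
        ret=$((ret + rc))
    done
    # Unload the module itself.  Re-check /proc/modules: on 2.6 it may have
    # been auto-removed once its last user went away.
    if grep -q "^${mod}[[:space:]]" /proc/modules 2>/dev/null; then
        modprobe -r "$mod" > /dev/null 2>&1
        rc=$?
        ret=$((ret + rc))
    fi
    return "$ret"
}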
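flush_n_delete() {
    # Flush all rules, delete the (then empty) user-defined chains and zero
    # the counters in every table listed in $PROC_IPTABLES_NAMES.
    # Built-in chain policies are left alone: after this call the host is
    # fully closed under a DROP policy and fully open under ACCEPT.
    # Returns 1 when the firewall is not loaded/configured, otherwise the
    # number of failed iptables calls.
    # Globals: IPTABLES, PROC_IPTABLES_NAMES (read).
    local tables table op ret rc
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1
    log_daemon_msg "Flushing firewall rules" "iptables"
    ret=0
    for table in $tables; do
        # -F flush rules, -X delete user chains, -Z zero counters; every
        # failure is counted, none aborts the loop.
        for op in -F -X -Z; do
            "$IPTABLES" -t "$table" "$op"
            rc=$?
            ret=$((ret + rc))
        done
    done
    if [ "$ret" -eq 0 ]; then log_end_msg 0; else log_end_msg 1; fi
    return "$ret"
}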
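set_policy() {
    # Set the policy of every built-in chain in every loaded table to $1
    # (ACCEPT or DROP).  DROP closes the host completely, ACCEPT opens it
    # completely; callers pair this with flush_n_delete.
    # Returns 1 when the firewall is not loaded/configured, otherwise the
    # number of tables whose policy could not be set.  Tables other than
    # raw/filter/nat/mangle (e.g. "security") count as failures because
    # their chains are not known here.
    # Globals: IPTABLES, PROC_IPTABLES_NAMES (read).
    local policy=$1
    local tables table chains chain ret
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1
    log_daemon_msg "Setting chains to policy $policy"
    ret=0
    for table in $tables; do
        echo -n " $table"
        case "$table" in
            raw)    chains="PREROUTING OUTPUT" ;;
            filter) chains="INPUT OUTPUT FORWARD" ;;
            nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle) chains="PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
            *)      chains="" ;;
        esac
        if [ -z "$chains" ]; then
            ret=$((ret + 1))
            continue
        fi
        # One failure per table, stopping at the first chain that cannot be
        # set - the same accounting the original && chain did.
        for chain in $chains; do
            "$IPTABLES" -t "$table" -P "$chain" "$policy" || { ret=$((ret + 1)); break; }
        done
    done
    if [ "$ret" -eq 0 ]; then log_end_msg 0; else log_end_msg 1; fi
    return "$ret"
}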
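start() {
    # Apply the saved ruleset with iptables-restore, then load the helper
    # modules listed in IPTABLES_MODULES.
    # Returns 1 if the rules file is missing or iptables-restore fails,
    # otherwise the number of helper modules that failed to load.  (With no
    # modules configured "ret" used to be unset, so the function returned
    # the status of "touch" instead of 0.)
    # Globals: IPTABLES, IPTABLES_DATA, IPTABLES_MODULES,
    # IPTABLES_SAVE_COUNTER, VAR_SUBSYS_IPTABLES (read).
    local ret=0 opt= mod rc
    [ -f "$IPTABLES_DATA" ] || return 1
    log_daemon_msg "Applying $IPTABLES firewall rules"
    # -c also restores the packet/byte counters written by iptables-save -c.
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"
    # Whatever is in the rules file becomes kernel policy: keep it owned and
    # writable by root only.  $opt is intentionally unquoted so an empty
    # value disappears from the command line.
    if "${IPTABLES}-restore" $opt "$IPTABLES_DATA"; then
        log_end_msg 0
    else
        log_end_msg 1
        return 1
    fi
    # Load additional modules (helpers).
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n "Loading additional $IPTABLES modules"
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            rc=$?
            ret=$((ret + rc))
        done
        if [ "$ret" -eq 0 ]; then log_end_msg 0; else log_end_msg 1; fi
    fi
    touch "$VAR_SUBSYS_IPTABLES"
    return "$ret"
}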
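stop() {
    # Flush all rules, reset every policy to ACCEPT and, when
    # IPTABLES_MODULES_UNLOAD=yes, unload the ip_tables/conntrack modules.
    # After this the host accepts all traffic: "stop" is fail-open.
    # Returns 1 if the iptables module is not loaded, otherwise the number
    # of module unload failures (0 when unloading is disabled; "ret" used to
    # be unset in that case, returning the status of "rm").
    # Globals: IPV, IPTABLES, IPTABLES_MODULES_UNLOAD, PROC_IPTABLES_NAMES,
    # VAR_SUBSYS_IPTABLES (read).
    local ret=0 rc
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    flush_n_delete
    set_policy ACCEPT
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n "Unloading $IPTABLES modules"
        rmmod_r "${IPV}_tables"
        rc=$?
        ret=$((ret + rc))
        rmmod_r "${IPV}_conntrack"
        rc=$?
        ret=$((ret + rc))
        if [ "$ret" -eq 0 ]; then log_end_msg 0; else log_end_msg 1; fi
    fi
    rm -f "$VAR_SUBSYS_IPTABLES"
    return "$ret"
}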
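save() {
    # Dump the live ruleset to $IPTABLES_DATA (mode 600), keeping the
    # previous file as $IPTABLES_DATA.save.  The dump goes to a private temp
    # file first so that a failed or empty dump never replaces the rules
    # that "start" will load.
    # Returns 1 if the firewall is not loaded/configured or any step fails.
    # Globals: IPTABLES, IPTABLES_DATA, IPTABLES_SAVE_COUNTER,
    # PROC_IPTABLES_NAMES (read).
    local tables opt= ret=0 tmp_file=
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1
    echo -n "Saving firewall rules to $IPTABLES_DATA"
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"
    # mktemp gives an unpredictable name; "-s" rejects an empty dump (a
    # portable replacement for stat -c %s).  iptables-save's stderr is left
    # visible so a failure shows its reason next to the failed status.
    tmp_file=$(/bin/mktemp -q "/tmp/$IPTABLES.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && "${IPTABLES}-save" $opt > "$tmp_file" \
        && [ -s "$tmp_file" ] \
        || ret=1
    if [ "$ret" -eq 0 ] && [ -e "$IPTABLES_DATA" ]; then
        # Keep the previous ruleset.  umask 077 in a subshell means the copy
        # is never readable by others, not even between cp and chmod.
        ( umask 077 && cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" ) \
            && chmod 600 "$IPTABLES_DATA.save" \
            || ret=1
    fi
    if [ "$ret" -eq 0 ]; then
        ( umask 077 && cp -f "$tmp_file" "$IPTABLES_DATA" ) \
            && chmod 600 "$IPTABLES_DATA" \
            || ret=1
    fi
    if [ "$ret" -eq 0 ]; then log_end_msg 0; else log_end_msg 1; fi
    echo
    [ -n "$tmp_file" ] && rm -f "$tmp_file"
    return "$ret"
}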
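status() {
    # Print the active ruleset table by table, honouring the
    # IPTABLES_STATUS_{NUMERIC,VERBOSE,LINENUMBERS} settings.
    # Returns 1 (after a short message) when the firewall is stopped or has
    # no tables loaded, 0 after listing.
    # Globals: IPTABLES, PROC_IPTABLES_NAMES, VAR_SUBSYS_IPTABLES (read).
    local tables table num= verbose= count=
    # The listing read "tables=cat $PROC_IPTABLES_NAMES", which runs cat
    # with an empty "tables" in its environment and never assigns the
    # variable; the command substitution is what was meant.
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    # Stopped: no lockfile and no tables loaded.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$tables" ]; then
        echo "Firewall is stopped."
        return 1
    fi
    # Lockfile present, but the module is not loaded or has no tables.
    if [ ! -e "$PROC_IPTABLES_NAMES" ] || [ -z "$tables" ]; then
        echo "Firewall is not configured. "
        return 1
    fi
    # -n avoids reverse DNS lookups while listing, which can hang.
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && num="-n"
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && verbose="--verbose"
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && count="--line-numbers"
    for table in $tables; do
        echo "Table: $table"
        # The option variables stay unquoted on purpose: an empty one must
        # vanish from the command line.
        "$IPTABLES" -t "$table" --list $num $verbose $count && echo
    done
    return 0
}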
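restart() {
    # Optionally persist the live rules first (IPTABLES_SAVE_ON_RESTART=yes),
    # then stop and start.  Returns start's status.  The quotes on this test
    # had been turned into typographic quotes in the listing.
    if [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ]; then
        save
    fi
    stop
    start
}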
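# Default exit status.  "condrestart" with no running firewall used to leave
# RETVAL unset, so "exit $RETVAL" returned the status of the last command.
RETVAL=0
case "$1" in
    start)
        # NOTE: stop runs first and leaves every policy at ACCEPT.  If start
        # then fails (missing or invalid rules file) the host stays fully
        # open; the failure is only visible through RETVAL.
        stop
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    condrestart)
        if [ -e "$VAR_SUBSYS_IPTABLES" ]; then
            restart
            RETVAL=$?
        fi
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Close first, then flush: setting DROP before flushing avoids a
        # window in which the chains are empty under an ACCEPT policy.
        set_policy DROP
        RETVAL=$?
        flush_n_delete
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
        ;;
esac
exit "$RETVAL"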
[/code]
et voici le fichier /etc/init.d/firewall.sh
[code]PATH=/bin:/sbin:/usr/bin:/usr/sbin
Services that the system will offer to the network
TCP_SERVICES=“22 666 8080” # SSH
UDP_SERVICES=""
Services the system will use from the network
REMOTE_TCP_SERVICES=“80 443 993 465 443 25 8080” # web browsing
REMOTE_UDP_SERVICES=“53” # DNS
FTP backups
Allow backups to an external FTP
FTP_BACKUPS=""
if ! [ -x /sbin/iptables ]; then
exit 0
fi
##########################
# Start the Firewall rules
##########################
fw_start () {
# Build the ruleset: inbound default-DROP with explicit allows, outbound
# default-DROP with explicit allows, then a few sysctl protections.  Meant
# to run after fw_stop (see fw_restart), so the chains are already flushed
# and INPUT is DROP while rules are appended.
#
# NOTE(review): in this listing the heading lines ("Input traffic:",
# "Services", ...) have lost their leading "#" and would be executed as
# commands; they are comments in the original file.  Lines ending in "$"
# were cut off at the terminal width and must be completed from the
# original before use - do not guess the missing --state values, a wrong
# one opens the port inbound.
Input traffic:
# Replies and related packets of connections this host opened.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Host-specific 8080 allow from 192.168.0.254 only (target truncated).
# NOTE(review): 8080 is also in TCP_SERVICES, which is accepted from any
# source below, so this source restriction has no effect as written.
/sbin/iptables -A INPUT -p tcp -s 192.168.0.254 -d 192.168.0.33 --dport 8080 -j$
Services
if [ -n “$TCP_SERVICES” ] ; then
for PORT in $TCP_SERVICES; do
# No -s / -i: accepted from any source address on any interface.
/sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n “$UDP_SERVICES” ] ; then
for PORT in $UDP_SERVICES; do
/sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
Ftp backups
# FTP_BACKUPS is a TCP port; the whole block is skipped while it is empty.
if [ -n “$FTP_BACKUPS” ] ; then
# The following two rules allow the inbound FTP connection
# (--state arguments truncated in this listing)
/sbin/iptables -A INPUT -p tcp --sport ${FTP_BACKUPS} -m state --state $
/sbin/iptables -A OUTPUT -p tcp --dport ${FTP_BACKUPS} -m state --state$
# The next 2 lines allow active ftp connections
#/sbin/iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED$
#/sbin/iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHE$
# These last two rules allow for passive transfers
# (--state arguments truncated in this listing)
/sbin/iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --s$
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --$
fi
Remote testing
# Every ICMP type is accepted inbound, not only echo-request.
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Default deny for anything not matched above.
/sbin/iptables -P INPUT DROP
# Log what reaches the end of the chain before the policy drops it.
# NOTE(review): an unrated LOG rule can flood syslog under a port scan;
# consider "-m limit" here and on the OUTPUT LOG rule below.
/sbin/iptables -A INPUT -j LOG
Output:
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ICMP is permitted:
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
So are security package updates:
Note: You can hardcode the IP address here to prevent DNS spoofing
and to setup the rules even if DNS does not work but then you
will not “see” IP changes for this service:
# The host name is resolved once, when the rule is added; if resolution
# fails iptables rejects this rule and the script carries on without it.
/sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
As well as the services we have defined:
if [ -n “$REMOTE_TCP_SERVICES” ] ; then
for PORT in $REMOTE_TCP_SERVICES; do
/sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n “$REMOTE_UDP_SERVICES” ] ; then
for PORT in $REMOTE_UDP_SERVICES; do
/sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
All other connections are registered in syslog
/sbin/iptables -A OUTPUT -j LOG
# Outbound is rejected (ICMP error) rather than silently dropped so local
# programs fail fast; the DROP policy only sees what REJECT did not handle.
/sbin/iptables -A OUTPUT -j REJECT
/sbin/iptables -P OUTPUT DROP
Other network protections
(some will only work with some kernel versions)
# SYN cookies.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# This host does not route.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Ignore echo requests sent to broadcast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Log packets with impossible source addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path filter (source address must be routable via the incoming
# interface).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Do not emit ICMP redirects, do not accept source-routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
}
##########################
# Stop the Firewall rules
##########################
fw_stop () {
    # "Stop" does not open the host: the filter, nat and mangle tables are
    # flushed, then INPUT and FORWARD get a DROP policy while OUTPUT is
    # ACCEPT.  With no state rule left, replies to outbound connections are
    # dropped as well, so every existing connection - an SSH session
    # included - dies.
    local table
    for table in filter nat mangle; do
        /sbin/iptables -t "$table" -F
    done
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
}
##########################
# Clear the Firewall rules
##########################
fw_clear () {
    # Remove every rule from filter, nat and mangle and set every built-in
    # filter policy to ACCEPT: the host is left completely unprotected.
    # Use fw_stop to close instead.
    local table chain
    for table in filter nat mangle; do
        /sbin/iptables -t "$table" -F
    done
    for chain in INPUT FORWARD OUTPUT; do
        /sbin/iptables -P "$chain" ACCEPT
    done
}
############################
# Restart the Firewall rules
############################
fw_restart () {
    # Rebuild the ruleset from scratch: tear everything down with fw_stop,
    # then apply the rules with fw_start.  The status of fw_start's last
    # command is returned.
    fw_stop ; fw_start
}
##########################
# Save, restore and test the Firewall rules
##########################
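fw_save () {
    # Snapshot the live ruleset to /etc/iptables.backup for fw_restore.
    # The dump reveals the allowed ports and hosts, so it is created under
    # umask 077 and forced to mode 600 when the file already existed (the
    # bare redirection inherited the caller's umask or the old mode).
    # Returns non-zero if iptables-save or chmod fails.
    ( umask 077 && /sbin/iptables-save > /etc/iptables.backup ) \
        && chmod 600 /etc/iptables.backup
}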
fw_restore () {
    # Re-load the snapshot written by fw_save, if there is one.  Without a
    # backup file this is a no-op returning 0; otherwise the status of
    # iptables-restore is returned.
    [ -e /etc/iptables.backup ] || return 0
    /sbin/iptables-restore < /etc/iptables.backup
}
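fw_test () {
    # Try the current ruleset for 30 seconds, then put the previous one
    # back, so a mistake that locks you out heals itself.
    # Returns 1 without touching the firewall if the snapshot cannot be
    # taken: with no valid backup there would be nothing to fall back to
    # (previously the test ran anyway, then "restored" an empty or stale
    # file).  Otherwise returns the status of fw_restore.
    fw_save || return 1
    fw_restart
    sleep 30
    fw_restore
}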
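# Command dispatcher.  The typographic quotes around "$1" and the messages
# in the listing broke every pattern match (the word never equalled
# "start"); plain ASCII quotes are restored.
case "$1" in
    start|restart)
        echo -n "Starting firewall..."
        fw_restart
        echo "done."
        ;;
    stop)
        # fw_stop flushes the state rules and sets INPUT to DROP, so every
        # connection dies, including the session running this command.
        # Anything but y/yes cancels - also the EOF that "read" gets when
        # the script runs non-interactively (e.g. at shutdown).  The prompt
        # now shows the real default (N): it used to say [Y/n] while treating
        # an empty answer as "no".
        # NOTE(review): the warning was cut off after "(incl" in the listing;
        # the wording below is a reconstruction.  printf is used because
        # bash's echo does not interpret \033 without -e, and "read -p" is
        # not portable.
        printf '\033[31;01mBE VERY CAREFUL !!! The incoming and outgoing connections (including the one you are using now) will be dropped.\033[0m\n'
        printf '%s' "Stop all connections ? [y/N] "
        read -r response
        case $response in
            [yY][eE][sS]|[yY])
                echo -n "Stopping firewall..."
                fw_stop
                echo "done."
                ;;
            *)
                echo "canceled"
                ;;
        esac
        ;;
    clear)
        echo -n "Clearing firewall rules..."
        fw_clear
        echo "done."
        ;;
    test)
        echo "Test Firewall rules..."
        echo "Previous configuration will be restored in 30 seconds"
        # fw_test returns non-zero when the rules could not be saved or
        # restored; do not claim a restore happened in that case.
        if fw_test; then
            echo "Configuration has been restored"
        else
            echo "Firewall test did not complete cleanly; check the active rules with iptables -L" >&2
            exit 1
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|clear|test}"
        echo "Be aware that stop drops all incoming/outgoing traffic !!!"
        exit 1
        ;;
esac
exit 0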
[/code]