Dedicated server attack protection

Hello, I have a dedicated server at OVH with a game server on it. But some guy is amusing himself by making the server lag to death; I think he's going through the ports. How can I secure my dedicated server as much as possible? I have arno-iptables-firewall and iptables.
The IP of the dedicated server is ns28236.ovh.net

My config for this software is:

[quote]
###############################################################################

You should put this config-file in /etc/arno-iptables-firewall/

###############################################################################

--------------------------- Configuration file ------------------------------

-= Arno’s iptables firewall =-

Single- & multi-homed firewall script with DSL/ADSL support

© Copyright 2001-2006 by Arno van Amersfoort

Homepage : rocky.eld.leidenuniv.nl/

Freshmeat : freshmeat.net/projects/iptables- … pic_id=151

Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl

(note: you must remove all spaces and substitute the @ and the .

at the proper locations!)

-----------------------------------------------------------------------------

This program is free software; you can redistribute it and/or modify it under

the terms of the GNU General Public License as published by the Free Software

Foundation; either version 2 of the License, or (at your option) any later

version.

This program is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for

more details.

You should have received a copy of the GNU General Public License along with

this program; if not, write to the Free Software Foundation Inc., 59 Temple

Place - Suite 330, Boston, MA 02111-1307, USA.

-----------------------------------------------------------------------------

Location of the iptables-binary (use ‘locate iptables’ or ‘whereis iptables’

to manually locate it).

-----------------------------------------------------------------------------

IPTABLES="/sbin/iptables"

###############################################################################

External (internet) interface settings

###############################################################################

The external interface(s) that will be protected (and used as internet

connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL

modems otherwise it’s probably “ethX” (eg. eth0). Multiple interfaces should

be space separated.

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

EXT_IF=“eth0”

Enable if THIS machines (dynamically) obtains its IP through DHCP (from your

ISP).

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP

(EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should

only use this if you for example have a corporate network and/or running a

DHCP server on your external(!) interface. Home users should normally NOT

touch this setting. Multiple subnets should be space separated.

Don’t forget to specify a proper subnet masker (eg. /24, /16 or /Cool!

-----------------------------------------------------------------------------

EXTERNAL_NET=""

(EXPERT SETTING!) Here you can specify the IP address used for broadcasts

on your external subnet. You only need to set this option if you want to use

the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast

address (not .255.255.255, ..255.255 or ...255)! So normally leaving

this empty should work fine. Multiple addresses (if you have more than one

external interface) should be space separated.

-----------------------------------------------------------------------------

EXT_NET_BCAST_ADDRESS=""

Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on

the external(!) interface. Note that you don’t need this for internal

subnets, as for these nets everything is accepted by default. Don’t forget to

configure the EXTERNAL_NET variable, to make this work.

-----------------------------------------------------------------------------

EXTERNAL_DHCP_SERVER=0

###############################################################################

(ADSL) Modem settings

The MODEM_xxx options should (only) be used when you have an ((A)DSL)

modem which works with a ppp-connection between the modem and the

host the modem is connected to.

You can check whether this applies for your (hardware) setup with

‘ifconfig’ (a ‘ppp’ device is shown).

This means that if your modem is bridging or an NAT router) or the

network interface the modem is connected to doesn’t have an IP, you

should leave the MODEM_xxx options disabled (=default)!

###############################################################################

The physical(!) network interface your ADSL modem is connected to (this is

not ppp0!).

-----------------------------------------------------------------------------

#MODEM_IF=“eth1”

(optional) The IP of the network interface (MODEM_IF) your ADSL modem is

connected to (IP shown for the modem interface (MODEM_IF) in ‘ifconfig’).

-----------------------------------------------------------------------------

#MODEM_IF_IP=“10.0.0.150”

(optional) The IP of your (A)DSL modem itself.

-----------------------------------------------------------------------------

#MODEM_IP=“10.0.0.138”

(EXPERT SETTING!). Here you can specify the hosts/local net(s) that should

have access to the (A)DSL modem itself (manage modem settings, if supported

by your modem!). The default setting ("$INTERNAL_NET") allows access from

everybody on your LAN.

-----------------------------------------------------------------------------

#MODEM_INTERNAL_NET="$INTERNAL_NET"

###############################################################################

Internal (LAN) interface settings

###############################################################################

Specify here your internal network (LAN) interface(s). Multiple(!) interfaces

should be space separated. Remark this if you don’t have any internal network

interfaces. Note that by default ALL traffic is accepted from these

interfaces.

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

INT_IF="$DC_INT_IF"

Specify here the internal subnet which is connected to the internal interface

(INT_IF). For multiple interfaces(!) you can either specify multiple subnets

here or specify one big subnet for all internal interfaces. Note that this

variable is mainly used for antispoofing.

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

INTERNAL_NET="$DC_INTERNAL_NET"

(EXPERT SETTING!) Here you can specify the IP address used for broadcasts

on your internal subnet. You only need to set this option if you want to use

the MAC filter AND you use a non-standard broadcast address

(not .255.255.255, ..255.255 or ...255)! So normally leaving

this empty should work fine. Multiple addresses (if you have multiple

internal nets) should be space separated.

-----------------------------------------------------------------------------

INT_NET_BCAST_ADDRESS=""

Uncomment & specify here the location of the file that contains the MAC

addresses of INTERNAL hosts that are allowed. The MAC addresses should be

written like 00:11:22:33:44:55

Note that the last line of this

file should always contain a carriage-return (enter)!

-----------------------------------------------------------------------------

#MAC_ADDRESS_FILE=/etc/arno-iptables-firewall/mac-addresses

###############################################################################

DMZ (aka DeMilitarized Zone) settings

###############################################################################

Put in the following variable the network interfaces that are DMZ-classified.

You can also use this interface if you want to shield your Wireless network

from your LAN.

-----------------------------------------------------------------------------

DMZ_IF=""

Specify here the subnet which is connected to the DMZ interface (DMZ_IF).

For multiple interfaces(!) you can either specify multiple subnets here or

specify one big subnet for all DMZ interfaces.

-----------------------------------------------------------------------------

DMZ_NET=""

###############################################################################

NAT (Masquerade, SNAT, DNAT) settings

###############################################################################

Enable this if you want to perform NAT (masquerading) for your internal

network (LAN) (eg. share your internet connection with your internal

net(s) connected to eg. INT_IF).

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

NAT=$DC_NAT

(EXPERT SETTING!). In case you would like to use SNAT instead of

MASQUERADING then uncomment and set the IP or IP’s here of your static

external address(es). Note that when multiple IP’s are specified, SNAT

multiroute is enabled (load balancing over multiple external (internet)

interfaces, check the README file for more info). Note that the order of IP’s

should match the order of interfaces (they belong to) in $EXT_IF!

-----------------------------------------------------------------------------

#NAT_STATIC_IP=“193.2.1.1”

(EXPERT SETTING!). Use this variable only if you want specific subnets or

hosts to be able to access the internet. When no value is specified, your

whole internal net will have access. In both cases it’s obviously only

meaningful when NAT is enabled. Note that you can also use this variable if

you want to use NAT for your DMZ.

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

NAT_INTERNAL_NET="$DC_NAT_INTERNAL_NET"

NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to

an internal client through (D)NAT. Note that you can also use these

variables to forward ports to DMZ hosts.

TCP/UDP form:

"{SRCIP1,SRCIP2,…:}PORT1,PORT2-PORT3,…>DESTIP1{:port} \

{SRCIP3,…:}PORT3,…>DESTIP2:port}"

IP form:

"{SRCIP1,SRCIP2,…:}PROTO1,PROTO2,…>DESTIP1 \

{SRCIP3:}PROTO3,PROTO4,…>DESTIP2"

TCP/UDP port forward examples:

Simple (forward port 80 to internal host 192.168.0.10):

NAT_xxx_FORWARD=“80>192.168.0.10”

Advanced (forward port 20 & 21 to 192.168.0.10 and

forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:

NAT_xxx_FORWARD=“20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80”

IP protocol forward example:

(forward protocols 47 & 48 to 192.168.0.10)

NAT_IP_FORWARD=“47,48>192.168.0.10”

NOTE 1: {:port} is optional. Use it to redirect a specific port to a

different port on the internal client.

NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source

(inet) IP addresses.

-----------------------------------------------------------------------------

NAT_TCP_FORWARD="“
NAT_UDP_FORWARD=”“
NAT_IP_FORWARD=”"

###############################################################################

General settings

###############################################################################

Most people don’t want to get any firewall logs being spit to the console.

This option makes the kernel ring buffer only log messages with level

“panic”.

-----------------------------------------------------------------------------

DMESG_PANIC_ONLY=1

Enable this if you want TOS mangling (RFC) (recommended).

-----------------------------------------------------------------------------

MANGLE_TOS=1

Enable this if you want to set the maximum packet size via the

Maximum Segment Size(through MSS field) (recommended).

-----------------------------------------------------------------------------

SET_MSS=1

Enable this if you want to increase the TTL value by one in the prerouting

chain. This hides the firewall when performing eg. traceroutes to internal

hosts.

-----------------------------------------------------------------------------

TTL_INC=0

(EXPERT SETTING!) Enable this if you want to set the TTL value for packets in

the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels

(2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target

support. Don’t mess with this unless you really know what you are doing!

-----------------------------------------------------------------------------

#PACKET_TTL=“64”

Enable this to resolve names of DNS IP’s etc.

-----------------------------------------------------------------------------

RESOLV_IPS=0

Enable this to support the IRC-protocol.

-----------------------------------------------------------------------------

USE_IRC=0

(EXPERT SETTING!). Loosen the forward chain for the external interface(s).

Enable it to allow the use of protocols like UPnP. Note that it could be

less secure.

-----------------------------------------------------------------------------

LOOSE_FORWARD=0

(EXPERT SETTING!). Enable this if you want to drop packets originating from a

private address.

-----------------------------------------------------------------------------

DROP_PRIVATE_ADDRESSES=0

(EXPERT SETTING!). Protect this machine from being abused for a DRDOS-attack

(“Distributed Reflection Denial Of Service”-attack). (STILL EXPERIMENTAL!)

-----------------------------------------------------------------------------

DRDOS_PROTECT=0

Enable this if you want to allow/enable IPv6 traffic. Note that my firewall

does NOT filter IPv6 traffic (yet), and thus NO checking is performed on it!

-----------------------------------------------------------------------------

IPV6_SUPPORT=0

This option fixes problems with SMB broadcasts when using nmblookup

-----------------------------------------------------------------------------

NMB_BROADCAST_FIX=0

(EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP

traffic should be ACCEPTED. (multiple(!) interfaces should be space

separated). Be warned that anything TO and FROM these interfaces is allowed

(ACCEPTED) so make sure it’s NOT routable(accessible) from the outside world

(internet)!

-----------------------------------------------------------------------------

TRUSTED_IF=""

(EXPERT SETTING!). Put here the (internal) interfaces that should trust

(accept forward traffic) each other.

-----------------------------------------------------------------------------

INT_IF_TRUST=""

Location of the custom iptables rules file (if any).

-----------------------------------------------------------------------------

CUSTOM_RULES=/etc/arno-iptables-firewall/custom-rules

###############################################################################

Logging options - All logging is rate limited to prevent log flooding

###############################################################################

Enable logging for explicitly blocked hosts.

-----------------------------------------------------------------------------

BLOCKED_HOST_LOG=1

Enable logging for various stealth scans (reliable).

-----------------------------------------------------------------------------

SCAN_LOG=1

Enable logging for possible stealth scans (less reliable).

-----------------------------------------------------------------------------

POSSIBLE_SCAN_LOG=1

Enable logging for TCP-packets with bad flags.

-----------------------------------------------------------------------------

BAD_FLAGS_LOG=1

Enable logging of invalid packets. Keep disabled (0) by default to reduce

INVALID packets being logged because of lost (legimate) connections. When

debugging any problems, you should enable it (temporarily)!

-----------------------------------------------------------------------------

INVALID_PACKET_LOG=0

Enable logging of source IP’s with reserved addresses.

-----------------------------------------------------------------------------

RESERVED_NET_LOG=1

Enable logging of fragmented packets.

-----------------------------------------------------------------------------

FRAG_LOG=1

Enable logging of denied local (OUTPUT) connections.

-----------------------------------------------------------------------------

OUTPUT_DENY_LOG=1

Enable logging of denied LAN output (FORWARD) connections.

-----------------------------------------------------------------------------

LAN_OUTPUT_DENY_LOG=1

Enable logging of denied LAN INPUT connections.

-----------------------------------------------------------------------------

LAN_INPUT_DENY_LOG=1

Enable logging of denied DMZ output (FORWARD) connections.

-----------------------------------------------------------------------------

DMZ_OUTPUT_DENY_LOG=1

Enable logging of denied DMZ input (FORWARD) connections.

-----------------------------------------------------------------------------

DMZ_INPUT_DENY_LOG=1

Enable logging of dropped ICMP-request packets (ping).

-----------------------------------------------------------------------------

ICMP_REQUEST_LOG=1

Enable logging of dropped “other” ICMP packets.

-----------------------------------------------------------------------------

ICMP_OTHER_LOG=1

Enable logging of normal connection attempts to privileged TCP ports.

-----------------------------------------------------------------------------

PRIV_TCP_LOG=1

Enable logging of normal connection attempts to privileged UDP ports.

-----------------------------------------------------------------------------

PRIV_UDP_LOG=1

Enable logging of normal connection attempts to unprivileged TCP ports.

-----------------------------------------------------------------------------

UNPRIV_TCP_LOG=1

Enable logging of normal connection attempts to unprivileged UDP ports.

-----------------------------------------------------------------------------

UNPRIV_UDP_LOG=1

Enable logging of normal connection attempts to “other-IP”-protocols (non

TCP/UDP/ICMP).

-----------------------------------------------------------------------------

OTHER_IP_LOG=1

Enable logging for ICMP flooding.

-----------------------------------------------------------------------------

ICMP_FLOOD_LOG=1

Enable logging for not-allowed MAC addresses (if used).

-----------------------------------------------------------------------------

MAC_ADDRESS_LOG=1

(EXPERT SETTING!). The location of the dedicated firewall log file. When

enabled the firewall script will also log start/stop etc. info to this file

as well. Note that in order to make this work, you should also configure

syslogd to log firewall messages to this file (see LOGLEVEL below for further

info).

-----------------------------------------------------------------------------

#FIREWALL_LOG=/var/log/firewall

(EXPERT SETTING!). Current log-level (“info”: default kernel syslog level)

“debug”: can be used to log to /var/log/firewall.log, but you have to configure

syslogd accordingly (see included syslogd.conf examples).

-----------------------------------------------------------------------------

LOGLEVEL=info

Put in the following variables which hosts you want to log certain incoming

connection attempts for.

TCP/UDP port format (LOG_HOST_xxx_INPUT):

“host1,host2>port1,port2 host3,host4>port3,port4 …”

IP protocol format (LOG_HOST_IP_INPUT):

“host1,host2>proto1,proto2 host3,host4>proto4,proto4 …”

-----------------------------------------------------------------------------

LOG_HOST_TCP_INPUT="“
LOG_HOST_UDP_INPUT=”“
LOG_HOST_IP_INPUT=”"

Put in the following variables which hosts you want to log certain outgoing

connection attempts for.

TCP/UDP port format (LOG_HOST_xxx_OUTPUT):

“host1,host2>port1,port2 host3,host4>port3,port4 …”

IP protocol format (LOG_HOST_IP_OUTPUT):

“host1,host2>proto1,proto2 host3,host4>proto4,proto4 …”

-----------------------------------------------------------------------------

LOG_HOST_TCP_OUTPUT="“
LOG_HOST_UDP_OUTPUT=”“
LOG_HOST_IP_OUTPUT=”"

Put in the following variables which services you want to log incoming

connection attempts for.

-----------------------------------------------------------------------------

LOG_TCP_INPUT="“
LOG_UDP_INPUT=”“
LOG_IP_INPUT=”"

Put in the following variables which services you want to log outgoing

connection attempts for.

-----------------------------------------------------------------------------

LOG_TCP_OUTPUT="“
LOG_UDP_OUTPUT=”“
LOG_IP_OUTPUT=”"

Put in the following variable which hosts you want to log incoming connection

(attempts) for.

-----------------------------------------------------------------------------

LOG_HOST_INPUT=""

Put in the following variable which hosts you want to log outgoing connection

(attempts) to.

-----------------------------------------------------------------------------

LOG_HOST_OUTPUT=""

###############################################################################

/proc based settings (EXPERT SETTINGS!)

###############################################################################

Enable for synflood protection (through /proc/…/tcp_syncookies).

-----------------------------------------------------------------------------

SYN_PROT=1

Enable this to reduce the ability of others DOS’ing your machine.

-----------------------------------------------------------------------------

REDUCE_DOS_ABILITY=1

Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.

-----------------------------------------------------------------------------

ECHO_IGNORE=0

Enable to log packets with impossible addresses to the kernel log.

-----------------------------------------------------------------------------

LOG_MARTIANS=0

Only disable this if you’re NOT using forwarding (required for NAT etc.) for

increased security.

-----------------------------------------------------------------------------

IP_FORWARDING=1

Enable if you want to accept ICMP redirect messages. Should be set to “0” in

case of a router.

-----------------------------------------------------------------------------

ICMP_REDIRECT=0

Enable/modify this if you want to be a able to handle a larger (or smaller)

number of simultaneous connections. For high traffic machines I recommend to

use a value of at least 16384 (note that a higher value (obviously) also uses

more memory).

-----------------------------------------------------------------------------

CONNTRACK=16384

You may need to enable this to get some internet games to work, but note that

it’s less secure.

-----------------------------------------------------------------------------

LOOSE_UDP_PATCH=0

Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,

as some routers are still not compatible with this.

-----------------------------------------------------------------------------

ECN=0

Enable to drop connections from non-routable IP’s, eg. prevent source

routing. By default the firewall itself also provides rules against source

routing. Note than when you use eg. VPN (Freeswan), you should probably

disable this setting.

-----------------------------------------------------------------------------

RP_FILTER=1

Protect against source routed packets. Attackers can use source routing to

generate traffic pretending to be from inside your network, but which is

routed back along the path from which it came, namely outside, so attackers

can compromise your network. Source routing is rarely used for legitimate

purposes, so normally you should always leave this enabled(1)!

-----------------------------------------------------------------------------

SOURCE_ROUTE_PROTECTION=1

Here we set the local port range (ports from which connections are

initiated from our site). Don’t mess with this unless you really know what

you are doing!

-----------------------------------------------------------------------------

LOCAL_PORT_RANGE=“32768 61000”

Here you can change the default TTL used for sending packets. The value

should be between 10 and 255. Don’t mess with this unless you really know

what you are doing!

-----------------------------------------------------------------------------

DEFAULT_TTL=64

In most cases pmtu discovery is ok, but in some rare cases (when having

problems) you might want to disable it.

-----------------------------------------------------------------------------

NO_PMTU_DISCOVERY=0

###############################################################################

(Transparent) proxy settings (EXPERT SETTINGS!)

###############################################################################
#HTTP_PROXY_PORT=“3128"
HTTPS_PROXY_PORT=”“
FTP_PROXY_PORT=”“
SMTP_PROXY_PORT=”“
POP3_PROXY_PORT=”"

###############################################################################

Firewall policies for the LAN (EXPERT SETTINGS!)

###############################################################################

###############################################################################

LAN_xxx = LAN->localhost(this machine) input access rules

Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the

default policy for this chain is accept (unless denied through

LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!

###############################################################################

Enable this to allow for ICMP-requests(ping) from your LAN

-----------------------------------------------------------------------------

LAN_OPEN_ICMP=1

Put in the following variables the TCP/UDP ports or IP protocols TO

(remote end-point) which the LAN hosts are permitted to connect to.

-----------------------------------------------------------------------------

LAN_OPEN_TCP="“
LAN_OPEN_UDP=”“
LAN_OPEN_IP=”"

Put in the following variables the TCP/UDP ports or IP protocols TO (remote

end-point) which LAN hosts are NOT permitted to connect to.

-----------------------------------------------------------------------------

LAN_DENY_TCP="“
LAN_DENY_UDP=”“
LAN_DENY_IP=”"

Put in the following variables the TCP/UDP ports or IP

protocols TO (remote end-point) which certain LAN hosts are

permitted to connect to.

TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):

“host1,host2>port1,port2 host3,host4>port3,port4 …”

IP protocol format (LAN_INPUT_HOST_OPEN_xxx):

“host1,host2>proto1,proto2 host3,host4>proto3,proto4 …”

-----------------------------------------------------------------------------

LAN_HOST_OPEN_TCP="“
LAN_HOST_OPEN_UDP=”“
LAN_HOST_OPEN_IP=”"

Put in the following variables the TCP/UDP ports or IP protocols TO (remote

end-point) which certain LAN hosts are NOT permitted to connect to.

TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):

“host1,host2>port1,port2 host3,host4>port3,port4 …”

IP protocol format (LAN_INPUT_HOST_DENY_xxx):

“host1,host2>proto1,proto2 host3,host4>proto3,proto4 …”

-----------------------------------------------------------------------------

LAN_HOST_DENY_TCP="“
LAN_HOST_DENY_UDP=”“
LAN_HOST_DENY_IP=”"

###############################################################################

LAN_INET_xxx = LAN->internet access rules (forward)

Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT

used, the default policy for this chain is accept (unless denied

through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!

###############################################################################

Enable this to allow for ICMP-requests(ping) for LAN->INET

-----------------------------------------------------------------------------

LAN_INET_OPEN_ICMP=1

Put in the following variables the TCP/UDP ports or IP

protocols TO (remote end-point) which the LAN hosts are

permitted to connect to via the external (internet) interface.

-----------------------------------------------------------------------------

LAN_INET_OPEN_TCP="“
LAN_INET_OPEN_UDP=”“
LAN_INET_OPEN_IP=”"

Put in the following variables the TCP/UDP ports or IP protocols TO (remote

end-point) which the LAN hosts are NOT permitted to connect to

via the external (internet) interface. Examples of usage are for blocking

IRC (TCP 6666:6669) for the internal network.

-----------------------------------------------------------------------------

LAN_INET_DENY_TCP="“
LAN_INET_DENY_UDP=”“
LAN_INET_DENY_IP=”"

Put in the following variables which LAN hosts you want to allow to certain

hosts/services on the internet. By default all services are allowed.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple:

(Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):

LAN_INET_HOST_OPEN_xxx=“0/0>1.2.3.4:80”

Advanced:

(Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and

allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):

LAN_INET_HOST_OPEN_xxx=“0/0>1.2.3.4:20,21 192.168.0.10>80”

IP protocol example:

(Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))

LAN_INET_HOST_OPEN_IP=“0/0>1.2.3.4:47,48”

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

LAN_INET_HOST_OPEN_TCP="“
LAN_INET_HOST_OPEN_UDP=”“
LAN_INET_HOST_OPEN_IP=”"

Put in the following variables which DMZ hosts you want to deny to certain

hosts/services on the internet.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):

LAN_INET_HOST_DENY_xxx=“0/0>1.2.3.4:80”

Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and

deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):

LAN_INET_HOST_DENY_xxx=“0/0>1.2.3.4:20,21 192.168.0.10>1.2.3.4:80”

IP protocol example:

(Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):

LAN_INET_HOST_DENY_IP=“0/0>1.2.3.4:47,48”

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

LAN_INET_HOST_DENY_TCP="“
LAN_INET_HOST_DENY_UDP=”“
LAN_INET_HOST_DENY_IP=”"

###############################################################################

Firewall policies for the DMZ (EXPERT SETTINGS!)

###############################################################################

###############################################################################

DMZ_xxx = DMZ->localhost(this machine) input access rules

###############################################################################

Enable this to allow ICMP-requests(ping) from the DMZ

-----------------------------------------------------------------------------

DMZ_OPEN_ICMP=1

Put in the following variables which DMZ hosts are permitted to connect to

certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)

services are blocked for DMZ hosts.

-----------------------------------------------------------------------------

DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""

Put in the following variables which DMZ hosts you want to allow for certain

services. By default all (local) services are blocked for DMZ hosts.

TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

IP protocol format (DMZ_HOST_OPEN_IP):

"host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."

-----------------------------------------------------------------------------

DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""

###############################################################################

INET_DMZ_xxx = Internet->DMZ access rules (forward)

Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT

used, the default policy for this chain is accept (unless denied

through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)!

###############################################################################

Enable this to make the default policy allow for ICMP(ping) for INET->DMZ

-----------------------------------------------------------------------------

INET_DMZ_OPEN_ICMP=0

Put in the following variables which INET hosts are permitted to connect to

certain TCP/UDP ports or IP protocols in the DMZ.

-----------------------------------------------------------------------------

INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""

Put in the following variables which INET hosts are NOT permitted to connect

to certain TCP/UDP ports or IP protocols in the DMZ.

-----------------------------------------------------------------------------

INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""

Put in the following variables which INET hosts you want to allow to certain

hosts/services on the DMZ net. By default all services are allowed.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):

INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:80"

Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and

allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):

INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"

IP protocol example:

(Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):

INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4:47,48"

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""

Put in the following variables which INET hosts you want to deny to certain

hosts/services on the DMZ net.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):

INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:80"

Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and

deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):

INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"

IP protocol example:

(Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):

INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4:47,48"

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""

###############################################################################

DMZ_INET_xxx = DMZ->internet access rules (forward)

Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT

used, the default policy for this chain is accept (unless denied

through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!

###############################################################################

Enable this to make the default policy allow for ICMP(ping) for DMZ->INET

-----------------------------------------------------------------------------

DMZ_INET_OPEN_ICMP=1

Put in the following variables the TCP/UDP ports or IP

protocols TO (remote end-point) which the DMZ hosts are

permitted to connect to via the external (internet) interface.

-----------------------------------------------------------------------------

DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""

Put in the following variables the TCP/UDP ports or IP protocols TO (remote

end-point) which the DMZ hosts are NOT permitted to connect to

via the external (internet) interface. Examples of usage are for blocking

IRC (TCP 6666:6669) for the internal network.

-----------------------------------------------------------------------------

DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""

Put in the following variables which DMZ hosts you want to allow to certain

hosts/services on the internet. By default all services are allowed.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:80"

Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and

allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):

DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"

IP protocol example:

(Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):

DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4:47,48"

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""

Put in the following variables which DMZ hosts you want to deny to certain

hosts/services on the internet.

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:80"

Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and

deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):

DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"

IP protocol example:

(Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):

DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4:47,48"

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""

###############################################################################

DMZ_LAN_xxx = DMZ->LAN access rules (forward)

###############################################################################

Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN

-----------------------------------------------------------------------------

DMZ_LAN_OPEN_ICMP=0

Put in the following variables which DMZ hosts you want to allow to certain

hosts/services on the LAN (net).

TCP/UDP form:

"SRCIP1,SRCIP2,…>DESTIP1:port \

SRCIP3,…>DESTIP2:port"

IP form:

"SRCIP1,SRCIP2,…>DESTIP1:protocol \

SRCIP3,…>DESTIP2:protocol"

TCP/UDP examples:

Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):

DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:80"

Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and

allow port 80 for DMZ host 5.6.7.8 (only) on LAN host

1.2.3.4):

DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4:20,21 5.6.7.8>1.2.3.4:80"

IP protocol example:

(Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):

DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4:47,48"

NOTE 1: If no SRCIPx is specified, any source host is used

NOTE 2: If no DESTIPx is specified, any destination host is used

NOTE 3: If no port is specified, any port is used

-----------------------------------------------------------------------------

DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""

###############################################################################

Firewall policies for the external (inet) interface (default policy = drop)

###############################################################################

Put in the following variable which hosts (subnets) you want have full access

via your internet (EXT_IF) connection(!). This is especially meant for

networks/servers which use NIS/NFS, as these protocols require all ports

to be open.

NOTE: Don’t mistake this variable with the one used for internal nets.

-----------------------------------------------------------------------------

FULL_ACCESS_HOSTS=""

Enable this to make the default policy allow for ICMP(ping) for INET access

-----------------------------------------------------------------------------

THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.

OPEN_ICMP=$DC_OPEN_ICMP

Put in the following variables which ports or IP protocols you want to leave

open to the whole world.

-----------------------------------------------------------------------------

OPEN_TCP and OPEN_UDP are handled by Debconf. If you want to add more open TCP

or UDP ports use ‘dpkg-reconfigure arno-iptables-firewall’. For more complex

setup add them (space separated) after $DC_OPEN_PORTS.

OPEN_TCP="21 22 25 53 80 110 873 3306 443 5121 6900 6121"
OPEN_UDP="53"
OPEN_IP=""

Put in the following variables the TCP/UDP ports you want to DENY(DROP) for

everyone (and logged). Also use these variables if you want to log connection

attempts to these ports from everyone (also trusted/full access hosts).

In principle you don’t need these variables, as everything is already blocked

(denied) by default, but just exists for consistency.

-----------------------------------------------------------------------------

DENY_TCP="56 84"
DENY_UDP="56 84"

Put in the following variables which ports you want to DENY(DROP) for

everyone but NOT logged. This is very useful if you have constant probes on

the same port(s) over and over again (code red worm) and don’t want your logs

flooded with it.

-----------------------------------------------------------------------------

DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

Put in the following variables the TCP/UDP ports you want to REJECT (instead

of DROP) for everyone (and logged).

-----------------------------------------------------------------------------

REJECT_TCP=""
REJECT_UDP=""

Put in the following variables the TCP/UDP ports you want to REJECT (instead

of DROP) for everyone but NOT logged.

-----------------------------------------------------------------------------

REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""

Put in the following variables which hosts you want to allow for certain

services.

TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

IP protocol format (HOST_OPEN_IP):

"host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."

ICMP protocol format (HOST_OPEN_ICMP):

"host1 host2 ..."

-----------------------------------------------------------------------------

HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

Put in the following variables which hosts you want to DENY(DROP) for certain

services (and logged).

TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

IP protocol format (HOST_DENY_IP):

"host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."

ICMP protocol format (HOST_DENY_ICMP):

"host1 host2 ..."

-----------------------------------------------------------------------------

HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP="213.186.33.13"
HOST_DENY_ICMP=""

Put in the following variables which hosts you want to DENY(DROP) for certain

services but NOT logged.

TCP/UDP port format (HOST_DENY_xxx_NOLOG):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

IP protocol format (HOST_DENY_IP_NOLOG):

"host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."

ICMP protocol format (HOST_DENY_ICMP_NOLOG):

"host1 host2 ..."

-----------------------------------------------------------------------------

HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""

Put in the following variables which hosts you want to REJECT (instead of

DROP) for certain TCP/UDP ports.

TCP/UDP port format (HOST_REJECT_xxx):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

-----------------------------------------------------------------------------

HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

Put in the following variables which hosts you want to REJECT (instead of

DROP) for certain services but NOT logged.

TCP/UDP port format (HOST_REJECT_xxx_NOLOG):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

-----------------------------------------------------------------------------

HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""

Put in the following variables which services THIS machine is NOT

permitted to connect TO (remote end-point) via the external (internet)

interface. For example for blocking IRC (tcp 6666:6669).

-----------------------------------------------------------------------------

DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

Put in the following variables to which hosts THIS machine is NOT

permitted to connect TO for certain services (remote end-point)

via the external (internet) interface. In principle you can also

use this to put your machine in a “virtual-DMZ” by blocking all traffic

to your local subnet.

TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):

"host1,host2>port1,port2 host3,host4>port3,port4 ..."

IP protocol format (HOST_DENY_IP_OUTPUT):

"host1,host2>proto1,proto2 host3,host4>proto3,proto4 ..."

-----------------------------------------------------------------------------

HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""

Put in the following variable which TCP/UDP ports you don’t want to

see broadcasts from (ie. DHCP (67/68)) on your EXTERNAL interface. Note that

to make this properly work you also need to set “EXTERNAL_NET”!

-----------------------------------------------------------------------------

BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"

Put in the following variable which hosts you want to block (blackhole,

dropping every packet from the host).

-----------------------------------------------------------------------------

BLOCK_HOSTS=""

Uncomment & specify here the location of the file that contains a list of

hosts(IP’s) that should be BLOCKED. IP ranges can (only) be specified as

w.x.y.z1-z2 (ie. 192.168.1.10-15). Note that the last line of this file

should always contain a carriage-return (enter)!

-----------------------------------------------------------------------------

#BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts[/quote]

How can I improve it, for example by blocking all my ports except the ones I use? I'm on Debian 4.

msn: villersm@hotmail.com

The answer is in the script:

[quote]# THIS SETTING IS HANDLED BY DEBCONF! DO NOT CHANGE ANYTHING HERE UNLESS YOU

KNOW WHAT YOU ARE DOING.

Use ‘dpkg-reconfigure arno-iptables-firewall’ instead.[/quote]

The simplest thing would be to block the guy if you have his IP…

I don't have his IP and I don't know how to find it, because too many people are trying to connect to the game when the server lags.

I found where he was attacking. He was attacking through port 5121. I changed it, but how can I protect my ports properly, since that port was in use?

[quote="Rêve toujours!!!"]You are not allowed to go here, I have your IP so be careful!!! Your IP is: WW.XX.YY.ZZ[/quote] :open_mouth: :open_mouth: :open_mouth:
Quick!!! Germaine!!! Pull the cables!!! :laughing: :laughing: :laughing:

Just out of pure curiosity… :blush: … which game is your server for?.. Neverwinter Nights? :unamused:

:smt006

No, it's Pantheon of Midgard.
Some extra info: when I'm under attack I close all my ports except 22 (ssh) and the dedicated server stops lagging.

Try running a tcpdump on the suspected ports, you should quickly see the source IP. Are you sure it isn't your server that's saturating?? Have you monitored the bandwidth? I suggest the iftop tool, which lets you watch the traffic live. Combined with top, which shows you the CPU load and the processes, you'll be able to make a reliable diagnosis.
(package iftop).

[quote="villers"]Pantheon of Midgard[/quote]ok ok… thanks, on behalf of my curiosity… :wink:
Does your server need to be "public", or just "shared among mates"… if it's "among mates", change the port and try to make it not "visible" (warn the "mates"), put a "honeypot" on the original one to catch the malicious guy, and if the attacks keep coming to the "new" port, check your list of "mates"… :laughing: … if your server has to stay "public"… I don't really see a solution… other than "analysing" the attempts on the "famous" port 5121 and checking whether there are "script kiddies" on that port… well anyway… it's just a dumb idea… :blush: :wink: :blush:

Good luck and happy hunting… :wink: :smt006

edit:[quote="fran.b"]Try running a tcpdump on the suspected ports, you should quickly see the source IP. Are you sure it isn't your server that's saturating?? Have you monitored the bandwidth? I suggest the iftop tool, which lets you watch the traffic live. Combined with top, which shows you the CPU load and the processes, you'll be able to make a reliable diagnosis.
(package iftop).[/quote]+1… :wink: … couldn't put it better… :blush: :blush: :blush:

I found what to look at here.

http://forum.ovh.com/showthread.php?t=32704&highlight=syn
http://forum.ovh.com/showthread.php?t=33253
http://forum.ovh.com/showthread.php?t=33929

He attacks all the open ports: once on 14421, 80, 5121; I've changed them plenty of times. He must be scanning the network.

Could you give me the command to ban an IP? I don't know which of these it is:

iptables -A INPUT -s IP -j DROP
iptables -I INPUT -s IP -j DROP

I got this with a netstat | grep www
when he was attacking port 80.

Last questions: is it possible to ban the IPs of all the Dedibox servers, because I've heard it was several Dedibox servers,
and to limit apache2's bandwidth so it doesn't get overloaded?

[quote]tcp 0 0 ns28236.ovh.net:www 68.234.114.89:53784 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 122x213x36x111.ap:45073 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 222.101.51.212:28945 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 186.204.239.68:46526 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 199.125.144.132:25898 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 14.87.141.143:3054 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 141.122.181.24:64145 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 51.106.94.117:42534 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 204.130.211.94:41440 SYN_RECV
tcp 0 0 ns28236.ovh.net:www n003-000-000-000.s:4070 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 213.4.199.56:64146 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 164.51.152.247:56062 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 95.94.21.213:25708 SYN_RECV
tcp 0 0 ns28236.ovh.net:www d138056.stir.ac.u:20259 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 47.32.155.210:38521 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 42.162.29.24:60395 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 134.89.71.122:32851 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 129.189.24.123:20258 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 152.236.232.162:32855 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 17.75.170.57:8220 SYN_RECV
tcp 0 0 ns28236.ovh.net:www dialup-4.209.209.:29981 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 210.108.171.205:64153 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 139.218.142.160:38522 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 142.153.29.108:57848 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 77.36.234.174:27867 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 137.9.131.85:25707 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 186.94.61.52:52808 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 44.141.124.12:38531 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 14.94.67.16:30924 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 159.136.211.146:30920 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 194.62.162.22:14233 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 19.27.172.239:14236 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 19.172.222.24:36698 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 165.172.164.24:29984 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 210.14.208.117:52811 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 94.24.232.36:35567 SYN_RECV
^Xtcp 0 0 ns28236.ovh.net:www 117.218.29.78:38529 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 91.24.222.44:51958 SYN_RECV
tcp 0 0 ns28236.ovh.net:www n003-000-000-000.:12232 SYN_RECV
tcp 0 0 ns28236.ovh.net:www port-92-222-4-171:24188 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 14.108.163.178:41439 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 131.247.52.170:8219 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 101.40.15.57:60248 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 67.106.115.90.ptr:53786 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 213.189.186.130:64152 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 199.77.22.1:30918 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 125.124.212.165:38518 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 132.75.96.146:35566 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 34.87.236.142:48473 SYN_RECV
tcp 0 0 ns28236.ovh.net:www 170.244.85.89:35568 SYN_RECV
tcp 0 86140 ns28236.ovh.net:www 237-64-186.si.cgoc:1335 ESTABLISHED
tcp 0 115200 ns28236.ovh.net:www AOrleans-252-1-67:53012 ESTABLISHED
tcp 0 10080 ns28236.ovh.net:www ANantes-257-1-67-1:3238 ESTABLISHED
tcp 0 24820 ns28236.ovh.net:www stc92-2-82-228-137:2595 ESTABLISHED
tcp 0 47916 ns28236.ovh.net:www ip-230.net-89-:ninstall ESTABLISHED
tcp 0 97284 ns28236.ovh.net:www ip-230.net-89-3-23:1996 ESTABLISHED
tcp 1 43365 ns28236.ovh.net:www ip-230.net-89-3-23:2154 CLOSE_WAIT
tcp 0 79860 ns28236.ovh.net:www ip-230.net-89-3-23:2152 ESTABLISHED
tcp 0 183 ns28236.ovh.net:www ARennes-252-1-90-8:3926 FIN_WAIT1
tcp 0 4405 ns28236.ovh.net:www vsg94-3-82-247-61-:1317 FIN_WAIT1
tcp 0 59532 ns28236.ovh.net:www ip-230.net-89-3-23:2151 ESTABLISHED
tcp 0 32769 ns28236.ovh.net:www dyn-83-153-209-188:4961 FIN_WAIT1
tcp 0 24820 ns28236.ovh.net:www bsa91-1-82-238-204:1535 ESTABLISHED
tcp 0 36300 ns28236.ovh.net:www APoitiers-156-1-97:2787 ESTABLISHED
tcp 0 33120 ns28236.ovh.net:www 68.48.71-86.rev.ga:3714 ESTABLISHED
tcp 0 26136 ns28236.ovh.net:www bas2-montreal03-1:60050 ESTABLISHED
tcp 0 1 ns28236.ovh.net:www ARennes-252-1-90-8:3871 FIN_WAIT1
tcp 0 126720 ns28236.ovh.net:www ARouen-152-1-25-22:2667 ESTABLISHED
tcp 0 1223 ns28236.ovh.net:www vsg94-3-82-247-61-:1324 FIN_WAIT1
tcp 0 111804 ns28236.ovh.net:www ABordeaux-158-1-1:61433 ESTABLISHED
tcp 0 1 ns28236.ovh.net:www AMontpellier-258-1:1946 FIN_WAIT1
tcp 0 59532 ns28236.ovh.net:www ip-230.net-89-3-23:2173 ESTABLISHED
tcp 0 88572 ns28236.ovh.net:www ip-230.net-89-3-23:2155 ESTABLISHED
tcp 0 0 ns28236.ovh.net:www mna75-10-82-243-1:63081 ESTABLISHED
tcp 0 39420 ns28236.ovh.net:www 145.154.141-88.re:53730 ESTABLISHED
tcp 0 13141 ns28236.ovh.net:www gre92-6-82-231-208:4325 FIN_WAIT1
tcp 0 1 ns28236.ovh.net:www ABordeaux-158-1-11:1363 FIN_WAIT1
tcp 0 1 ns28236.ovh.net:www lns-bzn-27-82-248-:1087 FIN_WAIT1
tcp 0 36000 ns28236.ovh.net:www ip-230.net-89-3-23:2195 ESTABLISHED
tcp 0 30240 ns28236.ovh.net:www 141.16.67-86.rev.g:1655 ESTABLISHED
tcp 0 28400 ns28236.ovh.net:www APointe-a-Pitre-10:2318 ESTABLISHED
tcp 0 132132 ns28236.ovh.net:www AAubervilliers-154:1700 ESTABLISHED
tcp 0 357700 ns28236.ovh.net:www AMontpellier-258-:50475 ESTABLISHED
tcp 0 1 ns28236.ovh.net:www bdi68-2-82-242-30:59628 FIN_WAIT1
tcp 0 13140 ns28236.ovh.net:www vsg94-3-82-247-61-:1312 ESTABLISHED[/quote]
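A netstat dump like the one above is easier to read once it is summarised: how many half-open (SYN_RECV) entries there are, which local port they target, and whether they come from a handful of sources (then a per-source DROP rule helps) or from a different source every time (then blocking sources is futile and only a stateless defence such as SYN cookies or rate limiting can help). The script below is an added example, not something posted in this thread; the sample lines are constructed in netstat's six-column layout with documentation addresses, and the thresholds `min_half_open` and `spread_ratio` are assumptions chosen for the demo.

```python
"""Triage a netstat dump for a half-open (SYN_RECV) connection flood."""
from collections import Counter

# Constructed sample in the layout of `netstat -tn`:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
# (netstat truncates long hostnames, as in the fifth line).
SAMPLE_NETSTAT = """\
tcp 0 0 server.example:www 203.0.113.10:53784 SYN_RECV
tcp 0 0 server.example:www 198.51.100.7:45073 SYN_RECV
tcp 0 0 server.example:www 203.0.113.11:28945 SYN_RECV
tcp 0 0 server.example:www 203.0.113.12:46526 SYN_RECV
tcp 0 0 server.example:www trunc-host.exampl:25898 SYN_RECV
tcp 0 0 server.example:www 203.0.113.13:3054 SYN_RECV
tcp 0 86140 server.example:www 192.0.2.44:1335 ESTABLISHED
tcp 0 0 server.example:ssh 192.0.2.9:50222 ESTABLISHED
tcp 1 43365 server.example:www 192.0.2.45:2154 CLOSE_WAIT
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon (hostnames contain dots)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        proto, recvq, sendq, local, remote, state = fields
        _, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        conns.append({
            "proto": proto, "recv_q": int(recvq), "send_q": int(sendq),
            "local_port": lport, "remote_host": rhost,
            "remote_port": rport, "state": state,
        })
    return conns


def summarize(conns):
    """Count states overall, and SYN_RECV per local port and per source."""
    half_open = [c for c in conns if c["state"] == "SYN_RECV"]
    return {
        "states": Counter(c["state"] for c in conns),
        "half_open_by_port": Counter(c["local_port"] for c in half_open),
        "half_open_by_source": Counter(c["remote_host"] for c in half_open),
    }


def classify_flood(conns, min_half_open=5, spread_ratio=0.8):
    """'none' below the backlog threshold; 'spread' when nearly every
    SYN_RECV has its own source (source blocking is hopeless, rely on
    SYN cookies); 'concentrated' when a few sources fill the backlog.
    Both thresholds are assumed values for this demo."""
    by_source = summarize(conns)["half_open_by_source"]
    total = sum(by_source.values())
    if total < min_half_open:
        return "none"
    return "spread" if len(by_source) / total >= spread_ratio else "concentrated"


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    report = summarize(parsed)
    print("states:", dict(report["states"]))
    print("SYN_RECV per local port:", dict(report["half_open_by_port"]))
    print("SYN_RECV per source:", dict(report["half_open_by_source"]))
    print("verdict:", classify_flood(parsed))
```

On a live box you would feed it `netstat -tn` (or `ss -tn`) output piped into `parse_netstat`; a "concentrated" verdict names the sources worth a DROP rule, while "spread" is the signature of the spoofed or distributed flood discussed later in this thread.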

That's funny

You're at OVH and you're the one being bothered.
For me it's smart-alecks with OVH IPs who rot my logs by port-scanning and launching attacks on ports that aren't even open.

…will insert your rule first in the INPUT chain.

You can also limit the number of connections on a port with the ipt-recent module.
I once opened a thread "anti force brute neuneu" and someone kindly explained it to me.
Otherwise there should be things in the "iptables pour les nuls" thread.

Good luck :wink:

To limit the bandwidth of one application, you have trickle, which is very effective.

Thanks, and I think I've solved the attack with a new iptables rule.

In fact the guy was flooding with a ttl ip (1M400 connections in 20 seconds, with a different IP each time ^^)
It was a nice bit of spoofing.

I'm going to test Trickle right away ;=)

ps: someone helped me ^^

Odd; to get changing IPs you need particular conditions:

  • Local access
  • Access to a bank of machines (botnet)
  • A negligent ISP that agrees to forward packets that are obviously spoofing. I just tried it on one of my servers: as soon as I spoof the source IP, Free doesn't forward it. It can't be done from just anywhere…

Ok, it's weird, but anyway it works and it really was spoofing.

Ah, well no, it's still not fixed.

Well, I'm looking at your story a bit more closely; if the attacks come from a port 80, you could possibly put

iptables -I INPUT -p tcp --tcp-flags SYN SYN --sport 80 -j DROP

iptables -I INPUT -p udp --sport 80 -j DROP

The first one drops every SYN connection coming from a port 80 and the second every UDP packet coming from a port 80.
But maybe it no longer comes from port 80. He must be using a web-server flaw to do his spoofing.
[nope, I've read your various messages all over the place and came across your screenshots: the source port changes every time and is very variable, that's hard to filter…]

The only thing I think is possible is enabling syncookies. You check that the kernel is compiled with:
$ grep CONFIG_SYN_COOKIES /boot/config-`uname -r`
and you do

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

I quote: «Syncookies protect the socket from overload when too many connection attempts arrive. Client machines may no longer be able to detect an overloaded machine with a short delay when syncookies are enabled.» Your machine should not collapse.
Try it and see what happens

(Roughly: whatever happens, it replies with a sequence number that is not random but tied to the port and the IP; when an ACK arrives it no longer has to manage a table (saturated during an attack) but only checks that the sequence number is consistent; if it is, it considers that it must have received the SYN before. The connection is only activated on receipt of the ACK and not on the SYN.)
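The mechanism sketched in the post above can be shown end to end in a toy model: the server answers every SYN with an ISN that is a keyed hash of the 4-tuple and a coarse time slot, stores nothing, and only creates connection state when an ACK arrives whose acknowledgement number minus one verifies as a cookie it could have issued. The code below is an added example, not from this thread and not the Linux implementation (real syncookies also encode the MSS and use a different bit layout); `SynCookieListener`, `on_syn`, `on_ack`, the 64-second slot and the fixed demo secret are all assumptions made for the illustration.

```python
"""Toy SYN cookies: stateless SYN handling, state created only on a valid ACK."""
import hashlib
import hmac
import os
import random


class SynCookieListener:
    """Models a listening socket with tcp_syncookies enabled."""

    def __init__(self, secret=None, slot_seconds=64):
        self.secret = secret if secret is not None else os.urandom(32)
        self.slot_seconds = slot_seconds
        self.established = []          # the only per-connection state kept

    def _slot(self, now):
        return int(now) // self.slot_seconds

    def _cookie(self, saddr, sport, dport, slot):
        """24-bit cookie = truncated HMAC over the tuple and the time slot."""
        msg = f"{saddr}|{sport}|{dport}|{slot}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:3], "big")

    def on_syn(self, saddr, sport, dport, now):
        """Return the ISN to put in the SYN-ACK. Nothing is remembered."""
        slot = self._slot(now)
        return ((slot & 0xFF) << 24) | self._cookie(saddr, sport, dport, slot)

    def on_ack(self, saddr, sport, dport, ack_number, now):
        """Accept only if ack-1 is a cookie we could have issued for exactly
        this tuple in the current or the previous time slot."""
        isn = (ack_number - 1) & 0xFFFFFFFF
        slot_byte, cookie = isn >> 24, isn & 0xFFFFFF
        current = self._slot(now)
        for slot in (current, current - 1):
            expected = self._cookie(saddr, sport, dport, slot)
            if (slot & 0xFF) == slot_byte and hmac.compare_digest(
                    expected.to_bytes(3, "big"), cookie.to_bytes(3, "big")):
                self.established.append((saddr, sport, dport))
                return True
        return False


def demo(flood_size=20_000, seed=1):
    """Flood from random sources, then one genuine client; report outcomes."""
    rng = random.Random(seed)
    srv = SynCookieListener(secret=b"demo-secret-not-for-production")
    for _ in range(flood_size):                   # SYNs that never complete
        saddr = ".".join(str(rng.randrange(256)) for _ in range(4))
        srv.on_syn(saddr, rng.randrange(1024, 65536), 80, now=1000)
    state_after_flood = len(srv.established)      # 0: no backlog to exhaust
    isn = srv.on_syn("192.0.2.10", 40000, 80, now=1000)
    legit = srv.on_ack("192.0.2.10", 40000, 80, isn + 1, now=1010)
    # Same tuple but cookie bits flipped: a forged ACK is rejected.
    forged = srv.on_ack("192.0.2.10", 40000, 80, (isn ^ 0x5A5A5A) + 1, now=1010)
    # Cookie issued in slot 15 presented in slot 18: too old, rejected.
    stale = srv.on_ack("192.0.2.10", 40000, 80, isn + 1, now=1000 + 3 * 64)
    return {"state_after_flood": state_after_flood, "legit": legit,
            "forged": forged, "stale": stale,
            "established": len(srv.established)}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the post: the flood costs the server one HMAC per SYN and no memory, the genuine client still completes its handshake, and a peer that never saw the SYN-ACK cannot produce an acceptable ACK. The price, as the quoted documentation warns, is that clients can no longer tell an overloaded server apart from a healthy one from the SYN-ACK alone.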

[quote="fran.b"]The only thing I think is possible is enabling syncookies. You check that the kernel is compiled with:
$ grep CONFIG_SYN_COOKIES /boot/config-`uname -r`
and you do

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

I quote: «Syncookies protect the socket from overload when too many connection attempts arrive. Client machines may no longer be able to detect an overloaded machine with a short delay when syncookies are enabled.» Your machine should not collapse.
Try it and see what happens

(Roughly: whatever happens, it replies with a sequence number that is not random but tied to the port and the IP; when an ACK arrives it no longer has to manage a table (saturated during an attack) but only checks that the sequence number is consistent; if it is, it considers that it must have received the SYN before. The connection is only activated on receipt of the ACK and not on the SYN.)[/quote]

Already tried, but it doesn't work (I have the same kind of attack).

But try this iptables script:

Replace xxx with the ports of your login, char and map server.

Keep me posted :smt006

grep CONFIG_SYN_COOKIES /boot/config-`uname -r`
grep: /boot/config-2.6.24.2-xxxx-std-ipv4-32: Aucun fichier ou répertoire de ce type

  • bobby: the attacks happen on the open ports, so the script won't change anything; his ports will stay open, and the problem will remain.

  • villers: Check whether
    /proc/sys/net/ipv4/tcp_syncookies
    exists; if so, I presume your kernel is compiled with it. Try anyway.