Installation et configuration de FireWall.
Nous allons utilisé un outil permettant la persistance des configuration iptables
sudo apt-get install -y iptables-persistent
Dans le fichier /etc/iptables/rules.v6
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] COMMIT
Dans le fichier /etc/iptables/rules.v4
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [687:218631] # Allow internal traffic on the loopback device -A INPUT -i lo -j ACCEPT # Continue connections that are already established or related to an established connection -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Drop non-conforming packets, such as malformed headers, etc. -A INPUT -m conntrack --ctstate INVALID -j DROP # SSH -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # DHCP used by OVH -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT # DNS (bind) -A OUTPUT -p tcp --dport 53 -j ACCEPT -A OUTPUT -p udp --dport 53 -j ACCEPT -A INPUT -p tcp --dport 53 -j ACCEPT -A INPUT -p udp --dport 53 -j ACCEPT # HTTP + HTTPS -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT # Email (postfix + devecot) # 25 = smtp (internal only), 587 = submission and 993 = IMAPS -A INPUT -p tcp --dport 25 -j ACCEPT -A INPUT -p tcp --dport 587 -j ACCEPT -A INPUT -p tcp --dport 993 -j ACCEPT # Chain for preventing ping flooding - up to 6 pings per second from a single # source, again with log limiting. Also prevents us from ICMP REPLY flooding # some victim when replying to ICMP ECHO from a spoofed source. -N ICMPFLOOD -A ICMPFLOOD -m recent --name ICMP --set --rsource -A ICMPFLOOD -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: " -A ICMPFLOOD -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP -A ICMPFLOOD -j ACCEPT # Permit useful IMCP packet types. # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests. # Blocking these can make diagnosing of even simple faults much more tricky. # Real security lies in locking down and hardening all services, not by hiding. -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT # Drop all incoming malformed NULL packets -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Drop syn-flood attack packets -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP # Drop incoming malformed XMAS packets -A INPUT -p tcp --tcp-flags ALL ALL -j DROP COMMIT
Pour rafraîchir le firewall
sudo service netfilter-persistent restart
Pour désactiver le firewall, écrire le fichier /tmp/stop_firewall
iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT
sudo bash /tmp/stop_firewall