gnu_linux_server:network_configuration:firewall

gnu_linux_server:network_configuration:firewall [2011/09/19 21:39] – créée guillaumegnu_linux_server:network_configuration:firewall [2021/01/04 20:41] (current) – external edit 127.0.0.1
Line 12: Line 12:
 <code bash> <code bash>
 deny_everything() { deny_everything() {
-    log_action_begin_msg "Denying all connections"+    print_debug "Denying all connections"
  
     iptables -t filter -P INPUT   DROP     iptables -t filter -P INPUT   DROP
Line 18: Line 18:
     iptables -t filter -P OUTPUT  DROP     iptables -t filter -P OUTPUT  DROP
  
-    log_action_end_msg $?+    end_debug $?
 } }
 </code> </code>
Line 25: Line 25:
 <code bash> <code bash>
 cleanup_tables() { cleanup_tables() {
-    log_action_begin_msg "Cleaning up tables"+    print_debug "Cleaning up tables"
  
     iptables -t filter -F     iptables -t filter -F
     iptables -t filter -X     iptables -t filter -X
  
-    log_action_end_msg $?+    end_debug $?
 } }
 </code> </code>
Line 37: Line 37:
 <code bash> <code bash>
 dont_break_connections() { dont_break_connections() {
-    log_action_begin_msg "Keeping active connections"+    print_debug "Keeping active connections"
  
     iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT     iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
 </code> </code>
Line 49: Line 49:
 <code bash> <code bash>
 allow_loopback() { allow_loopback() {
-    log_action_begin_msg "Allowing loopback"+    print_debug "Allowing loopback"
  
     iptables -t filter -A INPUT  -i lo -j ACCEPT     iptables -t filter -A INPUT  -i lo -j ACCEPT
     iptables -t filter -A OUTPUT -o lo -j ACCEPT     iptables -t filter -A OUTPUT -o lo -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
 </code> </code>
Line 66: Line 66:
 Maintenant vous devriez pouvoir comprendre ce script. Il utilise des fonctions pour configurer **iptables**. Maintenant vous devriez pouvoir comprendre ce script. Il utilise des fonctions pour configurer **iptables**.
 <code bash> <code bash>
 +### BEGIN INIT INFO
 +# Provides:          firewall
 +# Required-Start:    $local_fs $network
 +# Required-Stop:     $local_fs $network
 +# Default-Start:     2 3 4 5
 +# Default-Stop:      0 1 6
 +# Short-Description: Configure iptables (IPv4)
 +# Description:       Setup basic rules for iptables (IPv4)
 +### END INIT INFO
 +
 #!/bin/bash #!/bin/bash
  
 . /lib/lsb/init-functions . /lib/lsb/init-functions
 +
 +# In debug mode there will be more outputs
 +# 0 to disable
 +# 1 to enable
 +DEBUG=0
 +
 +# Print message only in debug mode
 +# Usage: print_debug ${message} ${return_code}
 +# ${return_code} is optional
 +print_debug() {
 +    [ ${DEBUG} -eq 0 ] && return 0
 +    [ $# -ne 1 ]       && return 1
 +
 +    log_action_begin_msg ${1}
 +}
 +
 +end_debug() {
 +    [ ${DEBUG} -eq 0 ] && return 0
 +    [ $# -ne 1 ]       && return 1
 +
 +    log_action_end_msg ${1}
 +}
  
 deny_everything() { deny_everything() {
-    log_action_begin_msg "Denying connections"+    print_debug "Denying connections"
  
     iptables -t filter -P INPUT   DROP     iptables -t filter -P INPUT   DROP
Line 77: Line 109:
     iptables -t filter -P OUTPUT  DROP     iptables -t filter -P OUTPUT  DROP
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 accept_everything() { accept_everything() {
-  log_action_begin_msg "Accepting all connections"+    print_debug "Accepting all connections"
  
-  iptables -t filter -P INPUT   ACCEPT +    iptables -t filter -P INPUT   ACCEPT 
-  iptables -t filter -P FORWARD ACCEPT +    iptables -t filter -P FORWARD ACCEPT 
-  iptables -t filter -P OUTPUT  ACCEPT+    iptables -t filter -P OUTPUT  ACCEPT
  
-  log_action_end_msg $?+    end_debug $?
 } }
- 
  
 cleanup_tables() { cleanup_tables() {
-    log_action_begin_msg "Cleaning up tables"+    print_debug "Cleaning up tables"
  
     iptables -t filter -F     iptables -t filter -F
     iptables -t filter -X     iptables -t filter -X
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 dont_break_connections() { dont_break_connections() {
-    log_action_begin_msg "Keeping active connections"+    print_debug "Keeping active connections"
  
     iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT     iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 allow_loopback() { allow_loopback() {
-    log_action_begin_msg "Allowing loopback"+    print_debug "Allowing loopback"
  
     iptables -t filter -A INPUT  -i lo -j ACCEPT     iptables -t filter -A INPUT  -i lo -j ACCEPT
     iptables -t filter -A OUTPUT -o lo -j ACCEPT     iptables -t filter -A OUTPUT -o lo -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 deny_spoofing() { deny_spoofing() {
-    log_action_begin_msg "Denying spoofing"+    print_debug "Denying spoofing"
  
     iptables -N SPOOFED     iptables -N SPOOFED
Line 128: Line 159:
     iptables -A SPOOFED -s 10.0.0.0/    -j DROP     iptables -A SPOOFED -s 10.0.0.0/    -j DROP
  
-    log_action_end_msg $?+    end_debug $? 
 +
 + 
 +misc_config() { 
 +    print_debug "Misc configurations" 
 + 
 +    echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
 +    echo 0 > /proc/sys/net/ipv4/ip_forward  
 +    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  
 +    echo 1 >/proc/sys/net/ipv4/conf/all/log_martians  
 +    echo 1 > /proc/sys/net/ipv4/ip_always_defrag 
 +    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 
 +    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 
 +    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 
 +    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 
 + 
 +    end_debug $?
 } }
  
 open_input_port() { open_input_port() {
-    if [ $# -ne 2 ]; then +    [ $# -ne 2 ] && exit 1
-        exit 1 +
-    fi+
  
-    log_action_begin_msg "Opening input port ${2} in ${1}"+    print_debug "Opening input port ${2} in ${1}"
  
     iptables -t filter -A INPUT -p "${1}" --dport "${2}" -j ACCEPT     iptables -t filter -A INPUT -p "${1}" --dport "${2}" -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 open_output_port() { open_output_port() {
-    if [ $# -ne 2 ]; then +    [ $# -ne 2 ] && exit 1
-        exit 1 +
-    fi+
  
-    log_action_begin_msg "Opening output port ${2} in ${1}"+    print_debug "Opening output port ${2} in ${1}"
  
     iptables -t filter -A OUTPUT -p "${1}" --dport "${2}" -j ACCEPT     iptables -t filter -A OUTPUT -p "${1}" --dport "${2}" -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 allow_input_protocol() { allow_input_protocol() {
-    if [ $# -ne 1 ]; then +    [ $# -ne 1 ] && exit 1
-        exit 1 +
-    fi+
  
-    log_action_begin_msg "Allowing input protocol ${1}"+    print_debug "Allowing input protocol ${1}"
  
     iptables -t filter -A INPUT -p "${1}" -j ACCEPT     iptables -t filter -A INPUT -p "${1}" -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 allow_output_protocol() { allow_output_protocol() {
-    if [ $# -ne 1 ]; then +    [ $# -ne 1 ] && exit 1
-        exit 1 +
-    fi+
  
-    log_action_begin_msg "Allowing output protocol ${1}"+    print_debug "Allowing output protocol ${1}"
  
     iptables -t filter -A OUTPUT -p "${1}" -j ACCEPT     iptables -t filter -A OUTPUT -p "${1}" -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
 allow_6in4_protocol() { allow_6in4_protocol() {
-    if [ $# -ne 1 ]; then +    [ $# -ne 1 ] && exit 1
-        exit 1 +
-    fi+
  
-    log_action_begin_msg "Allowing IPv6 in IPv4 protocol"+    print_debug "Allowing IPv6 in IPv4 protocol"
  
     iptables -t filter -A INPUT  -s ${1} -p 41 -j ACCEPT     iptables -t filter -A INPUT  -s ${1} -p 41 -j ACCEPT
     iptables -t filter -A OUTPUT -p 41 -j ACCEPT     iptables -t filter -A OUTPUT -p 41 -j ACCEPT
  
-    log_action_end_msg $?+    end_debug $?
 } }
  
Line 196: Line 233:
     # Stop fail to ban before configuring firewall     # Stop fail to ban before configuring firewall
     /etc/init.d/fail2ban stop     /etc/init.d/fail2ban stop
-    echo "Starting firewal configuration"+    log_action_begin_msg "Firewall (IPv4) configuration"
  
     deny_everything     deny_everything
Line 249: Line 286:
     open_output_port tcp 64738     open_output_port tcp 64738
     open_output_port udp 64738     open_output_port udp 64738
-    +
     # Bazaar     # Bazaar
     open_input_port  tcp 4155     open_input_port  tcp 4155
Line 301: Line 338:
  
     deny_spoofing     deny_spoofing
 +    misc_config
  
     # Starting fail2ban again     # Starting fail2ban again
     /etc/init.d/fail2ban start     /etc/init.d/fail2ban start
-    echo "Firewall configuration done." +    log_action_end_msg 0
-    exit 0+
   ;;   ;;
  
   stop)   stop)
-    echo "Stopping firewall configuration"+    log_action_begin_msg "Remove firewall (IPv4) configuration"
  
     accept_everything     accept_everything
     cleanup_tables     cleanup_tables
  
-    echo "Success" +    log_action_end_msg 0
-    exit 0+
   ;;   ;;
  
Line 322: Line 358:
     exit 1     exit 1
   ;;   ;;
 +esac
 +
 +exit 0
 </code> </code>
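Review bot: The new LSB header block (`### BEGIN INIT INFO` … `### END INIT INFO`) is inserted above `#!/bin/bash`, so the shebang is no longer the first line of the script and is ignored by the kernel; the file should start with `#!/bin/bash` and the `### BEGIN INIT INFO` block should follow it. In the same hunk, `end_debug` returns 0 before looking at its argument whenever `DEBUG=0`, so every `end_debug $?` after an `iptables` call now discards the rule's exit status and `start)` always ends with `log_action_end_msg 0`; a rule that failed to load is silent unless debugging is on, which for a firewall script is worth surfacing, e.g. `[ "${1}" -ne 0 ] && log_failure_msg "firewall step failed (${1})"` placed before the `DEBUG` early return. The usage comment on `print_debug` mentions an optional `${return_code}`, but `[ $# -ne 1 ] && return 1` rejects anything other than exactly one argument, so either the comment or the check should be corrected. Both helpers should quote the expansion they pass on, `log_action_begin_msg "${1}"` and `log_action_end_msg "${1}"`, so a message containing spaces is passed as one argument. In `misc_config`, each `echo … > /proc/sys/…` write is unchecked, and `/proc/sys/net/ipv4/ip_always_defrag` does not appear to exist on current kernels, so that line would just print an error and continue — worth confirming on the target system.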
  
gnu_linux_server/network_configuration/firewall.1316468367.txt.gz · Last modified: 2021/01/04 20:40 (external edit)