Differences

This shows you the differences between two versions of the page.

--- gnu_linux_server:network_configuration:firewall [2012/01/28 20:20] – Script (ajout init info + debug + correction syntaxe) guillaume
+++ gnu_linux_server:network_configuration:firewall [2021/01/04 20:41] (current) – external edit 127.0.0.1
@@ Line 12: / Line 12: @@
 <code bash>
 deny_everything() {
-    log_action_begin_msg "Denying all connections"
+    print_debug "Denying all connections"
     iptables -t filter -P INPUT   DROP
@@ Line 18: / Line 18: @@
     iptables -t filter -P OUTPUT  DROP
-    log_action_end_msg $?
+    end_debug $?
 }
 </code>
@@ Line 25: / Line 25: @@
 <code bash>
 cleanup_tables() {
-    log_action_begin_msg "Cleaning up tables"
+    print_debug "Cleaning up tables"
     iptables -t filter -F
     iptables -t filter -X
-    log_action_end_msg $?
+    end_debug $?
 }
 </code>
@@ Line 37: / Line 37: @@
 <code bash>
 dont_break_connections() {
-    log_action_begin_msg "Keeping active connections"
+    print_debug "Keeping active connections"
     iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 </code>
@@ Line 49: / Line 49: @@
 <code bash>
 allow_loopback() {
-    log_action_begin_msg "Allowing loopback"
+    print_debug "Allowing loopback"
     iptables -t filter -A INPUT  -i lo -j ACCEPT
     iptables -t filter -A OUTPUT -o lo -j ACCEPT
-    log_action_end_msg $?
+    end_debug $?
 }
 </code>
@@ Line 158: / Line 158: @@
     iptables -A SPOOFED -s 192.168.0.0/16 -j DROP
     iptables -A SPOOFED -s 10.0.0.0/8     -j DROP
+    end_debug $?
+}
+misc_config() {
+    print_debug "Misc configurations"
+    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+    echo 0 > /proc/sys/net/ipv4/ip_forward
+    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+    echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
+    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
+    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
     end_debug $?
@@ Line 322: / Line 338: @@
     deny_spoofing
+    misc_config
     # Starting fail2ban again