API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Dec 20th, 2014
179
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.21 KB | None | 0 0
raw download clone embed print report
  1. 19 Dec 2014 21:45:41:202 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  2. 19 Dec 2014 21:45:41:069 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  3. 19 Dec 2014 21:45:41:135 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  4. 19 Dec 2014 21:45:41:069 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  5. 19 Dec 2014 21:45:41:171 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  6. 19 Dec 2014 21:45:41:226 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  7. 19 Dec 2014 21:45:41:341 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  8. 19 Dec 2014 21:45:41:092 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  9. 19 Dec 2014 21:45:41:254 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  10. 19 Dec 2014 21:45:41:153 GMT my.ip.addr.ess:35323 other.ip.addr.ess:30000 40 UDP
  11.  
  12. #! /bin/bash
  13. ### BEGIN INIT INFO
  14. # Provides: firewall
  15. # Short-Description: Regles iptables
  16. # Required-Start: $remote_fs $syslog
  17. # Required-Stop: $remote_fs $syslog
  18. # Default-Start: 2 3 4 5
  19. # Default-Stop: 0 1 6
  20. # Short-Description: start/stop firewall
  21. # Description: Charge la configuration du pare-feu iptables
  22. ### END INIT INFO
  23. #### Merci a Buddy pour l'aide apportee
  24. ###
  25. #### adapter selon vos besoins et services actifs sur le serveur
  26. ###
  27. case "$1" in
  28. start)
  29.  
  30. ## purge
  31. /sbin/iptables -F
  32. /sbin/iptables -X
  33.  
  34. # Bloque tout le trafic
  35. /sbin/iptables -t filter -P INPUT DROP
  36. /sbin/iptables -t filter -P FORWARD DROP
  37. /sbin/iptables -t filter -P OUTPUT DROP
  38.  
  39.  
  40. # Autorise les connexions deja etablies et localhost
  41. /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  42. /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  43. /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
  44. /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
  45.  
  46. # ICMP (Ping)
  47. # on bloque la demande de ping et on autorise ovh pour le monitoring
  48. #/sbin/iptables -t filter -A INPUT -p icmp -j ACCEPT
  49.  
  50. #on garde la possibilite de faire des ping depuis le serveur
  51. /sbin/iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  52.  
  53. ##RTM et ping OVH
  54. /sbin/iptables -A INPUT -p icmp --source proxy.ovh.net -j ACCEPT
  55. /sbin/iptables -A INPUT -p icmp --source proxy.p19.ovh.net -j ACCEPT
  56. /sbin/iptables -A INPUT -p icmp --source proxy.rbx.ovh.net -j ACCEPT
  57. /sbin/iptables -A INPUT -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
  58. /sbin/iptables -A INPUT -p icmp --source proxy.gra.ovh.net -j ACCEPT
  59. /sbin/iptables -A INPUT -p icmp --source a2.ovh.net -j ACCEPT
  60. /sbin/iptables -A INPUT -p icmp --source proxy.sbg.ovh.net -j ACCEPT
  61. /sbin/iptables -A INPUT -p icmp --source proxy.bhs.ovh.net -j ACCEPT
  62. /sbin/iptables -A INPUT -p icmp --source ping.ovh.net -j ACCEPT
  63. /sbin/iptables -A INPUT -p icmp --source proxy.ovh.net -j ACCEPT
  64. /sbin/iptables -A OUTPUT -p udp --dport 6100:6200 -j ACCEPT
  65.  
  66. #Mettre le debut IP du serveur a la place des xxx
  67. /sbin/iptables -A INPUT -p icmp --source my.ip.addr.250 -j ACCEPT
  68. /sbin/iptables -A INPUT -p icmp --source my.ip.addr.251 -j ACCEPT
  69.  
  70. # SSH port 22
  71. # SSH standard
  72. # si vous n'avez pas d'IP fixe
  73. /sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  74. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  75.  
  76. # Elasticsearch debugging
  77. /sbin/iptables -t filter -A INPUT -p tcp --dport 9200 -j ACCEPT
  78. # En cas d'IP fixe, vous pouvez n'autoriser le port 22 que sur vos IP
  79. # Commentez les lignes standard et decommentez celles-ci apres avoir mis votre/vos IP fixes
  80. #/sbin/iptables -t filter -i eth0 --source VOTRE_IP1 -A INPUT -p TCP --dport 22 -j ACCEPT
  81. #/sbin/iptables -t filter -i eth0 --source VOTRE_IP2 -A INPUT -p TCP --dport 22 -j ACCEPT
  82. #/sbin/iptables -t filter -A OUTPUT -p tcp --dport 22 -j DROP
  83.  
  84. # DNS
  85. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  86. /sbin/iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  87. /sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  88. /sbin/iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  89.  
  90. # HTTP IPv4
  91. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  92. /sbin/iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  93. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
  94. /sbin/iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  95. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  96. /sbin/iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  97.  
  98. # mySQL : mis pour memoire mais il est en general activation inutile
  99. #/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
  100.  
  101. # FTP
  102. #/sbin/iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
  103. #/sbin/iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
  104.  
  105. ##
  106. # Commentez les lignes si pas de service mail sur le serveur
  107. ##
  108. # Mail SMTP
  109. /sbin/iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  110. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  111.  
  112. /sbin/iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  113. /sbin/iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  114.  
  115. # /sbin/iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  116. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
  117.  
  118. # Mail POP3
  119. # /sbin/iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  120. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
  121.  
  122. # Mail POP3S
  123. # /sbin/iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  124. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  125.  
  126. # Mail IMAP
  127. # /sbin/iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  128. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
  129.  
  130. # Mail IMAP SSL
  131. # /sbin/iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
  132. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
  133.  
  134. # Rsync decommenter si besoin
  135. # /sbin/iptables -t filter -A OUTPUT -p tcp --dport rsync -j ACCEPT
  136. # /sbin/iptables -t filter -A INPUT -p tcp --dport rsync -j ACCEPT
  137.  
  138. # Panels sur le port 10000 : Webmin et Virtualmin
  139. # configuration standard (commenter la ligne ci-dessous si vous utilisez la configuration avec IP fixe)
  140. # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
  141.  
  142. # configuration si IP fixe, decommentez les lignes ci-dessous
  143. # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 --source VOTRE_IP-FIXE1 -j ACCEPT
  144. # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 --source VOTRE_IP_FIXE2 -j ACCEPT
  145.  
  146. # NTP (horloge du serveur)
  147. /sbin/iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  148.  
  149. # on limite le nombre de demandes de connexions
  150. /sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
  151. /sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
  152. /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
  153. /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  154.  
  155. #munin, si vous utilisez decommentez les lignes
  156. # /sbin/iptables -A OUTPUT -p tcp --sport 4949 -j ACCEPT
  157. # /sbin/iptables -A INPUT -p tcp --dport 4949 -s A.B.C.D -j ACCEPT
  158.  
  159. ### Configuration pour IPv6, decommentez si vous utilisez
  160. # ipv6 on bloque
  161. #/sbin/ip6tables -t filter -P INPUT DROP
  162. #/sbin/ip6tables -t filter -P FORWARD DROP
  163. #/sbin/ip6tables -t filter -P OUTPUT DROP
  164.  
  165. # Autorise les connexions deja etablies et localhost
  166. #/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  167. #/sbin/ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  168. #/sbin/ip6tables -t filter -A INPUT -i lo -j ACCEPT
  169. #/sbin/ip6tables -t filter -A OUTPUT -o lo -j ACCEPT
  170.  
  171. # ping ipv6
  172. #/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  173. #/sbin/ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
  174.  
  175. # port 80 en sortie IPv6 ( apt-get entre autre )
  176. #/sbin/ip6tables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT
  177.  
  178. # NTP ipv6 (horloge du serveur) sortie uniquement
  179. /sbin/ip6tables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  180.  
  181. # DNS en sortie IPv6
  182. #/sbin/ip6tables -A OUTPUT -p tcp --dport domain -j ACCEPT
  183. #/sbin/ip6tables -A OUTPUT -p udp --dport domain -j ACCEPT
  184.  
  185. exit 0
  186. ;;
  187.  
  188. stop)
  189. /sbin/iptables -F
  190. /sbin/iptables -X
  191.  
  192. exit 0
  193. ;;
  194. *)
  195. echo "Usage: /etc/init.d/firewall {start|stop}"
  196. exit 1
  197. ;;
  198. esac
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!