  1. #!bin/sh
  2.  
  3. /etc/init.d/init_firewall clean
  4.  
  5. ####IPv4####
  6. # Refuser l'input etle forward et accepter l'output
  7. iptables -P INPUT DROP
  8. iptables -P FORWARD DROP
  9. iptables -P OUTPUT DROP
  10.  
  11. # Autoriser l'interface lo
  12. iptables -A INPUT -i lo -j ACCEPT
  13. iptables -A OUTPUT -i lo -j ACCEPT
  14.  
  15. # Garder les connexions déjà établies
  16. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  17. iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  18.  
  19. # Accepter le ping en INPUT
  20. iptables -A INPUT -p icmp --icmp-tyoe echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst A -j ACCEPT
  21.  
  22. # Vérifier les paquets SYN, sinon bloquer.
  23. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  24.  
  25. # Bloquer les paquets fragmentés
  26. iptables -A INPUT -f -j DROP
  27.  
  28. # Bloquer les paquets XMAS
  29. iptables -A INPUT -p tcp -tcp-flags ALL ALL -j DROP
  30.  
  31. # Bloquer les paquets NULL
  32. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  33.  
  34. # Autorisation de ports en entrée
  35. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  36. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  37.  
  38. # Autorisation des ports en sortie
  39. iptables -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
  40. iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  41. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  42. iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT # Port DNS
  43. iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # Port DNS
  44.  
  45.  
  46. ####IPv6####
  47. # Tout bloquer
  48. ip6tables -t filter -P INPUT DROP
  49. ip6tables -t filter -P FORWARD DROP
  50. ip6tables -t filer -P OUTPUT DROP
  51.  
  52. # Autoriser loopback
  53. ip6tables -A INPUT -i lo -j ACCEPT
  54. ip6tables -A OUTPUT -i lo -j ACCEPT
  55.  
  56. # Maintenir connexion actuelle
  57. ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  58. ip6tables -A OUTPUT -m state --state RELATED,ESTBALISHED -j ACCEPT
  59.  
  60. # NDP pour toutes interfaces type broadcast
  61. ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
  62. ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-adverstisement -m hl --hl-eq 255 -j ACCEPT
  63. ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl -hl-eq 355 -j ACCEPT
  64.  
  65. ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
  66. ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
  67. ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
  68.  
  69.  
  70. # accepter entrée le ping
  71. ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  72.  
  73. # Ouverture port en entrée IPv6
  74. ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
  75. ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
  76.  
  77. # Accepter ping en sortie
  78. ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
  79.  
  80. # Ouverture des ports en sortie IPv6
  81. ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  82. ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  83. ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  84. ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
  85.  
  86. /etc/init.d/firewall restart