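#!/bin/sh
#
# Host firewall: default-deny on INPUT/FORWARD/OUTPUT for IPv4 and IPv6,
# then allow loopback, established/related traffic, rate-limited ping,
# inbound HTTP/HTTPS, outbound HTTP/HTTPS/DNS and (IPv6) the NDP traffic
# a host needs to stay reachable on its link.
#
# Must run as root. No administrative port (e.g. SSH) is opened by this
# script; only sessions that already exist survive via RELATED,ESTABLISHED.
#
# Fail closed: the DROP policies are set first, so if any later rule
# fails to load the host ends up locked down rather than half-open.
set -eu

/etc/init.d/init_firewall clean

#### IPv4 ####
# Refuse input and forward, refuse output (explicit allow-list below)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow the loopback interface.
# OUTPUT rules must match on the outgoing interface (-o); -i is rejected there.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Keep already established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept inbound ping, rate-limited (burst 1, same as the IPv6 rule below)
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT

# New TCP connections must start with SYN, otherwise drop
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets
iptables -A INPUT -f -j DROP

# Drop XMAS packets (all flags set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop NULL packets (no flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Inbound ports allowed
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Outbound traffic allowed
iptables -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS

#### IPv6 ####
# Block everything by default
ip6tables -t filter -P INPUT DROP
ip6tables -t filter -P FORWARD DROP
ip6tables -t filter -P OUTPUT DROP

# Allow loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Keep current connections
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# NDP for all broadcast-type interfaces.
# Inbound NDP is only accepted with hop limit exactly 255, i.e. it was not
# forwarded by a router; off-link NDP is dropped.
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT

# Accept inbound ping, rate-limited
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT

# Inbound ports allowed (IPv6)
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

# Accept outbound ping
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

# Outbound ports allowed (IPv6)
ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS

/etc/init.d/firewall restart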