So it is a server GNU/Linux Debian 5.0 Etch-to-date, the firewall is built right into the kernel (netfilter) I "use no software to configure" (just iptables conf)
For examples I do not put my whole script, just part of the mail, my script is dirty, I recognized him but works for my other services (for example, monit on port 9475 is actually available or not available when I run the script)
I'll see what you are talking (fw generator, etc. ..) thank you for the info.
I'll post my full script here that works
So is my iptables.up.rules launched in niger with #:/etc/sh iptables.up.rules
Code:
#!/bin/bash
# Configuration
PORTSSH = xxxxx
# Enable the various filters needed
# No spoofing! It avoids being stung our Public IP ...
if [-e / proc/sys/net/ipv4/conf/all/rp_filter]
then
for filter in / proc/sys/net/ipv4/conf / * / rp_filter
do
echo 0> filter
done
fi
# No ICMP! ... It prohibits the ICMP (ping, traceroute, ...)
if
# I want to respond to ping [-e / proc/sys/net/ipv4/icmp_echo_ignore_all] & &
[-e / proc/sys/net/ipv4/icmp_echo_ignore_broadcasts] & &
[-e / proc/sys/net/ipv4/icmp_ignore_bogus_error_responses]
then
# I want to respond to the ping echo 1> / proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1> / proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1> / proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
# Disable ICMP redirects!
for filter in / proc/sys/net/ipv4/conf / * / accept_redirects
do
echo 0> filter
done
for filter in / proc/sys/net/ipv4/conf / * / send_redirects
do
echo 0> filter
done
# Disable Source Route Packets
for filter in / proc/sys/net/ipv4/conf / * / accept_source_route
do
echo 0> filter
done
# Log Spoofs Packets, Source Routes, redirect!
for filter in / proc/sys/net/ipv4/conf / * / log_martians
do
echo 1> filter
done
# Protection syncookies
if [-e / proc/sys/net/ipv4/tcp_syncookies]
then
echo 1> / proc/sys/net/ipv4/tcp_syncookies
fi
# Reduces the possibility of DoS attack (Denial Of Service)
# # By reduction of timeouts
if [-e / proc/sys/net/ipv4/tcp_fin_timeout] & &
[-E / proc/sys/net/ipv4/tcp_windows_scaling] & &
[-E / proc/sys/net/ipv4/tcp_timestamps] & &
[-E / proc/sys/net/ipv4/tcp_sack] & &
[-E / proc/sys/net/ipv4/tcp_max_syn_backlog]
then
echo 30> / proc/sys/net/ipv4/tcp_fin_timeout
echo 0> / proc/sys/net/ipv4/tcp_windows_scaling
echo 0> / proc/sys/net/ipv4/tcp_timestamps
echo 0> / proc/sys/net/ipv4/tcp_sack
echo 1024> / proc/sys/net/ipv4/tcp_max_syn_backlog
fi
###### Debut Initialization ######
# Flush the tables present
iptables-t filter-F
iptables-t filter-X
echo - Dump: [OK]
# Prohibit any incoming connection
iptables-t filter-P INPUT DROP
iptables-t filter-P FORWARD DROP
echo - Prohibit any incoming connection: [OK]
# Prohibit any outgoing connection
iptables-t filter-P OUTPUT DROP
echo - Prohibit any outgoing connection: [OK]
# Allow SSH
iptables-t filter-A INPUT-p tcp - dport $ PORTSSH-j ACCEPT
echo - Allow SSH: [OK]
# Do not break established connections
iptables-t filter-A INPUT-m state - state RELATED, ESTABLISHED-j ACCEPT
iptables-t filter-A OUTPUT-m state - state RELATED, ESTABLISHED-j ACCEPT
echo - Do not break established connections: [OK]
###### End Initialization ######
##### ###### Debut Rules
# Allow DNS queries, HTTP, HTTPS, NTP, released in WHOIS
# iptables-t filter-A INPUT-p tcp - dport 80-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 443-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 53-j ACCEPT
# iptables-t filter-A INPUT-p udp - dport 53-j ACCEPT
# iptables-t filter-A INPUT-p udp - dport 123-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 43-m state - state NEW-j ACCEPT
# echo - Allow DNS queries, HTTP, HTTPS, NTP WHOIS: [OK]
# Allow FTP requests
# iptables-t filter-A INPUT-p tcp - dport 21-j ACCEPT
# iptables-t filter-A INPUT-p tcp - sport 21-m state - state ESTABLISHED-j ACCEPT
# echo - Allow FTP requests: [OK]
# Active FTP
# iptables-t filter-A INPUT-p tcp - dport 20-m state - state ESTABLISHED-j ACCEPT
# iptables-t filter-A INPUT-p tcp - sport 20-m state - state ESTABLISHED, RELATED-j ACCEPT
# echo - Allow requests FTP active mode: [OK]
# Passive FTP
# modprobe ip_conntrack_ftp
# iptables-t filter-A INPUT-p tcp - sport 1024: - dport 1024:-m state - state RELATED, ESTABLISHED-j ACCEPT
# iptables-t filter-A INPUT-p tcp - sport 1024: - dport 1024:-m state - state ESTABLISHED-j ACCEPT
# echo - Allow FTP requests (passive mode): [OK]
# Monit
iptables-t filter-A INPUT-p tcp - dport 9475-j ACCEPT
# Allow loopback
iptables-t filter-A INPUT-i lo-j ACCEPT
iptables-t filter-A OUTPUT-o lo-j ACCEPT
echo - Allow loopback: [OK]
# Allow ping
iptables-t filter-A INPUT-p icmp-j ACCEPT
iptables-t filter-A INPUT-p icmp-j ACCEPT
echo - Allow ping: [OK]
# NTP Out
iptables-t filter-A INPUT-p udp - dport 123-j ACCEPT
# HTTP
iptables-t filter-A INPUT-p tcp - dport 80-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 443-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 8443-j ACCEPT
echo - Allow Apache server: [OK]
# FTP
# modprobe ip_conntrack_ftp
# iptables-t filter-A INPUT-p tcp - dport 20-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 21-j ACCEPT
# iptables-t filter-A INPUT-m state - state ESTABLISHED, RELATED-j ACCEPT
# echo - Allow FTP server: [OK]
# Mail
# iptables-t filter-A INPUT-p tcp - dport 25-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 110-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 143-j ACCEPT
iptables-t filter-A INPUT-p tcp - dport 25-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 110-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 143-j ACCEPT
echo - Allow outgoing SMTP server OK: [OK]
# Mail SMTP: 465
iptables-t filter-A INPUT-p tcp - dport 465-j ACCEPT
iptables-t filter-A INPUT-p tcp - dport 465-j ACCEPT
#IMAP Mail : 143
# iptables-t filter-A INPUT-p tcp - dport 143-j ACCEPT
# iptables-t filter-A INPUT-p tcp - dport 143-j ACCEPT
#IMAPS Mail : 993
iptables-t filter-A INPUT-p tcp - dport 993-j ACCEPT
iptables-t filter-A INPUT-p tcp - dport 993-j ACCEPT
# DMA Monitoring Dedibox
iptables-t filter-A INPUT-s 88.191.254.0/24-p tcp - dport 161-m state - state NEW, ESTABLISHED-j ACCEPT
iptables-t filter-A INPUT-s 88.191.254.0/24-p tcp - dport 161-m state - state NEW, ESTABLISHED-j ACCEPT
iptables-t filter-A OUTPUT-d 88.191.254.0/24-p tcp - sport 161-m state - state ESTABLISHED-j ACCEPT
iptables-t filter-A OUTPUT-d 88.191.254.0/24-p tcp - sport 161-m state - state ESTABLISHED-j ACCEPT
echo - Enable DMA Monitoring Dedibox: [OK]
# Log dropped packets in / var / log / messages
# echo + Rules of log dropped packets ([IN / FP / OU_PKTS_DROP ]==>)
# iptables-A INPUT-j LOG - log-prefix = "[IN_PKTS_DROP] ==>"
# iptables-A FORWARD-j LOG - log-prefix = "[FO_PKTS_DROP] ==>"
# iptables-A INPUT-j LOG - log-prefix = "[OU_PKTS_DROP] ==>"
# echo - Turn on the log dropped packets: [OK]
###### End Rules ######
iptables-A FORWARD-p tcp - syn-m limit - limit 1/second-j ACCEPT
iptables-A FORWARD-p udp-m limit - limit 1/second-j ACCEPT
echo - Limiting Syn-Flood: [OK]
# Rules of Destruction!
#
# Destroys the connections on the interface <- Internet that would IP_addr those of a private class!
# # A variation of 'no-spoofing!
iptables-N Spoofed
iptables-A spoofed-s 127.0.0.0 / 8-j DROP # loopback addr
iptables-A spoofed-s 10.0.0.0 / 8-j DROP # Class A private addr
iptables-A spoofed-s 169.254.0.0/12-j DROP # addr Link Local Network
iptables-A spoofed-s 172.16.0.0/12-j DROP # Class B private addr
iptables-A spoofed-s 192.0.2.0/24-j DROP # addr TEST-NET
iptables-A spoofed-s 192.168.0.0/24-j DROP # Class C adr Privee
iptables-A spoofed-s 224.0.0.1 / 4-j DROP # Class D multicast addr
iptables-A spoofed-s 240.0.0.0 / 4-j DROP # Class E Reserveer adr
echo - Block Spoofing: [OK]
# Dump of rules for all tables
# ip6tables-F
# Allows erasure of all channels that are not in default
# Filter table
# ip6tables-X
# IPV6
# ip6tables-P INPUT DROP
# ip6tables-P OUTPUT DROP
# ip6tables-P FORWARD DROP
# echo Flushing rules (ip6)
# ip6tables - flush
# ip6tables - flush INPUT
# ip6tables - flush OUTPUT
# ip6tables - flush FORWARD
# ip6tables - flush-t mangle
# ip6tables - delete-chain
# echo - Prohibit IPv6: [OK]
# To avoid rotting my logs
# ip6tables-t filter-A INPUT-p-j DROP icmpv6
# Log dropped packets in / var / log / messages
# echo + Rules of log dropped packets ([IN/FO/OU_PKTS_DROP_IP6 ]==>)
# ip6tables-A INPUT-j LOG - log-prefix = "[IN_PKTS_DROP_IP6] ==>"
# ip6tables-A FORWARD-j LOG - log-prefix = "[FO_PKTS_DROP_IP6] ==>"
# ip6tables-A INPUT-j LOG - log-prefix = "[OU_PKTS_DROP_IP6] ==>"
# echo - Enable log on IPv6 packets rejected: [OK]
/ home etc/init.d/fail2ban
echo "+ ======================== END SCRIPT! ========================="
echo "+ show the configuration of the filter table: iptables-L-n-v '"
echo "Or + 'iptables-L-n-v-t nat or mangle' table to the other"
echo "+ show the configuration of the filter table: 'ip6tables-L-n-v'"
echo "+ or 'ip6tables-L-n-v-t nat or mangle' table to the other"
echo "+ =================================================================="
So this script works, but does not have a groupware to communicate with gmail, even when SMTP and IMAP open IN and OUT ....
Bookmarks