Gentoo Forums
[SCRIPT] firewall.sh
profy
Tux's lil' helper
Joined: 08 Jun 2005
Posts: 96
Location: Sophia Antipolis
PostPosted: Fri Jul 01, 2005 10:55 pm    Post subject: [SCRIPT] firewall.sh

Hi,

Well, if anyone is interested I'll try to comment it.

Prerequisites:

In the kernel you have to go into the networking options and enable everything related to netfilter, in particular ip_conntrack for state matching and ftp_conntrack for the FTP part.

Usage:

To add rules and define them yourself, you have to look at the logs to find out what is being blocked when you want to add a new protocol.

Personally, here is how I go about it.

-> I watch my logs with:
Code:
dialog --backtitle "Administration du firewall" --title "Logs systèmes" --tailbox /var/log/messages 18 60

-> when something gets blocked I add the corresponding rules and try again.

Don't hesitate if you have questions or suggestions for additions, I'll add them to the script.

My firewall script, as an example for you.
Code:

#!/bin/sh

#******************************************* BASIC RULES ************************

#Variable definitions
EXTINT=ppp0
INTINT=eth0
LANIP=192.168.0.0/24

#flush what already exists
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
#create the LOG_DROP chain
iptables -N LOG_DROP
iptables -N LOG_FORWARD_DROP

#put the LOG target in LOG_DROP; it is non-terminating (another target can follow)
iptables -A LOG_DROP -j LOG --log-prefix '[iptables_drop] : '
iptables -A LOG_FORWARD_DROP -j LOG --log-prefix '[iptables_forward_drop] : '
#define the next target
iptables -A LOG_DROP -j DROP
iptables -A LOG_FORWARD_DROP -j DROP


#allow the loopback
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

#allow ourselves
iptables -A INPUT -i lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT

#allow the local network
#iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
#iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

#ping (server+client)
#iptables -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#protection against tcp flooding
#iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/second -j ACCEPT
#iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/minute -j ACCEPT
#oracle client local network <-> internet
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 1529 -j ACCEPT

#************************************* PING *****************************************************

#protection against flooding (ping rate)
iptables -A INPUT -i ppp0 -p icmp -m state --state NEW  -m limit --limit 5/minute -j ACCEPT

#ping internet <-> server (the server can ping but cannot be pinged)
iptables -A OUTPUT -o ppp0 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i ppp0 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#ping server <-> local network
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


#ping local network <-> internet (the network can ping but cannot be pinged)
iptables -A FORWARD -i eth0 -o ppp0 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

#*********************************************** DNS **********************************************

#DNS server <-> internet
iptables -A INPUT -i ppp0 --protocol udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol udp --dport 53 -j ACCEPT
#iptables -A INPUT -i ppp0 --protocol tcp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o ppp0 --protocol tcp --destination-port 53 -j ACCEPT

#DNS local network <-> internet
iptables -A FORWARD -i ppp0 -o eth0 --protocol udp --source-port 53 -j ACCEPT
#iptables -A FORWARD -i ppp0 -o eth0 --protocol tcp --source-port 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 --protocol udp --destination-port 53 -j ACCEPT
#iptables -A FORWARD -i eth0 -o ppp0 --protocol tcp --destination-port 53 -m state --state ESTABLISHED -j ACCEPT

#*********************************************** HTTP - HTTPS ***************************************

#HTTPS server <-> internet (client) needed for msn
iptables -A OUTPUT -o ppp0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#HTTPS local network <-> internet (client) needed for msn
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

#HTTP server(client) <-> internet(server)
iptables -A INPUT -i ppp0 --protocol tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

#HTTPS server(client) <-> internet(server)
iptables -A INPUT -i ppp0 --protocol tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

#HTTP local network <-> internet
iptables -A FORWARD -i ppp0 -o eth0 --protocol tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 --protocol tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

#******************************************** emerge sync *******************************************

#local network(client) <-> internet(server)
iptables -A FORWARD -i ppp0 -o eth0 --protocol tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 --protocol tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT

#******************************************** no-ip *************************************************

#server(client) <-> internet(server)
iptables -A INPUT -i ppp0 --protocol tcp --sport 8245 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol tcp --dport 8245 -m state --state NEW,ESTABLISHED -j ACCEPT

#******************************************** SQUID *************************************************

#SQUID server(server) <-> local network (client) Required if you want authentication on squid (non-transparent proxy)
iptables -A INPUT -i eth0 --protocol tcp --sport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol tcp --dport 3128 -m state --state ESTABLISHED -j ACCEPT

#****************************************** SSH ****************************************************

#SSH (client)
#iptables -A INPUT -i ppp0 --protocol tcp --source-port 22 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o ppp0 --protocol tcp --destination-port 22 -m state --state NEW,ESTABLISHED -j ACCEPT

#SSH server <-> internet (client)
#t#iptables -A INPUT -i ppp0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#t#iptables -A OUTPUT -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

#SSH server <-> internet (server)
#t#iptables -A INPUT -i ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#t#iptables -A OUTPUT -o ppp0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#SSH server <-> local network (client)
#t#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#t#iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

#SSH local network(client) <-> internet(server)
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#SSH server(server) <-> local network (client)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#*********************************** INSTANT MESSAGING ********************************

#YAHOO server(client) <-> internet(server)
#iptables -A OUTPUT -o ppp0 -p tcp --dport 5050 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --sport 5050 -m state --state ESTABLISHED -j ACCEPT

#MSN server(client) <-> internet (server)
#iptables -A OUTPUT -o ppp0 -p tcp --dport 1863 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --sport 1863 -m state --state ESTABLISHED -j ACCEPT


#YAHOO local network(client) <-> internet (server)
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 5050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p tcp --sport 5050 -m state --state ESTABLISHED -j ACCEPT

#MSN local network(client) <-> internet (server) (Requires HTTPS)
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 1863 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p tcp --sport 1863 -m state --state ESTABLISHED -j ACCEPT

#**************************************** X server ***********************************************

#X2X server (server)<-> local network (client)
#iptables -A INPUT -i eth0 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 6000 -m state --state ESTABLISHED -j ACCEPT

#X2X server(client) <-> local network (server)
#iptables -A OUTPUT -o eth0 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 6000 -m state --state ESTABLISHED -j ACCEPT


#***************************************** Games ***************************************************

#FREECIV
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 5555 -j ACCEPT

#ensimud
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -o eth0 -i ppp0 -p tcp --dport 4500 -m state --state ESTABLISHED -j ACCEPT

#xpilot local <-> internet (client)
#allows the server list to be displayed
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 4401 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p tcp --sport 4401 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p udp --dport 15345 -m state --state NEW,ESTABLISHED -j ACCEPT
#to connect to the server ip107.centonline.com
iptables -A FORWARD -i eth0 -o ppp0 -p udp --dport 24570 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p udp --sport 24570 -m state --state ESTABLISHED -j ACCEPT
#to play, gogogo !!!
iptables -A FORWARD -i eth0 -o ppp0 -p udp --sport 32700:32899 --dport 32500:50000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p udp --dport 32700:32899 --sport 32500:50000 -m state --state ESTABLISHED -j ACCEPT
#warcraft server <-> local network
#iptables -A INPUT -i eth0 -p udp --dport 6112 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp --sport 6112 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport 6112 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --dport 6112 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 6112 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 6112 -j ACCEPT

#******************************************* RSYNC **********************************************************

#RSYNC server <-> internet (client)
iptables -A INPUT -i ppp0 --protocol tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 --protocol tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT

#RSYNC server <-> local network (server:server)
iptables -A INPUT -i eth0 --protocol tcp --sport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol tcp --dport 873 -m state --state ESTABLISHED -j ACCEPT

#******************************************* DISTCC **********************************************************

#DISTCC server <-> local network
iptables -A INPUT -i eth0 --protocol tcp --sport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol tcp --dport 3632 -m state --state NEW,ESTABLISHED -j ACCEPT

#****************************************** PEER TO PEER ******************************************************

#mldonkey admin on a remote server from the local network
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 4080 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i ppp0 -o eth0 -p tcp --sport 4080 -m state --state ESTABLISHED -j ACCEPT

#bittorrent
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --sport 30000:65000 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -o eth0 -i ppp0 -p tcp --dport 30000:65000 -m state --state ESTABLISHED -j ACCEPT

#port redirection for mldonkey
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.0.13
#iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.0.13

#****************************************** DHCP *************************************************************

#DHCP server <-> local network
iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

#******************************************* NTP *************************************************************

#NTP local network <-> internet (client)
iptables -A FORWARD -i eth0 -o ppp0 -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p udp --sport 123 -j ACCEPT

#******************************************* MAILS ***********************************************************

#MAIL local network <-> internet (client)
#POP3
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i ppp0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
#SMTP (the reply rule comes in on ppp0 and goes out on eth0, like POP3)
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
#IMAP (same direction for the reply rule)
iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

#**************************************************** FTP *******************************************************

#ftp client rules
#FTP local network(client) <-> internet(server)
#iptables -A FORWARD -p tcp -i eth0 -o ppp0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp -o eth0 -i ppp0 --sport 21 -m state --state ESTABLISHED -j ACCEPT

#iptables -A FORWARD -p tcp -s 192.168.3.2 -d 192.168.2.2 --dport 20 -m state --state ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.3.2 -s 192.168.2.2 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -p tcp -s 192.168.3.2 -d 192.168.2.2 --sport 1024:65000 --dport 1024:65000 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.3.2 -s 192.168.2.2 --sport 1024:65000 --dport 1024:65000 -m state --state ESTABLISHED -j ACCEPT

#FTP local network(client) <-> server(server)
iptables -A INPUT -p tcp -i eth0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 21 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --sport 1024:65000 --dport 1024:65000 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 1024:65000 --dport 1024:65000 -m state --state RELATED,ESTABLISHED -j ACCEPT

#FTP local network(client) <-> server(server)
#in progress ...
#the goal here is to specify the source so that only a buddy with a domain name or a fixed IP is allowed
#iptables -A INPUT -p tcp -i ppp0 -s 213.246.55.72 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -o ppp0 --sport 21 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp -i ppp0 --dport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -o ppp0 --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp -i ppp0 --sport 1024:65000 --dport 1024:65000 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -o ppp0 --sport 1024:65000 --dport 1024:65000 -m state --state RELATED,ESTABLISHED -j ACCEPT

#******************************************* SKYPE ***********************************************************

#iptables -t filter -A FORWARD -i $INTINT -o $EXTINT -s $LANIP -p udp --sport 1099 -m state --state ! INVALID -j ACCEPT
#iptables -t filter -A FORWARD -i $EXTINT -o $INTINT -d $LANIP -p udp --dport 1099 -m state --state RELATED,ESTABLISHED -j ACCEPT


#******************************************* MISC ************************************************************
#radio stream
#iptables -A FORWARD -i eth0 -o ppp0 -p tcp --dport 7144 -m state --state ESTABLISHED -j ACCEPT
#iptables -A FORWARD -o eth0 -i ppp0 -p tcp --dport 30000:65000 -m state --state ESTABLISHED -j ACCEPT

#Connection sharing
#iptables -F FORWARD
#iptables -A FORWARD -i ppp0 -o eth0  -j ACCEPT
#iptables -A FORWARD -i eth0 -o ppp0  -j ACCEPT

#***************************************** CONNECTION SHARING ***********************************************

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

#*************************************** Drop everything else ***********************************************

iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
iptables -A FORWARD -j LOG_FORWARD_DROP

_________________
The more I know men, the more I love my PC.


Last edited by profy on Wed Jul 13, 2005 12:10 pm; edited 3 times in total
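The script above types the same two-rule client pattern by hand for every service, with hard-coded interface names. As an added example that is not profy's code, the functions below build each pair from the script's own $INTINT/$EXTINT variables, so the reply rule's interfaces cannot be flipped by copy-paste, and they carry -m state in both directions, which the script's UDP port 53 rules do not. The function names and the IPT dry-run variable are my own.

```shell
#!/bin/sh
# Added example, not part of the original script: generate each client rule
# pair from the script's own interface variables instead of typing it twice.
# IPT defaults to a dry run that only prints the rules; run with
# IPT=iptables (as root) to apply them.
IPT=${IPT:-"echo iptables"}
EXTINT=${EXTINT:-ppp0}    # internet side, as in the script
INTINT=${INTINT:-eth0}    # LAN side, as in the script

# LAN client -> internet server on proto/port, plus the reply path.
# Both rules carry -m state, which the script's UDP port 53 rules do not:
# without it any packet from source port 53 is accepted, answer or not.
forward_client() {
    proto=$1; port=$2
    $IPT -A FORWARD -i "$INTINT" -o "$EXTINT" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXTINT" -o "$INTINT" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# The firewall host itself as a client, going out through iface (OUTPUT/INPUT).
host_client() {
    iface=$1; proto=$2; port=$3
    $IPT -A OUTPUT -o "$iface" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$iface" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# A service on the firewall host, reachable only from iface (INPUT/OUTPUT).
# On the server side the port is matched as --dport on INPUT and --sport on OUTPUT.
host_server() {
    iface=$1; proto=$2; port=$3
    $IPT -A INPUT -i "$iface" -p "$proto" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p "$proto" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Sample use, covering the script's MAIL, DNS and SSH sections.
forward_client tcp 25            # SMTP from the LAN
forward_client tcp 143           # IMAP from the LAN
forward_client udp 53            # DNS from the LAN, stateful this time
host_client "$EXTINT" udp 53     # DNS from the firewall host itself
host_server "$INTINT" tcp 22     # SSH to the firewall host, LAN side only
```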
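For the log-watching step profy describes (find what is being blocked, then add the rule), here is an added example that is not part of the original post: it counts the kernel log lines carrying the script's [iptables_drop] and [iptables_forward_drop] prefixes per chain, interface pair, protocol and destination port, so the missing rule stands out. The sample lines are constructed in the netfilter LOG format with made-up hosts and addresses; summarize_drops is my own name.

```shell
#!/bin/sh
# Added example, not part of the original script: summarise what the firewall
# dropped, from the kernel log lines written by the script's LOG targets.
# Constructed sample lines (hosts and addresses are made up) in the netfilter
# LOG format; in real use, feed /var/log/messages instead.
SAMPLE_LOG=$(cat <<'EOF'
Jul  4 12:56:01 gw kernel: [iptables_drop] : IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:56:03 gw kernel: [iptables_drop] : IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=34568 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:57:10 gw kernel: [iptables_forward_drop] : IN=eth0 OUT=ppp0 SRC=192.168.0.13 DST=198.51.100.40 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=40000 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 12:57:11 gw kernel: [iptables_forward_drop] : IN=eth0 OUT=ppp0 SRC=192.168.0.13 DST=198.51.100.40 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=40001 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  4 12:58:00 gw kernel: [iptables_drop] : IN=ppp0 OUT= MAC= SRC=198.18.0.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=30123 DPT=1025 LEN=28
Jul  4 12:58:30 gw sshd[1234]: Accepted publickey for alice from 192.168.0.5 port 50022 ssh2
EOF
)

# summarize_drops: reads log lines on stdin and prints
# "count chain in=IF out=IF PROTO dpt=PORT", most frequent first.
# Lines without an iptables log prefix (like the sshd line) are ignored.
summarize_drops() {
    awk '
    match($0, /\[iptables[a-z_]*\]/) {
        chain = substr($0, RSTART, RLENGTH)
        in_if = out_if = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    in_if = substr($i, 4)
            if ($i ~ /^OUT=/)   out_if = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        # OUT= is empty for INPUT-chain drops; keep the column readable
        if (in_if == "") in_if = "-"
        if (out_if == "") out_if = "-"
        count[chain " in=" in_if " out=" out_if " " proto " dpt=" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Example run over the constructed lines; a real session would pipe in
# /var/log/messages (or the dialog tailbox view of it) instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

In the sample, the two LAN drops toward port 993 say that an IMAPS forward rule is missing, which is exactly the kind of line the post suggests reading before adding a rule.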
Adrien
Advocate
Joined: 13 Jul 2004
Posts: 2249
Location: Paris - France
PostPosted: Sun Jul 03, 2005 11:40 am

Great, ideal for me who understands nothing about networking and iptables.. :wink:
Thanks! :)
didzzzz17
Tux's lil' helper
Joined: 08 Mar 2004
Posts: 127
Location: France - Niort / La Rochelle
PostPosted: Mon Jul 04, 2005 9:51 am

Hello,

I'm in the middle of setting up a firewall, this will surely be useful to me, thanks!

However there are a few lines I don't quite understand:

Code:

#allow ourselves
iptables -A INPUT -i lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT

Why not allow only the address 127.0.0.1?

Doesn't DNS work only over UDP?

In the instant messaging section, for skype:
Code:

iptables -t filter -A FORWARD -i $INTINT -o $EXTINT -s $LANIP -p udp --sport 1099 -m state --state ! INVALID -j ACCEPT
iptables -t filter -A FORWARD -i $EXTINT -o $INTINT -d $LANIP -p udp --dport 1099 -m state --state RELATED,ESTABLISHED -j ACCEPT

However file transfer doesn't work: see this post

Personally I use Ulog rather than the classic logging system. It avoids being swamped by all the kernel logs and it can be tied to a MySQL or Postgres database.

That's all for now :wink:, I haven't looked at everything but it looks very complete.
profy
Tux's lil' helper
Joined: 08 Jun 2005
Posts: 96
Location: Sophia Antipolis
PostPosted: Mon Jul 04, 2005 12:56 pm

#allow ourselves
iptables -A INPUT -i lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT

I'm not really sure, but if you ping 127.0.0.5 that has to work too; in any case I don't see the harm in allowing everything on the loopback :)

I'll add the skype part tonight when I get home, thanks :)
_________________
The more I know men, the more I love my PC.
didzzzz17
Tux's lil' helper
Joined: 08 Mar 2004
Posts: 127
Location: France - Niort / La Rochelle
PostPosted: Mon Jul 04, 2005 1:10 pm

Is it possible for an attacker to change the incoming interface of a datagram (eth1 into lo)? I know, it's paranoid :lol:
But might as well take the opportunity to use 127.0.0.0/8, no? Granted, it's only one more little thing to get around.
_________________
Master's in Information Systems Security
profy
Tux's lil' helper
Joined: 08 Jun 2005
Posts: 96
Location: Sophia Antipolis
PostPosted: Mon Jul 04, 2005 1:14 pm

I think it's simpler for him to just wipe the iptables rules ...
_________________
The more I know men, the more I love my PC.
chipsterjulien
Guru
Joined: 08 Jun 2004
Posts: 350
Location: Lille France
PostPosted: Thu Feb 16, 2006 11:11 am

profy wrote:
#allow ourselves
iptables -A INPUT -i lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0.0.0.0 -d 0.0.0.0 -j ACCEPT

This part is for no-ip