mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Mon May 16, 2011 9:29 pm Post subject: [Iptables] Slowdown
I use my old desktop PC as a server/network gateway.
At first I wrote some simple rules while I got my head around the whole iptables pile ^^
I used a basic script and modified it so that it matches my network.
However, some pages load extremely fast, others not.
Facebook, for instance, is impossible to browse, same with Doodle. YouTube, on the other hand, is fast, but it doesn't download the videos.
Well, you see the problem...
Here is my script:
Code:
#!/bin/sh
###############################################################################
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Internet Interface
INET_IFACE="ppp0"
# Local Interface Information
LOCAL_IFACE="ethX"
LOCAL_IP="IP_Passerelle"
LOCAL_NET="IP_Reseau_locale"
LOCAL_BCAST="Broadcast_locale"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK. There is no need to run
# every time, however.
# /sbin/depmod -a
# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules. Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default. Uncomment if you have any problems or if
# you have disabled module autoload. Note that some modules must
# be loaded by another kernel module.
# core netfilter module
/sbin/modprobe ip_tables
# the stateful connection tracking module
/sbin/modprobe ip_conntrack
# filter table module
/sbin/modprobe iptable_filter
# mangle table module
/sbin/modprobe iptable_mangle
# nat table module
/sbin/modprobe iptable_nat
# LOG target module
/sbin/modprobe ipt_LOG
# This is used to limit the number of packets per sec/min/hr
/sbin/modprobe ipt_limit
# masquerade target module
/sbin/modprobe ipt_MASQUERADE
# filter using owner as part of the match
/sbin/modprobe ipt_owner
# REJECT target drops the packet and returns an ICMP response.
# The response is configurable. By default, connection refused.
/sbin/modprobe ipt_REJECT
# This match selects packets by their netfilter mark (set by the MARK target)
/sbin/modprobe ipt_mark
# TCPMSS target, used in the FORWARD chain below to clamp the TCP MSS
/sbin/modprobe ipt_TCPMSS
# This match allows multiple ports instead of a single port or range
/sbin/modprobe ipt_multiport
# This match checks the connection tracking state (NEW, ESTABLISHED, RELATED, INVALID)
/sbin/modprobe ipt_state
# ipt_unclean (a 2.4-era match for packets with invalid flags) is no longer
# shipped; the bad_tcp_packets chain below covers those cases with --tcp-flags.
#/sbin/modprobe ipt_unclean
# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp
# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# the module for full irc connection tracking
#/sbin/modprobe ip_conntrack_irc
###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.
# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
# This enables dynamic address hacking.
# This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
else
$SYSCTL net.ipv4.ip_dynaddr="1"
fi
# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent? It's recommended for single-homed
# systems and routers on stub networks. Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ. Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
# $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi
# The following kernel settings were suggested by Alex Weeks. Thanks!
# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address. This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
# This option can be used to accept or refuse source routed
# packets. It is usually on by default, but is generally
# considered a security risk. This option turns it off.
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
# This option can disable ICMP redirects. ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
$SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi
# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "Create and populate custom rule chains ..."
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-prefix "fp=bad_packets:2 a=DROP "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network. While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image. If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below. It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
# --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "fp=icmp_packets:2 a=ACCEPT "
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.
# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Network Time Protocol (NTP) Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
# External DHCP Server
# Allow DHCP client request packets inbound from external network
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 \
-j ACCEPT
# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet. This explicitly
# allows the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# Web Server
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
#$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Passive FTP
#
# With passive FTP, the server provides a port to the client
# and allows the client to initiate the connection rather
# than initiating the connection with the client from the data port.
# Web browsers and clients operating behind a firewall generally
# use passive ftp transfers. A general purpose FTP server
# will need to support them.
#
# However, by default an FTP server will select a port from the entire
# range of high ports. It is not particularly safe to open all
# high ports. Fortunately, that range can be restricted. This
# firewall presumes that the range has been restricted to a specific
# selected range. That range must also be configured in the ftp server.
#
# Instructions for specifying the port range for the wu-ftpd server
# can be found here:
# http://www.wu-ftpd.org/man/ftpaccess.html
# (See the passive ports option.)
#
# Instructions for the ProFTPD server can be found here:
# http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html
# Sample Rule
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:64000 -j ACCEPT
# Email Server (SMTP)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (POP3)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# SSL Email Server (POP3)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
# SSL Email Server (IMAP4)
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
# MSN Messenger File Transfers
#
# Messenger supports file transfers. For transfers initiated by
# remote systems to function, the system must allow
# new connections initiated from remote systems a specific port range.
# This option defaults to the port range 6891 through 6900.
# Unless the MSN Messenger client can be configured to specify any
# port range, don't change the default.
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT
# Block SSH
#$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT
# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT
# Block FTP Access
# Control
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 21 -j REJECT
# Data
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 20 -j REJECT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them. The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
-j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Clamp the MSS of forwarded SYN packets to the path MTU (needed on ppp0,
# whose MTU is smaller than Ethernet's). This must come before the jump to
# tcp_outbound: that chain ends in an unconditional ACCEPT, so a rule placed
# after the jump is never reached by TCP traffic from the internal network.
$IPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
echo "Load rules for nat table ..."
###############################################################################
#
# PREROUTING chain
#
###############################################################################
#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
###############################################################################
#
# mangle table
#
###############################################################################
# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.
echo "Load rules for mangle table ..."
# Set the TTL in outbound packets to the same consistent value.
# A value around 128 is a good value. Do not set this too high as
# it will adversely affect your network. It is also considered bad
# form on the Internet.
$IPT -t mangle -A OUTPUT -o $INET_IFACE -j TTL --ttl-set 128
Hoping to find out what slows down my downloads so much in general...
Thanks!
razer l33t
Joined: 08 Oct 2004 Posts: 893 Location: Paris - France
Posted: Tue May 17, 2011 7:07 am Post subject: Re: [Iptables] Slowdown
mysix wrote:
However, some pages load extremely fast, others not.
Facebook, for instance, is impossible to browse
For many people, myself included, that's not a bug, it's a feature.
More seriously, I can't really answer: it's been at least 5 years since I wrote a single iptables rule; I use shorewall, which does it much better (on a Debian box, with a good old Celeron that handles the monstrous throughput of my Free FTTH without any trouble).
Poussin l33t
Joined: 08 Jun 2007 Posts: 659 Location: Liège
Posted: Tue May 17, 2011 7:49 am Post subject:
If you could instead post the output of iptables -L -n -v (-t whatever_table_you_modified), it would be much easier to read than the script.
guilc Bodhisattva
Joined: 15 Nov 2003 Posts: 3326 Location: Paris - France
Posted: Tue May 17, 2011 8:22 am Post subject:
Poussin wrote:
If you could instead post the output of iptables -L -n -v (-t whatever_table_you_modified), it would be much easier to read than the script.
+1
And just a note in passing: iptables does add load and reduce the capacity to process network traffic, but *only under very heavy load*. At ADSL speeds, you are very, very far from seeing that effect...
mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Tue May 17, 2011 7:03 pm Post subject:
Here is something easier to work with:
Code:
Chain INPUT (policy DROP 1 packets, 443 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
133 9988 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
121 8566 ACCEPT all -- eth0 * 72.97.96.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 72.97.96.255
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
10 939 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 tcp_inbound tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1 443 udp_inbound udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 icmp_packets icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1 443 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
89 18753 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
46 9549 tcp_outbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 udp_outbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
43 9204 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=FORWARD:99 a=DROP '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
83 67386 ACCEPT all -- * * 72.97.96.97 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
12 865 ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP '
Chain bad_packets (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- ppp0 * 72.97.96.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=bad_packets:2 a=DROP '
0 0 DROP all -- ppp0 * 72.97.96.0/24 0.0.0.0/0
1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP '
1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
200 26664 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
221 28701 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
pkts bytes target prot opt in out source destination
153 16985 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
47 9679 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG icmp -f * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=icmp_packets:1 a=DROP '
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 reject-with icmp-port-unreachable
46 9549 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_inbound (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
1 443 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_outbound (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 |
The other config, which works perfectly but is not at all complete:
Code: | Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
25 1914 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
10 1454 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:873
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:873
5 515 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:80
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 2004 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
363 54267 ACCEPT all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
355 328K ACCEPT all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 4 packets, 304 bytes)
pkts bytes target prot opt in out source destination
2 343 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
14 1970 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
10 622 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED,UNTRACKED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:873
5 359 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
|
Poussin l33t
Joined: 08 Jun 2007 Posts: 659 Location: Liège
Posted: Wed May 18, 2011 12:21 pm Post subject: |
Without having identified your problem yet, just from looking at what happens in FORWARD, there are some things I find odd.
In your tcp_outbound chain, you explicitly forbid telnet, ftp and newsgroup traffic. I'm not questioning your choices (although I would leave ftp, portage may like it), but on the other hand, you allow everything else! It would be much more prudent to refuse everything by default (which the default FORWARD policy does) and to explicitly allow the traffic you want to allow.
I would put something like this
Code: |
DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- eth1 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- eth1 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- eth1 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- eth1 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:21
ACCEPT udp -- eth1 * 192.168.0.0/24 0.0.0.0/0 udp dpt:123
(DROP the rest)
|
We throw out whatever is not valid. Everything related to previously established connections, we keep. We allow connection creation for the specified ports, with the specified transport protocols (that may be a bit brutal, I did not allow ping, but it's for the example).
Now, it depends on how much you trust your LAN, what you let your hosts do. Apparently you do not do any port forwarding, so no service is currently hosted behind your gateway, so there is no need to play with synflood protections at the FORWARD level, and things like that.
I'm not sure you have fully understood the system. I get the impression you took pieces of ready-made scripts, and as a result some rules seem useless or inappropriate.
Hang on, it just clicked, I may have an idea about your problem. Your machine seems to handle the Internet connection directly via modem (no box/router) over PPPoE. So you may well have a problem with too large an MTU on the machines of your LAN (1500 if I remember correctly). The rule that "fixes" it (hack would be a more appropriate term) is present in the first version of your FORWARD (although I would rather put that in the POSTROUTING of the mangle table). More info here: http://www.linuxtopia.org/Linux_Firewall_iptables/x4700.html
mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Fri May 20, 2011 12:05 pm Post subject: |
No no, I did study the script. These are not bits of scripts picked up somewhere...
I created it with a generator: http://easyfwgen.morizot.net/gen/
Before adding more restrictions, I wanted the script to work. That's the natural order of things.
I don't want to add problems for myself either.
Indeed, at the beginning I had added the TCPMSS rule because I had connection problems.
Now I have added it to the mangle table, in POSTROUTING.
The problem is still there. It still does not work. Even after many tests.
There is surely something I'm missing.
In my logs, I have a few packets that did not get through:
Code: | May 20 13:39:20 st4rs3rv3ur kernel: [27522.254310] fp=bad_packets:1 a=DROP IN=eth0 OUT=ppp0 SRC=72.97.96.14 DST=209.85.229.100 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=57418 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
May 20 13:40:48 st4rs3rv3ur kernel: [27610.334641] fp=bad_packets:1 a=DROP IN=ppp0 OUT= MAC= SRC=69.63.190.18 DST=83.77.78.184 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=58953 DF PROTO=TCP SPT=80 DPT=37069 WINDOW=4909 RES=0x00 ACK RST URGP=0
May 20 13:40:50 st4rs3rv3ur kernel: [27612.139148] fp=bad_packets:1 a=DROP IN=ppp0 OUT= MAC= SRC=69.63.190.18 DST=83.77.78.184 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=40544 DF PROTO=TCP SPT=80 DPT=37070 WINDOW=4926 RES=0x00 ACK RST URGP=0
May 20 13:41:01 st4rs3rv3ur kernel: [27623.106649] fp=bad_packets:1 a=DROP IN=ppp0 OUT= MAC= SRC=69.63.190.18 DST=83.77.78.184 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=49939 DF PROTO=TCP SPT=80 DPT=37086 WINDOW=5070 RES=0x00 ACK RST URGP=0
|
In this log, one thing caught my full attention. It's the destination port (DPT); during my previous tests, there were also high ports between the interfaces. All ports that I did not specifically accept.
However, in my old rules, I had specified them:
Code: |
For OUTPUT
ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW,RELATED,ESTABLISHED,UNTRACKED
For INPUT
ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 state RELATED,ESTABLISHED |
and there I still don't know why I have spt/dpt 53.
Why 53?
Here are my rules again:
Code: | Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 69 5666 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
4 58 4262 ACCEPT all -- eth0 * 72.97.96.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 72.97.96.255
6 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
7 11 1404 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 0 0 tcp_inbound tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
9 0 0 udp_inbound udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
10 0 0 icmp_packets icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
12 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 145 34017 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
2 92 15870 tcp_outbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 udp_outbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 52 18107 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
6 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=FORWARD:99 a=DROP '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4 50 5792 ACCEPT all -- * * 72.97.96.97 0.0.0.0/0
5 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
6 12 826 ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0
7 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP '
Chain bad_packets (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- ppp0 * 72.97.96.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=bad_packets:2 a=DROP '
2 0 0 DROP all -- ppp0 * 72.97.96.0/24 0.0.0.0/0
3 1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP '
4 1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 153 34589 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 213 39643 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 101 16482 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP '
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
4 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP '
5 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
6 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP '
7 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
8 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP '
9 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
10 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP '
11 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
12 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP '
13 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
14 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP '
15 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
16 52 18107 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG icmp -f * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=icmp_packets:1 a=DROP '
2 0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
5 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_inbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
4 79 15090 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
8 13 780 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain udp_inbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
2 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
5 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_outbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
|
The MANGLE table:
Code: |
Chain PREROUTING (policy ACCEPT 66 packets, 5180 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 52 packets, 3959 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 14 packets, 1221 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 40 packets, 12866 bytes)
pkts bytes target prot opt in out source destination
6 423 TTL all -- * ppp0 0.0.0.0/0 0.0.0.0/0 TTL set to 128
Chain POSTROUTING (policy ACCEPT 45 packets, 13276 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU |
The NAT table:
Code: | Chain PREROUTING (policy ACCEPT 164 packets, 26902 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 90 packets, 9215 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 51 packets, 3272 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
63 4330 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0 |
Hoping someone can help me
Thanks in advance!
guilc Bodhisattva
Joined: 15 Nov 2003 Posts: 3326 Location: Paris - France
mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Sun May 22, 2011 7:37 pm Post subject: |
I did it, with no result.
Oh oh, being fed up, I modified my script so that everything goes through without going via the inbound and outbound chains. That works.
Then, enabling tcp_outbound in FORWARD and adding a rule: $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
Nothing gets through any more. Yet this rule is supposed to accept all TCP packets, isn't it?
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Mon May 23, 2011 8:53 am Post subject: |
Just for information, when you want to show your iptables rules, use the iptables-save command instead, which is not limited to the requested/default table.
There you go! _________________ The End of the Internet!
Poussin l33t
Joined: 08 Jun 2007 Posts: 659 Location: Liège
Posted: Mon May 23, 2011 11:44 am Post subject: |
mysix wrote: | I did it, with no result.
Oh oh, being fed up, I modified my script so that everything goes through without going via the inbound and outbound chains. That works.
Then, enabling tcp_outbound in FORWARD and adding a rule: $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
Nothing gets through any more. Yet this rule is supposed to accept all TCP packets, isn't it? |
I advise you, when you make a change and want to share it with us, to paste us the new config as seen by iptables (after running a connection test that fails, so as to increment the counters).
mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Fri May 27, 2011 12:05 pm Post subject: |
Iptables that currently works:
Code: | # Generated by iptables-save v1.4.10 on Fri May 27 13:50:43 2011
*nat
:PREROUTING ACCEPT [61444:8014424]
:INPUT ACCEPT [24478:1952835]
:OUTPUT ACCEPT [25803:1737581]
:POSTROUTING ACCEPT [181:38493]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri May 27 13:50:43 2011
# Generated by iptables-save v1.4.10 on Fri May 27 13:50:43 2011
*mangle
:PREROUTING ACCEPT [1396395:899864018]
:INPUT ACCEPT [125226:35052658]
:FORWARD ACCEPT [1253257:859863716]
:OUTPUT ACCEPT [88247:24195416]
:POSTROUTING ACCEPT [1332103:883568636]
COMMIT
# Completed on Fri May 27 13:50:43 2011
# Generated by iptables-save v1.4.10 on Fri May 27 13:50:43 2011
*filter
:INPUT DROP [1367:78604]
:FORWARD DROP [6274:253240]
:OUTPUT DROP [3127:237412]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --sport 873 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 873 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -o ppp0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -o ppp0 -p udp -m udp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 80 -j ACCEPT
COMMIT
# Completed on Fri May 27 13:50:43 2011
|
My new script, but with everything set to permissive mode (ACCEPT)
And with no rule in tcp_outbound
Result: Works
iptables-save:
Code: |
# Generated by iptables-save v1.4.10 on Fri May 27 13:59:17 2011
*nat
:PREROUTING ACCEPT [2:274]
:INPUT ACCEPT [2:274]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri May 27 13:59:17 2011
# Generated by iptables-save v1.4.10 on Fri May 27 13:59:17 2011
*mangle
:PREROUTING ACCEPT [57:3775]
:INPUT ACCEPT [26:2074]
:FORWARD ACCEPT [31:1701]
:OUTPUT ACCEPT [13:1324]
:POSTROUTING ACCEPT [44:3025]
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May 27 13:59:17 2011
# Generated by iptables-save v1.4.10 on Fri May 27 13:59:17 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 72.97.96.0/24 -i eth0 -j ACCEPT
-A INPUT -d 72.97.96.255/32 -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p tcp -j tcp_inbound
-A INPUT -i ppp0 -p udp -j udp_inbound
-A FORWARD -i eth0 -p tcp -j tcp_outbound
-A FORWARD -i eth0 -p udp -j udp_outbound
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 72.97.96.97/32 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A bad_packets -s 72.97.96.0/24 -i ppp0 -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
-A bad_packets -s 72.97.96.0/24 -i ppp0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 123 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 22 -j ACCEPT
-A udp_inbound -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Fri May 27 13:59:18 2011
|
Adding the rule:
iptables -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
Result: FAILURE
Code: |
# Generated by iptables-save v1.4.10 on Fri May 27 14:01:40 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri May 27 14:01:40 2011
# Generated by iptables-save v1.4.10 on Fri May 27 14:01:40 2011
*mangle
:PREROUTING ACCEPT [12:1957]
:INPUT ACCEPT [7:508]
:FORWARD ACCEPT [5:1449]
:OUTPUT ACCEPT [4:464]
:POSTROUTING ACCEPT [9:1913]
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May 27 14:01:40 2011
# Generated by iptables-save v1.4.10 on Fri May 27 14:01:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 72.97.96.0/24 -i eth0 -j ACCEPT
-A INPUT -d 72.97.96.255/32 -i eth0 -j ACCEPT
-A INPUT -i ppp0 -p tcp -j tcp_inbound
-A INPUT -i ppp0 -p udp -j udp_inbound
-A FORWARD -i eth0 -p tcp -j tcp_outbound
-A FORWARD -i eth0 -p udp -j udp_outbound
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 72.97.96.97/32 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A bad_packets -s 72.97.96.0/24 -i ppp0 -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
-A bad_packets -s 72.97.96.0/24 -i ppp0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 123 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 22 -j ACCEPT
-A udp_inbound -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Fri May 27 14:01:40 2011
|
Anyway, yet it seems to me that the services for these rules are enabled...
There, I admit it's beyond me...
Poussin l33t
Joined: 08 Jun 2007 Posts: 659 Location: Liège
Posted: Fri May 27, 2011 2:00 pm Post subject: |
Can't help it, I don't like the iptables-save output... it hurts the eyes.
All your bad_*_packets, I would replace that with -m state --state INVALID -j DROP (Besides, do you really need a different LOG for every combination of malformed TCP packet? A single one is more than enough, I think).
Next, where I do not agree at all is with your -i ppp0 --sport 80 -j ACCEPT
Which means -> anything coming from a port 80 is my friend. But I'm almost certain that you would prefer "anything that is a reply to a request from me to a port 80 is my friend". And that is totally different!
You must accept everything that is a reply, in fact -> (on all transport ports while you're at it) -m state --state RELATED,ESTABLISHED -j ACCEPT (This is not stateless!)
After that, you follow up with the requests you allow yourself to make (-i $LAN_ETH -p tcp --dport http -j ACCEPT)
anything that does not match will be dropped by the -P DROP
Then, I remind you that some sites switch to SSL for the duration of the connection auth.; it would be good taste to add https to the protocols used.
mysix Apprentice
Joined: 26 Mar 2010 Posts: 183
Posted: Fri May 27, 2011 2:22 pm Post subject: |
For now, I don't think the logs are my problem.
Nor security.
I would just like to know why I have connection problems with my new rules.
And for ports 80 and 443, I only accept them if a connection is related or established.
If you want the entirety of my rules, here they are:
Code: | Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 69 5666 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.1
4 58 4262 ACCEPT all -- eth0 * 72.97.96.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 72.97.96.255
6 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
7 11 1404 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 0 0 tcp_inbound tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
9 0 0 udp_inbound udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
10 0 0 icmp_packets icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
12 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 145 34017 bad_packets all -- * * 0.0.0.0/0 0.0.0.0/0
2 92 15870 tcp_outbound tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 udp_outbound udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 52 18107 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
6 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=FORWARD:99 a=DROP '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4 50 5792 ACCEPT all -- * * 72.97.96.97 0.0.0.0/0
5 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
6 12 826 ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0
7 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP '
Chain bad_packets (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- ppp0 * 72.97.96.0/24 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=bad_packets:2 a=DROP '
2 0 0 DROP all -- ppp0 * 72.97.96.0/24 0.0.0.0/0
3 1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP '
4 1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 153 34589 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 213 39643 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 101 16482 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP '
3 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
4 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP '
5 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
6 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP '
7 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
8 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP '
9 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
10 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP '
11 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
12 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP '
13 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
14 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP '
15 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
16 52 18107 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp_packets (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG icmp -f * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `fp=icmp_packets:1 a=DROP '
2 0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
5 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_inbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcp_outbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
4 79 15090 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
8 13 780 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain udp_inbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
2 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
5 0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp_outbound (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
|
My previous post showed that even with everything set to ACCEPT and adding ONLY the tcp_outbound rule quoted above, the connection was a failure.
You should know that with this table, I can easily establish a connection with google, but it is impossible to establish a connection with websites in general.
I'd also like to mention that I currently have dnsmasq. But I doubt that's the problem...
Poussin l33t
Joined: 08 Jun 2007 Posts: 659 Location: Liège
Posted: Fri May 27, 2011 2:41 pm Post subject: |
You're stubborn. Try putting your -m state --state RELATED,ESTABLISHED between your pseudo INVALID and your tcp_out
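The ordering point made in this reply and in the earlier one (INVALID drop and RELATED,ESTABLISHED accept first, then an explicit per-port whitelist), as an added Python model of iptables chain traversal that is not code from the thread: it runs a LAN SYN through the FORWARD layout of the failing iptables-save above, where the tcp_outbound jump precedes the TCPMSS clamp so an ACCEPT inside tcp_outbound ends traversal before the clamp, and through the suggested layout. The interface and chain names and the ports come from the posted rules; the packet model and the ALLOWED_TCP_DPORTS set are assumptions.

```python
"""Toy model of iptables chain traversal, written for this thread (not the
poster's script or any project code). It reproduces the FORWARD layout from
the failing iptables-save and the layout suggested in the replies."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    in_if: str            # ingress interface: eth0 (LAN) or ppp0 (uplink)
    dport: int
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn: bool = False     # True for the opening SYN of a TCP connection
    mss_clamped: bool = False
    trace: List[str] = field(default_factory=list)


# A rule is (match predicate, target). ACCEPT/DROP/REJECT terminate traversal,
# RETURN leaves a user chain, TCPMSS is non-terminating, any other name is a chain.
Rule = Tuple[Callable[[Packet], bool], str]
Chains = Dict[str, List[Rule]]


def walk(chains: Chains, name: str, pkt: Packet) -> Optional[str]:
    """Traverse one chain; None means 'fell off the end' (RETURN to the caller)."""
    for idx, (match, target) in enumerate(chains[name], 1):
        if not match(pkt):
            continue
        pkt.trace.append(f"{name}:{idx} {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target == "TCPMSS":
            if pkt.syn:
                pkt.mss_clamped = True  # --clamp-mss-to-pmtu rewrites the SYN's MSS
            continue
        verdict = walk(chains, target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def forward(chains: Chains, pkt: Packet, policy: str = "DROP") -> str:
    """Run a packet through FORWARD; unmatched packets get the chain policy."""
    verdict = walk(chains, "FORWARD", pkt)
    return verdict if verdict is not None else policy


def is_syn(p: Packet) -> bool:
    return p.proto == "tcp" and p.syn


def posters_forward(accept_all_tcp: bool) -> Chains:
    """FORWARD as posted: the tcp_outbound jump comes before the TCPMSS rule.
    accept_all_tcp=True adds '-A tcp_outbound -p TCP -s 0/0 -j ACCEPT'."""
    tcp_out: List[Rule] = []
    if accept_all_tcp:
        tcp_out.append((lambda p: p.proto == "tcp", "ACCEPT"))
    return {
        "FORWARD": [
            (lambda p: p.in_if == "eth0" and p.proto == "tcp", "tcp_outbound"),
            (lambda p: p.in_if == "eth0" and p.proto == "udp", "udp_outbound"),
            (is_syn, "TCPMSS"),
            (lambda p: p.in_if == "eth0", "ACCEPT"),
            (lambda p: p.in_if == "ppp0" and p.state in ("RELATED", "ESTABLISHED"),
             "ACCEPT"),
        ],
        "tcp_outbound": tcp_out,
        "udp_outbound": [(lambda p: p.proto == "udp", "ACCEPT")],
    }


# Whitelist of destination ports new LAN connections may open (assumed set).
ALLOWED_TCP_DPORTS = {80, 443, 22, 21}


def recommended_forward() -> Chains:
    """Layout from the replies: drop INVALID, accept RELATED/ESTABLISHED, clamp
    the MSS before any ACCEPT, then whitelist new LAN connections per port."""
    return {
        "FORWARD": [
            (lambda p: p.state == "INVALID", "DROP"),
            (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
            (is_syn, "TCPMSS"),
            (lambda p: p.in_if == "eth0" and p.proto == "tcp", "tcp_outbound"),
        ],
        "tcp_outbound": [
            (lambda p: p.dport in ALLOWED_TCP_DPORTS, "ACCEPT"),
            (lambda p: True, "RETURN"),  # everything else falls to policy DROP
        ],
    }


def lan_syn(dport: int) -> Packet:
    """Constructed sample: a new connection attempt from a LAN host."""
    return Packet("tcp", "eth0", dport, "NEW", syn=True)


if __name__ == "__main__":
    for label, chains in (("empty tcp_outbound", posters_forward(False)),
                          ("accept-all tcp_outbound", posters_forward(True)),
                          ("recommended layout", recommended_forward())):
        p = lan_syn(80)
        print(f"{label:24} {forward(chains, p)} clamped={p.mss_clamped} {p.trace}")
```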