[Précédent (date)] [Suivant (date)] [Précédent (sujet)] [Suivant (sujet)] [Index par date] [Index par sujet]
Re: [lq:aide] passerelle linux, iptables et courriel sympatico
- To:
- Subject: Re: [lq:aide] passerelle linux, iptables et courriel sympatico
- From: Patrick Serru <>
- Date: Fri, 18 Nov 2005 12:48:07 -0500
-
In-reply-to: <[email protected]>
- User-agent: KMail/1.8.2
Salut Nicolas, salut la Liste,
Voici ci-joint, ce que fait Suse 10.0 pour démarrer (firewall_on.sh)
et arrêter (firewall_off.sh) le firewal d'une passerelle qui n'héberge
aucun service et n'en utilise pas non plus, je crois :-). Reste donc à
peaufiner...
Je joins également les résultat des commandes root:
# ./firewall_on.sh ; iptables -L > iptables_-L_on.txt
# ./firewall_off.sh ; iptables -L > iptables_-L_off.txt
Bon courage à chacun,
Patrick
------------------------------------------------------------
Le Jeudi 17 Novembre 2005 08:29, Nicolas Ouellette a écrit :
> Bonjour. Voilà maintenant 2 ans que je suis sous linux. J'ai installé
> récemment une passerelle pour mon réseau local. J'utilise Mandriva
> 2006 parce que je veux que ma passerelle agisse comme serveur
> d'impression (vous direz que çaa peut poser des problèmes de sécurité
> et je suis d'accord avec vous).
>
> Mon problème, c'est iptables. Je suis incapable de configurer
> correctement le firewall pour pouvoir aller chercher mes courriels
> sympatico avec kmail. C'est un serveur smtp distant (donc port 25).
> J'ai beau avoir essayé toutes les configurations possibles de iptables
> pour ouvrir le port 25, rien à faire. Je suis pourtant capable
> d'ouvrir les bons ports et activer le nat pour d'autes services comme
> ICQ, Yahoo (mais pas MSN...), mldonkey, bittorrent, pop3, https.
> ...
> SVP, j'aimerais avoir de l'aide car je n'y comprends pas grand chose à
> iptables.
>
> Merci!
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -N reject_func
iptables -A reject_func -p tcp -j REJECT --reject-with tcp-reset
iptables -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_func -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -N input_int
iptables -N input_ext
iptables -N forward_int
iptables -N forward_ext
iptables -A input_int -j ACCEPT
iptables -A input_ext -m pkttype --pkt-type broadcast -j DROP
iptables -A input_ext -j ACCEPT -p icmp --icmp-type source-quench
iptables -A input_ext -j ACCEPT -p icmp --icmp-type echo-request
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
iptables -A input_ext -s 0/0 -p tcp --dport 113 -m state --state NEW -j reject_func
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_int -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type echo-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type destination-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type time-exceeded
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type parameter-problem
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type timestamp-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type address-mask-reply
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type protocol-unreachable
iptables -A forward_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p icmp --icmp-type redirect
iptables -A forward_int -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o eth0
iptables -A forward_int -d 0/0 -i eth0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A forward_ext -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 0/0 -o eth0
iptables -A forward_ext -d 0/0 -i eth0 -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A POSTROUTING -j MASQUERADE -t nat -s 0/0 -o eth0
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p tcp --syn
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p icmp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT -p udp
iptables -A input_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-INext-DROP-DEFLT-INV -m state --state INVALID
iptables -A input_ext -j DROP
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p tcp --syn
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p icmp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT -p udp
iptables -A forward_int -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDint-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_int -j DROP
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p tcp --syn
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p icmp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT -p udp
iptables -A forward_ext -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWDext-DROP-DEFLT-INV -m state --state INVALID
iptables -A forward_ext -j DROP
iptables -A INPUT -j input_int -i eth2
iptables -A INPUT -j input_ext -i eth0
iptables -A INPUT -j input_ext
iptables -A FORWARD -j forward_int -i eth2
iptables -A FORWARD -j forward_ext -i eth0
iptables -A INPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-IN-ILL-TARGET
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-FWD-ILL-ROUTING
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j LOG -m limit --limit 3/minute --log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2-OUT-ERROR
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET'
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING'
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR'
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT'
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT'
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT'
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV'
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT'
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT'
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT'
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV'
DROP all -- anywhere anywhere
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT'
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT'
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT'
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV'
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable