Firewall pour server web
Par jean le vendredi, mai 13 2005, 08:52 - Divers - Lien permanent
Voici un script de firewall pouvant être installé sur une machine servant de serveur HTTP (apache et apache-ssl) et pouvant être administrée par SSH
###
# FireWall for Web server
#
# Paths and interface names shared by every rule below.
IPTABLES="/sbin/iptables"      # absolute path: init scripts run with a minimal PATH
INTERF_INTERNET="eth0"         # public-facing interface, the only one that gets ACCEPT rules
INTERF_LOOPBACK="lo"           # loopback, accepted unconditionally
#
# drop all packet
#
drop_all() {
  # Default policy on the three built-in chains: anything that does not match
  # an explicit ACCEPT rule added later is dropped.
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" DROP
  done
}
#
# Log all packet
#
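log_packet() {
  # Create the two logging chains used as terminal targets.
  # Each LOG rule is rate-limited: without it a flood of rejected packets
  # (a port scan, a SYN flood) fills syslog, which is itself a denial of
  # service. Packets beyond the limit simply skip the LOG rule and fall
  # through to the terminating DROP / ACCEPT, so the verdict is unchanged.
  # If the limit match is unavailable the LOG rule fails to load and the
  # chain degrades to plain DROP / ACCEPT, which is still safe.
  #
  # LOG_DROP: log with the [REFUSE] prefix, then drop.
  $IPTABLES -N LOG_DROP
  $IPTABLES -A LOG_DROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-level 3 --log-prefix '[REFUSE] : '
  $IPTABLES -A LOG_DROP -j DROP
  # LOG_ACCEPT: log with the [ACCEPT] prefix, then accept.
  # (Defined for completeness; the rules in wan() jump straight to ACCEPT.)
  $IPTABLES -N LOG_ACCEPT
  $IPTABLES -A LOG_ACCEPT -m limit --limit 10/min --limit-burst 20 -j LOG --log-level 3 --log-prefix '[ACCEPT] : '
  $IPTABLES -A LOG_ACCEPT -j ACCEPT
}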
#
# Wan connection
#
wan() {
  # One inbound and one outbound rule per published TCP service on the
  # Internet interface: 22 (SSH), 80 (HTTP), 443 (HTTPS).
  # NOTE(review): these rules are stateless (no connection-tracking match),
  # so any TCP packet to/from one of these ports is accepted whatever its
  # flags or connection state; outbound is matched on source port only.
  for port in 22 80 443; do
    $IPTABLES -A INPUT  -i "$INTERF_INTERNET" -p TCP --dport "$port" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTERF_INTERNET" -p TCP --sport "$port" -j ACCEPT
  done
}
#
# loopback
#
lo() {
  # Loopback is trusted in both directions; local services talking to
  # themselves would otherwise hit the DROP policy.
  ifc=$INTERF_LOOPBACK
  $IPTABLES -A INPUT  -i "$ifc" -j ACCEPT
  $IPTABLES -A OUTPUT -o "$ifc" -j ACCEPT
}
#
# Security
#
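security() {
  # Anti-spoofing: enable reverse-path filtering on every interface, but only
  # when the kernel exposes the knob at all.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$filtre"
    done
  fi
  # ICMP echo handling. The value written is 0, i.e. "do not ignore" echo
  # requests (the kernel default), so the IP stack itself keeps answering
  # pings. NOTE(review): the original header said "no icmp"; if that is the
  # intent these should be 1. In practice the INPUT policy is DROP and no
  # rule accepts ICMP, so echo requests never reach the stack while the
  # firewall is up -- confirm which behaviour is wanted.
  # The writes are guarded so a kernel without these knobs does not error out.
  for knob in /proc/sys/net/ipv4/icmp_echo_ignore_all \
              /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; do
    if [ -e "$knob" ]; then
      echo 0 > "$knob"
    fi
  done
}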
#
# Catch-all: log and drop whatever was not accepted above
#
end() {
  # Terminal catch-all: a packet reaching the end of a built-in chain without
  # matching an ACCEPT rule is sent to LOG_DROP (logged, then dropped).
  # Relies on log_packet() having created that chain first.
  for chain in FORWARD INPUT OUTPUT; do
    $IPTABLES -A "$chain" -j LOG_DROP
  done
}
#
# Start firewall
#
firewall_start() {
  # Build the ruleset in dependency order: policies first (DROP everything),
  # kernel hardening, the logging chains, then the ACCEPT rules, and finally
  # the catch-all that jumps to LOG_DROP (which must already exist).
  for step in drop_all security log_packet lo wan end; do
    "$step"
  done
}
#
# Stop firewall
#
firewall_stop() {
  # Flush (-F) then delete (-X) user chains in the filter and nat tables,
  # then open the built-in policies. After this the host is unfiltered.
  for action in -F -X; do
    $IPTABLES "$action"
    $IPTABLES -t nat "$action"
  done
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" ACCEPT
  done
}
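# Init-script entry point: /etc/init.d/firewall {start|stop|restart}
# NOTE: restart is stop followed by start; between the two calls every
# policy is ACCEPT (see firewall_stop), so the host is briefly unfiltered.
case "$1" in
  start)
    echo "Starting firewall"
    firewall_start
    ;;
  stop)
    echo "Stopping firewall"
    firewall_stop
    ;;
  restart)
    echo "Stopping firewall"
    firewall_stop
    echo "Starting firewall"
    firewall_start
    ;;
  *)
    # Usage goes to stderr so it is not mistaken for normal status output.
    echo "Usage :/etc/init.d/firewall {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0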