
Iptables

1. Rendre les règles persistantes

Package iptables-persistent

2. Utiliser des scripts bash et des variables

Bash
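#!/bin/bash

# Variables shared by the rule snippets below.
# Bash assignments take no spaces around '=': `server1 = 0.0.0.0` is parsed
# as a command named `server1` with two arguments ("command not found") and
# the variable stays unset, so every later "$server1" expands to nothing.
server1=0.0.0.0
server2=0.0.0.0
interfaceInternet=ens32
interfaceIntranet=ens33
portTomcat=8080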

3. Reset du firewall

Bash
# Reset firewall: flush every rule and delete every user-defined chain in the
# filter, nat and mangle tables (raw/security are not touched), then reopen
# the default policies.
# NOTE: from here until DROP policies are applied again the host accepts
# everything, so keep that window short.
for table in filter nat mangle; do
  sudo iptables -t "$table" -F
  sudo iptables -t "$table" -X
done
for chain in INPUT FORWARD OUTPUT; do
  sudo iptables -P "$chain" ACCEPT
done

# Reset stats: zero the per-rule packet and byte counters
sudo iptables -Z
Bash
# Inspect the result: list the filter table with numeric addresses/ports and
# per-rule counters, then dump every table in a restorable (iptables-save)
# format.
sudo iptables -L -n -v
sudo iptables-save

4. On ne s'enferme pas dehors

Bash
printf '%s\n' 'Fermeture des flux'
# Default policy DROP on every chain: anything not explicitly accepted is
# discarded — including the session running this script, unless the
# RELATED,ESTABLISHED rules are already loaded. The "Exemples" script at the
# bottom of the page applies these policies last for that reason.
for chain in INPUT OUTPUT FORWARD; do
  sudo iptables -P "$chain" DROP
done
Bash
printf '%s\n' 'Garde en vie les connexions déjà ouvertes'
# Accept packets that belong to (or are related to) a connection conntrack
# already knows, on every chain; this is what keeps an administrator's
# current session alive once the default policies are DROP.
for chain in INPUT OUTPUT FORWARD; do
  sudo iptables -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
done

# Loopback traffic is always accepted
sudo iptables -A INPUT -i lo -j ACCEPT
Bash
# Timing avant reset: wait five minutes before the reset that follows, so a
# rule set that locks the administrator out undoes itself (presumably the
# reset block from section 3 runs next — confirm in the real script).
sleep 300

5. Règles simples

Bash
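# HTTP: inbound to a local web server, and outbound requests from this host.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

# ICMP in both directions (ping, path-MTU and other error messages).
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT

# SSH. The interface match is -i (ingress) on INPUT but -o (egress) on
# OUTPUT: iptables refuses -i in the OUTPUT chain ("Can't use -i with
# OUTPUT"), so an OUTPUT rule written with -i never loads. Note that the
# variables section names the interfaces ens32/ens33; eth0 is kept here as
# written but must match the real interface.
sudo iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -o eth0 --dport 22 -j ACCEPT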

6. Règles NAT et avancées

Bash
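# Routage http tcp: publish the intranet host $appGSA on the public address
# $netGSA ($netGSA, $appGSA and $interface* are defined in the "Exemples"
# script at the bottom of the page).
#   1. nat/PREROUTING rewrites the destination to the internal host,
#   2. filter/FORWARD accepts the first packet of the connection (replies are
#      covered by the RELATED,ESTABLISHED rule),
#   3. nat/POSTROUTING masquerades the forwarded request towards the intranet.
# In POSTROUTING that packet has src = external client and dst = $appGSA, so
# a "-s $appGSA" match never fires for this flow; "-d $appGSA" (the form the
# ICMP/SSH examples below use) is the one that works. Masquerading hides the
# real client address from $appGSA's logs — keep that in mind for audit.
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p tcp --dport 80 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p tcp --dport 80 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p tcp --dport 80 -j MASQUERADE

# Routage ntp: intranet hosts may open NTP flows to the outside; only the
# packets sourced from $appGSA are masqueraded. The FORWARD rule accepts any
# intranet source — add -s "$appGSA" if only that host should sync.
sudo iptables -t filter -A FORWARD -i "$interfaceIntranet" -p udp --dport 123 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s "$appGSA" -o "$interfaceInternet" -p udp --dport 123 -j MASQUERADE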

7. Alléger les règles

Bash
# Sans les -m state: no connection-tracking match, so every packet to port 80
# is accepted on its own, whatever its position in the connection.
for chain in INPUT OUTPUT; do
  sudo iptables -A "$chain" -p tcp --dport 80 -j ACCEPT
done
Bash
# Avec les -m state: only the packet that opens a connection to port 80 is
# accepted here; the rest of the flow is handled by the RELATED,ESTABLISHED
# rule, which keeps this rule from being evaluated for every packet.
sudo iptables --append INPUT --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT
  • ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions.

  • NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions.

  • RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

8. Se protéger des scans et du TTL

Bash
printf '%s\n' 'Filtrage scans'
# These drops are silent; put a -j LOG rule in front of any of them if the
# scans should show up in the logs.
# Force Fragments packets check: drop second and further IP fragments
sudo iptables -A INPUT -f -j DROP
# Force SYN packets check: a packet opening a NEW TCP connection must be a SYN
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# XMAS packets: every TCP flag set
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets: no TCP flag set
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Rewrite the TTL of every forwarded packet to 64, so the TTL seen outside
# no longer reveals how many hops (or which host) sit behind this firewall.
sudo iptables -t mangle -A FORWARD -j TTL --ttl-set 64

Exemples

Bash
#!/bin/bash

# Site parameters used by every rule below (0.0.0.x are placeholders).
netGSA=0.0.0.1            # public address, reached via $interfaceInternet
appGSA=0.0.0.2            # intranet host that receives the DNAT'd traffic
interfaceInternet=ens32   # interface facing the Internet
interfaceIntranet=ens33   # interface facing the intranet
portTomcat=8080           # Tomcat port forwarded to $appGSA

printf '%s\n' 'Nettoyage règles iptables'
# Flush rules and user chains in filter, nat and mangle, then ACCEPT
# everything: the host is wide open from here until the closing DROP
# policies at the end of the script.
for table in filter nat mangle; do
  sudo iptables -t "$table" -F
  sudo iptables -t "$table" -X
done
for chain in INPUT FORWARD OUTPUT; do
  sudo iptables -P "$chain" ACCEPT
done

printf '%s\n' 'Reset compteur firewall'
# Zero the packet/byte counters
sudo iptables -Z

printf '%s\n' 'Garde en vie les connexions déjà ouvertes'
# Conntrack-known flows are accepted on every chain; this keeps the
# administrator's current session alive once the policies switch to DROP.
for chain in INPUT OUTPUT FORWARD; do
  sudo iptables -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
done

printf '%s\n' 'Ouverture boucle locale'
sudo iptables -A INPUT -i lo -j ACCEPT

printf '%s\n' 'Filtrage scans'
# Silent drops; prepend -j LOG rules if scan attempts should be recorded.
# Force Fragments packets check: second and further IP fragments
sudo iptables -t filter -A INPUT -f --jump DROP
# Force SYN packets check: a NEW TCP connection must start with a SYN
sudo iptables -t filter -A INPUT -p tcp ! --syn -m state --state NEW --jump DROP
# XMAS packets: every TCP flag set
sudo iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL --jump DROP
# Drop NULL packets: no TCP flag set
sudo iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE --jump DROP

printf '%s\n' 'Ouverture DNS'
# This host's own resolver queries leave via the Internet interface
for proto in tcp udp; do
  sudo iptables -t filter -A OUTPUT -o "$interfaceInternet" -p "$proto" --dport 53 -m state --state NEW -j ACCEPT
done

printf '%s\n' 'Ouverture HTTP pour APT'
# Plain-HTTP mirrors only; no 443 is opened here for HTTPS mirrors
sudo iptables -t filter -A OUTPUT -o "$interfaceInternet" -p tcp --dport 80 -m state --state NEW -j ACCEPT

printf '%s\n' 'Ouverture SSH'
# Administration comes in from the Internet on 2022 with no source
# restriction (add -s <admin network> if there is one); this host may open
# SSH to intranet hosts.
sudo iptables -t filter -A INPUT -i "$interfaceInternet" -p tcp --dport 2022 -m state --state NEW -j ACCEPT
sudo iptables -t filter -A OUTPUT -o "$interfaceIntranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT

printf '%s\n' 'Ouverture ICMP'
sudo iptables -t filter -A OUTPUT -o "$interfaceIntranet" -p icmp -m state --state NEW -j ACCEPT

printf '%s\n' 'Ouverture NTP'
for proto in udp tcp; do
  sudo iptables -t filter -A OUTPUT -o "$interfaceIntranet" -p "$proto" --dport 123 -m state --state NEW -j ACCEPT
done

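# --- Publication of $appGSA behind the public address $netGSA ---------------
# Every published service follows the same three steps:
#   nat/PREROUTING  : DNAT the public address to $appGSA
#   filter/FORWARD  : accept the first packet of the connection (replies are
#                     covered by the RELATED,ESTABLISHED rule)
#   nat/POSTROUTING : masquerade the forwarded request towards the intranet
# In POSTROUTING the DNAT'd packet has src = external client and dst =
# $appGSA, so the match must be "-d $appGSA" as the ICMP and SSH rules
# already did; the "-s $appGSA -o $interfaceIntranet" form previously used
# for HTTP/HTTPS/Tomcat never matched that flow. Masquerading hides the real
# client address from $appGSA's logs — keep that in mind for audit.
# Assumes net.ipv4.ip_forward is enabled elsewhere — confirm.
printf '%s\n' 'Routage ICMP AppGSA'
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p icmp -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p icmp -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p icmp -j MASQUERADE

printf '%s\n' 'Routage SSH AppGSA'
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p tcp --dport 22 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p tcp --dport 22 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p tcp --dport 22 -j MASQUERADE

# --- Outbound flows from $appGSA to the Internet ---------------------------
# The FORWARD rules below accept any intranet source; only packets sourced
# from $appGSA are masqueraded. Add -s "$appGSA" to the FORWARD rules if no
# other intranet host should be forwarded.
printf '%s\n' 'Routage DNS AppGSA'
# TCP
sudo iptables -t filter -A FORWARD -i "$interfaceIntranet" -p tcp --dport 53 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s "$appGSA" -o "$interfaceInternet" -p tcp --dport 53 -j MASQUERADE
# UDP
sudo iptables -t filter -A FORWARD -i "$interfaceIntranet" -p udp --dport 53 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s "$appGSA" -o "$interfaceInternet" -p udp --dport 53 -j MASQUERADE

printf '%s\n' 'Routage HTTP apt AppGSA'
sudo iptables -t filter -A FORWARD -i "$interfaceIntranet" -p tcp --dport 80 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s "$appGSA" -o "$interfaceInternet" -p tcp --dport 80 -j MASQUERADE

# --- Published web services ------------------------------------------------
printf '%s\n' 'Routage HTTP AppGSA'
# TCP
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p tcp --dport 80 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p tcp --dport 80 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p tcp --dport 80 -j MASQUERADE
# UDP: kept as written, but UDP/80 is not an HTTP/3 port (QUIC/HTTP-3 is
# served on UDP/443); drop these three rules unless a service really listens
# on UDP/80.
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p udp --dport 80 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p udp --dport 80 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p udp --dport 80 -j MASQUERADE

printf '%s\n' 'Routage HTTPS AppGSA'
# TCP
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p tcp --dport 443 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p tcp --dport 443 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p tcp --dport 443 -j MASQUERADE
# UDP pour HTTP/3 (QUIC)
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p udp --dport 443 -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p udp --dport 443 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p udp --dport 443 -j MASQUERADE

printf '%s\n' 'Routage Tomcat AppGSA'
sudo iptables -t nat -A PREROUTING -d "$netGSA" -i "$interfaceInternet" -p tcp --dport "$portTomcat" -j DNAT --to-destination "$appGSA"
sudo iptables -t filter -A FORWARD -d "$appGSA" -p tcp --dport "$portTomcat" -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -d "$appGSA" -o "$interfaceIntranet" -p tcp --dport "$portTomcat" -j MASQUERADE

printf '%s\n' 'Routage NTP AppGSA'
sudo iptables -t filter -A FORWARD -i "$interfaceIntranet" -p udp --dport 123 -m state --state NEW -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s "$appGSA" -o "$interfaceInternet" -p udp --dport 123 -j MASQUERADE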

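printf '%s\n' 'Fermeture des flux'
# Default policies go to DROP last, once every accept rule above is loaded,
# so the session running this script survives ("on ne s'enferme pas dehors").
# Policy names are exact: a typo such as `DROPqsd` makes iptables fail on
# that line and leaves the chain at the ACCEPT set during the reset — for
# FORWARD that means all forwarding stays open while INPUT/OUTPUT close.
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP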