firewall

Firewall

firewalld

Dynamic firewall service used by Fedora and RHEL/CentOS >= 7

One zone is active by default: public

Two modes: permanent and runtime. A rule added with --permanent is written to the saved configuration but only takes effect after sudo firewall-cmd --reload; a rule added without --permanent applies immediately but is lost on the next reload or restart.

Add a service:

sudo firewall-cmd --permanent --zone=public --add-service=foo

Add a port:

sudo firewall-cmd --permanent --add-port=2222/tcp

Add a "rich rule":

sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="193.49.39.198/26"  port port=873 protocol="tcp" accept'

The --timeout option gives the rule a lifetime: firewalld removes it automatically once the delay expires. It only applies to runtime rules and cannot be combined with --permanent.

List the state of a zone (drop --permanent to see the runtime state instead of the saved configuration):

sudo firewall-cmd --permanent --zone=public --list-all

Obsolete

Firewall for a gateway / router

See also: Redirections and LimitedRedirections

New version:

  • Create the rules file /etc/iptables:
*mangle
:PREROUTING ACCEPT [2165:440617]
:INPUT ACCEPT [2165:440617]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2810:239407]
:POSTROUTING ACCEPT [2820:240821]
COMMIT
# Completed on Thu Jun 19 12:28:11 2008
# Generated by iptables-save v1.4.0 on Thu Jun 19 12:28:11 2008
*filter
# Default policy for INPUT is DROP: anything not accepted by a rule below is silently discarded.
:INPUT DROP [5:707]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2532:211307]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SSH listens on 2222 (see the firewalld section above).
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -j ACCEPT
# Caution: a 127.0.0.1 source can never legitimately arrive on wlan0; rp_filter (set by the init script) already drops such packets, and this rule should not be relied on.
-A INPUT -s 127.0.0.1/32 -i wlan0 -p tcp -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i wlan0 -p tcp -j ACCEPT
# Logging here is unthrottled; "-m limit --limit 5/min" would stop a flood from filling the logs.
-A INPUT -i wlan0 -p tcp -j LOG
-A INPUT -i wlan0 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i wlan0 -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jun 19 12:28:11 2008
# Generated by iptables-save v1.4.0 on Thu Jun 19 12:28:11 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:389]
:OUTPUT ACCEPT [15:1339]
# Masquerade LAN traffic leaving through the uplink.
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT

The rules currently loaded can be captured with the command iptables-save > /etc/iptables
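An added example, not part of the original page: a POSIX shell audit of a rules file in the iptables-save format used above. It reports chains whose default policy is not DROP, ACCEPT rules matching a 127.x source on an interface other than lo (like the wlan0 rule in the file above), and LOG rules without -m limit. The rule text is a constructed subset of the file above so that the script runs offline.

```shell
#!/bin/sh
# Constructed sample in iptables-save format: a subset of the /etc/iptables file
# above, embedded so that the checks run offline.
RULES='# Generated by iptables-save v1.4.0
*filter
:INPUT DROP [5:707]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2532:211307]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i wlan0 -p tcp -j ACCEPT
-A INPUT -i wlan0 -p tcp -j LOG
-A INPUT -i wlan0 -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:POSTROUTING ACCEPT [3:389]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT'

# Print "table chain policy" for every chain whose default policy is not DROP.
# $1 is the rule text; ":CHAIN POLICY [pkts:bytes]" lines carry the policy.
open_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }
        /^:/  { if ($2 != "DROP") print table, substr($1, 2), $2 }'
}

# Print ACCEPT rules matching a 127.x source on any interface other than lo.
# A loopback source cannot legitimately arrive on a physical interface.
spoofed_loopback_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A/ && /-s 127\./ && /-i / && $0 !~ /-i lo( |$)/ && /-j ACCEPT/'
}

# Print LOG rules without "-m limit": unthrottled logging lets a packet flood
# fill the log partition.
unlimited_log_rules() {
    printf '%s\n' "$1" | awk '/^-A/ && /-j LOG/ && $0 !~ /-m limit/'
}

# Run all three checks; prints the findings and returns 1 when there are any.
audit_rules() {
    findings=$( { open_policies "$1"; spoofed_loopback_accepts "$1"; unlimited_log_rules "$1"; } )
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}

audit_rules "$RULES" || echo "review the findings above"
```

To audit a live system, replace the embedded text with the output of iptables-save, for example audit_rules "$(iptables-save)".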

  • Create the init script /etc/init.d/iptables:
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Setup | deactivate firewall rules
### END INIT INFO

if [ ! -e /etc/iptables ] ; then
        echo "configuration file not found"
        exit 1
fi

case "$1" in
        start)
        # Load the whole saved rule set atomically.
        /sbin/iptables-restore < /etc/iptables
        # Disable ECN where the kernel still exposes the knob.
        [ -e /proc/sys/net/ipv4/tcp_ecn ] && echo 0 > /proc/sys/net/ipv4/tcp_ecn
        # Reverse-path filtering: drop packets whose source address would not be routed back through the interface they arrived on (anti-spoofing).
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        # Note: IP forwarding is not enabled here; a gateway also needs "echo 1 > /proc/sys/net/ipv4/ip_forward" as in the old version below.
        ;;
        stop)
        # Flush everything and open INPUT/OUTPUT, but keep FORWARD closed so the box stops routing.
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        iptables -F OUTPUT
        iptables -P OUTPUT ACCEPT
        iptables -F FORWARD
        iptables -P FORWARD DROP
        iptables -t nat -F POSTROUTING
        iptables -t nat -F PREROUTING
        ;;
        restart)
        $0 stop
        $0 start
        ;;
        *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
  • Enable the script at boot:
chmod 750 /etc/init.d/iptables
update-rc.d iptables defaults

Old version:

vim /etc/init.d/fw.sh
#!/bin/sh
UPLINK="eth1"                       # interface facing the Internet
INTERFACES="lo eth1 eth0"
TCPSERVICES="http https 2222 smtp"  # TCP services reachable from the uplink
UDPSERVICES=""
case "$1" in
    start)
        echo "Starting firewall..."
        # Connection-tracking helper so active-mode FTP works through NAT.
        modprobe ip_nat_ftp
        iptables -P INPUT DROP
        # Trust everything that does not arrive on the uplink (lo and the LAN side).
        iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -p icmp -j ACCEPT
        for x in ${TCPSERVICES}
        do
                iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
        done
        for y in ${UDPSERVICES}
        do
                iptables -A INPUT -p udp --dport ${y} -j ACCEPT
        done

        # Anything else from the uplink gets an explicit rejection rather than a silent drop.
        iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
        iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

        if [ -e /proc/sys/net/ipv4/tcp_ecn ]
        then
                echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi
        # Reverse-path filtering on every interface (anti-spoofing).
        for x in ${INTERFACES}
        do
                echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        done
        # Turn the box into a router and masquerade LAN traffic leaving through the uplink.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        echo "done."
        ;;
    stop)
        echo "Stopping firewall..."
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        iptables -F OUTPUT
        iptables -P OUTPUT ACCEPT
        iptables -F FORWARD
        iptables -P FORWARD ACCEPT
        # turn off NAT/masquerading, if any
        iptables -t nat -F POSTROUTING
        iptables -t nat -F PREROUTING
        iptables -t mangle -F
        echo "done."
        ;;
    restart)
        echo "Restarting firewall..."
        $0 stop
        $0 start
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
ln -s /etc/init.d/fw.sh /etc/rcS.d/S42fw.sh   # the link name after "S42" is garbled in the source; fw.sh is assumed


firewall.txt · Last modified: 2015/12/13 17:20 (external edit)