I followed the "tutorial" to configure iptables: https://wiki.archlinux.org/index.php/Si ... l_firewall
The part about SSH interested me a lot (for mitigating brute-force attacks), but I'm not sure the rules are in the right place. Could someone with a trained eye confirm or refute this for me?
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2287 219K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
5 34 3532 UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
6 58 2808 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
7 1 60 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
8 9 1493 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
9 45 1380 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
10 0 0 IN_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2018 packets, 317K bytes)
num pkts bytes target prot opt in out source destination
Chain IN_SSH (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 3 TTL-Match name: sshbf side: source mask: 255.255.255.255
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 1800 hit_count: 4 TTL-Match name: sshbf side: source mask: 255.255.255.255
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: sshbf side: source mask: 255.255.255.255
Chain TCP (1 references)
num pkts bytes target prot opt in out source destination
1 1 60 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
4 56 2688 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain UDP (1 references)
num pkts bytes target prot opt in out source destination
1 25 2039 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
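Added example, not part of the original post: iptables walks a chain top to bottom and stops at the first terminating rule, so whether a rule is "in the right place" can be checked mechanically. This Python sketch parses an excerpt of the listing above and flags rules that sit after an unconditional ACCEPT/DROP/REJECT; the function names `parse` and `shadowed` are illustrative.

```python
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal
ANY = "0.0.0.0/0"

# Excerpt copied from the `iptables -nvL --line-numbers` listing in the post.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2287 219K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6 58 2808 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
9 45 1380 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
10 0 0 IN_SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain TCP (1 references)
num pkts bytes target prot opt in out source destination
4 56 2688 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""

def parse(listing):
    """Return {chain: [rule, ...]} from a numeric, verbose listing."""
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            current = chains.setdefault(f[1], [])
        elif f and f[0].isdigit() and current is not None:
            # Columns: num pkts bytes target prot opt in out src dst [matches]
            # "reject-with ..." is a target option, not a match condition.
            extra = re.sub(r"reject-with \S+", "", " ".join(f[10:])).strip()
            current.append({"num": int(f[0]), "target": f[3],
                            "catch_all": f[3] in TERMINAL and f[4] == "all"
                            and f[6:10] == ["*", "*", ANY, ANY] and not extra})
    return chains

def shadowed(chains):
    """Yield (chain, rule number, number of the catch-all rule hiding it)."""
    for name, rules in chains.items():
        stop = None
        for r in rules:
            if stop is not None:
                yield name, r["num"], stop
            elif r["catch_all"]:
                stop = r["num"]

if __name__ == "__main__":
    for chain, num, by in shadowed(parse(LISTING)):
        print(f"{chain} rule {num} is never reached: rule {by} matches first")
```

On this excerpt it reports INPUT rule 10 (the jump to IN_SSH) as hidden behind rule 9. The counters in the listing agree: 0 packets on the IN_SSH jump, 56 on the `dpt:22` ACCEPT in the TCP chain.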