J'ai essayé de me faire un firewall digne de ce nom. Cependant, j'aurais besoin d'un avis plus expert, pour me dire ce que vous en pensez. Voici le script en question :
Code : Tout sélectionner
#!/bin/bash
# stop the iptables
/etc/rc.d/iptables stop
# reset iptables rules
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
# ----------------------------------------------------------------------------
# Protection against common attacks
#
# Ne pas casser les connexions établies
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Interdire toute connexion entrante et sortante
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
# Autoriser loopback
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
#Autoriser tout en sortie
/sbin/iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
# allow only SYN packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# force fragments packets check
iptables -A INPUT -f -j DROP
# drop incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# ----------------------------------------------------------------------------
# Hide the computer # (optional) #
#
# block PING request
iptables -A INPUT -i ${internet} -p icmp --icmp-type echo-request -j DROP
# ICMP type match blocking
iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# Ouvertures persos
/usr/sbin/iptables -t filter -A INPUT -p tcp --dport 55550 -j ACCEPT
# ----------------------------------------------------------------------------
# the end
/etc/rc.d/iptables save
/etc/rc.d/iptables start
# print the iptables
iptables -L;
exit 0;