> > Shouldn't you simply do network address translation (NAT) with
> > Iptables (Linux 2.4.x) or Ipchains (Linux 2.2.x)?
> I'm on 2.2.19. I admit I don't know ipchains very well. Do you need to
> add a command to the forward chain? For now, the cluster's security
> consists of accepting only the ssh protocol from the outside, but
> ipchains isn't configured correctly yet. I've also enabled tcpwrappers,
> even though I know they are less efficient and less secure. Does anyone
> know a web page where one can easily learn to use ipchains?

Googling "ipchains howto" gave me:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

Attached, as an example, is a firewall configuration script using ipchains.
You should be able to find plenty of other examples on the Web.

-- Eric
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe -k ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
# /sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
# linuxconf already does this
echo "1" > /proc/sys/net/ipv4/ip_forward

#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels
#
# This used to be a compile-time option but the behavior was changed
# in 2.2.12. It should also be noted that some distributions have
# removed this option from the /proc table. If this entry isn't
# present in your /proc, don't worry about it.
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
#
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
# echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand
# your IP address every time you get a new IP. To do this, enable the
# following one-line script. (Please note that the different single and
# double quote characters MATTER).
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need** to enable the
# #'ed out command below underneath the PPP section AND replace the word
# "ppp0" with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
# on the lines for "ppp-ip" and "extip". It should also be noted that the
# DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset every time the
# DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the original "pump" (the newer
# versions have been fixed) did NOT have the ability to run
# scripts after a lease-renew. Because of this, you need to
# replace it with something like "dhcpcd" or "dhclient".
#
# NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
#
# Older versions used syntax like:
# dhcpcd -c /etc/rc.d/rc.firewall eth0
#
# Newer versions use syntax like:
# dhcpcd eth0 /etc/rc.d/rc.firewall
#
# NOTE #3: For Pump users, put the following line in /etc/pump.conf:
#
# script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is always run when
# a PPP connection comes up. Because of this, we can make the ruleset go and
# get the new PPP IP address and update the strong firewall ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit it and add a line
# containing "/etc/rc.d/rc.firewall" near the end of the file.
#
# If you don't already have a /etc/ppp/ip-up script, you need to create the
# following link to run the /etc/rc.d/rc.firewall script.
#
# ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
# * You then want to enable the #'ed out shell command below *
#
# ALL PPP and DHCP users must set this for the correct EXTERNAL interface name
ppptunnel="ppp0"
#
# PPP and DHCP Users:
# -------------------
# Remove the # on the line below and place a # in front of the line after that.
#
export ppptunnel

# Read the external IP from ifconfig.
getip() {
IP=`/sbin/ifconfig $ppptunnel | fgrep "inet ad" | cut -f2 -d":" | cut -f1 -d" "`
}
getip
extip=$IP
# No external address means the link is not up: do not install a ruleset
# built around an empty $extip.
if [ -z "$extip" ]
then
exit 1
fi

# For PPP users with STATIC IP addresses:
#
# extip="your.static.PPP.address"

# Assign the internal IP
inteth="eth0"
exteth="eth1"
intnet="192.168.0.0/24"
modem="10.0.0.138"
ip2modem="10.0.0.2"

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
# ipchains -M -S 7200 10 60

#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
# (moved to the end)
ipchains -P input ACCEPT
ipchains -F input

# everything coming from the modem tunnel is accepted
ipchains -A input -i $exteth -s $modem/32 -d $ip2modem/32 -j ACCEPT

# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $inteth -s $intnet -d 0.0.0.0/0 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $ppptunnel -s $intnet -d 0.0.0.0/0 -l -j REJECT

# no telnet from the outside (inbound on ppp)
ipchains -A input -i $ppptunnel --protocol tcp --dport 23 -j REJECT

# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $ppptunnel -s 0.0.0.0/0 -d $extip/32 -j ACCEPT

# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -P input REJECT

#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -P output ACCEPT
ipchains -F output

# everything leaving on the modem tunnel may go out
ipchains -A output -i $exteth -s $ip2modem/32 -d $modem/32 -j ACCEPT

# local interface, any source going to local net is valid
#
ipchains -A output -i $inteth -s 0.0.0.0/0 -d $intnet -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $ppptunnel -s 0.0.0.0/0 -d $intnet -l -j REJECT

# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $ppptunnel -s $intnet -d 0.0.0.0/0 -l -j REJECT

# anything else outgoing on remote interface is valid
#
ipchains -A output -i $ppptunnel -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
#
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
ipchains -P output REJECT

#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY

# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $ppptunnel -s $intnet -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
#
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#End of file.
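The question at the top of the thread asks for a ruleset that admits only ssh from the outside and whether the forward chain needs a rule; the following added example (not Eric's attached script and not taken from the HOWTO) shows both on a 2.2.x ipchains gateway. The interface names, the 192.168.0.0/24 cluster network and the IPCHAINS variable, which makes the script print the commands instead of applying them unless set to the real binary, are assumptions.

```shell
#!/bin/sh
# Added example: ssh-only inbound policy plus masquerading with ipchains.
# By default the commands are only printed (dry run); set
# IPCHAINS=/sbin/ipchains on a 2.2.x box to apply them as root.
# Interface names and the cluster network are assumed placeholders.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXTIF="${EXTIF:-ppp0}"                 # external interface (assumed)
INTIF="${INTIF:-eth0}"                 # cluster-side interface (assumed)
INTNET="${INTNET:-192.168.0.0/24}"     # cluster network (assumed)

ssh_only_rules() {
    # Input chain: flush, explicit accepts, then log-and-deny the rest.
    $IPCHAINS -F input
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INTIF" -s "$INTNET" -j ACCEPT
    # Anti-spoofing: cluster addresses never arrive on the external link.
    $IPCHAINS -A input -i "$EXTIF" -s "$INTNET" -l -j DENY
    # The only new connection accepted from outside: ssh (TCP 22, SYN).
    $IPCHAINS -A input -i "$EXTIF" -p tcp -y --dport 22 -j ACCEPT
    # ipchains has no connection tracking; replies to sessions opened from
    # inside are the non-SYN TCP packets, so accept those and no other SYN.
    $IPCHAINS -A input -i "$EXTIF" -p tcp ! -y -j ACCEPT
    # DNS answers for the gateway's own lookups, and ICMP for errors/PMTU.
    $IPCHAINS -A input -i "$EXTIF" -p udp --sport 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTIF" -p icmp -j ACCEPT
    # Everything else from outside is logged (-l) and dropped.
    $IPCHAINS -A input -i "$EXTIF" -l -j DENY
    $IPCHAINS -P input DENY

    # Forward chain: this is the rule the question asks about. Without it
    # the cluster cannot reach the outside; MASQ rewrites the private source
    # addresses (NAT). ip_forward must also be 1, as in the attached script.
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    $IPCHAINS -A forward -i "$EXTIF" -s "$INTNET" -j MASQ
    $IPCHAINS -A forward -l -j DENY
}

ssh_only_rules
```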