IPTABLES (Firewall)
Setting up a firewall that also acts as the gateway between its two interfaces (eth0 on the outside, eth1 on the LAN side).
# Initialising the FILTER table
iptables -F    # flush all existing rules
iptables -X    # delete user-defined chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Initialising the NAT table
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# FILTER table
# INPUT chain: the gateway itself only accepts replies to connections it opened
iptables -A INPUT -i eth0 -d 192.168.0.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD chain: from the outside, only replies back to the LAN host
iptables -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# from the LAN host out to the Internet: anything that is not INVALID
# (a /0 mask means "any address", so -d 10.0.0.0/0 is the same as -d 0.0.0.0/0;
#  the negation goes before the option: older iptables accepted --state ! INVALID, current versions do not)
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.1 -d 10.0.0.0/0 -m state ! --state INVALID -j ACCEPT
# OUTPUT chain
iptables -A OUTPUT -o eth0 -m state ! --state INVALID -j ACCEPT
iptables -A OUTPUT -o eth1 -m state ! --state INVALID -j ACCEPT

# NAT table: rewrite the LAN host's source address to the gateway's outside address
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -j SNAT --to-source 192.168.0.5

Caveat: with the INPUT policy at DROP and only that one ESTABLISHED,RELATED rule, the gateway accepts no new inbound connection at all (SSH to the gateway included) and no loopback traffic. If you apply this over the network, add an ACCEPT rule for your admin connection before switching the policy to DROP.

Routing between the two interfaces is off by default and has to be switched on:
root@serveur:~# cat /proc/sys/net/ipv4/ip_forward
0
root@serveur:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@serveur:~# cat /proc/sys/net/ipv4/ip_forward
1

Checking the result with iptables -L -v (add -n to skip the reverse-DNS lookup that shows 192.168.0.5 as mail.izen-services.com here). Note that this listing was taken with all three policies at ACCEPT, not DROP as in the script, and it contains two loopback (lo) rules that the script does not; "! --state INVALID" is displayed as the complementary list NEW,RELATED,ESTABLISHED,UNTRACKED:
root@serveur:~# iptables -L -v
Chain INPUT (policy ACCEPT 27689 packets, 15M bytes)
 pkts bytes target prot opt in   out  source       destination
  843 50012 ACCEPT all  --  eth0 any  anywhere     mail.izen-services.com  state RELATED,ESTABLISHED
  264  102K ACCEPT all  --  lo   any  anywhere     anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source       destination
    0     0 ACCEPT all  --  eth0 eth1 anywhere     192.168.1.1  state RELATED,ESTABLISHED
    0     0 ACCEPT all  --  eth1 eth0 192.168.1.1  anywhere     state NEW,RELATED,ESTABLISHED,UNTRACKED

Chain OUTPUT (policy ACCEPT 26370 packets, 9807K bytes)
 pkts bytes target prot opt in   out  source       destination
  678  937K ACCEPT all  --  any  eth0 anywhere     anywhere     state NEW,RELATED,ESTABLISHED,UNTRACKED
    4   990 ACCEPT all  --  any  eth1 anywhere     anywhere     state NEW,RELATED,ESTABLISHED,UNTRACKED
  264  102K ACCEPT all  --  any  lo   anywhere     anywhere
Configuring forwarding (3 variants; I prefer the 3rd):
1. Run it by hand, as above: echo 1 > /proc/sys/net/ipv4/ip_forward (lost at the next reboot).
2. Put that same line in /etc/init.d/rc.local so it is run at boot.
3. Add the following line to /etc/sysctl.conf (run sysctl -p to apply it without rebooting):
net.ipv4.ip_forward=1
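The same gateway, rewritten as an added example (my own script, not the page's) in the form of an iptables-restore rule set. The interface names and addresses (eth0/192.168.0.5 outside, eth1/192.168.1.1 inside) are assumptions taken from the page and can be overridden through environment variables; the loopback rules and the commented-out SSH rule are additions the page's script does not have. Loading with iptables-restore swaps in policies and rules in one atomic step, so there is no moment when the policies are already DROP but the rules are not yet in place, and a malformed line rejects the whole set instead of leaving a half-applied firewall.

```shell
#!/bin/sh
# Added example, not the page's script: the gateway above as an iptables-restore
# rule set, generated from a few variables and loaded in one atomic step.
# Assumed values (taken from the page, override through the environment):
#   eth0 / 192.168.0.5 = outside interface and the gateway's own address
#   eth1 / 192.168.1.1 = inside interface and the single LAN host being NATed
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-192.168.0.5}
LAN_HOST=${LAN_HOST:-192.168.1.1}

# Print the rule set on stdout. Pure text generation, no root needed, so the
# result can be reviewed (or diffed against iptables-save) before loading it.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback has to be allowed explicitly once the policies are DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# the gateway itself only accepts replies to connections it opened;
# uncomment the next rule if the box is administered over SSH from the LAN
# -A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -d $WAN_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN host -> outside: anything that is not INVALID (negation before the option)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_HOST -m state ! --state INVALID -j ACCEPT
# outside -> LAN host: replies only, never new connections
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -m state ! --state INVALID -j ACCEPT
-A OUTPUT -o $LAN_IF -m state ! --state INVALID -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the LAN host's source address to the gateway's outside address
-A POSTROUTING -o $WAN_IF -s $LAN_HOST -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Number of rules appended to a given chain in the generated set (sanity check).
count_rules() {
    build_rules | grep -c "^-A $1 "
}

# Enable routing and load the set atomically: either every line is accepted or
# nothing changes. Needs root; only runs when the script is called with "apply".
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_rules | iptables-restore
    iptables -L -v -n   # -n: print addresses instead of resolving them
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with no argument to print the rule set for review, or `sh gateway.sh apply` as root to load it (the file name is mine). Because the policies and the rules of each table are committed together, the gateway is never left with DROP policies and empty chains, which is the window the page's sequence of separate iptables calls opens between `-P INPUT DROP` and the first `-A INPUT`.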