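#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall rules
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#
# Host firewall, IPv4 only (ip6tables is not touched here). The policy is
# DROP on INPUT, OUTPUT and FORWARD with the explicit allow list below.
# This file is an Ansible template: {{ server.ssh_port }} and
# {{ server.vpn.port }} are rendered before the script is installed.
#
# NOTE(review): Docker manages its own chains in the filter/nat tables;
# the -F/-X flush and the FORWARD DROP policy below may interfere with
# container networking — confirm against the Docker setup on this host.

IPT=/sbin/iptables

# Open the policies before flushing. If a command below fails partway
# through (missing module, typo after a template change), the host is not
# left with DROP policies and an empty rule set, which would lock out
# remote administration. The restrictive policies are re-applied at the
# end, so the chains are permissive only for the duration of this script.
"$IPT" -P INPUT ACCEPT
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD ACCEPT

# Remove previous rules and user-defined chains
"$IPT" -F
"$IPT" -X

########
# DROP #
########

# Drop XMAS / NULL / SYN+RST packets. These come before the state rule so
# malformed flag combinations never reach ACCEPT.
"$IPT" -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

##########
# ACCEPT #
##########

# Keep already established connections and their related flows
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback (127.0.0.1)
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# DNS (53): outbound queries only. Replies are matched by the
# RELATED,ESTABLISHED rule above, so no INPUT rule keyed on source port 53
# is needed; an INPUT rule accepting NEW traffic by source port would admit
# any inbound connection that merely uses 53 as its source port.
"$IPT" -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# NTP (123): outbound only, same reasoning as DNS (replies via conntrack)
"$IPT" -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP (80)
"$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 80 -j ACCEPT

# HTTP MATRIX FEDERATION (8448) — disabled
# "$IPT" -A INPUT -p tcp --dport 8448 -j ACCEPT
# "$IPT" -A OUTPUT -p tcp --dport 8448 -j ACCEPT

# HTTPS (443)
"$IPT" -A INPUT -p tcp --dport 443 -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 443 -j ACCEPT

# SSH
"$IPT" -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH input through Traefik
"$IPT" -A OUTPUT -p tcp --dport 22 -j ACCEPT  # SSH output, e.g. git

# ICMP (ping), unrestricted in both directions
"$IPT" -A INPUT -p icmp -j ACCEPT
"$IPT" -A OUTPUT -p icmp -j ACCEPT

# Rate-limit forwarded traffic (denial-of-service mitigation). Packets over
# the limit fall through to the FORWARD DROP policy set at the end.
"$IPT" -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
"$IPT" -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Rate-limit forwarded RST packets (port-scan mitigation)
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Allow all traffic from the private network and the Docker network.
# On INPUT the match must be on the source (-s): matching the destination
# of a packet arriving at this host only tests the host's own address, so
# a -d rule here would accept traffic from any source. OUTPUT keeps -d.
# NOTE(review): source-based trust is only as strong as anti-spoofing on
# the ingress path; binding these rules to the interface (-i) would be
# tighter if the bridge/LAN interface names are known.
"$IPT" -A INPUT -s 172.17.0.0/16 -j ACCEPT
"$IPT" -A OUTPUT -d 172.17.0.0/16 -j ACCEPT
"$IPT" -A INPUT -s 192.168.1.0/24 -j ACCEPT
"$IPT" -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

# VPN
"$IPT" -A INPUT -p udp --dport {{ server.vpn.port }} -j ACCEPT

# Default policy: deny everything not explicitly accepted above. Applied
# last so that the rule set is complete when the chains become restrictive.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP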