Commit a3263b01 authored by Benjamin Sonntag's avatar Benjamin Sonntag

adding basic iptables configuration, TODO: add --user prosody limits + connection tracking

parent 175db812
#!/bin/sh
# Initialize the firewall for explicitly allowed connexions only :
echo "Initial Policy and flush"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo "(IPv6) Initial Policy and flush"
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -t filter -F
ip6tables -t filter -X
echo "Standard Matrix"
iptables -D INPUT -j IN_STANDARD 2>/dev/null
iptables -D OUTPUT -j OUT_STANDARD 2>/dev/null
iptables -F IN_STANDARD 2>/dev/null
iptables -F OUT_STANDARD 2>/dev/null
iptables -N IN_STANDARD
iptables -N OUT_STANDARD
# LOOPBACK
iptables -A IN_STANDARD -i lo -j ACCEPT
iptables -A OUT_STANDARD -o lo -j ACCEPT
for dns in 91.194.60.250 91.194.60.251
do
iptables -A OUT_STANDARD -p udp --dport 53 -d $dns -j ACCEPT
iptables -A IN_STANDARD -p udp --sport 53 -s $dns -j ACCEPT
iptables -A OUT_STANDARD -p tcp --dport 53 -d $dns -j ACCEPT
iptables -A IN_STANDARD -p tcp --sport 53 -s $dns -j ACCEPT
done
# UPGRADES DEBIAN HTTP
iptables -A IN_STANDARD -p tcp --sport 80 -s 91.194.60.112 -j ACCEPT
iptables -A OUT_STANDARD -p tcp --dport 80 -d 91.194.60.112 -j ACCEPT
# SSH BACKUPS & Octopuce
for ip in 91.194.60.8 91.194.61.192/27
do
iptables -A IN_STANDARD -p tcp --dport 22 -s $ip -j ACCEPT
iptables -A OUT_STANDARD -p tcp --sport 22 -d $ip -j ACCEPT
done
# BUG WITH "--limit" module on LXC, don't use it for now ...
iptables -A OUT_STANDARD -p icmp -j ACCEPT
iptables -A IN_STANDARD -p icmp -j ACCEPT
# WHOIS out
iptables -A OUT_STANDARD -p tcp --dport 43 -j ACCEPT
iptables -A IN_STANDARD -p tcp --sport 43 -j ACCEPT
# On main chain, jump there :
iptables -A INPUT -j IN_STANDARD
iptables -A OUTPUT -j OUT_STANDARD
echo "(IPv6) Standard Matrix"
ip6tables -D INPUT -j IN_STANDARD 2>/dev/null
ip6tables -D OUTPUT -j OUT_STANDARD 2>/dev/null
ip6tables -F IN_STANDARD 2>/dev/null
ip6tables -F OUT_STANDARD 2>/dev/null
ip6tables -N IN_STANDARD
ip6tables -N OUT_STANDARD
# LOOPBACK
ip6tables -A IN_STANDARD -i lo -j ACCEPT
ip6tables -A OUT_STANDARD -o lo -j ACCEPT
# UPGRADES DEBIAN HTTP
ip6tables -A IN_STANDARD -p tcp --sport 80 -s 2001:67c:288::112 -j ACCEPT
ip6tables -A OUT_STANDARD -p tcp --dport 80 -d 2001:67c:288::112 -j ACCEPT
for ip in 2001:67c:288::8 2001:67c:288:1::/64
do
ip6tables -A IN_STANDARD -p tcp --dport 22 -s $ip -j ACCEPT
ip6tables -A OUT_STANDARD -p tcp --sport 22 -d $ip -j ACCEPT
done
# ICMP : ACCEPT
ip6tables -A IN_STANDARD -p icmpv6 -j ACCEPT
ip6tables -A OUT_STANDARD -p icmpv6 -j ACCEPT
# WHOIS out
ip6tables -A OUT_STANDARD -p tcp --dport 43 -j ACCEPT
ip6tables -A IN_STANDARD -p tcp --sport 43 -j ACCEPT
# Multicast (for neighbor discovery)
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT
# On main chain, jump there :
ip6tables -A INPUT -j IN_STANDARD
ip6tables -A OUTPUT -j OUT_STANDARD
echo "Custom ports for Jabber, Https"
for inport in 5222 5269 443 25
do
iptables -A INPUT -p tcp --dport $inport -j ACCEPT
iptables -A OUTPUT -p tcp --sport $inport -j ACCEPT
ip6tables -A INPUT -p tcp --dport $inport -j ACCEPT
ip6tables -A OUTPUT -p tcp --sport $inport -j ACCEPT
done
for outport in 5269 25
do
iptables -A INPUT -p tcp --sport $outport -j ACCEPT
iptables -A OUTPUT -p tcp --dport $outport -j ACCEPT
ip6tables -A INPUT -p tcp --sport $outport -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport $outport -j ACCEPT
done
echo "End main chain"
# Explicitly drop microsoft ports (no log)
for i in 137 138 139 445
do
iptables -A INPUT -p tcp --dport $i -j DROP
iptables -A INPUT -p udp --dport $i -j DROP
done
# we drop the broadcasted packets (local or global)
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 185.34.33.31 -j DROP
iptables -A INPUT -d 185.34.33.0 -j DROP
# also the multicast range
iptables -A INPUT -d 224.0.0.0/4 -j DROP
# don't use this: bug with Linux kernel <3.15 and LXC + Limit module on iptables !
#iptables -A INPUT -m limit --limit 2/second -j LOG --log-prefix "GENERIC INPUT "
#iptables -A OUTPUT -m limit --limit 2/second -j LOG --log-prefix "GENERIC OUTPUT "
iptables -A INPUT -j LOG --log-prefix "GENERIC INPUT "
iptables -A OUTPUT -j LOG --log-prefix "GENERIC OUTPUT "
echo "(IPv6) End main chain"
# we drop the broadcasted packets (local or global)
ip6tables -A INPUT -d ff02::1 -j DROP
ip6tables -A OUTPUT -d ff02::1 -j DROP
#ip6tables -A INPUT -m limit --limit 2/second -j LOG --log-prefix "GENERIC INPUT "
#ip6tables -A OUTPUT -m limit --limit 2/second -j LOG --log-prefix "GENERIC OUTPUT "
ip6tables -A INPUT -j LOG --log-prefix "GENERIC INPUT "
ip6tables -A OUTPUT -j LOG --log-prefix "GENERIC OUTPUT "
#echo "DEFAULT IS ACCEPT"
#iptables -A INPUT -j ACCEPT
#iptables -A OUTPUT -j ACCEPT
#ip6tables -A INPUT -j ACCEPT
#ip6tables -A OUTPUT -j ACCEPT
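Review bot: The stateless `--sport` accept rules undo the DROP policy for inbound connections: `iptables -A IN_STANDARD -p tcp --sport 43 -j ACCEPT` (the WHOIS reply line, and likewise the `--sport 5269` / `--sport 25` INPUT rules in the outport loop and their ip6tables twins) accept a fresh inbound SYN to any local TCP port whenever the remote side happens to use that source port, and the source port is entirely under the remote side's control. The commit message already lists connection tracking as a TODO, but until it lands the host is only nominally default-deny; the fix is to accept replies by state once near the top of each standard chain, `iptables -A IN_STANDARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` and `iptables -A OUT_STANDARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (same two lines for ip6tables), and then delete every `--sport` rule so that only the `--dport` lines decide what may be initiated in each direction. If conntrack turns out to suffer the same LXC problem the script notes for the limit module, the stateless stop-gap is `! --syn` on each TCP `--sport` INPUT rule so it matches only non-initial segments. The unlimited `-j LOG` rules at the end of INPUT and OUTPUT log every dropped packet and can turn a packet flood into syslog/disk exhaustion on this host; that is worth a comment next to the disabled `-m limit` lines so the trade-off is visible to whoever re-enables them. Minor: `ip6tables -A INPUT -s ff00::/8 -j ACCEPT` matches a multicast source address, which no valid packet carries, and neighbor discovery is ICMPv6 and already accepted by the `icmpv6` rule in IN_STANDARD, so the line appears to be a no-op and its "for neighbor discovery" comment is misleading — presumably it can be removed, to be confirmed on a host.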
<!-- .et_pb_post --> </div> <!-- #left-area --> <div id="sidebar"> <div id="search-2" class="et_pb_widget widget_search"><form role="search" method="get" id="searchform" class="searchform" action="https://jabber.lqdn.fr/"> <div> <label class="screen-reader-text" for="s">Search for:</label> <input type="text" value="" name="s" id="s" /> <input type="submit" id="searchsubmit" value="Search" /> </div> </form></div> <!-- end .et_pb_widget --> <div id="recent-posts-2" class="et_pb_widget widget_recent_entries"> <h4 class="widgettitle">Recent Posts</h4> <ul> <li> <a href="https://jabber.lqdn.fr/?p=37">Bienvenue sur jabber.lqdn.fr</a> </li> </ul> </div> <!-- end .et_pb_widget --><div id="archives-2" class="et_pb_widget widget_archive"><h4 class="widgettitle">Archives</h4> <select name="archive-dropdown" onchange='document.location.href=this.options[this.selectedIndex].value;'> <option value="">Select Month</option> <option value='https://jabber.lqdn.fr/?m=201408'> August 2014 </option> </select></div> <!-- end .et_pb_widget --><div id="categories-2" class="et_pb_widget widget_categories"><h4 class="widgettitle">Categories</h4><select name='cat' id='cat' class='postform' > <option value='-1'>Select Category</option> <option class="level-0" value="4">fr&nbsp;&nbsp;(1)</option></select><script type='text/javascript'>/* <![CDATA[ */ var dropdown = document.getElementById("cat"); function onCatChange() { if ( dropdown.options[dropdown.selectedIndex].value > 0 ) { location.href = "https://jabber.lqdn.fr/?cat="+dropdown.options[dropdown.selectedIndex].value; } } dropdown.onchange = onCatChange;/* ]]> */</script></div> <!-- end .et_pb_widget --> </div> <!-- end #sidebar --> </div> <!-- #content-area --> </div> <!-- .container --> </div> <!-- #main-content --> <footer id="main-footer"> <div id="footer-bottom"> <div class="container clearfix"> <p id="footer-info"></p> </div> <!-- .container --> </div> </footer> <!-- #main-footer --> </div> <!-- #et-main-area --> </div> <!-- 
#page-container --> <script type='text/javascript' src='https://jabber.lqdn.fr/wp-includes/js/comment-reply.min.js?ver=3.9.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/jquery.fitvids.js?ver=2.1.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/waypoints.min.js?ver=2.1.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/jquery.magnific-popup.js?ver=2.1.2'></script><script type='text/javascript'>/* <![CDATA[ */var et_custom = {"ajaxurl":"https:\/\/jabber.lqdn.fr\/wp-admin\/admin-ajax.php","images_uri":"https:\/\/jabber.lqdn.fr\/wp-content\/themes\/Divi\/images","et_load_nonce":"ce86d314f9","subscription_failed":"Please, check the fields below to make sure you entered the correct information.","fill":"Fill","field":"field","invalid":"Invalid email","captcha":"Captcha","prev":"Prev","next":"Next"};/* ]]> */</script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/custom.js?ver=2.1.2'></script></body></html>
</article> <!-- .et_pb_post --> </div> <!-- #left-area --> <div id="sidebar"> <div id="search-2" class="et_pb_widget widget_search"><form role="search" method="get" id="searchform" class="searchform" action="https://jabber.lqdn.fr/"> <div> <label class="screen-reader-text" for="s">Search for:</label> <input type="text" value="" name="s" id="s" /> <input type="submit" id="searchsubmit" value="Search" /> </div> </form></div> <!-- end .et_pb_widget --> <div id="recent-posts-2" class="et_pb_widget widget_recent_entries"> <h4 class="widgettitle">Recent Posts</h4> <ul> <li> <a href="https://jabber.lqdn.fr/?p=37">Bienvenue sur jabber.lqdn.fr</a> <span class="post-date">2014/08/20</span> </li> </ul> </div> <!-- end .et_pb_widget --><div id="archives-2" class="et_pb_widget widget_archive"><h4 class="widgettitle">Archives</h4> <select name="archive-dropdown" onchange='document.location.href=this.options[this.selectedIndex].value;'> <option value="">Select Month</option> <option value='https://jabber.lqdn.fr/?m=201408'> August 2014 </option> </select></div> <!-- end .et_pb_widget --><div id="categories-2" class="et_pb_widget widget_categories"><h4 class="widgettitle">Categories</h4><select name='cat' id='cat' class='postform' > <option value='-1'>Select Category</option> <option class="level-0" value="4">fr&nbsp;&nbsp;(1)</option></select><script type='text/javascript'>/* <![CDATA[ */ var dropdown = document.getElementById("cat"); function onCatChange() { if ( dropdown.options[dropdown.selectedIndex].value > 0 ) { location.href = "https://jabber.lqdn.fr/?cat="+dropdown.options[dropdown.selectedIndex].value; } } dropdown.onchange = onCatChange;/* ]]> */</script></div> <!-- end .et_pb_widget --> </div> <!-- end #sidebar --> </div> <!-- #content-area --> </div> <!-- .container --> </div> <!-- #main-content --> <footer id="main-footer"> <div id="footer-bottom"> <div class="container clearfix"> <p id="footer-info"></p> </div> <!-- .container --> </div> </footer> <!-- #main-footer 
--> </div> <!-- #et-main-area --> </div> <!-- #page-container --> <script type='text/javascript' src='https://jabber.lqdn.fr/wp-includes/js/comment-reply.min.js?ver=3.9.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/jquery.fitvids.js?ver=2.1.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/waypoints.min.js?ver=2.1.2'></script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/jquery.magnific-popup.js?ver=2.1.2'></script><script type='text/javascript'>/* <![CDATA[ */var et_custom = {"ajaxurl":"https:\/\/jabber.lqdn.fr\/wp-admin\/admin-ajax.php","images_uri":"https:\/\/jabber.lqdn.fr\/wp-content\/themes\/Divi\/images","et_load_nonce":"2e73a55794","subscription_failed":"Please, check the fields below to make sure you entered the correct information.","fill":"Fill","field":"field","invalid":"Invalid email","captcha":"Captcha","prev":"Prev","next":"Next"};/* ]]> */</script><script type='text/javascript' src='https://jabber.lqdn.fr/wp-content/themes/Divi/js/custom.js?ver=2.1.2'></script></body></html>
\ No newline at end of file