Well then,
To start again on a clear footing:
The server: 192.168.1.2.
The client: 192.168.1.5.
When the client sends a file to the server, it works whether the firewall is active or not.
On the other hand, when the server sends a file to the client, it only works if the firewall is disabled.
The script:
#!/bin/sh
# Flush all active rules
iptables -F
# Delete user-defined chains
iptables -X
# Default policy: drop everything
iptables -P FORWARD DROP
iptables -P INPUT DROP
# Allow the loopback interface to talk to itself
iptables -A INPUT -i lo -j ACCEPT
# Enable IPv4 forwarding (normally the kernel is configured by default to allow routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow all outgoing traffic
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on already-open connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound rules
iptables -A INPUT -p tcp -m multiport --dports 64555,22,80,137,139,445,443,28690,5222 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 138,137,28690,5222,8303 -j ACCEPT
# Inbound ICMP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Logging to /var/log/messages
# -A INPUT -j LOG --log-prefix '[TENTATIVE_INTRUSION]:'
# If 3 new SSH connections within 600 seconds -> drop
# -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
service iptables save
An iptables -L after launching the script:
[root@*** ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports 64555,ssh,http,netbios-ns,netbios-ssn,microsoft-ds,https,28690,xmpp-client,hpvirtgrp,xmpp-server
ACCEPT udp -- anywhere anywhere multiport dports netbios-dgm,netbios-ns,28690,xmpp-client,8303,xmpp-client,hpvirtgrp,xmpp-server
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Strange, because I have already run this script before, and here the content is not the same (REJECT all -- anywhere anywhere reject-with icmp-host-prohibited).
The contents of /etc/sysconfig/iptables:
# Generated by iptables-save v1.4.1.1 on Sun Feb 8 18:21:11 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [729:176025]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 64555,22,80,137,139,445,443,28690,5222,5223,5269 -j ACCEPT
-A INPUT -p udp -m multiport --dports 138,137,28690,5222,8303,5222,5223,5269 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Feb 8 18:21:11 2009
A tcpdump -v -i eth0 with iptables active:
[root@*** ~]# tcpdump -v -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:16:36.897372 IP (tos 0x0, ttl 64, id 58895, offset 0, flags [DF], proto TCP (6), length 653) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: P 4143938348:4143938961(613) ack 4044565560 win 21900
18:16:36.898530 IP (tos 0x0, ttl 64, id 29035, offset 0, flags [DF], proto UDP (17), length 70) 192.168.1.2.42516 > www.routerlogin.com.domain: 58599+ PTR? 5.1.168.192.in-addr.arpa. (42)
18:16:36.899408 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) www.routerlogin.com.domain > 192.168.1.2.42516: 58599*- 0/0/0 (42)
18:16:36.899654 IP (tos 0x0, ttl 64, id 29036, offset 0, flags [DF], proto UDP (17), length 70) 192.168.1.2.53034 > www.routerlogin.com.domain: 44056+ PTR? 2.1.168.192.in-addr.arpa. (42)
18:16:36.900543 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) www.routerlogin.com.domain > 192.168.1.2.53034: 44056*- 0/0/0 (42)
18:16:36.900792 IP (tos 0x0, ttl 64, id 29037, offset 0, flags [DF], proto UDP (17), length 70) 192.168.1.2.56953 > www.routerlogin.com.domain: 57864+ PTR? 1.1.168.192.in-addr.arpa. (42)
18:16:36.901720 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 103) www.routerlogin.com.domain > 192.168.1.2.56953: 57864- 1/0/0 1.1.168.192.in-addr.arpa. PTR[|domain]
18:16:37.088288 IP (tos 0x0, ttl 128, id 63181, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.5.fjippol-cnsl > 192.168.1.2.xmpp-client: ., cksum 0x3971 (correct), ack 613 win 16907
18:16:41.893746 arp who-has 192.168.1.2 tell www.routerlogin.com
18:16:41.893779 arp reply 192.168.1.2 is-at 00:1f:c6:41:d0:75 (oui Unknown)
18:16:43.412260 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76) 192.168.1.2.ntp > ns2.le-studio75.com.ntp: NTPv4, length 48
Client, Leap indicator: (0), Stratum 2, poll 6s, precision -22
Root Delay: 0.096618, Root dispersion: 0.045700, Reference-ID: ns2.le-studio75.com
Reference Timestamp: 3443102077.510800957 (2009/02/08 18:14:37)
Originator Timestamp: 3443102140.474222630 (2009/02/08 18:15:40)
Receive Timestamp: 3443102140.509100914 (2009/02/08 18:15:40)
Transmit Timestamp: 3443102203.412230610 (2009/02/08 18:16:43)
Originator - Receive Timestamp: +0.034878283
Originator - Transmit Timestamp: +62.938007950
18:16:43.412432 IP (tos 0x0, ttl 64, id 35549, offset 0, flags [DF], proto UDP (17), length 72) 192.168.1.2.59197 > www.routerlogin.com.domain: 2089+ PTR? 159.32.178.88.in-addr.arpa. (44)
18:16:43.509994 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 76) ns2.le-studio75.com.ntp > 192.168.1.2.ntp: NTPv4, length 48
Server, Leap indicator: (0), Stratum 1, poll 6s, precision -20
Root Delay: 0.000000, Root dispersion: 0.005126, Reference-ID: DCFa
Reference Timestamp: 3443102191.255486994 (2009/02/08 18:16:31)
Originator Timestamp: 3443102203.412230610 (2009/02/08 18:16:43)
Receive Timestamp: 3443102203.474375844 (2009/02/08 18:16:43)
Transmit Timestamp: 3443102203.474445790 (2009/02/08 18:16:43)
Originator - Receive Timestamp: +0.062145225
Originator - Transmit Timestamp: +0.062215197
18:16:43.667756 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 105) www.routerlogin.com.domain > 192.168.1.2.59197: 2089 1/0/0 159.32.178.88.in-addr.arpa. (77)
18:16:47.906410 IP (tos 0x0, ttl 64, id 36964, offset 0, flags [DF], proto TCP (6), length 68) 192.168.1.2.40570 > hermes.jabber.org.xmpp-server: P, cksum 0x3602 (incorrect (-> 0x026e), 4276115208:4276115224(16) ack 3122336203 win 54 <nop,nop,timestamp 564331 300135939>
18:16:47.906619 IP (tos 0x0, ttl 64, id 40043, offset 0, flags [DF], proto UDP (17), length 73) 192.168.1.2.40160 > www.routerlogin.com.domain: 31750+ PTR? 220.163.68.208.in-addr.arpa. (45)
18:16:47.906759 IP (tos 0x0, ttl 64, id 36965, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.2.40570 > hermes.jabber.org.xmpp-server: F, cksum 0x0771 (correct), 16:16(0) ack 1 win 54 <nop,nop,timestamp 564331 300135939>
18:16:47.924321 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [DF], proto TCP (6), length 333) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: P 613:906(293) ack 1 win 21900
18:16:48.061914 IP (tos 0x0, ttl 48, id 42241, offset 0, flags [DF], proto TCP (6), length 52) hermes.jabber.org.xmpp-server > 192.168.1.2.40570: ., cksum 0x9254 (correct), ack 16 win 46 <nop,nop,timestamp 300165928 564331>
18:16:48.062111 IP (tos 0x0, ttl 48, id 42242, offset 0, flags [DF], proto TCP (6), length 52) hermes.jabber.org.xmpp-server > 192.168.1.2.40570: F, cksum 0x9253 (correct), 1:1(0) ack 16 win 46 <nop,nop,timestamp 300165928 564331>
18:16:48.062138 IP (tos 0x0, ttl 64, id 36966, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.2.40570 > hermes.jabber.org.xmpp-server: ., cksum 0x91af (correct), ack 2 win 54 <nop,nop,timestamp 564486 300165928>
18:16:48.062519 IP (tos 0x0, ttl 48, id 42243, offset 0, flags [DF], proto TCP (6), length 52) hermes.jabber.org.xmpp-server > 192.168.1.2.40570: ., cksum 0x9252 (correct), ack 17 win 46 <nop,nop,timestamp 300165928 564331>
18:16:48.123556 IP (tos 0x0, ttl 128, id 63182, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.5.fjippol-cnsl > 192.168.1.2.xmpp-client: ., cksum 0x3971 (correct), ack 906 win 16614
18:16:48.193052 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 104) www.routerlogin.com.domain > 192.168.1.2.40160: 31750 1/0/0 220.163.68.208.in-addr.arpa. (76)
18:16:50.990975 IP (tos 0x0, ttl 128, id 63185, offset 0, flags [DF], proto TCP (6), length 397) 192.168.1.5.fjippol-cnsl > 192.168.1.2.xmpp-client: P 1:358(357) ack 906 win 16614
18:16:51.030219 IP (tos 0x0, ttl 64, id 58897, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: ., cksum 0x17fe (correct), ack 358 win 24820
18:16:51.030763 IP (tos 0x0, ttl 64, id 58898, offset 0, flags [DF], proto TCP (6), length 397) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: P 906:1263(357) ack 358 win 24820
18:16:51.037995 IP (tos 0x0, ttl 128, id 63186, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:51.038060 IP (tos 0xc0, ttl 64, id 50944, offset 0, flags [none], proto ICMP (1), length 76) 192.168.1.2 > 192.168.1.5: ICMP host 192.168.1.2 unreachable - admin prohibited, length 56
IP (tos 0x0, ttl 128, id 63186, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:51.233531 IP (tos 0x0, ttl 128, id 63187, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.5.fjippol-cnsl > 192.168.1.2.xmpp-client: ., cksum 0x380c (correct), ack 1263 win 16257
18:16:51.412265 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76) 192.168.1.2.ntp > pegase.pouf.org.ntp: NTPv4, length 48
Client, Leap indicator: (0), Stratum 2, poll 6s, precision -22
Root Delay: 0.096618, Root dispersion: 0.045822, Reference-ID: ns2.le-studio75.com
Reference Timestamp: 3443102077.510800957 (2009/02/08 18:14:37)
Originator Timestamp: 3443102145.422365635 (2009/02/08 18:15:45)
Receive Timestamp: 3443102145.453938931 (2009/02/08 18:15:45)
Transmit Timestamp: 3443102211.412234455 (2009/02/08 18:16:51)
Originator - Receive Timestamp: +0.031573276
Originator - Transmit Timestamp: +65.989868819
18:16:51.412464 IP (tos 0x0, ttl 64, id 43549, offset 0, flags [DF], proto UDP (17), length 72) 192.168.1.2.49081 > www.routerlogin.com.domain: 45310+ PTR? 162.81.191.88.in-addr.arpa. (44)
18:16:51.454058 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto UDP (17), length 76) pegase.pouf.org.ntp > 192.168.1.2.ntp: NTPv4, length 48
Server, Leap indicator: (0), Stratum 3, poll 6s, precision -20
Root Delay: 0.021652, Root dispersion: 0.057189, Reference-ID: ns2.kamino.fr
Reference Timestamp: 3443101180.488391548 (2009/02/08 17:59:40)
Originator Timestamp: 3443102211.412234455 (2009/02/08 18:16:51)
Receive Timestamp: 3443102211.422421574 (2009/02/08 18:16:51)
Transmit Timestamp: 3443102211.422453910 (2009/02/08 18:16:51)
Originator - Receive Timestamp: +0.010187118
Originator - Transmit Timestamp: +0.010219456
18:16:51.459259 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 101) www.routerlogin.com.domain > 192.168.1.2.49081: 45310 1/0/0 162.81.191.88.in-addr.arpa. (73)
18:16:51.459587 IP (tos 0x0, ttl 64, id 43596, offset 0, flags [DF], proto UDP (17), length 74) 192.168.1.2.39963 > www.routerlogin.com.domain: 39965+ PTR? 205.169.251.213.in-addr.arpa. (46)
18:16:51.511061 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 101) www.routerlogin.com.domain > 192.168.1.2.39963: 39965 1/0/0 205.169.251.213.in-addr.arpa. (73)
18:16:54.042560 IP (tos 0x0, ttl 128, id 63188, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:54.042617 IP (tos 0xc0, ttl 64, id 50945, offset 0, flags [none], proto ICMP (1), length 76) 192.168.1.2 > 192.168.1.5: ICMP host 192.168.1.2 unreachable - admin prohibited, length 56
IP (tos 0x0, ttl 128, id 63188, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:54.412246 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76) 192.168.1.2.ntp > time.digimedia.fr.ntp: NTPv4, length 48
Client, Leap indicator: (0), Stratum 2, poll 6s, precision -22
Root Delay: 0.096618, Root dispersion: 0.045867, Reference-ID: ns2.le-studio75.com
Reference Timestamp: 3443102077.510800957 (2009/02/08 18:14:37)
Originator Timestamp: 3443102148.425384670 (2009/02/08 18:15:48)
Receive Timestamp: 3443102148.455342888 (2009/02/08 18:15:48)
Transmit Timestamp: 3443102214.412219285 (2009/02/08 18:16:54)
Originator - Receive Timestamp: +0.029958205
Originator - Transmit Timestamp: +65.986834585
18:16:54.412448 IP (tos 0x0, ttl 64, id 46549, offset 0, flags [DF], proto UDP (17), length 71) 192.168.1.2.33435 > www.routerlogin.com.domain: 5326+ PTR? 16.146.98.87.in-addr.arpa. (43)
18:16:54.456691 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 76) time.digimedia.fr.ntp > 192.168.1.2.ntp: NTPv4, length 48
Server, Leap indicator: (0), Stratum 2, poll 6s, precision -20
Root Delay: 0.015930, Root dispersion: 0.029098, Reference-ID: chronos.cru.fr
Reference Timestamp: 3443101357.293892621 (2009/02/08 18:02:37)
Originator Timestamp: 3443102214.412219285 (2009/02/08 18:16:54)
Receive Timestamp: 3443102214.426314830 (2009/02/08 18:16:54)
Transmit Timestamp: 3443102214.426342606 (2009/02/08 18:16:54)
Originator - Receive Timestamp: +0.014095545
Originator - Transmit Timestamp: +0.014123328
18:16:54.460888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 102) www.routerlogin.com.domain > 192.168.1.2.33435: 5326 1/0/0 16.146.98.87.in-addr.arpa. (74)
18:16:54.461233 IP (tos 0x0, ttl 64, id 46598, offset 0, flags [DF], proto UDP (17), length 73) 192.168.1.2.58958 > www.routerlogin.com.domain: 12832+ PTR? 163.94.220.195.in-addr.arpa. (45)
18:16:54.507527 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 101) www.routerlogin.com.domain > 192.168.1.2.58958: 12832 1/0/0 163.94.220.195.in-addr.arpa. (73)
18:17:00.061838 IP (tos 0x0, ttl 128, id 63189, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:17:00.061967 IP (tos 0xc0, ttl 64, id 50946, offset 0, flags [none], proto ICMP (1), length 76) 192.168.1.2 > 192.168.1.5: ICMP host 192.168.1.2 unreachable - admin prohibited, length 56
IP (tos 0x0, ttl 128, id 63189, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:17:06.994706 IP (tos 0x0, ttl 128, id 63199, offset 0, flags [DF], proto TCP (6), length 253) 192.168.1.5.fjippol-cnsl > 192.168.1.2.xmpp-client: P 358:571(213) ack 1263 win 16257
18:17:06.994770 IP (tos 0x0, ttl 64, id 58899, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: ., cksum 0x0a5c (correct), ack 571 win 27740
^C
48 packets captured
48 packets received by filter
0 packets dropped by kernel
There you go, thanks to both of you 🙂
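An added diagnostic, not part of the post above and not the poster's script: given the saved rule set and the capture, it lists every inbound packet the host answered with ICMP "admin prohibited" and checks the destination port against the ACCEPT lists. That ICMP reply (type 3, code 10, host administratively prohibited) is what iptables' REJECT --reject-with icmp-host-prohibited emits; a plain DROP policy sends nothing back, so the capture was taken with a REJECT rule in place. In the excerpt, the client's SYN to 192.168.1.2 port 43172 is answered that way on every retransmission, and 43172 is in neither --dports list. The rule text and capture lines are copied from the post; the lookup of service names via /etc/services (for ports tcpdump printed by name) is an assumption of this example.

```python
"""Find which inbound connections the host is refusing, from a tcpdump -v
capture and an iptables-save dump (added example, not the poster's code)."""
import re
import socket

# Rules copied from the /etc/sysconfig/iptables dump in the post.
SAVED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [729:176025]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 64555,22,80,137,139,445,443,28690,5222,5223,5269 -j ACCEPT
-A INPUT -p udp -m multiport --dports 138,137,28690,5222,8303,5222,5223,5269 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Excerpt of the tcpdump -v -i eth0 capture in the post: one accepted XMPP
# segment, then the client's SYN to port 43172 (sent twice) and the host's
# ICMP answer; tcpdump prints the quoted original packet on the following line.
CAPTURE = """\
18:16:51.030763 IP (tos 0x0, ttl 64, id 58898, offset 0, flags [DF], proto TCP (6), length 397) 192.168.1.2.xmpp-client > 192.168.1.5.fjippol-cnsl: P 906:1263(357) ack 358 win 24820
18:16:51.037995 IP (tos 0x0, ttl 128, id 63186, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:51.038060 IP (tos 0xc0, ttl 64, id 50944, offset 0, flags [none], proto ICMP (1), length 76) 192.168.1.2 > 192.168.1.5: ICMP host 192.168.1.2 unreachable - admin prohibited, length 56
IP (tos 0x0, ttl 128, id 63186, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:54.042560 IP (tos 0x0, ttl 128, id 63188, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:16:54.042617 IP (tos 0xc0, ttl 64, id 50945, offset 0, flags [none], proto ICMP (1), length 76) 192.168.1.2 > 192.168.1.5: ICMP host 192.168.1.2 unreachable - admin prohibited, length 56
IP (tos 0x0, ttl 128, id 63188, offset 0, flags [DF], proto TCP (6), length 48) 192.168.1.5.everydayrc > 192.168.1.2.43172: S, cksum 0x22f2 (correct), 582010530:582010530(0) win 16384 <mss 1460,nop,nop,sackOK>
"""

# "-A INPUT -p tcp -m multiport --dports a,b,c -j ACCEPT" (also plain --dport)
RULE_RE = re.compile(r"^-A INPUT -p (tcp|udp) .*--dports? (\S+) -j ACCEPT$")

# "proto TCP (6), ... 192.168.1.5.everydayrc > 192.168.1.2.43172:"
PKT_RE = re.compile(
    r"proto (?P<proto>TCP|UDP) \(\d+\).*?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+):"
)


def port_number(token):
    """tcpdump prints ports by name when /etc/services knows them; map back."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)  # assumption: same /etc/services as tcpdump used
    except OSError:
        return None


def allowed_ports(rules_text):
    """Destination ports the INPUT chain accepts, per protocol."""
    allowed = {"tcp": set(), "udp": set()}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            allowed[m.group(1)].update(int(p) for p in m.group(2).split(","))
    return allowed


def rejected_connections(capture_text):
    """(proto, src, dst, dport) for every packet answered with ICMP admin prohibited.
    The quoted original packet is on the line after the ICMP line."""
    lines = capture_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if "admin prohibited" in line and i + 1 < len(lines):
            m = PKT_RE.search(lines[i + 1])
            if m:
                found.append((m["proto"].lower(), m["src"], m["dst"], port_number(m["dport"])))
    return found


def diagnose(capture_text, rules_text):
    """One entry per refused connection, with whether its port is in an ACCEPT list.
    Retransmitted SYNs produce repeated rejects; they are collapsed here."""
    allowed = allowed_ports(rules_text)
    report, seen = [], set()
    for key in rejected_connections(capture_text):
        if key in seen:
            continue
        seen.add(key)
        proto, src, dst, dport = key
        report.append({
            "proto": proto, "src": src, "dst": dst, "dport": dport,
            "in_accept_list": dport in allowed[proto],
            # ICMP type 3 code 10 is what REJECT --reject-with icmp-host-prohibited
            # sends; a DROP target would have answered with nothing at all.
            "answer": "ICMP host unreachable - admin prohibited (REJECT, not DROP)",
        })
    return report


if __name__ == "__main__":
    for e in diagnose(CAPTURE, SAVED_RULES):
        print(f"{e['proto']} {e['src']} -> {e['dst']}:{e['dport']} refused; "
              f"port in ACCEPT list: {e['in_accept_list']}; {e['answer']}")
```

Run against a fuller capture, the report names each port the firewall refused; a port that the application needs but that appears with in_accept_list False is the one to open (or to pin to a fixed value in the application and then open), rather than disabling the firewall.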