IPTABLES


	* iptables
	* ulogd

Config:

sudo gedit /etc/default/ubuntu-firewall-cfg 

from http://rob.pectol.com/ubuntu-firewall-cfg.txt


############################################################################
#  ubuntu-firewall-cfg -  Configuration settings for the Ubuntu-firewall.  #
#  This config file should be placed within your /etc/default directory.   #
#  Version: 0.4.8							   #
############################################################################
###
#  Network Interfaces
###
#  Set the external interface.  This is the interface that will
#  face the Internet.  It's the one you want Ubuntu-firewall to
#  protect.  Typically it will be eth0 or eth1.  However, you
#  may choose to have Ubuntu-firewall automatically select the
#  * first * active interface it finds.  In this case, you would
#  use the key word, "auto" as in, EXTIF="auto".  This is usually
#  a good choice for users who have only one active network
#  interface on their machine.
#
#EXTIF="eth0"
EXTIF="auto"

#  Set the internal interface if you have one and want to be
#  able to pass local traffic over it.  If not, then don't
#  specify an interface inside the quotes.  Just leave it blank
#  as in INTIF="".
INTIF=""

##
#  Miscellaneous options set with, "yes" or, "no"
##
#  Disable the firewall (useful for temporarily de-activating Ubuntu-firewall
#  without having to remove it from your startup configuration, etc.)  This
#  setting affects Ubuntu-firewall's ability to load and IS PERSISTENT through
#  re-boots!
DISABLED="no"
#  Firewall logging (useful for debug, curiosity, etc.  Logs to syslog)
LOG_ALL="no"
#  Verbose mode (feedback during script execution - useful for debug, etc.)
VERBOSE="yes"
#  Respond to ICMP (echo-request) pings
ALLOW_PINGS="yes"

###
#  Complex Server options set with, "yes" or, "no"
###
#  FTP server - Firewall requirements for an FTP Server are a little more
#  involved.  Thus, I've coded support for it directly into the Ubuntu-firewall
#  script.  It can be enabled/disabled here.
ALLOW_FTP="no"

#  Micro$oft Networking - Firewall requirements for Micro$oft Networking are
#  a little more involved.  Thus, I've coded support for it directly into the
#  Ubuntu-firewall script.  It can be enabled/disabled here.
ALLOW_MSNETWORKING="no"

###
#  Other services
###
#  List the TCP ports you want un-blocked by the firewall.
#  The ports need to be inside the quotes with a space between each one.
#  (ex: OPEN_TCP_PORTS="22 80 110")
#  This would un-block TCP ports 22 (ssh), 80 (http), and 110 (POP-3).
OPEN_TCP_PORTS="22 8080"

#  List the UDP ports you want un-blocked by the firewall.
#  The ports need to be inside the quotes with a space between each one.
#  (ex: OPEN_UDP_PORTS="53")
#  This would un-block UDP port 53 (DNS Server services).
# OPEN_UDP_PORTS=""
OPEN_UDP_PORTS=""

###
#  Advanced Options
###

#  Network Address Translation/Routing
#
#  This enables NAT Routing capabilities.  To use this feature, you must
#  specify the interface for NAT_IF, for which you want NAT services applied.
#  This MAY be the same as your internal interface (INTIF) as specified above.
#  ex:  NAT_IF="eth1"  (this will allow you to connect another PC to this PC's
#  eth1 interface for Internet Access on that PC)  To disable NAT, don't
#  specify an interface inside the quotes.  Just leave it blank as in NAT_IF="".
#
#  Bear in mind that the PC connected to this one will need to be set up on
#  the same network segment that this one's NAT_IF is on.  You will also need
#  to use the IP address assigned to the NAT_IF device, as that PC's default
#  gateway to the Internet.
NAT_IF=""

#  Forwarding of Ports
#
#  This allows you to forward ports to an internal host.  To use this feature,
#  simply specify an internal host to which you want to forward incoming
#  connections using the FORWARD_HOST directive.  Leaving it blank as in,
#  FORWARD_HOST="" will disable port forwarding.  Once you've specified a
#  host to which you want ports forwarded, you need to specify the ports.
#  This is done using the following two directives: FORWARD_TCP_PORTS
#  FORWARD_UDP_PORTS.  You may list multiple ports by separating them with
#  spaces.  For instance, if you wanted to forward incoming to TCP ports 22,
#  80, and 110, to an internal host with an IP address of 192.168.1.10, you
#  would use the following configuration:
#  FORWARD_HOST="192.168.1.10"
#  FORWARD_TCP_PORTS="22 80 110"
#  FORWARD_UDP_PORTS=""
FORWARD_HOST=""
FORWARD_TCP_PORTS=""
FORWARD_UDP_PORTS=""

#  Custom Rules
#
#  This allows the user to define non-standard or custom rules to be added
#  to the firewall policy.  It is STRONGLY RECOMMENDED that you only make
#  use of this if you understand iptables hierarchy and firewall design in
#  general!  Carelessly inserting rules into Ubuntu-firewall can easily
#  render it ineffective.  You have been warned!  Now, with all that out
#  of the way, here's how to do it.  First, you need to create a file that
#  contains the appropriate iptables commands, making certain that you have
#  the syntax correct.  When making your custom rules, you should probably
#  test each of them, one-at-a-time at the command prompt to verify that they
#  work as expected.  You may define as many custom rules as you like but
#  remember, usually the simpler the firewall ruleset, the more robust it
#  tends to be.  Take special care to make sure that any rules you define,
#  don't sabotage other rules listed below it.  Once you have your file
#  populated with your custom rules, save it and set the CUSTOM_RULES directive
#  to point to your file. Ex: CUSTOM_RULES="/etc/default/custom_firewall_rules"
#  If you don't have any reason to use custom rules, then simply leave
#  CUSTOM_RULES blank as in, CUSTOM_RULES="".
CUSTOM_RULES="/etc/default/custom_firewall_rules"


In


# sudo gedit /etc/default/custom_firewall_rules
# trusted IP
TRUSTED_HOST='127.0.0.1'
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT
# port 22
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# for VLC
# iptables -A INPUT -s 212.27.38.253 -d 192.168.0.1 -p udp --sport 32750:32950 --dport 31336 -m state --state ! INVALID -j ACCEPT
# iptables -A INPUT -s 192.168.0.1 -d 228.67.43.91 -p udp --sport 15947 --dport 15947 -m state --state ! INVALID -j ACCEPT
# for Homeplayer or Jukebox player
# iptables -A INPUT -p tcp -s 212.27.38.253 --dport 8080 -j ACCEPT
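The four SSH rules in the custom rules file are easier to reason about when traced step by step. The following Python script is an added example, not part of these notes: it models the subset of the iptables recent match the rules use (--set, --update --seconds/--hitcount, --remove), following the kernel's xt_recent behaviour of refreshing an entry only when --update matches, and walks a constructed list of NEW tcp/22 connection attempts through the rules in order. The --rttl TTL comparison and the -m state NEW test are assumed rather than modelled, and the IP addresses are constructed.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4      # --seconds 60 --hitcount 4 from the rules above
PKT_LIST_TOT = 20              # kernel default ip_pkt_list_tot: stamps kept per address
TRUSTED_HOST = "127.0.0.1"     # as set in the custom rules file

class Recent:
    """One --name list of the recent match: source address -> recent timestamps."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):                  # -m recent --set
        self.stamps[src] = (self.stamps[src] + [now])[-PKT_LIST_TOT:]

    def update(self, src, now, seconds, hitcount):  # --update; --rttl is not modelled
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(src, now)   # xt_recent refreshes the entry only when --update matches
        return True

    def remove(self, src):                    # --remove: matches only if an entry existed
        return self.stamps.pop(src, None) is not None

def input_chain(recent, src, now, log):
    """Verdict for one NEW tcp/22 connection walked through the four rules in order.
    Anything not dropped is ACCEPTed because OPEN_TCP_PORTS="22 8080" opens the port."""
    recent.set(src, now)                                     # rule 1: --set --name SSH
    if src == TRUSTED_HOST and recent.remove(src):           # rule 2: -j SSH_WHITELIST
        return "ACCEPT"
    if recent.update(src, now, SECONDS, HITCOUNT):           # rule 3: -j ULOG
        log.append(f"SSH_brute_force src={src} t={now}")
    if recent.update(src, now, SECONDS, HITCOUNT):           # rule 4: -j DROP
        return "DROP"
    return "ACCEPT"

def run(attempts):
    """attempts: [(seconds, source_ip), ...] in time order -> (verdicts, log lines)."""
    recent, log, verdicts = Recent(), [], []
    for now, src in attempts:
        verdicts.append(input_chain(recent, src, now, log))
    return verdicts, log

# Constructed sample: one address hammering tcp/22, one normal client, the trusted host.
SAMPLE = [(0, "203.0.113.5"), (5, "203.0.113.5"), (10, "203.0.113.5"),
          (12, "198.51.100.9"), (15, "203.0.113.5"), (70, "203.0.113.5"),
          (200, "203.0.113.5"), (201, "127.0.0.1")]
```

With SAMPLE, the fourth attempt from 203.0.113.5 within 60 s is logged and dropped, the next one stays dropped because the matching --update rules keep refreshing the entry, and after 60 s of silence the address is accepted again. On current kernels the ULOG target no longer exists; NFLOG with ulogd's NFLOG input plays the same role.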
