

Salut.

J'ai compilé un petit script firewall pour protéger une machine avec des
services.
Noyau 2.4.24 (grsec) + iptables 1.2.9

Au début j'étais parti sur l'idée de tout laisser ouvert et de filtrer les
connexions : 80, 21, ...
Mon principe était le suivant: toute connexion à un port est vérifiée.

Les tests de nessus 2.09 sont propres.
Sauf une suggestion que je n'arrive pas à enlever :
général/udp:
For your information, here is the traceroute to 192.168.0.30 :
192.168.0.154
192.168.0.30
Je voudrais qu'il ne puisse pas obtenir cette information.

Je débute donc il y a forcément des énormités, soyez indulgent.
Pourriez vous m'aider à améliorer le script.
(le WAN et le LAN sont identiques : je n'ai qu'une carte sur ce serveur, mais j'ai
prévu de gérer 2 cartes)
----------------------------------------------------------------------------
------------------------
#!/bin/bash
#
# Host firewall for a single-homed server (Linux 2.4 / iptables 1.2.x era).
# Layout: default-DROP policies on INPUT/OUTPUT/FORWARD, a set of sanity
# chains (bad TCP flags, bogon sources, ICMP filtering, rate-limited logging),
# kernel sysctl hardening, then one ACCEPT section per public service.
# Must run as root.
#
# Deliberately NOT run under "set -e": a single failing rule in the middle of
# the ruleset must not leave the box with DROP policies and half of the rules
# missing.  Read the output of each run instead.

# Path of the iptables binary.  Meant to be used as "$IPT" instead of a bare
# "iptables" so the script cannot pick up a different binary from $PATH.
readonly IPT="/sbin/iptables"

############################################################################
####
#				CONFIGURATION                                 		 #
############################################################################
####

#----------------------------#
#        FUNCTIONS           #
#----------------------------#

# Interface facing the outside and the address range expected on it.
WANIFACE=eth0
WAN=192.168.0.0/24

# Interface facing the internal network.  The box currently has a single
# card, so LAN and WAN are the same interface and the same /24.  While this
# is the case:
#   - every rule restricted to $LAN is reachable from the WAN side too;
#   - the RFC 1918 bogon filters in CHECKBADFLAG cannot be enabled, since
#     they would drop the LAN's own 192.168.x.x traffic.
# Once a second card is added, point LANIFACE/LAN at it and revisit both.
LANIFACE=eth0
LAN=192.168.0.0/24

#----------------------------#
#         AUTOCONFIG         #
#----------------------------#


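# Derive address, netmask and broadcast of each interface from ifconfig.
# net-tools prints: "inet addr:192.168.0.30  Bcast:192.168.0.255  Mask:255.255.255.0"
# The label is matched exactly (preceded by whitespace, followed by digits):
# the original "grep inet | cut" also matched an "inet6 addr:" line when IPv6
# is enabled and then produced a two-line value.
iface_field() {
  # $1 = interface, $2 = label without the colon (addr, Bcast or Mask).
  # Prints the dotted quad after the label, nothing when it is absent
  # (e.g. no Bcast on a point-to-point link).
  ifconfig "$1" 2>/dev/null \
    | sed -n "s/.*[[:space:]]$2:\([0-9][0-9.]*\).*/\1/p" | head -n 1
}

WANIP=$(iface_field "$WANIFACE" addr)
WANMASK=$(iface_field "$WANIFACE" Mask)
WANBCAST=$(iface_field "$WANIFACE" Bcast)

LANIP=$(iface_field "$LANIFACE" addr)
LANMASK=$(iface_field "$LANIFACE" Mask)
LANBCAST=$(iface_field "$LANIFACE" Bcast)

# Refuse to continue with an empty address.  Every later "-s/-d $WANIP"
# rule would then be passed a missing argument: iptables rejects just those
# rules and the ruleset is installed with the anti-spoof and DNS checks
# silently missing.  Aborting here happens before the flush below, so the
# previous ruleset stays in force.
if [ -z "$WANIP" ] || [ -z "$LANIP" ]; then
  echo "firewall: cannot determine the address of $WANIFACE/$LANIFACE, aborting" >&2
  exit 1
fi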

#----------------------------#
#         SERVICES           #
#----------------------------#

# Port ranges and limits used by the rules below ("low:high" iptables ranges).

# SSH clients that insist on a privileged source port walk down from 1023
# for each additional session; most clients use an unprivileged port.
# (Not referenced by any rule in this script; kept so existing rule
# snippets can still use them.)
SSH_LOCAL_PORTS="1022:65535"   # local clients
SSH_REMOTE_PORTS="513:65535"   # remote clients

# UNIX traceroute probes: source 32769-65535, destination 33434-33523.
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# Unprivileged (ephemeral) port range.
UNPRIVPORTS="1024:65535"

# "on" enables the TCP tuning block of the sysctl section.
dos_protect="on"

#----Flood Variables-----#
# NOTE(review): each limit below is a single global token bucket
# (iptables -m limit), not a per-source one.  Once an attacker has drained
# it, legitimate clients are throttled too -- size them for the real load.

TCPSYNLIMIT="5/s"        # average rate of new TCP connections (SYN) accepted
TCPSYNLIMITBURST="10"    # burst allowance before TCPSYNLIMIT applies

LOGLIMIT="2/s"           # average rate of log lines per logging chain
LOGLIMITBURST="10"       # burst allowance for log lines

PINGLIMIT="5/s"          # average rate of echo-requests answered
PINGLIMITBURST="10"      # burst allowance for echo-requests

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

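# Start from a clean table.
# FIX: set the DROP policies *before* flushing.  The old rules disappear the
# moment they are flushed; with the previous policies still in force there
# was a window with no filtering at all until the new rules were loaded.
# A short total blackout of existing connections while the script runs is
# the harmless alternative.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -P "$chain" DROP
done

for table in filter mangle nat; do
  "$IPT" -t "$table" -F     # delete every rule
  "$IPT" -t "$table" -X     # delete every user-defined chain (must be empty)
done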

#-----Chaines-----#

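# Logging chains.  Each L* chain logs (rate-limited by LOGLIMIT/LOGLIMITBURST
# so an attacker cannot fill the disk with log lines) and then DROPs.
# log_drop_chain creates such a chain: $1 = chain name, $2 = log prefix
# (iptables limits the prefix to 29 characters).
log_drop_chain() {
	"$IPT" -N "$1"
	"$IPT" -A "$1" -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" \
		-j LOG --log-prefix "$2"
	"$IPT" -A "$1" -j DROP
}

# Invalid packets (conntrack: neither ESTABLISHED, RELATED nor NEW)
log_drop_chain LINVALID "fp=INVALID:1 a=DROP "

# Possible TCP SYN floods (fed by TCPACCEPT)
log_drop_chain LSYNFLOOD "fp=SYNFLOOD:1 a=DROP "

# Possible ping floods (fed by ICMPINBOUND).
# FIX: this chain and LBADFLAG logged without a prefix, so their lines could
# not be told apart from any other kernel LOG output; both now carry the
# same "fp=...:N a=DROP " tag as the other chains.
log_drop_chain LPINGFLOOD "fp=PINGFLOOD:1 a=DROP "

# TCP packets with a bad flag combination.
# NOTE(review): nothing jumps to this chain -- CHECKBADFLAG drops bad flags
# silently.  Point its DROPs here if those events should appear in the logs.
log_drop_chain LBADFLAG "fp=BADFLAG:1 a=DROP "

# TCPACCEPT - rate-limit new connections (SYN) before accepting them;
# non-SYN segments pass straight through.
# NOTE(review): the limit is one global bucket, not per source: a single
# host sending more than TCPSYNLIMIT SYN/s pushes everybody else's
# connection attempts into LSYNFLOOD.  tcp_syncookies (sysctl section)
# already protects the backlog, so size this generously.
"$IPT" -N TCPACCEPT
	"$IPT" -A TCPACCEPT -p tcp --syn -m limit \
		--limit "$TCPSYNLIMIT" --limit-burst "$TCPSYNLIMITBURST" -j ACCEPT
	"$IPT" -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
	"$IPT" -A TCPACCEPT -p tcp ! --syn -j ACCEPT

# LDROP - catch-all for everything else: log by protocol, then drop.
"$IPT" -N LDROP
	"$IPT" -A LDROP -p tcp -m limit --limit "$LOGLIMIT" \
		--limit-burst "$LOGLIMITBURST" -j LOG \
		--log-prefix "fp=TCP:1 a=DROP "
	"$IPT" -A LDROP -p udp -m limit --limit "$LOGLIMIT" \
		--limit-burst "$LOGLIMITBURST" -j LOG \
		--log-prefix "fp=UDP:2 a=DROP "
	"$IPT" -A LDROP -p icmp -m limit --limit "$LOGLIMIT" \
		--limit-burst "$LOGLIMITBURST" -j LOG \
		--log-prefix "fp=ICMP:3 a=DROP "
	"$IPT" -A LDROP -f -m limit --limit "$LOGLIMIT" \
		--limit-burst "$LOGLIMITBURST" -j LOG \
		--log-prefix "fp=FRAGMENT:4 a=DROP "
	"$IPT" -A LDROP -j DROP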

# Protection de base

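"$IPT" -N CHECKBADFLAG

	# Lone RST (none of SYN/ACK/FIN set): what a closed port answers a
	# stealth scan with.  Up to 1/s are ACCEPTed here, which ends INPUT
	# processing for them and skips every check below.  NOTE(review): kept
	# from the original -- presumably meant to let the kernel discard stray
	# RSTs itself; confirm that is intended, since it is the only ACCEPT in
	# this chain.
	"$IPT" -A CHECKBADFLAG -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
		-m limit --limit 1/s -j ACCEPT

	# Illegal flag combinations (XMAS, NULL, SYN+FIN, ...): a real TCP stack
	# never produces them, so they are fingerprinting / stealth-scan probes.
	# "--tcp-flags MASK SET" matches when the bits in MASK equal exactly SET.
	# FIX: the mail wrapped several of these rules as "-j" / "DROP" on two
	# lines, which makes iptables reject the rule and bash try to run a
	# command called DROP; they are re-joined here.
	for flags in \
		"ALL ALL" \
		"ALL NONE" \
		"ALL FIN,URG,PSH" \
		"ALL SYN,RST,ACK,FIN,URG" \
		"SYN,RST SYN,RST" \
		"SYN,FIN SYN,FIN" \
		"FIN,RST FIN,RST" \
		"ACK,FIN FIN" \
		"ACK,PSH PSH" \
		"ACK,URG URG"
	do
		# shellcheck disable=SC2086  # $flags is deliberately split into MASK SET
		"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -p tcp --tcp-flags $flags -j DROP
	done

	# TCP option kinds 64 and 128 (kept from the original ruleset)
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -p tcp --tcp-option 64 -j DROP
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -p tcp --tcp-option 128 -j DROP

	# Directed broadcasts (Smurf / Fraggle amplification)
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -d 255.255.255.255 -j DROP
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -d "$WANBCAST" -j DROP

	# Packets claiming to come from our own address
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s "$WANIP" -d "$WANIP" -j DROP

	# Non-first fragments.  NOTE(review): with ip_conntrack loaded (the state
	# match is used throughout) packets are reassembled before they reach the
	# filter, so this rule is unlikely to ever match; harmless to keep.
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -f -j DROP

	# INVALID packets are already handled in INPUT before this chain runs.
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -m state --state INVALID -j DROP

	# A NEW TCP connection must start with a SYN
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -p tcp ! --syn \
		-m state --state NEW -j DROP

	# Bogus source addresses.  The RFC 1918 entries stay commented out
	# because the box itself lives in 192.168.0.0/24 and LAN == WAN; enable
	# them once the WAN interface carries public addresses only.
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 255.255.255.255/32 -j DROP   # limited broadcast
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 127.0.0.0/8 -j DROP          # loopback
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 169.254.0.0/16 -j DROP       # link-local
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 0.0.0.0/8 -j DROP           # "this" network (DHCPDISCOVER source; left off)
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 192.0.2.0/24 -j DROP        # TEST-NET
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 10.0.0.0/8 -j DROP          # RFC 1918
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 172.16.0.0/12 -j DROP       # RFC 1918 (FIX: was /16, i.e. only 172.16.x.x)
	#"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 192.168.0.0/16 -j DROP      # RFC 1918
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 224.0.0.0/4 -j DROP          # multicast
	# Class E / reserved.  240.0.0.0/4 is exactly the union of the two /5
	# ranges the original listed separately (240/5 "reserved", 248/5
	# "unallocated").
	"$IPT" -A CHECKBADFLAG -i "$WANIFACE" -s 240.0.0.0/4 -j DROP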

# Filtrage des ports ICMP

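"$IPT" -N ICMPINBOUND

# ICMP types handled here (inbound on the WAN interface):
#    0 echo-reply        answers to our own pings (ESTABLISHED via conntrack)
#    3 destination-unreachable (port-unreachable, fragmentation-needed, ...)
#    4 source-quench
#    5 redirect          changes our routing table -- never wanted from outside
#    8 echo-request
#   11 time-exceeded     replies to our outgoing traceroutes
#   12 parameter-problem
#   13/14 timestamp, 17/18 address-mask: only useful to fingerprint the box

	# Error messages TCP/UDP and path-MTU discovery rely on.
	# NOTE(review): source-quench (4) is obsolete; it is kept here only
	# because the original accepted it.
	for icmp_type in 3 4 11 12; do
		"$IPT" -A ICMPINBOUND -i "$WANIFACE" -p icmp --icmp-type "$icmp_type" -j ACCEPT
	done

	# Timestamp request/reply: fingerprinting aid, not needed.
	"$IPT" -A ICMPINBOUND -i "$WANIFACE" -p icmp --icmp-type 13 -j DROP
	"$IPT" -A ICMPINBOUND -i "$WANIFACE" -p icmp --icmp-type 14 -j DROP

	# FIX: redirects (5) previously fell through to the final ACCEPT below and
	# reached the kernel.  Drop them in the filter, independently of the
	# accept_redirects sysctl, since a redirect is the one ICMP message that
	# rewrites where this host sends its traffic.
	"$IPT" -A ICMPINBOUND -i "$WANIFACE" -p icmp --icmp-type 5 -j DROP

	# Ping flood protection: answer $PINGLIMIT echo-requests/s with a burst of
	# $PINGLIMITBURST (FIX: the burst variable was defined but never applied),
	# log and drop the rest.
	"$IPT" -A ICMPINBOUND -p icmp --icmp-type echo-request \
		-m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
	"$IPT" -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

	# Address-mask request/reply: fingerprinting aid, not needed.
	"$IPT" -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j DROP
	"$IPT" -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j DROP

	# Everything else (echo-reply, router advertisements, ...) is accepted.
	# NOTE(review): consider turning this into DROP once the list above has
	# been confirmed complete for this box.
	"$IPT" -A ICMPINBOUND -p icmp -j ACCEPT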

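"$IPT" -N ICMPOUTBOUND

	# Address-mask request/reply never need to leave the box.
	"$IPT" -A ICMPOUTBOUND -p icmp \
		--icmp-type address-mask-request -j DROP
	"$IPT" -A ICMPOUTBOUND -p icmp \
		--icmp-type address-mask-reply -j DROP

	# Keep "fragmentation needed" (type 3 code 4): path-MTU discovery
	# depends on it.  Irrelevant while this host does not forward, but it
	# must not be swallowed by the blanket type-3 drop below once the second
	# card and FORWARD rules are added.
	"$IPT" -A ICMPOUTBOUND -p icmp --icmp-type fragmentation-needed -j ACCEPT

	# Do not answer incoming traceroute / UDP scans: no destination-
	# unreachable (3) and no time-exceeded (11) leave the box.  Type 11
	# covers ttl-zero-during-transit (used by Windows tracert) and
	# ttl-zero-during-reassembly, which the original also listed separately.
	# Side effects: UDP clients of this box get silent timeouts instead of
	# "port unreachable" on closed ports, and a TCP-based trace to an open
	# port still sees the final hop, because that answer is the service's
	# SYN-ACK, not an ICMP message.
	"$IPT" -A ICMPOUTBOUND -p icmp --icmp-type 3 -j DROP
	"$IPT" -A ICMPOUTBOUND -p icmp --icmp-type 11 -j DROP

	# Everything else (echo-request/reply, parameter-problem, ...) may go out.
	"$IPT" -A ICMPOUTBOUND -p icmp -j ACCEPT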

#-----------------------------------------#
#              TOS Tweaks                 #
#-----------------------------------------#

# (0x00) Normal-Service 0
# (0x02) Minimize-Cost 2
# (0x04) Maximize-Reliability 4
# (0x08) Maximize-Throughput 8
# (0x10) Minimize-Delay 16

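# TOS marking of outgoing (OUTPUT) and incoming (PREROUTING) packets per
# service.  FIX: the two user chains were created and filled but never
# jumped to from the builtin mangle chains, so no packet was ever marked;
# the two "-A OUTPUT/PREROUTING -j ..." rules at the end attach them.
# (Also re-joined the "--set-tos\n16" lines the mail had wrapped.)

# Append "-p $2 --dport $3 -j TOS --set-tos $4" to mangle chain $1.
tos_rule() {
	"$IPT" -t mangle -A "$1" -p "$2" --dport "$3" -j TOS --set-tos "$4"
}

for chain in MANGLE_OUTPUT MANGLE_PREROUTING; do
	"$IPT" -t mangle -N "$chain"
	"$IPT" -t mangle -F "$chain"
	tos_rule "$chain" tcp 20 8     # ftp-data: maximize throughput
	tos_rule "$chain" tcp 21 16    # ftp control: minimize delay
	tos_rule "$chain" tcp 22 16    # ssh
	tos_rule "$chain" tcp 25 16    # smtp
	tos_rule "$chain" tcp 53 16    # dns
	tos_rule "$chain" udp 53 16
	tos_rule "$chain" tcp 80 8     # http: maximize throughput
done

# Hook the user chains into the builtin ones (the mangle table was flushed
# at the top of the script, so appending here cannot duplicate them).
"$IPT" -t mangle -A OUTPUT -j MANGLE_OUTPUT
"$IPT" -t mangle -A PREROUTING -j MANGLE_PREROUTING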



#----------------------------#
#         RULES              #
#----------------------------#

# --------------------------------------------------------------------------
--

	# LOCAL TRAFFIC
	#--------------

	# Packets that conntrack already associates with a connection (or that
	# are RELATED to one) are accepted first in every builtin chain.  They
	# are inserted at position 1 so they stay ahead of anything appended
	# later.
	for builtin_chain in INPUT FORWARD OUTPUT; do
		"$IPT" -I "$builtin_chain" 1 -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
	done

	# Loopback traffic is unrestricted (local daemons talking to each other).
	# The FORWARD/lo rule is kept from the original although nothing is ever
	# forwarded from lo.
	"$IPT" -A INPUT -i lo -j ACCEPT
	"$IPT" -A FORWARD -i lo -s "$LAN" -j ACCEPT
	"$IPT" -A OUTPUT -p ALL -o lo -j ACCEPT

# --------------------------------------------------------------------------
--

# --------------------------------------------------------------------------
--

	# EXPLOIT PROTECTION & TWEAKS
	#----------------------------

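# Kernel network knobs.  set_sysctl writes $2 into knob $1 and silently
# skips a knob this kernel does not provide (the original guarded each echo
# with a -e/-f test; -w additionally covers a read-only /proc).
set_sysctl() {
  [ -w "$1" ] || return 0
  echo "$2" > "$1" 2>/dev/null
}

# TCP timestamps off: removes the uptime leak (and PAWS along with it).
set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0

# Ignore ICMP errors that do not match any socket.
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

# SYN cookies: keep accepting connections while the SYN backlog is full.
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

# Reverse-path filtering on every interface (anti-spoofing).
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_sysctl "$knob" 1
done

# Do not accept ICMP redirects.  FIX: the original cleared the flag for
# $WANIFACE only; as far as I can tell the kernel also consults conf/all
# for a non-forwarding host (confirm on this kernel), so clear it on every
# interface, "all" and "default" included, exactly like rp_filter above.
for knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  set_sysctl "$knob" 0
done

# Source-routed packets are the other classic way to steer traffic around
# the filter; refuse them on every interface as well.
for knob in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  set_sysctl "$knob" 0
done

# Do not answer broadcast pings (Smurf amplifier).
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# ECN off, as in the original (which set it twice; once is enough).
set_sysctl /proc/sys/net/ipv4/tcp_ecn 0

# Conntrack tuning: generic (non-TCP/UDP/ICMP) entries expire after 120 s
# instead of the default 600.
set_sysctl /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
# NOTE(review): 4096 tracked connections (default 2048) is small for a
# public web+mail box; when the table is full, packets of NEW connections
# are dropped ("ip_conntrack: table full").  Size it to the available RAM.
set_sysctl /proc/sys/net/ipv4/ip_conntrack_max 4096

# TCP tuning grouped under the dos_protect switch.
if [ "$dos_protect" = "on" ]; then
  set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800   # probe idle sessions after 30 min
  set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30        # free FIN-WAIT-2 sockets sooner
  set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 1
  # NOTE(review): disabling SACK costs throughput on lossy links and is not
  # a security control; kept because the original did it.
  set_sysctl /proc/sys/net/ipv4/tcp_sack 0
  set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 1280
fi

# Ephemeral port range for local clients (must stay inside $UNPRIVPORTS).
set_sysctl /proc/sys/net/ipv4/ip_local_port_range "32768 61000"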

# --------------------------------------------------------------------------
--


# --------------------------------------------------------------------------
--

    # Start Ruleset
    #--------------

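	# Kill INVALID packets (conntrack cannot tie them to any connection).
	# FIX: the state was spelled "invalid"; if the state parser were
	# case-sensitive the rule would have been rejected and INVALID packets
	# left unfiltered -- spelled INVALID like every other state here.
	"$IPT" -A INPUT -m state --state INVALID -j LINVALID

	# TCP sanity checks (bad flag combinations, spoofed/bogon sources)
	"$IPT" -A INPUT -i "$WANIFACE" -p tcp -j CHECKBADFLAG

	#-----ICMP & Traceroute filtering-----#

	"$IPT" -A INPUT -i "$WANIFACE" -p icmp -j ICMPINBOUND
	"$IPT" -A OUTPUT -o "$WANIFACE" -p icmp -j ICMPOUTBOUND

	# Block UDP traceroute probes (TRACEROUTE_DEST_PORTS = 33434:33523).
	# NOTE(review): together with the outbound ICMP 3/11 drops this silences
	# UDP traceroute, but a scanner that traces with TCP SYNs to an open
	# port (22, 25, 80, ...) still sees this box as the last hop: the answer
	# is the service's own SYN-ACK.  The hop before it in the nessus report
	# (192.168.0.154) is presumably on the scanner's side of the path and is
	# nothing this box can hide.  Making the host invisible to such a trace
	# would mean not answering on the open ports at all.
	"$IPT" -A INPUT -p udp --dport "$TRACEROUTE_DEST_PORTS" -j DROP

	#--------------------------------------#

	# Reject ident with a TCP reset rather than DROP: remote servers that
	# query ident before serving us would otherwise wait for a timeout.
	"$IPT" -A INPUT -i "$WANIFACE" -p tcp --dport 113 \
		-j REJECT --reject-with tcp-reset
	"$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 113 \
		-j REJECT --reject-with tcp-reset

	# ESTABLISHED/RELATED are in practice already accepted by the rule
	# inserted at position 1 of INPUT, so these three are shadowed; kept
	# from the original as documentation of the intended flows.
	"$IPT" -A INPUT -i "$WANIFACE" -m state \
		--state ESTABLISHED -j ACCEPT
	"$IPT" -A INPUT -i "$WANIFACE" -p tcp \
		--dport "$UNPRIVPORTS" -m state --state RELATED -j TCPACCEPT
	"$IPT" -A INPUT -i "$WANIFACE" -p udp \
		--dport "$UNPRIVPORTS" -m state --state RELATED -j ACCEPT

	# Catch-all rule.  It has to be the LAST rule of INPUT (after every
	# service section) -- anything placed after it would never be reached --
	# which is why it is not enabled at this point.  Until it is appended at
	# the end of the script, packets that match nothing are dropped silently
	# by the INPUT policy and the LDROP chain is never used.
	# "$IPT" -A INPUT -j LDROP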

# -----------------------------------------------------------------
# Public services running ON FIREWALL-BOX (comment out to activate):

    #---------------------------------------------------------
    # SSH server (22), through TCPACCEPT so the global SYN limit applies.
    # NOTE(review): if the administrators always come from known addresses,
    # add "-s <admin-net>" to the INPUT rule -- 22 is the most brute-forced
    # port on any public host.
        "$IPT" -A INPUT -i "$WANIFACE" -p tcp --dport 22 -j TCPACCEPT
        "$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 22 \
                -m state --state ESTABLISHED -j ACCEPT

    #---------------------------------------------------------

    #---------------------------------------------------------
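    # FTP server (control connection on 21).
    # FIX: nothing ever connects *to* port 20.  In active mode the server
    # opens the data connection itself, from source port 20 (the OUTPUT rule
    # below); in passive mode the client connects to a high port that
    # conntrack marks RELATED -- provided the ip_conntrack_ftp helper is
    # loaded, which this script does not do (check lsmod / modprobe it
    # before the rules).  The former "INPUT --dport 20 ACCEPT" therefore only
    # exposed whatever might happen to listen on 20 and has been removed.
    # NOTE(review): FTP carries passwords in clear text; if the FTP users are
    # the SSH users, SFTP over 22 makes this section unnecessary.

	# ftp-data, server-initiated (active mode)
	"$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 20 -j ACCEPT

	# ftp control, through TCPACCEPT like the other services so the SYN
	# limit applies
	"$IPT" -A INPUT -i "$WANIFACE" -p tcp --dport 21 -j TCPACCEPT
	"$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 21 -j ACCEPT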
    #---------------------------------------------------------

    #---------------------------------------------------------
    # Mail server: SMTP (25), POP3 (110), IMAP (143).
    # NOTE(review): the original headings said "Pop et Pops" / "Imap et
    # Imaps", but only the clear-text ports are opened here; POP3S (995) and
    # IMAPS (993) are NOT allowed by this block.  Remote mail users therefore
    # authenticate in clear text unless STARTTLS is enforced by the server.
    for mail_port in 25 110 143; do
        "$IPT" -A INPUT -i "$WANIFACE" -p tcp --dport "$mail_port" -j TCPACCEPT
        "$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport "$mail_port" \
            -m state --state ESTABLISHED -j ACCEPT
    done


    #---------------------------------------------------------

    #---------------------------------------------------------

 # DNS: full server (53)
    # ---------------------

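    # server/client to server query or response
    # NOTE(review): these accept queries from any source.  If named recurses
    # for its clients, restrict the first rule with "-s $LAN" (or disable
    # recursion for outsiders in named.conf): an open recursive resolver is
    # an amplification relay.  53/tcp is not opened for the server here, so
    # truncated answers and zone transfers to/from this box will fail.

	# queries from normal clients (unprivileged source port) and our answers
	"$IPT" -A INPUT  -i "$WANIFACE" -p udp \
             --source-port "$UNPRIVPORTS" \
             -d "$WANIP" --destination-port 53 -j ACCEPT

	"$IPT" -A OUTPUT -o "$WANIFACE" -p udp \
             -s "$WANIP" --source-port 53 \
             --destination-port "$UNPRIVPORTS" -j ACCEPT

	# queries from old-style servers that send from port 53, and our answers
	"$IPT" -A INPUT  -i "$WANIFACE" -p udp \
             --source-port 53 \
             -d "$WANIP" --destination-port 53 -j ACCEPT

	"$IPT" -A OUTPUT -o "$WANIFACE" -p udp \
             -s "$WANIP" --source-port 53 \
             --destination-port 53 -j ACCEPT

 # DNS client (53)
 # ---------------
    # Replies to queries this box sends out.
    # FIX: the original reply rules matched on "source port 53" alone.  Any
    # host can choose 53 as its source port, so they let arbitrary UDP reach
    # every port in 1024:65535 (and non-SYN TCP segments likewise) -- the
    # classic stateless-firewall bypass.  Requiring ESTABLISHED ties the
    # packet to a query this box actually sent.  (The ESTABLISHED,RELATED
    # rule at the top of INPUT already accepts such replies; these rules now
    # merely document the flow instead of punching a hole.)

	"$IPT" -A INPUT  -i "$WANIFACE" -p udp \
             --source-port 53 \
             -d "$WANIP" --destination-port "$UNPRIVPORTS" \
             -m state --state ESTABLISHED -j ACCEPT

	"$IPT" -A OUTPUT -o "$WANIFACE" -p udp \
             -s "$WANIP" --source-port "$UNPRIVPORTS" \
             --destination-port 53 -j ACCEPT

	"$IPT" -A INPUT  -i "$WANIFACE" -p tcp ! --syn \
             --source-port 53 \
             -d "$WANIP" --destination-port "$UNPRIVPORTS" \
             -m state --state ESTABLISHED -j ACCEPT

	"$IPT" -A OUTPUT -o "$WANIFACE" -p tcp \
             -s "$WANIP" --source-port "$UNPRIVPORTS" \
             --destination-port 53 -j ACCEPT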

    #---------------------------------------------------------

    #---------------------------------------------------------
    # HTTP (80) and HTTPS (443) server, through the SYN limiter.
        for web_port in 80 443; do
            "$IPT" -A INPUT -i "$WANIFACE" -p tcp --dport "$web_port" -j TCPACCEPT
            "$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport "$web_port" \
                -m state --state ESTABLISHED -j ACCEPT
        done

    #---------------------------------------------------------

    #---------------------------------------------------------
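    # Webmin (10000): an administrative interface that typically runs as
    # root.  FIX: it was reachable from anywhere and bypassed TCPACCEPT.
    # Limited to hosts on $LAN -- a no-op while LAN == WAN; put the admin
    # workstation's address there to restrict it today -- and passed through
    # the SYN limiter like every other service.
        "$IPT" -A INPUT -i "$WANIFACE" -s "$LAN" -p tcp --dport 10000 -j TCPACCEPT
        "$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 10000 \
                -m state --state ESTABLISHED -j ACCEPT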

    #---------------------------------------------------------

    #---------------------------------------------------------
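    # SWAT (901, Samba web administration): same treatment as Webmin -- it
    # administers Samba as root and, unless fronted by TLS, carries the root
    # password in clear text.  Limited to $LAN (a no-op while LAN == WAN;
    # use the admin workstation's address to restrict it today).
        "$IPT" -A INPUT -i "$WANIFACE" -s "$LAN" -p tcp --dport 901 -j TCPACCEPT
        "$IPT" -A OUTPUT -o "$WANIFACE" -p tcp --sport 901 \
                -m state --state ESTABLISHED -j ACCEPT
    #---------------------------------------------------------

    #---------------------------------------------------------
    # Catch-all: whatever no service rule accepted is logged (rate-limited,
    # tagged by protocol) and dropped via LDROP instead of vanishing silently
    # under the INPUT policy.  Without this rule the LDROP chain defined
    # above is never used and dropped traffic never shows up in the logs.
    # Keep it the LAST INPUT rule: new service sections go above it.
        "$IPT" -A INPUT -j LDROP
    #---------------------------------------------------------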


Merci
Nicolas M.

