IPTABLES

Script

Ajouté au fichier d'interface pour qu'il soit exécuté à chaque redémarrage du service (les règles sont donc rechargées à chaque fois ; le script doit pouvoir être relancé sans dupliquer les règles existantes).

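#!/bin/bash
#
# IPv4 firewall for a gateway with an upstream link on eth0 and the VLAN42
# network (192.168.42.0/24) on eth0.42.
#
# This script is re-run each time the interface is brought up, so the ruleset
# is rebuilt from scratch on every run (see the flush below) instead of
# appending a second copy of each rule to the existing chains.
#
# Only iptables (IPv4) is configured here; this script does not touch
# ip6tables, so IPv6 traffic -- if IPv6 is enabled on this host -- is not
# filtered by it.

# Abort on the first failing iptables command. The default policies are set to
# DROP before any ACCEPT rule is added, so a partially applied ruleset fails
# closed (console access still works) rather than silently leaving a gap.
set -euo pipefail

# Rebuild from scratch: flush both the filter and nat tables and delete any
# user-defined chains, otherwise each restart duplicates every rule.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies: nothing in or through unless explicitly allowed.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Loopback is trusted.
iptables -A INPUT -i lo -j ACCEPT
# The VLAN42 network is trusted, but only when it actually arrives on the VLAN
# interface: without -i, a packet on eth0 carrying a spoofed 192.168.42.x
# source address would be accepted as well.
iptables -A INPUT -i eth0.42 -s 192.168.42.0/24 -j ACCEPT

# Stateful return traffic for connections this host initiated as a client
# (DNS, SSH, HTTP/HTTPS, FTP, mail, NTP, RDP, NFS, ...).
# This replaces the former "--sport <port> -j ACCEPT" rules. Matching only on
# the remote source port let any host reach every local port simply by
# sending from port 53/22/80/443/20/21/993/25/143/123/3389/2049, which
# bypassed the DROP policy entirely. Conntrack only admits packets that belong
# to a connection already seen leaving this host.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets that belong to no known connection (malformed, out of window) are
# dropped before the per-service rules below get a chance to match them.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# NAT hosts from VLAN42 towards the upstream link. Restricted to the VLAN42
# source range so nothing else that happens to route out of eth0 is
# masqueraded.
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
# Track and forward return traffic for connections initiated by VLAN42 hosts.
iptables -A FORWARD -i eth0 -o eth0.42 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Forward anything originating on VLAN42.
iptables -A FORWARD -i eth0.42 -j ACCEPT

# Services offered by this host. As in the original ruleset these carry no -i
# restriction, so they are reachable from eth0 as well as from VLAN42 -- review
# whether each one really has to be exposed on the upstream side.

# DNS server
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# DHCP: 67 = server side (DISCOVER/REQUEST from VLAN42 clients are sent from
# 0.0.0.0, so the 192.168.42.0/24 rule above does not match them);
# 68 = client side (offers may be broadcast and are not reliably tracked by
# conntrack, so they need an explicit rule).
iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp --dport 68 -j ACCEPT

# SSH server
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Web server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# FTP: this host is an FTP client only. The control connection and passive-mode
# data connections are covered by the RELATED,ESTABLISHED rule. Active-mode
# data connections (server connecting back from port 20) additionally need the
# FTP conntrack helper (nf_conntrack_ftp; on recent kernels a
# "-t raw ... -j CT --helper ftp" rule is required for it to be assigned) --
# the old "--sport 20/21 -j ACCEPT" rules opened every local port instead.

# Mail server (SMTP, IMAP, IMAPS)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

# ICMP (ping requests and error messages)
iptables -A INPUT -p icmp -j ACCEPT

# NTP: client only, replies are covered by the RELATED,ESTABLISHED rule.

# RDP forwarding to a VLAN42 host (disabled)
#iptables -A FORWARD -i eth0 -p tcp --dport 3389 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 3389 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.42.3

# XRDP server on this host
iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT
iptables -A INPUT -i eth0.42 -p tcp --dport 3390 -j ACCEPT

# RDP (3389) and NFS (2049) clients: replies are covered by the
# RELATED,ESTABLISHED rule; the former "--sport 3389" / "--sport 2049" rules
# were removed for the reason given above.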