% Firewall installation

# Using lfirewall

## Getting the source

```bash
git clone git@git.hubbros.fr:lhubert/lfirewall.git
cd lfirewall
```

## Installation

```bash
sudo make
```

## Configuration

```bash
sudo cp /etc/lfirewall/lfirewall.conf /etc/lfirewall/lfirewall.conf.local
```

Edit `/etc/lfirewall/lfirewall.conf.local` and set the following lines:

```
ALLOW_IP_FORWARDING=0
NETWORK_IF=eth0

# SSH
SSH_PORT="64035"
TCP_SERVICES="22"

# Web server
TCP_SERVICES="http https $TCP_SERVICES"
#...

REMOTE_TCP_SERVICES="80 443"                            # Web browsing
REMOTE_TCP_SERVICES="22 $REMOTE_TCP_SERVICES"           # SSH
REMOTE_TCP_SERVICES="20 $REMOTE_TCP_SERVICES"           # FTP
REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"
REMOTE_UDP_SERVICES="53"                                # DNS

BANNED_LISTS="et_spamhaus spamhaus_drop et_dshield"
```

Note that `SSH_PORT` is the port the real SSH daemon listens on (64035), while port 22 stays in `TCP_SERVICES` so that the ban rules installed below can trap connections to it. `$SAMBA_PORTS` must already be defined earlier in the file, otherwise it expands to nothing.

## Creating the ipset lists

```bash
sudo ipset create whitelist hash:net hashsize 4096
sudo ipset add whitelist 83.193.14.206
sudo ipset create et_spamhaus hash:net hashsize 4096
sudo ipset create spamhaus_drop hash:net hashsize 4096
sudo ipset create et_dshield hash:net hashsize 4096
```

The three `et_spamhaus`, `spamhaus_drop` and `et_dshield` sets must exist before `update-ipsets` fills them and before the firewall references them; `whitelist` holds the addresses that are accepted on SSH/HTTP/HTTPS ahead of every ban rule. `ipset create` fails if a set already exists; pass `-exist` when the commands are rerun.

## Installing firehol-tools (update-ipsets)

Install the Debian package that provides `update-ipsets`:

```bash
sudo apt install firehol-tools
```

:::warning
Enabling the three lists in a single command, `sudo update-ipsets enable et_spamhaus spamhaus_drop et_dshield`, does not work well. Enable and run them one at a time:
:::

```bash
for chain in et_spamhaus spamhaus_drop et_dshield
do
    sudo update-ipsets enable $chain
    sudo update-ipsets -s run $chain
done
```

## Making the ipsets persistent

```bash
sudo apt install ipset-persistent
```

This is a plugin for netfilter-persistent; save the sets once they are populated (`sudo netfilter-persistent save`) so they are reloaded at boot before the firewall rules that reference them.

Remove ufw if it is installed (two tools managing the same iptables rules will conflict).

### Regular updates

```bash
sudo crontab -e
```

Add:

```
# Update the ban lists
0 */2 * * * /usr/sbin/update-ipsets -s > /dev/null 2>&1
```

## Installing the automatic ban rules for port 22

[Banning any connection to a given port](ban-connection-port.html)

### Saving these rules into lfirewall

```bash
sudo iptables-save -t filter -f /etc/lfirewall/iptables-user.v4
sudo ip6tables-save -t filter -f /etc/lfirewall/iptables-user.v6
```

Then add the rules for the reverse proxy:

```
# Generated by iptables-save v1.8.9 on Fri Feb 14 01:09:27 2025
*raw
:PREROUTING ACCEPT [468:33624]
:OUTPUT ACCEPT [465:35352]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
# Completed on Fri Feb 14 01:09:27 2025
# Generated by iptables-save v1.8.9 on Fri Feb 14 01:09:27 2025
*nat
:PREROUTING ACCEPT [24:968]
:INPUT ACCEPT [23:908]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.10:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.10:443
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 14 01:09:27 2025
```

Two things to check in this dump before saving it: the `CT --zone 1` and `MASQUERADE` rules each appear twice, which means they were appended twice without a flush, and only one copy should be kept; and the DNAT rules only deliver traffic to 10.1.0.10 if the kernel forwards packets (`sysctl net.ipv4.ip_forward`), so make sure this does not conflict with `ALLOW_IP_FORWARDING=0` set above.

## Testing the firewall

### First test

FOLLOW ALL THE INSTRUCTIONS CAREFULLY.

On the machine under test:

```bash
sudo lfirewall test &
```

WITHIN 30 s: from another terminal, open a second SSH session (the connection must be immediate).

### Second test

Add the following line to root's crontab:

```bash
*/10 * * * * /usr/sbin/lfirewall clear
```

This is the safety net: if the rules lock you out, cron clears them within ten minutes. Then test the firewall for real:

```bash
sudo lfirewall start
```

### Displaying the iptables rules

```bash
sudo iptables -L -v
```

```
Chain INPUT (policy DROP 9 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh match-set whitelist src
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https match-set whitelist src
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http match-set whitelist src
    1    60 DROP       all  --  any    any     anywhere             anywhere             match-set et_dshield src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set spamhaus_drop src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set et_spamhaus src
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https state NEW recent: UPDATE seconds: 30 hit_count: 20 name: DEFAULT side: source mask: 255.255.255.255
    0     0            tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 30 hit_count: 20 name: DEFAULT side: source mask: 255.255.255.255
    0     0            tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    0     0 SET        tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh recent: UPDATE hit_count: 1 name: SSH_BLOCK side: source mask: 255.255.255.255 add-set banned_ips src
    0     0            tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW recent: SET name: SSH_BLOCK side: source mask: 255.255.255.255
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set banned_ips src
  698 56728 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   12   384 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    1    64 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:64035
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    9   380 LOG        all  --  any    any     anywhere             anywhere             LOG level warn

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warn

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   688 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:64035
  350 21995 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
  316 34444 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warn
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
```

How to read this listing: the real SSH port (`dpt:64035`) is accepted in both INPUT and OUTPUT, while port 22 (`dpt:ssh`) is wired to the `SSH_BLOCK` recent list that feeds `banned_ips` (the rules from the linked page); the `whitelist` ACCEPT rules come first, so traffic from the whitelisted address to those three ports bypasses the ban lists and the 20-connections-per-30-seconds limit on HTTP/HTTPS; the loopback ACCEPT rule appears four times in INPUT and in OUTPUT, which again indicates rules loaded repeatedly without a flush; and the FORWARD chain has policy ACCEPT with nothing but a LOG rule, so once forwarding is enabled for the reverse proxy every routed packet is allowed. Restrict FORWARD to the DNAT flows (new connections from `eth0` to 10.1.0.10 ports 80 and 443, plus RELATED,ESTABLISHED) before relying on it.

## Enabling the lfirewall service

```bash
sudo systemctl enable lfirewall
sudo systemctl start lfirewall
```

Remove the `lfirewall clear` crontab entry once everything has been verified to work.
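The duplicated rules in the reverse-proxy dump and the repeated loopback rules in the listing above are both symptoms of appending rules without first checking whether they exist. The script below is an added example, not part of lfirewall: a sanity check over `iptables-save` output that reports rules appearing more than once and chains left with an ACCEPT policy, plus a helper that appends a rule only when `iptables -C` says it is absent. The function names, the `IPT` variable and the embedded sample dump are this example's own; the sample is constructed from the rules shown on this page.

```shell
#!/bin/sh
# Added example (not lfirewall code): sanity checks for an iptables rule set.

# Print every "-A" rule that occurs more than once in an iptables-save dump
# read from stdin. Rules are keyed per table, since the same rule text in
# two different tables is not a duplicate.
find_duplicate_rules() {
    awk '
        /^\*/ { table = $0; next }              # "*raw", "*nat", "*filter"
        /^-A / { key = table " " $0
                 if (++seen[key] == 2) print key }
    '
}

# Print the chains of table $1 whose default policy is ACCEPT.
# Policy lines in a dump look like ":FORWARD ACCEPT [0:0]".
find_accept_policies() {
    awk -v want="*$1" '
        /^\*/ { table = $0; next }
        /^:/ && table == want && $2 == "ACCEPT" { print substr($1, 2) }
    '
}

# Append a rule to a table only if it is not already there.
# IPT defaults to iptables; it is a variable so the helper can be dry-run.
IPT="${IPT:-iptables}"
ensure_rule() {
    table="$1"; shift
    if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        return 0                                # already present
    fi
    "$IPT" -t "$table" -A "$@"
}

# Constructed sample: the raw/nat dump from the reverse-proxy section (each
# rule twice) and a filter table mirroring the listing (FORWARD policy
# ACCEPT, loopback rule repeated).
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [468:33624]
:OUTPUT ACCEPT [465:35352]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
*nat
:PREROUTING ACCEPT [24:968]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.10:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.10:443
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [9:380]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Number of duplicated rules in the sample (one per duplicated rule).
count_sample_duplicates() {
    printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules | wc -l | tr -d ' '
}

# On the host:  sudo iptables-save | find_duplicate_rules
#               sudo iptables-save | find_accept_policies filter
```

`ensure_rule nat PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.0.10:80` is the idempotent form of the DNAT rule from the dump; running it twice leaves a single rule in place. Both checks run as root against the live tables.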
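The "second test" above protects against locking yourself out with a crontab entry that runs `lfirewall clear` every ten minutes, which then has to be removed by hand. As an added example (not lfirewall code), the functions below implement the same dead-man's-switch idea inside one shell session: a background timer runs the rollback command after a delay unless it is disarmed first, which you do only after a fresh SSH session has succeeded. The function names and the `ROLLBACK_PID` variable are this example's own.

```shell
#!/bin/sh
# Added example (not lfirewall code): time-boxed rollback for a risky change.
#   arm_rollback SECONDS COMMAND   start the timer
#   disarm_rollback                cancel it (only once access is confirmed)

# Start a background subshell that runs COMMAND after SECONDS.
# Killing that subshell before the sleep ends means COMMAND never runs.
arm_rollback() {
    delay="$1"; shift
    ( sleep "$delay" && eval "$*" ) &
    ROLLBACK_PID=$!
}

# Cancel the pending rollback. Safe to call when nothing is armed.
disarm_rollback() {
    [ -n "${ROLLBACK_PID:-}" ] || return 0
    kill "$ROLLBACK_PID" 2>/dev/null || true
    wait "$ROLLBACK_PID" 2>/dev/null || true
    ROLLBACK_PID=""
}

# Succeeds while a rollback timer is still counting down.
rollback_pending() {
    [ -n "${ROLLBACK_PID:-}" ] && kill -0 "$ROLLBACK_PID" 2>/dev/null
}

# Typical use on the host (commands from this page, not executed here):
#   arm_rollback 600 "lfirewall clear"
#   lfirewall start
#   ... open a new SSH session from another terminal ...
#   disarm_rollback
```

Keep the delay well above the time it takes you to open the second session, and leave the session that armed the timer open: the timer is a child of that shell, and if the shell dies it is the `sleep` that keeps the rollback alive, not a cron entry that survives reboots.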