
% Installing the firewall

# Using lfirewall

## Fetching the sources

```
git clone git@git.hubbros.fr:lhubert/lfirewall.git
cd lfirewall
```

## Installation

```
sudo make
```

## Configuration

```
sudo cp /etc/lfirewall/lfirewall.conf /etc/lfirewall/lfirewall.conf.local
```

Edit /etc/lfirewall/lfirewall.conf.local and put in the following lines:

```
ALLOW_IP_FORWARDING=0

NETWORK_IF=eth0


# SSH
SSH_PORT="64035"

TCP_SERVICES="22"

# Web server
TCP_SERVICES="http https $TCP_SERVICES"

#...

REMOTE_TCP_SERVICES="80 443" # Web browsing
REMOTE_TCP_SERVICES="22 $REMOTE_TCP_SERVICES" # SSH
REMOTE_TCP_SERVICES="20 $REMOTE_TCP_SERVICES" # FTP

REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"

REMOTE_UDP_SERVICES="53" # DNS

BANNED_LISTS="et_spamhaus spamhaus_drop et_dshield"
```

## Creating the ipset lists

```
sudo ipset create whitelist hash:net hashsize 4096
sudo ipset add whitelist 83.193.14.206
sudo ipset create et_spamhaus hash:net hashsize 4096
sudo ipset create spamhaus_drop hash:net hashsize 4096
sudo ipset create et_dshield hash:net hashsize 4096
```

The whitelist holds the addresses that are always accepted on the SSH/HTTP/HTTPS ports ahead of the ban lists (see the INPUT chain in the test section below); put your own administration address in it. `ipset create` fails when a set already exists, so add `-exist` if you want the commands to be re-runnable.

## Installing firehol-tools (update-ipsets)

:::warning

Running `sudo update-ipsets enable et_spamhaus spamhaus_drop et_dshield` with all the lists in one command does not work well.

:::

Enable and run each list separately instead:

```
for chain in et_spamhaus spamhaus_drop et_dshield
do
    sudo update-ipsets enable $chain
    sudo update-ipsets -s run $chain
done
```

## Making the ipsets persistent

```
sudo apt install ipset-persistent
```

Remove ufw if necessary.

## Regular updates

```
sudo crontab -e
```

and add:

```
# Update the ban lists
0 */2 * * * /usr/sbin/update-ipsets -s > /dev/null 2>&1
```
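A failed or skipped update-ipsets run leaves a set empty, and an empty ban list blocks nothing, so it is worth checking the sets named in BANNED_LISTS before trusting the firewall. The script below is an added example (not part of lfirewall or firehol) that parses the terse `ipset list -t` listing; the sample listing is constructed, and the field layout (`Name:`, `Number of entries:`) is the one `ipset list -t` prints.

```shell
# Added example, not part of lfirewall or firehol: check every set named in
# BANNED_LISTS against the output of `sudo ipset list -t` (terse listing of all
# sets) so that a missing or empty ban list is noticed before lfirewall starts.

# Entry count of one set taken from its "Name:" block, or -1 when the set
# does not appear in the listing.
set_entries() {  # $1 = set name, $2 = `ipset list -t` output
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == "Name:"                  { seen = ($2 == name) }
        seen && /^Number of entries:/  { print $4; found = 1; exit }
        END                            { if (!found) print -1 }'
}

# Prints "ok" when every list exists and is populated, else one line per
# problem; exit status 1 in that case so it can gate a cron job.
check_banned_lists() {  # $1 = BANNED_LISTS value, $2 = `ipset list -t` output
    status=ok
    for name in $1; do
        n=$(set_entries "$name" "$2")
        if [ "$n" -lt 0 ]; then echo "$name: set does not exist"; status=fail
        elif [ "$n" -eq 0 ]; then echo "$name: set is empty (update-ipsets failed?)"; status=fail
        fi
    done
    [ "$status" = ok ] && echo ok
}

# Constructed sample of `ipset list -t` output: one healthy list, one empty,
# and spamhaus_drop missing altogether.
SAMPLE=$(cat <<'EOF'
Name: whitelist
Type: hash:net
References: 3
Number of entries: 1

Name: et_dshield
Type: hash:net
References: 1
Number of entries: 20

Name: et_spamhaus
Type: hash:net
References: 1
Number of entries: 0
EOF
)
# Real use: check_banned_lists "$BANNED_LISTS" "$(sudo ipset list -t)"
check_banned_lists "et_spamhaus spamhaus_drop et_dshield" "$SAMPLE" \
    || echo "fix the lists above before starting lfirewall"
```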

## Installing the automatic banning rules for port 22

### Banning every connection to a given port

### Saving these rules in lfirewall

```
sudo iptables-save -t filter -f /etc/lfirewall/iptables-user.v4
sudo ip6tables-save -t filter -f /etc/lfirewall/iptables-user.v6
```

### Adding the rules for the reverse proxy

The rules below forward ports 80 and 443 arriving on eth0 to 10.1.0.10 and masquerade the 10.1.0.0/24 network behind eth0:

```
# Generated by iptables-save v1.8.9 on Fri Feb 14 01:09:27 2025
*raw
:PREROUTING ACCEPT [468:33624]
:OUTPUT ACCEPT [465:35352]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
# Completed on Fri Feb 14 01:09:27 2025
# Generated by iptables-save v1.8.9 on Fri Feb 14 01:09:27 2025
*nat
:PREROUTING ACCEPT [24:968]
:INPUT ACCEPT [23:908]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.10:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.10:443
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 14 01:09:27 2025
```

These DNAT rules only take effect if the kernel forwards packets (`sysctl net.ipv4.ip_forward` must be 1; check the ALLOW_IP_FORWARDING setting, which the configuration above leaves at 0) and the FORWARD chain lets the traffic through. The repeated `CT --zone 1` and MASQUERADE lines are duplicates and can be reduced to one each.

# Testing the firewall

## First test

**Follow all the instructions carefully.**

On the machine under test:

```
sudo lfirewall test &
```

**Within 30 s**: from another terminal, open another SSH session (the connection must be immediate).

## Second test

Add the following line to root's crontab as a safety net while testing (it clears the firewall every 10 minutes, so a mistake cannot lock you out for long):

```
*/10 * * * * /usr/sbin/lfirewall clear
```

Test the firewall for real:

```
sudo lfirewall start
```

Display the iptables rules:

```
sudo iptables -L -v
Chain INPUT (policy DROP 9 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh match-set whitelist src
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https match-set whitelist src
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http match-set whitelist src
    1    60 DROP       all  --  any    any     anywhere             anywhere             match-set et_dshield src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set spamhaus_drop src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set et_spamhaus src
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https state NEW recent: UPDATE seconds: 30 hit_count: 20 name: DEFAULT side: source mask: 255.255.255.255
    0     0            tcp  --  eth0   any     anywhere             anywhere             tcp dpt:https state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW recent: UPDATE seconds: 30 hit_count: 20 name: DEFAULT side: source mask: 255.255.255.255
    0     0            tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
    0     0 SET        tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh recent: UPDATE hit_count: 1 name: SSH_BLOCK side: source mask: 255.255.255.255 add-set banned_ips src
    0     0            tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW recent: SET name: SSH_BLOCK side: source mask: 255.255.255.255
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set banned_ips src
  698 56728 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   12   384 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    1    64 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:64035
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    0     0 ACCEPT     all  --  lo     any     localhost            localhost
    9   380 LOG        all  --  any    any     anywhere             anywhere             LOG level warn

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warn

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   688 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:64035
  350 21995 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      localhost            localhost
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
  316 34444 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warn
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
```
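What makes the INPUT chain above work is rule order: the whitelist ACCEPTs come first, then the ban-list and banned_ips DROPs, and only then the unconditional ACCEPTs for the open ports. A later edit that inserts an ACCEPT above the DROPs would silently disable the banning. The script below is an added example, not part of lfirewall, that checks that order on the output of `sudo iptables -L INPUT -v`; the sample listing is a constructed subset of the chain shown above, and the default admin port 64035 is the SSH_PORT from the configuration.

```shell
# Added example, not part of lfirewall: check that the INPUT chain printed by
# `sudo iptables -L INPUT -v` keeps the precedence the listing above relies on:
#   whitelist ACCEPT  <  ban-list DROPs  <  banned_ips DROP  <  open-port ACCEPTs
# Service names are those printed by `iptables -L`; with -n use port numbers.

# Position (1-based, header lines excluded) of the first rule matching an
# extended regex; prints 0 when no rule matches.
rule_pos() {  # $1 = chain listing, $2 = regex
    printf '%s\n' "$1" | awk -v re="$2" \
        'NR > 2 && !f && $0 ~ re { f = 1; print NR - 2 } END { if (!f) print 0 }'
}

# Prints "ok" when the order is sound, otherwise one line per problem.
check_input_order() {  # $1 = chain listing, $2 = admin SSH port (SSH_PORT)
    listing=$1; admin_port=${2:-64035}; status=ok
    wl=$(rule_pos "$listing" 'ACCEPT .*match-set whitelist src')
    first_drop=$(rule_pos "$listing" '^ *[0-9]+[KMG]? +[0-9]+[KMG]? +DROP ')
    banned=$(rule_pos "$listing" 'DROP .*match-set banned_ips src')
    open=$(rule_pos "$listing" 'ACCEPT .*tcp dpt:(ssh|http|https) *$')
    [ "$open" -eq 0 ] && open=99999; [ "$first_drop" -eq 0 ] && first_drop=99999  # absent = harmless
    if [ "$wl" -eq 0 ] || [ "$wl" -gt "$first_drop" ]; then
        echo "whitelist ACCEPT missing or placed after a DROP"; status=fail
    fi
    for s in et_spamhaus spamhaus_drop et_dshield; do
        p=$(rule_pos "$listing" "DROP .*match-set $s src")
        if [ "$p" -eq 0 ] || [ "$p" -gt "$open" ]; then
            echo "ban list $s missing or shadowed by an open-port ACCEPT"; status=fail
        fi
    done
    if [ "$banned" -eq 0 ] || [ "$banned" -gt "$open" ]; then
        echo "banned_ips DROP missing or shadowed by an open-port ACCEPT"; status=fail
    fi
    if [ "$(rule_pos "$listing" "ACCEPT .*tcp dpt:$admin_port *$")" -eq 0 ]; then
        echo "no ACCEPT for SSH_PORT $admin_port"; status=fail
    fi
    [ "$status" = ok ] && echo ok
}

SAMPLE=$(cat <<'EOF'  # constructed subset of the INPUT chain shown above
Chain INPUT (policy DROP 9 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh match-set whitelist src
    1    60 DROP       all  --  any    any     anywhere             anywhere             match-set et_dshield src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set spamhaus_drop src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set et_spamhaus src
    1    40 DROP       all  --  any    any     anywhere             anywhere             match-set banned_ips src
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    1    64 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:64035
EOF
)
check_input_order "$SAMPLE"   # prints: ok
```

On the live host run `sudo iptables -L INPUT -v | { check_input_order "$(cat)"; }` after sourcing the functions, or pass SSH_PORT from lfirewall.conf.local as the second argument.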

# Enabling the lfirewall service

```
sudo systemctl enable lfirewall
sudo systemctl start lfirewall
```

Remove the crontab safety line (`lfirewall clear`) once you have verified that everything works.