|
Lines 1-14
Link Here
|
| 1 |
<?xml version='1.0' encoding="UTF-8"?> |
1 |
<?xml version='1.0' encoding="UTF-8"?> |
| 2 |
<!-- $Header: /var/www/www.gentoo.org/raw_cvs/gentoo/xml/htdocs/doc/fr/security/shb-firewalls.xml,v 1.2 2005/10/16 10:03:39 neysx Exp $ --> |
2 |
<!-- $Header: /var/www/www.gentoo.org/raw_cvs/gentoo/xml/htdocs/doc/fr/security/shb-firewalls.xml,v 1.2 2005/10/16 10:03:39 neysx Exp $ --> |
| 3 |
<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
3 |
<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
| 4 |
|
4 |
|
| 5 |
<sections> |
5 |
<sections> |
| 6 |
|
6 |
|
| 7 |
<version>1.1</version> |
7 |
<version>1.2</version> |
| 8 |
<date>2005-10-16</date> |
8 |
<date>2006-10-31</date> |
| 9 |
|
9 |
|
| 10 |
<section> |
10 |
<section> |
| 11 |
<title>Un pare-feu</title> |
11 |
<title>Un pare-feu</title> |
| 12 |
<body> |
12 |
<body> |
| 13 |
|
13 |
|
| 14 |
<p> |
14 |
<p> |
|
Lines 707-736
Link Here
|
| 707 |
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:" |
707 |
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:" |
| 708 |
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP |
708 |
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP |
| 709 |
|
709 |
|
| 710 |
# Applique et ajoute les chaînes invalides. |
710 |
# Applique et ajoute les chaînes invalides. |
| 711 |
einfo "Appliquer les chaînes a INPUT" |
711 |
einfo "Appliquer les chaînes a INPUT" |
| 712 |
$IPTABLES -A INPUT -m state --state INVALID -j DROP |
712 |
$IPTABLES -A INPUT -m state --state INVALID -j DROP |
| 713 |
$IPTABLES -A INPUT -j icmp_allowed |
713 |
$IPTABLES -A INPUT -p icmp -j icmp_allowed |
| 714 |
$IPTABLES -A INPUT -j check-flags |
714 |
$IPTABLES -A INPUT -j check-flags |
| 715 |
$IPTABLES -A INPUT -i lo -j ACCEPT |
715 |
$IPTABLES -A INPUT -i lo -j ACCEPT |
| 716 |
$IPTABLES -A INPUT -j allow-ssh-traffic-in |
716 |
$IPTABLES -A INPUT -j allow-ssh-traffic-in |
| 717 |
$IPTABLES -A INPUT -j allowed-connection |
717 |
$IPTABLES -A INPUT -j allowed-connection |
| 718 |
|
718 |
|
| 719 |
einfo "Appliquer les chaînes au FORWARD" |
719 |
einfo "Appliquer les chaînes au FORWARD" |
| 720 |
$IPTABLES -A FORWARD -m state --state INVALID -j DROP |
720 |
$IPTABLES -A FORWARD -m state --state INVALID -j DROP |
| 721 |
$IPTABLES -A FORWARD -j icmp_allowed |
721 |
$IPTABLES -A FORWARD -p icmp -j icmp_allowed |
| 722 |
$IPTABLES -A FORWARD -j check-flags |
722 |
$IPTABLES -A FORWARD -j check-flags |
| 723 |
$IPTABLES -A FORWARD -o lo -j ACCEPT |
723 |
$IPTABLES -A FORWARD -o lo -j ACCEPT |
| 724 |
$IPTABLES -A FORWARD -j allow-ssh-traffic-in |
724 |
$IPTABLES -A FORWARD -j allow-ssh-traffic-in |
| 725 |
$IPTABLES -A FORWARD -j allow-www-traffic-out |
725 |
$IPTABLES -A FORWARD -j allow-www-traffic-out |
| 726 |
$IPTABLES -A FORWARD -j allowed-connection |
726 |
$IPTABLES -A FORWARD -j allowed-connection |
| 727 |
|
727 |
|
| 728 |
einfo "Appliquer les chaînes à l'OUTPUT" |
728 |
einfo "Appliquer les chaînes à l'OUTPUT" |
| 729 |
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
729 |
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
| 730 |
$IPTABLES -A OUTPUT -j icmp_allowed |
730 |
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed |
| 731 |
$IPTABLES -A OUTPUT -j check-flags |
731 |
$IPTABLES -A OUTPUT -j check-flags |
| 732 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
732 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
| 733 |
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out |
733 |
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out |
| 734 |
$IPTABLES -A OUTPUT -j allow-dns-traffic-out |
734 |
$IPTABLES -A OUTPUT -j allow-dns-traffic-out |
| 735 |
$IPTABLES -A OUTPUT -j allow-www-traffic-out |
735 |
$IPTABLES -A OUTPUT -j allow-www-traffic-out |
| 736 |
$IPTABLES -A OUTPUT -j allowed-connection |
736 |
$IPTABLES -A OUTPUT -j allowed-connection |
