readme.md

Firewall for debian

copy firewall.service file in /etc/systemd/system/firewall.service

copy firewall in /etc/init.d/firewall

Enable the new service

systemctl enable firewall.service

todo list

• write an installer
• force user to choose ssh port to filter + warning

firewall

#!/bin/sh 

# /etc/init.d/firewall
# chmod +x

### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Démarre les règles iptables
# Description: Charge la configuration du pare-feu iptables
### END INIT INFO


# Réinitialise les règles
iptables -t filter -F 
iptables -t filter -X 
 
# Bloque tout le trafic
iptables -t filter -P INPUT DROP 
iptables -t filter -P FORWARD DROP 
iptables -t filter -P OUTPUT DROP 
 
# Autorise les connexions déjà établies et localhost
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -t filter -A INPUT -i lo -j ACCEPT 
iptables -t filter -A OUTPUT -o lo -j ACCEPT 
 
# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT 
iptables -t filter -A OUTPUT -p icmp -j ACCEPT 
 
# SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT    # Attention, si vous avez changé le port SSH dans le fichier /etc/ssh/sshd_config, indiquez le à la place de 22 
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT 
 
# DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT 
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT 
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT 
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT 

# NTP (horloge du serveur) 
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
 
# HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT 
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT 
# HTTP Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8008 -j ACCEPT

# HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
# HTTPS Caldav
iptables -t filter -A OUTPUT -p tcp --dport 8008 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT

# FTP 
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT 
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT 

# Mail SMTP 
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT 
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT 
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
 
# Mail POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT 
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT 
 
# Mail IMAP
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT 
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT 
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Anti Flood / Deni de service / scan de port
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

firewall.service

[Unit]
Description=Firewall with iptables

[Service]
ExecStart=/etc/init.d/firewall

[Install]
WantedBy=multi-user.target