-- Script simple Netfilter (pour une GW connectée au net) --
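#!/bin/sh
# Firewalling -- simple Netfilter rule set for a gateway whose Internet link
# is a PPP interface.
#
# Usage: /etc/init.d/iptables.sh {start|stop|restart}
#
#   start   : flush everything, install the rules, THEN enable IPv4 forwarding
#   stop    : flush everything and open all policies. The host is unfiltered
#             afterwards; forwarding is left enabled so the LAN keeps its
#             Internet access.
#   restart : stop then start.
#
# Security notes:
#   - IPv4 only. Nothing here filters IPv6; if the host has IPv6 connectivity
#     an equivalent ip6tables rule set is needed.
#   - SSH (tcp/22) is accepted on every interface, including $PPP. Add
#     "! -i $PPP" to that rule, or restrict it to known source addresses, if
#     administration from the Internet is not required.
#   - "set -e" is deliberate: when a rule fails to load after the DROP policies
#     have been set, the script aborts in a fail-closed state instead of
#     continuing with a half-loaded rule set.
PATH=/bin:/sbin:/usr/sbin:/usr/bin
set -eu

# Interface facing the Internet. Every other interface is treated as internal.
PPP=ppp0

case "${1:-}" in
start)
  printf 'Turning on firewall'
  ### RESET: flush and delete every chain of the filter and nat tables ###
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  ### DEFAULT POLICIES ###
  # FORWARD used to be ACCEPT, which let any packet reaching $PPP for an
  # internal address be routed into the LAN. It is now DROP; the FORWARD
  # rules below only allow internally-originated sessions and their replies.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  ### INPUT: traffic addressed to the gateway itself ###
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Reject the rest explicitly so clients get an error instead of a timeout.
  iptables -A INPUT -j REJECT
  ### FORWARD: traffic routed through the gateway ###
  # internal -> Internet, and internal -> internal (several LAN interfaces)
  iptables -A FORWARD ! -i "$PPP" -j ACCEPT
  # Internet -> internal: only replies to sessions opened from inside
  iptables -A FORWARD -i "$PPP" -m state --state RELATED,ESTABLISHED -j ACCEPT
  ### MASQUERADING: hide internal addresses behind the PPP address ###
  iptables -t nat -A POSTROUTING -o "$PPP" -j MASQUERADE
  ### ENABLE FORWARDING -- last, so nothing is routed before the rules exist ###
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "..."
  ;;
stop)
  printf 'Turning off firewall'
  # Flush and open everything. Forwarding is NOT disabled here: after "stop"
  # the gateway routes unfiltered traffic between the LAN and $PPP.
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  echo "..."
  ;;
restart)
  # "start" flushes everything itself; stop+start is kept for symmetry but
  # without the old "sleep 2", which only lengthened the unfiltered window.
  "$0" stop
  "$0" start
  ;;
*)
  echo "Usage: /etc/init.d/iptables.sh {start|stop|restart}"
  exit 1
  ;;
esac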
---------------------------
-- Ping check --
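#!/bin/bash
# Ping check: measure the round-trip time to a reference host and play an
# audible alert when it exceeds a threshold -- or when the host does not
# answer at all.
#
# Usage: pingcheck.sh [threshold_ms]        (default: 350)
# Env:   PING_TARGET   host to ping         (default: 8.8.8.8)
#
# Exit status: 0 when the latency is within the threshold, 1 when there was no
# reply or the latency is above the threshold, 2 on a bad argument.
set -uo pipefail

PING_TARGET=${PING_TARGET:-8.8.8.8}
PINGTHRESHOLD=${1:-350}

if [[ ! $PINGTHRESHOLD =~ ^[0-9]+$ ]]; then
  printf 'Usage: %s [threshold_ms]\n' "$0" >&2
  exit 2
fi

# Extract the integer part of "time=NN.N ms" from ping's reply line and print
# it (truncated, like the old "bc" division).
# Returns 1 when no reply line is present. The previous grep/awk pipeline
# produced an empty string in that case, "[ -gt ]" then failed with a syntax
# error and the script fell through to "exit 0" -- a total outage never
# triggered the alert.
latency_ms() {
  local out=$1
  if [[ $out =~ time=([0-9]+)(\.[0-9]+)?\ ms ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
    return 0
  fi
  return 1
}

# -W 5: give up after 5 s so a dead link does not block the script
# (iputils/busybox option; adjust if another ping is installed).
PINGOUT=$(ping -c1 -W 5 "$PING_TARGET" 2>/dev/null)
if ! PINGLATINT=$(latency_ms "$PINGOUT"); then
  printf 'no reply from %s\n' "$PING_TARGET" >&2
  play -q ~jdoe/Musique/bip.mp3
  exit 1
fi

echo "$PINGLATINT"
if (( PINGLATINT > PINGTHRESHOLD )); then
  play -q ~jdoe/Musique/bip.mp3
  exit 1
fi
exit 0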
---------------------------
-- Memproc --
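#!/bin/bash
# Memproc: sum the resident set size (RSS, column 6 of "ps aux") of every
# process whose "ps aux" line contains the given string, and print the total
# in MiB.
#
# Usage: memproc.sh [process]    (prompts for the name when no argument is given)
#
# Matching is still a substring match on the whole "ps aux" line (user,
# command and arguments included), but the pattern is now taken literally
# (grep -F) instead of being interpreted as a regular expression, so names
# such as "a.out" or interactive input cannot widen or alter the match.
set -u

if [[ -z "${1:-}" ]]; then
  printf 'Nom du process : '
  IFS= read -r process
else
  process=$1
fi

# An empty pattern would match every process and report the memory of the
# whole system as if it belonged to one program; refuse it instead.
if [[ -z "$process" ]]; then
  printf 'memproc: empty process name\n' >&2
  exit 1
fi

# "grep -v grep" drops the grep of this very pipeline (and, as before, any
# other process whose line contains "grep").
ps aux \
  | grep -F -- "$process" \
  | grep -v grep \
  | awk 'BEGIN { sum = 0 } { sum += $6 } END { printf("Taille RAM utilisée: %s Mo\n", sum / 1024) }'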
---------------------------
Voir aussi :
http://firehol.sourceforge.net/
Un "firewall builder", assez simple et qui permet de faire des choses intéressantes très rapidement :)
version 5
# Transparent proxy: HTTP arriving on eth0 is redirected to squid on port
# 3128, run as user/group "proxy".
# NOTE(review): eth0 is declared as the Internet side below; transparent
# proxying is normally applied to the LAN-facing interface (eth1) -- confirm.
transparent_squid 3128 "proxy proxy" inface eth0
# Port forward: TCP/80 sent to the public address 100.100.100.100 is DNATed
# to the internal host 192.168.0.2. The forwarded connections still have to
# be accepted by the router below.
nat to-destination 192.168.0.2 proto "tcp" dport "80" dst 100.100.100.100/32
# Internet-facing interface: the gateway itself only serves ssh and OpenVPN
# (tcp and udp 1194); it may open any outbound connection.
interface "eth0" Internet
protection strong
server "ssh" accept
server custom openvpn "tcp/1194 udp/1194" default accept
client all accept
# LAN-facing interface: fully open towards the gateway.
interface "eth1" LAN
policy accept
client all accept
# Forwarding between LAN (eth1) and Internet (eth0), with masquerading.
# NOTE(review): "client all accept" already covers LAN-initiated traffic;
# "route all accept" presumably also admits traffic initiated from the
# Internet side towards the LAN. It is what lets the DNATed HTTP above
# through, but a narrower "server http accept" would do that without opening
# every port -- confirm which is intended.
router lan2internet inface "eth1" outface "eth0"
client all accept
route all accept
masquerade
-- Note --
100.100.100.100 == Public IP
Voir aussi :
- http://wiki.debian.org/DebianFirewall
- http://www.taltan.fr/post/2006/06/08/21-netfilter-scripts-de-configuration-iptables
- http://jaywax.free.fr/?p=25
Démarrage :
# update-rc.d firewall start 40 S . stop 89 0 6 .
http://formation.bearstech.com/trac/wiki/InsiaAdminSysFirewall
# Script simple standalone server
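#!/bin/sh
# Simple standalone-server firewall: every default policy stays ACCEPT; only
# NetBIOS noise and a list of banned source addresses are dropped.
#
# Security notes:
#   - This is a deny-list, not a default-deny firewall: every other port on
#     the host remains reachable from every address. Use "-P INPUT DROP" and
#     accept only the services this host runs if that is what is intended.
#   - IPv4 only; ip6tables is not touched.
#
# The banned-address file (one or more IPv4 addresses/CIDRs per line,
# whitespace separated; "#" comments and blank lines ignored) is read with a
# while/read loop. The previous "$(< file)" form is a bashism: under /bin/sh
# (dash) it runs "< file" as a command and expands to nothing, so the ban list
# was silently never loaded.
PATH=/bin:/sbin:/usr/sbin:/usr/bin
# -f: no globbing, so a stray "*" in the ban list cannot expand to filenames.
set -euf

# VARIABLES
FILTER="/sbin/iptables"
BANNED_FILE=${BANNED_FILE:-/root/banned_IPs}

# RESET (filter table only, as before; nat/mangle are left alone)
$FILTER -F
$FILTER -X
$FILTER -P INPUT ACCEPT
$FILTER -P FORWARD ACCEPT
$FILTER -P OUTPUT ACCEPT

# Banned PROTOs
$FILTER -A INPUT -p udp --dport 138 -j DROP #netbios_dgm
$FILTER -A INPUT -p udp --dport 137 -j DROP #netbios_ns
$FILTER -A INPUT -p tcp --dport 139 -j DROP #netbios_ssn

# Banned IPs
if [ -r "$BANNED_FILE" ]; then
  while IFS= read -r line || [ -n "$line" ]; do
    # Strip "#" comments, then word-split on whitespace so several addresses
    # per line keep working as they did with the old for-loop.
    # shellcheck disable=SC2086
    for addr in ${line%%#*}; do
      # An entry iptables rejects is reported and skipped; the rest of the
      # list is still loaded instead of aborting under "set -e".
      $FILTER -A INPUT -s "$addr" -j DROP \
        || printf '%s: ignoring invalid banned entry "%s"\n' "$0" "$addr" >&2
    done
  done < "$BANNED_FILE"
else
  printf '%s: %s not readable, no address banned\n' "$0" "$BANNED_FILE" >&2
fi
exit 0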