Revision comparison for shorewallmonointerface:shorewall_mono_interface: 2018/09/05 14:49 (created by ronan) against 2019/01/14 14:04 (current version, by rguyader).
====== Shorewall mono interface ======

<code bash>
apt-get install shorewall ulogd

cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall
cp -a /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf_
cp -a /etc/shorewall/interfaces /etc/shorewall/interfaces.conf_
cp -a /etc/shorewall/policy /etc/shorewall/policy_
cp -a /etc/shorewall/params /etc/shorewall/params_
sed -i "s/info\$/\\\$LOG/g" /etc/shorewall/policy
sed -i "s/LOGFILE=\/var\/log\/messages/LOGFILE=\/var\/log\/ulog\/syslogemu.log/g" /etc/shorewall/shorewall.conf
sed -i "s/DISABLE_IPV6=No/DISABLE_IPV6=Yes/g" /etc/shorewall/shorewall.conf
sed -i "s/#LAST LINE -- DO NOT REMOVE/LOG=ULOG\n\n#LAST LINE -- DO NOT REMOVE/g" /etc/shorewall/params
cat << 'EOF' >> /etc/shorewall/rules
# SSH port 22000
ACCEPT:$LOG          net             fw              tcp     22000
EOF
sed -i "s/startup=0/startup=1/g" /etc/default/shorewall

vi /etc/shorewall/shorewall.conf # check the options
</code>

**/!!!!\**

<code bash>
vi /etc/shorewall/interfaces # check the options, notably DHCP  /!\ OVH: venet0, not eth0!
</code>
**/!!!!\**

<code bash>
vi /etc/shorewall/policy # check the default behaviour
</code>
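Added example, not part of the wiki page: a dry run of the sed edits above against a staging copy, followed by a check that every expected setting actually landed in the files. The fixture files are constructed approximations of the unedited Debian example files, and the two directory parameters are an assumption of this example so that nothing under /etc is touched unless you pass it explicitly.

```shell
#!/bin/sh
# Added example (not from the wiki page). Dry-run the page's edits on a
# staging copy, then verify the result. Directory parameters are assumed:
# <confdir> plays /etc/shorewall, <defaultdir> plays /etc/default.

# Constructed fixture: minimal stand-ins for the unedited example files.
make_fixture() {            # make_fixture <confdir> <defaultdir>
    mkdir -p "$1" "$2"
    printf 'LOGFILE=/var/log/messages\nDISABLE_IPV6=No\n' > "$1/shorewall.conf"
    printf '#SOURCE DEST POLICY LEVEL\nnet all DROP info\nall all REJECT info\n' > "$1/policy"
    printf '#LAST LINE -- DO NOT REMOVE\n' > "$1/params"
    : > "$1/rules"
    printf 'startup=0\n' > "$2/shorewall"
}

# The same edits the page applies, parameterised on the directories.
apply_edits() {             # apply_edits <confdir> <defaultdir>
    # "\\\$LOG" reaches sed as \$LOG, i.e. a literal $LOG in the replacement
    sed -i "s/info\$/\\\$LOG/g" "$1/policy"
    sed -i "s/LOGFILE=\/var\/log\/messages/LOGFILE=\/var\/log\/ulog\/syslogemu.log/g" "$1/shorewall.conf"
    sed -i "s/DISABLE_IPV6=No/DISABLE_IPV6=Yes/g" "$1/shorewall.conf"
    sed -i "s/#LAST LINE -- DO NOT REMOVE/LOG=ULOG\n\n#LAST LINE -- DO NOT REMOVE/g" "$1/params"
    cat << 'EOF' >> "$1/rules"
# SSH port 22000
ACCEPT:$LOG          net             fw              tcp     22000
EOF
    sed -i "s/startup=0/startup=1/g" "$2/shorewall"
}

# expect <file> <fixed string> <description>: report and count a missing setting.
MISSING=0
expect() {
    if grep -qF -- "$2" "$1" 2>/dev/null; then
        printf 'ok       %s\n' "$3"
    else
        printf 'MISSING  %s  (%s)\n' "$3" "$1"
        MISSING=$((MISSING + 1))
    fi
}

# check_edits <confdir> <defaultdir>: returns 0 if every setting is present,
# 1 otherwise; MISSING holds the number of settings not found.
check_edits() {
    MISSING=0
    expect "$1/shorewall.conf" 'LOGFILE=/var/log/ulog/syslogemu.log' 'log file points at ulogd'
    expect "$1/shorewall.conf" 'DISABLE_IPV6=Yes'                    'IPv6 disabled in shorewall.conf'
    expect "$1/params"         'LOG=ULOG'                            'LOG variable defined in params'
    expect "$1/rules"          'ACCEPT:$LOG'                         'SSH rule logs through $LOG'
    expect "$2/shorewall"      'startup=1'                           'startup enabled in /etc/default/shorewall'
    # policy lines must now end in $LOG rather than a hard-coded "info" level
    if grep -qE 'info$' "$1/policy" 2>/dev/null; then
        printf 'MISSING  policy still uses a hard-coded info log level\n'
        MISSING=$((MISSING + 1))
    else
        printf 'ok       policy log level replaced by $LOG\n'
    fi
    [ "$MISSING" -eq 0 ]
}

# Stand-alone run on a throwaway staging copy (drop the rm to inspect it).
STAGE=$(mktemp -d)
make_fixture "$STAGE/shorewall" "$STAGE/default"
apply_edits  "$STAGE/shorewall" "$STAGE/default"
check_edits  "$STAGE/shorewall" "$STAGE/default"
echo "result: $?"
rm -rf "$STAGE"
```

On the real host, `check_edits /etc/shorewall /etc/default` gives a quick confirmation that the substitutions matched (a sed that finds no match exits 0 and changes nothing, which is easy to miss); Shorewall's own `shorewall check` then validates the resulting configuration before it is started.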
===== If IPv6 is not disabled =====

<code bash>
/etc/init.d/shorewall stop
/etc/init.d/shorewall start
</code>

**Warning:** IPv6 disabled:
Line 39: Line 45:
==== If bind ====

<code bash>
cp -a /etc/default/bind9 /etc/default/bind9_
sed -i "s/RESOLVCONF=no/RESOLVCONF=yes/g" /etc/default/bind9
sed -i "s/OPTIONS=\"-u bind\"/OPTIONS=\"-4 -u bind\"/g" /etc/default/bind9
/etc/init.d/bind9 stop
/etc/init.d/bind9 start
rndc flush
</code>

==== If ssh ====

<code bash>
cp -a /etc/default/ssh /etc/default/ssh_
sed -i "s/SSHD_OPTS=/SSHD_OPTS=-4/g" /etc/default/ssh
/etc/init.d/ssh stop
/etc/init.d/ssh start
</code>

==== In all cases, disable at the kernel level and reboot ====

<code bash>
echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
reboot
</code>

===== PVE: does not work under Proxmox VE, do the following =====

<code bash>
cat << 'EOF' >> /opt/firewall_ipv6_drop_all.sh
#!/bin/sh

IPT6="/sbin/ip6tables"

$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# DROP all incoming traffic
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
EOF
chmod 750 /opt/firewall_ipv6_drop_all.sh
vi /etc/rc.local # add: /opt/firewall_ipv6_drop_all.sh
</code>

Test:
<code bash>
apt-get update
</code>
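Added example, not part of the wiki page: a small audit that reads a rule listing in `ip6tables -S` format and reports whether the host is in the state the drop-all script above aims for (all three filter-table policies DROP, only loopback traffic accepted), plus a check of the sysctl value written above. Both rule listings below are constructed samples; on a live host you would feed the real command output instead.

```shell
#!/bin/sh
# Added example (not from the wiki page). Audit IPv6 lock-down state.

# audit_ip6_rules: reads "ip6tables -S" output on stdin, prints one line per
# finding and a final "findings: N" line; returns 0 only when INPUT, OUTPUT
# and FORWARD all default to DROP and no rule accepts non-loopback traffic.
audit_ip6_rules() {
    findings=0
    input_drop=0; output_drop=0; forward_drop=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT DROP")   input_drop=1 ;;
            "-P OUTPUT DROP")  output_drop=1 ;;
            "-P FORWARD DROP") forward_drop=1 ;;
            "-A INPUT -i lo -j ACCEPT"|"-A OUTPUT -o lo -j ACCEPT") ;;  # loopback is expected
            *" -j ACCEPT"*)
                printf 'FINDING: accepts non-loopback IPv6 traffic: %s\n' "$line"
                findings=$((findings + 1)) ;;
            *) ;;  # non-DROP policy lines (caught below), DROP/LOG rules, chain definitions
        esac
    done
    [ "$input_drop"   -eq 1 ] || { printf 'FINDING: INPUT policy is not DROP\n';   findings=$((findings + 1)); }
    [ "$output_drop"  -eq 1 ] || { printf 'FINDING: OUTPUT policy is not DROP\n';  findings=$((findings + 1)); }
    [ "$forward_drop" -eq 1 ] || { printf 'FINDING: FORWARD policy is not DROP\n'; findings=$((findings + 1)); }
    printf 'findings: %d\n' "$findings"
    [ "$findings" -eq 0 ]
}

# ipv6_disabled_in <file>: returns 0 when the sysctl file (on a live host
# /proc/sys/net/ipv6/conf/all/disable_ipv6) contains 1.
ipv6_disabled_in() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Constructed sample: the filter table the drop-all script should leave behind.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: a host where the script never ran, with default ACCEPT
# policies and a stray rule admitting the SSH port over IPv6.
BAD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT'

# Stand-alone demonstration on the two constructed listings.
echo "--- expected state after the drop-all script ---"
printf '%s\n' "$GOOD_RULES" | audit_ip6_rules
echo "--- host where the script did not run ---"
printf '%s\n' "$BAD_RULES" | audit_ip6_rules
```

On a live host: `ip6tables -S | audit_ip6_rules` and `ipv6_disabled_in /proc/sys/net/ipv6/conf/all/disable_ipv6`. Check the exit status of `ip6tables` itself as well: an empty listing (for instance when the ip6tables module is not loaded) is reported here as three missing-policy findings rather than as a pass, which is the safe failure mode for an audit.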
shorewallmonointerface/shorewall_mono_interface.1536158984.txt.gz · Last modified: 2018/09/05 14:49 by ronan