
Shorewall mono interface

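# Shorewall single-interface setup (Debian). Run as root; every command
# below edits files under /etc in place, so each file is backed up once first.
SSH_PORT=${SSH_PORT:-22000}   # TCP port opened from the net zone for SSH

apt-get install shorewall ulogd || { echo 'apt-get install failed' >&2; exit 1; }

# Start from the example shipped with the package.
cp -a /usr/share/doc/shorewall/examples/one-interface/* /etc/shorewall

# Keep a pristine copy of each file we modify, always as <name>_ .
# Never overwrite an existing backup: re-running this block must not
# replace the pristine copy with an already-edited file.
for f in shorewall.conf interfaces policy params; do
  [ -e "/etc/shorewall/${f}_" ] || cp -a "/etc/shorewall/$f" "/etc/shorewall/${f}_"
done

# Policies: log through the $LOG level defined in params (set below).
sed -i 's/info$/\$LOG/g' /etc/shorewall/policy
# ulogd writes the firewall log here instead of syslog.
sed -i 's#LOGFILE=/var/log/messages#LOGFILE=/var/log/ulog/syslogemu.log#g' /etc/shorewall/shorewall.conf
sed -i 's/DISABLE_IPV6=No/DISABLE_IPV6=Yes/g' /etc/shorewall/shorewall.conf
# Define LOG=ULOG just above the sentinel last line of params, only once.
grep -q '^LOG=ULOG' /etc/shorewall/params \
  || sed -i 's/#LAST LINE -- DO NOT REMOVE/LOG=ULOG\n\n#LAST LINE -- DO NOT REMOVE/g' /etc/shorewall/params

# Open the SSH port from the net zone, logged at $LOG; append only once.
# NOTE: nothing on this page changes sshd's own Port setting -- make sure
# sshd really listens on $SSH_PORT before shorewall is (re)started, or
# remote access to the host is lost.
if ! grep -q -- "tcp[[:space:]]*${SSH_PORT}\$" /etc/shorewall/rules; then
  printf '# SSH port %s\nACCEPT:$LOG          net             fw              tcp     %s\n' \
    "$SSH_PORT" "$SSH_PORT" >> /etc/shorewall/rules
fi

# Let the init script start shorewall at boot.
sed -i 's/startup=0/startup=1/g' /etc/default/shorewall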
 
vi /etc/shorewall/shorewall.conf # check the options (LOGFILE and DISABLE_IPV6 were rewritten by the sed commands above)

/!!!!\

vi /etc/shorewall/interfaces # check the options, in particular DHCP; WARNING: on OVH the interface is venet0, not eth0!

/!!!!\

vi /etc/shorewall/policy # check the default behaviour; the policy log level was rewritten to $LOG above

Si pas de désactivation d'IPv6 :

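# Validate the configuration before touching the running firewall. A plain
# stop followed by a start that fails to compile the new configuration
# leaves the host in shorewall's "stopped" state (everything blocked except
# the routestopped entries) and cuts off remote administration.
shorewall check && /etc/init.d/shorewall restart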

Attention : IPv6 désactivé :

Désactiver les écoutes en IPv6

Si bind

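# Make bind listen on IPv4 only (-4) and let resolvconf manage resolv.conf.
# Back up the defaults file once; re-running must not overwrite the pristine copy.
[ -e /etc/default/bind9_ ] || cp -a /etc/default/bind9 /etc/default/bind9_
sed -i 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
sed -i 's/OPTIONS="-u bind"/OPTIONS="-4 -u bind"/g' /etc/default/bind9
# The substitution is a silent no-op if OPTIONS differs from the stock value;
# say so, because bind would then keep its IPv6 listeners.
grep -q 'OPTIONS="-4 -u bind"' /etc/default/bind9 \
  || echo 'warning: OPTIONS in /etc/default/bind9 was not updated, add -4 by hand' >&2
/etc/init.d/bind9 restart
rndc flush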

Si ssh

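# Make sshd listen on IPv4 only. The match is anchored to an empty SSHD_OPTS
# (bare or "") so that a re-run cannot produce SSHD_OPTS=-4-4 and a value
# someone already set is not corrupted.
[ -e /etc/default/ssh_ ] || cp -a /etc/default/ssh /etc/default/ssh_
sed -i 's/^SSHD_OPTS=\(""\)*$/SSHD_OPTS=-4/' /etc/default/ssh
grep -q '^SSHD_OPTS=.*-4' /etc/default/ssh \
  || echo 'warning: SSHD_OPTS in /etc/default/ssh was not updated, add -4 by hand' >&2
# Established SSH sessions survive the restart; new connections are IPv4 only.
/etc/init.d/ssh restart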

Dans tous les cas, désactivation au niveau noyau et reboot :

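# Disable IPv6 in the kernel. "all" only covers the interfaces that exist
# now; "default" covers interfaces created later (hotplug, new VLANs, ...),
# which would otherwise come up with IPv6 enabled again.
printf '%s\n' \
  net.ipv6.conf.all.disable_ipv6=1 \
  net.ipv6.conf.default.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
reboot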

PVE : ne fonctionne pas sous Proxmox VE, faire :

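# Proxmox VE: the sysctl above has no effect there, so drop every IPv6 packet
# with ip6tables instead. Write the script (">" rather than ">>") so that a
# re-run does not leave a second copy of the rules in the file.
cat << 'EOF' > /opt/firewall_ipv6_drop_all.sh
#!/bin/sh
# Default-deny all IPv6 traffic except loopback.

IPT6="/sbin/ip6tables"

# Set the DROP policies before flushing, so there is no window in which the
# chains are empty while the policy is still the old one.
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Remove every existing rule and user chain.
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X

# Unlimited access to loopback.
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
EOF
chmod 750 /opt/firewall_ipv6_drop_all.sh
vi /etc/rc.local # add the line "/opt/firewall_ipv6_drop_all.sh" (before the final "exit 0" if the file has one)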

Test :

apt-get update # sanity check: outbound traffic (package index download) still works through the new firewall