####################################################################################
# Put this config file (iptables-firewall.conf) in, for example, /etc/             #
# Make sure it is readable by root only: "chown root:root" and "chmod 600" it!     #
####################################################################################
# Configuration File for Arno's IPTABLES single & dual homed (ADSL) firewall script (rc.iptables)
# (C) Copyright 2001-2002 by Arno van Amersfoort
# Homepage : http://rulhmpc57.leidenuniv.nl/projects/iptables-firewall/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#################################################################################################
## Any suggestions, questions or comments are welcome at: "a r n o v a AT x s 4 a l l DOT n l" ##
#################################################################################################
############################################
# Required variables for correct operation #
############################################
# NOTE(review): this file is plain shell (see the $INTERNAL_NET expansion further down), presumably
# sourced by rc.iptables as root -- keep the double quotes, no spaces around '=', and never let an
# unprivileged user write to it (see the header).
IPTABLES="/sbin/iptables" # Absolute path to the iptables binary. Keep it absolute: a root-run script must
                          # never pick the binary up from a PATH an attacker may influence.
EXT_IF="ppp+" # The external (internet-facing) interface that will be protected. "ppp+" is an interface
              # wildcard (ppp0, ppp1, ...); this is probably what you want for (A)DSL PPPoE/PPPoA links
              # with a non-transparent modem. Otherwise use the real device name, e.g. "eth0".
DYNAMIC_IP=1 # Set to 1 if your ISP assigns the external IP dynamically (DHCP/PPP negotiation).
#################################################################################################################
# These options should (only) be used when you have an ADSL/DSL modem ("Alcatel Home" for example) which works  #
# with a PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or a similar 'ppp' connection).        #
#                                                                                                               #
# You can check whether this applies to your (hardware) setup with 'ifconfig' (a 'ppp' device is shown).        #
# This means that if your modem is bridging (a transparent router) or the network interface the modem is        #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)!                   #
#################################################################################################################
MODEM_IF="eth0" # The physical(!) network interface your ADSL modem is connected to (this is NOT ppp0!)
MODEM_IF_IP="192.168.20.1" # The IP of the network interface (MODEM_IF) your ADSL modem is connected to (the IP
                           # shown for MODEM_IF in 'ifconfig')
MODEM_IP="" # The IP of your (A)DSL modem itself (which must NOT be the same as MODEM_IF_IP!).
            # If (you suspect that) your modem doesn't have an IP, then leave MODEM_IP empty (="").
            # NOTE(review): MODEM_IF and MODEM_IF_IP are filled in here while MODEM_IP is left empty -- confirm
            # this matches the hardware, since these settings open a path to the modem's management side.
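#####################################
# LAN & NAT (masquerading) settings #
#####################################
INT_IF="eth1" # Internal network interface(s) (multiple interfaces are space separated).
              # Comment this out if you don't have any internal network interfaces.
INTERNAL_NET="192.168.0.0/24" # Your internal subnet connected to the internal interface. For multiple
                              # interfaces you can either list several subnets here or one big subnet
                              # covering all of them. Packets from these subnets are ALWAYS accepted,
                              # so keep this list to networks you actually control.
NAT=1 # Enable this if you want to perform NAT (masquerading) for your internal network (LAN),
      # i.e. share your internet connection with the net(s) connected to INT_IF.
NAT_INTERNAL_NET="" # (EXPERT SETTING!) Restrict NAT to specific subnets or hosts. When empty, your whole
                    # internal LAN gets internet access. Only meaningful when NAT=1.
MODEM_INTERNAL_NET=$INTERNAL_NET # (EXPERT SETTING!) Hosts/local net(s) allowed to reach the (A)DSL modem
                                 # itself (manage modem settings). The default ($INTERNAL_NET) lets EVERY
                                 # host on your LAN manage the modem; narrowing this to an admin host is
                                 # advisable.
# Port forwards. Form: "PORT1,PORT2,...>DESTIP1{:port} PORT3,PORT4,...>DESTIP2{:port}"
# Entries are separated by SPACES; ports within one entry by commas; there is NO comma between entries.
# {:port} is an optional destination port. Example: xxx_FORWARD="20,21>192.168.0.10 81>192.168.0.11:80".
# Every forward exposes an internal host directly to the internet: keep the forwarded service patched and
# consider limiting the sources that may reach it via DENY_HOST_TCP/DENY_HOST_UDP.
TCP_FORWARD="3389>192.168.0.4 80>192.168.0.5" # TCP forwards: 3389 -> 192.168.0.4, 80 -> 192.168.0.5
                                              # (the former value had a stray ',' after 192.168.0.4, which
                                              # made the first entry's destination "192.168.0.4," -- not
                                              # a valid address in the documented entry format).
UDP_FORWARD="" # UDP forwards, same form as TCP_FORWARD
IP_FORWARD="" # IP protocol forwards (useful for forwarding non-TCP/UDP/ICMP protocols, e.g. GRE = 47)
              # Form: "PROTO1,PROTO2,...>DESTIP1 PROTO3,PROTO4,...>DESTIP2"
              # Example: "47,48>192.168.0.10"
OTHER_IF="" # (EXPERT SETTING!) Other network interfaces for which ALL IP traffic is ACCEPTED (like the
            # local loopback). Multiple interfaces are space separated. Be warned that anything to and
            # from these interfaces is allowed, so make sure they are NOT reachable from the outside
            # world (internet)!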
####################
# General settings #
####################
MANGLE_TOS=1 # Enable TOS (Type Of Service) mangling of packets (RFC TOS values)
SET_MSS=1 # Clamp the TCP Maximum Segment Size (MSS field); typically needed on PPPoE links
RESOLV_IPS=0 # Enable this to resolve the names of DNS/TH (presumably trusted-host) IP's etc. Needs working
             # DNS at firewall start-up, so leave it off if the firewall must come up before DNS does.
DHCP_BOOTP=0 # Enable support for a DHCP/BOOTP service
USE_IRC=0 # Enable support for the IRC service
LOOSE_FORWARD=0 # Loosen forwarding rules to allow protocols such as UPnP. Note that this *could* be
                # less secure; keep it disabled unless you need it.
DROP_PRIVATE_ADDRESSES=1 # Drop packets originating from a private (RFC 1918) source address. This should
                         # normally stay enabled (1): on the internet side such packets are spoofed or
                         # mis-routed, not legitimate.
DROP_IANA_RESERVED=1 # Drop packets whose source address is registered as reserved by IANA. This is a
                     # separate switch because the IANA reserved list changes often; a stale list can block
                     # newly allocated, legitimate address space, so keep the script current if enabled.
#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
# NOTE(review): because of the rate limiting a sustained scan is only partially logged; treat
# event counts in the log as a lower bound when investigating.
ICMP_FLOOD_LOG=1 # Log ICMP flooding
ICMP_DROP_LOG=1 # Log ICMP packets which are DROPPED
SCAN_LOG=1 # Log various stealth scans (reliable detection)
POSSIBLE_SCAN_LOG=1 # Log possible stealth scans (less reliable, expect some false positives)
BAD_FLAGS_LOG=1 # Log TCP packets with bad (illegal) flag combinations
BLOCKED_HOST_LOG=1 # Log packets from explicitly blocked hosts (BLOCK_HOSTS / BLOCKED_HOSTS file)
CLOSED_PORT_LOG=1 # Log connection attempts to explicitly closed ports (CLOSED_TCP / CLOSED_UDP)
RESERVED_NET_LOG=1 # Log packets whose source IP is in a reserved address range
OPEN_CONNECT_LOG=0 # Log NEW connections to TCP/UDP ports that are open to the whole world.
                   # NOTE(review): this is the only record of who reaches the services listed in
                   # OPEN_TCP/OPEN_UDP; since world-open ports are configured below, consider enabling it
                   # (it is rate limited like everything else, so the volume stays bounded).
INVALID_PACKET_LOG=1 # Log invalid packets
FRAG_LOG=1 # Log fragmented packets
LOST_CONNECTION_LOG=0 # Log (probable) "lost connections". Keep disabled to reduce false alarms
CONNECT_LOG=1 # Log connection attempts to privileged (< 1024) TCP/UDP ports
UNPRIV_TCP_LOG=1 # Log connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=1 # Log connection attempts to unprivileged UDP ports
OTHER_IP_LOG=1 # Log connection attempts using "other" IP protocols (non TCP/UDP/ICMP)
DHCP_BROADCAST_LOG=0 # Log DHCP broadcasts. You probably want this disabled (0) if there is a DHCP server
                     # in your subnet that you don't use yourself.
OUTPUT_DENY_LOG=1 # Log denied OUTPUT (local) or FORWARD (internal network) connections.
LOGLEVEL=info # syslog level for firewall log lines ("info": default kernel syslog level).
              # "debug" can be used to log to a separate /var/log/firewall, but you have to configure
              # syslogd accordingly (see the included syslogd.conf example).
              # Either way, forward these logs off-box if you rely on them for incident response: an
              # attacker who gains root on the firewall can simply erase the local copy.
###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
# These toggle kernel networking settings (under /proc/sys/net/...) rather than iptables rules.
SYN_PROT=1 # Enable SYN-flood protection (TCP syncookies, through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1 # Enable this to reduce the ability of others to DoS your machine
ECHO_IGNORE=0 # Enable to ignore ALL ICMP echo requests (IPv4). Very useful in stopping lame DoS attacks
              # (aka ping -f), but note it also breaks legitimate ping diagnostics against this host.
LOG_MARTIANS=0 # Log packets with impossible (martian) source addresses to the kernel log. Useful for
               # spotting spoofing attempts; disabled by default to keep the kernel log quiet.
ICMP_REDIRECT=0 # Accept ICMP redirect messages. Should stay "0" on a router: honoured redirects let a
                # neighbouring host alter this machine's routing decisions.
HIGHER_CONNTRACK=0 # Enable to handle a huge number of simultaneous connections (uses more memory but is
                   # recommended for high-traffic servers; presumably also raises the bar for
                   # conntrack-table exhaustion -- confirm in rc.iptables).
LOOSE_UDP_PATCH=0 # You may need to enable this to get some internet games to work, but note that it is
                  # *less* secure.
ECN=0 # Enable the ECN (Explicit Congestion Notification) TCP flag. Disabled by default, as some routers
      # are still not compatible with it.
RP_FILTER=1 # Use rp_filter (reverse-path filtering) to drop packets from source IPs that are not routable
            # via the receiving interface. This should be disabled (0) when you for example want to use
            # Freeswan (VPN) to route external private addresses into your network. Note that for extra
            # security the external interface(s) (EXT_IF) are ALWAYS filtered!
#################################################################################################################
# Put in the following variable which hosts (subnets) you want to have FULL access via your internet connection #
# Treat this like a root credential: only hosts you control, never a range you merely rent (e.g. an ISP block). #
# This is source-IP trust only -- it is as strong as the anti-spoofing on the path (rp_filter, private/reserved #
# address drops), nothing more.                                                                                 #
# NOTE: Don't confuse this variable with the one used for internal nets (INTERNAL_NET)                          #
#################################################################################################################
FULL_ACCESS_HOSTS=""
#################################################################################################################
# Put in the following variable which DNS servers you use                                                       #
# Only required when you run your own DNS server (for example BIND)                                             #
#################################################################################################################
DNS_SERVERS=""
# These are the root DNS servers as listed when this file was released (2002). To use them for BIND,
# uncomment ALL three lines below -- it is one backslash-continued shell value, and uncommenting only the
# first line would swallow the remaining '#' lines into the string.
# NOTE(review): root-server addresses may well have changed since 2002; verify this list against a current
# root hints file (named.root) before relying on it, otherwise stale entries are allowed while real ones are not.
#ROOT_DNS_SERVERS="128.63.2.53 192.33.4.12 192.112.36.4 192.5.5.241 128.9.0.107 \
#                  198.41.0.10 193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
#                  192.203.230.10 128.8.10.90 198.41.0.4"
#################################################################################################################
# Put in the following variables which ports you want to leave open to the whole world                         #
# Anything listed here is reachable by every host on the internet. Prefer OPEN_HOST_TCP/UDP (below) for         #
# services that only a few known hosts need (admin interfaces, remote desktop, file transfer).                  #
#################################################################################################################
OPEN_TCP="2002 21 3389" # TCP port(s) the whole world is allowed to connect to (presumably on this machine
                        # itself; forwards to LAN hosts are TCP_FORWARD).
                        # NOTE(review): 21 (FTP) carries credentials in clear text and 3389 (RDP) is a
                        # classic brute-force/exploit target -- both are world-open here. 3389 also appears
                        # in TCP_FORWARD (-> 192.168.0.4); which of the two wins for inbound 3389 depends on
                        # rule order in rc.iptables -- confirm, and remove whichever is unintended. 2002 is
                        # not a well-known port: confirm what actually listens there.
OPEN_UDP="" # UDP port(s) the whole world is allowed to connect to
OPEN_IP="" # IP protocol(s) (non TCP/UDP) the whole world is allowed to connect to
OPEN_ICMP=0 # Enable ICMP reply for the whole world (not recommended)
#################################################################################################################
# Put in the following variables the tcp/udp ports you want to block for everyone. Also use these variables     #
# if you want to log connection attempts to these ports from everyone (including trusted & full access hosts)   #
#################################################################################################################
CLOSED_TCP=""
CLOSED_UDP=""
#################################################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged.                     #
# This is very useful if you have constant probes on the same port(s) over and over again (Code Red worm)       #
# and don't want your logs flooded with it.                                                                     #
# NOTE(review): anything listed here vanishes from the log entirely, so a new campaign against the same port    #
# goes unnoticed. Review this list periodically rather than leaving old worm ports in it forever.               #
#################################################################################################################
CLOSED_TCP_NOLOG=""
CLOSED_UDP_NOLOG=""
#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services. This is the preferred way  #
# to expose admin-type services (SSH, RDP, FTP): only the listed source hosts can reach the listed ports.        #
# TCP/UDP port format (OPEN_HOST_TCP & OPEN_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (OPEN_HOST_IP) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ...                   #
# Entries are separated by spaces; hosts and ports within one entry by commas (no comma between entries).       #
#################################################################################################################
OPEN_HOST_TCP=""
OPEN_HOST_UDP=""
OPEN_HOST_IP=""
OPEN_HOST_ICMP="" # Hosts allowed to send ICMP to this machine (format not documented here -- check rc.iptables)
#################################################################################################################
# Put in the following variables which hosts you want to deny for certain services                              #
# TCP/UDP port format (DENY_HOST_TCP & DENY_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
DENY_HOST_TCP=""
DENY_HOST_UDP=""
#################################################################################################################
# Put in the following variables the tcp/udp ports TO (remote end-point) which the MASQUERADED machines are NOT #
# permitted to connect to via the external (internet) interface. Example of usage: blocking IRC (tcp 6666:6669) #
# -- i.e. egress filtering for the LAN; a "from:to" port range is written as in that example.                   #
#################################################################################################################
DENY_TCP_FORWARD=""
DENY_UDP_FORWARD=""
#################################################################################################################
# Put in the following variables the tcp/udp ports TO (remote end-point) which THIS machine is NOT permitted to #
# connect to via the external (internet) interface. Example of usage: blocking IRC (tcp 6666:6669)              #
# -- i.e. egress filtering for the firewall host itself, useful for containing call-outs from a compromised     #
# host or service.                                                                                              #
#################################################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)  #
#################################################################################################################
BLOCK_HOSTS=""
# Location of the BLOCKED HOSTS file (if any): an additional list of blackholed hosts kept in a separate
# file (format presumably one host per line -- check rc.iptables).
##############################################
BLOCKED_HOSTS=/etc/iptables-blocked-hosts
# Location of the custom IPTABLES rules file (if any). Presumably loaded by rc.iptables as root, so it must
# be owned by root and writable by nobody else ("chown root", "chmod 600"), exactly like this config file:
# a group- or world-writable rules file is a direct path to root-level firewall changes.
######################################################
CUSTOM_RULES=/etc/iptables-custom-rules