The Technofutur firewall
Table of contents
- Network diagrams
- Routing without VPN
- Routing with VPN
- NAT
- The firewall
Network diagrams: (diagram not included in the extracted text)
Interface configuration, eth0 (Debian /etc/network/interfaces syntax):
auto eth0
iface eth0 inet static
    address 10.10.15.111
    netmask 255.255.255.0
    network 10.10.15.0
    broadcast 10.10.15.255
    gateway 10.10.15.250
Interface configuration, eth1 (the network address is the /24 base, 172.16.0.0, not the host address):
auto eth1
iface eth1 inet static
    address 172.16.0.1
    netmask 255.255.255.0
    network 172.16.0.0
    broadcast 172.16.0.255
Interface configuration, eth2 (the iface line must name eth2, and the broadcast address belongs to 192.168.1.0/24):
auto eth2
iface eth2 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
Network diagrams: (diagram not included in the extracted text)
Routing without VPNs
Enable IP forwarding on the router (the echo takes effect immediately; to keep it across reboots, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf):
echo "1" > /proc/sys/net/ipv4/ip_forward
Check that traffic is forwarded between the LANs with tcpdump -n -i eth2:
10:53:22.426214 IP 192.168.1.8 > 192.168.2.7: ICMP echo request, id 256, seq 5598, length 72
10:53:22.426361 IP 192.168.2.7 > 192.168.1.8: ICMP echo reply, id 256, seq 5598, length 72
Routing with VPNs
On the first router, flush the routing tables, restart networking, and add the static routes towards the remote site through the VPN peer 172.16.0.2:
ip route flush table all
service networking stop
service networking start
ip route add 192.168.2.0/24 via 172.16.0.2
ip route add 172.17.0.0/24 via 172.16.0.2
Routing with VPNs, second router (mirror image, with routes back to the first site through 172.17.0.2):
ip route flush table all
service networking stop
service networking start
ip route add 192.168.1.0/24 via 172.17.0.2
ip route add 172.16.0.0/24 via 172.17.0.2
NAT, first router (masquerade outgoing traffic, and DNAT the flow from 10.10.15.2 arriving on eth2 to 172.16.0.2):
iptables -v -t nat -A POSTROUTING -j MASQUERADE
iptables -v -t nat -A PREROUTING -i eth2 -s 10.10.15.2 -j DNAT --to 172.16.0.2
NAT, second router (same pattern; the flow from 10.10.15.111 is redirected to 172.17.0.2):
iptables -v -t nat -A POSTROUTING -j MASQUERADE
iptables -v -t nat -A PREROUTING -i eth2 -s 10.10.15.111 -j DNAT --to 172.17.0.2
Firewall policy: the router's own traffic is accepted, forwarded traffic is dropped by default, and replies to already-accepted connections are allowed first so the rules that follow only need to cover new connections:
iptables -v -P INPUT ACCEPT
iptables -v -P OUTPUT ACCEPT
iptables -v -P FORWARD DROP
iptables -v -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Firewall: ICMP, network test
# Allow ICMP across the whole network
iptables -v -A FORWARD -p ICMP -j ACCEPT
# Allow Google's address 8.8.8.8
iptables -v -A FORWARD -d 8.8.8.8 -j ACCEPT
Firewall, web client: block HTTP and HTTPS from 192.168.1.4 (this rule is added before the ACCEPT rules for those ports, so it wins):
iptables -v -A FORWARD -s 192.168.1.4 -p TCP -m multiport --dports 80,443 -j DROP
Firewall, VPN (PPTP): allow GRE, plus the control channel on TCP 1723; traffic from the server has 1723 as source port, traffic to the server has it as destination port:
# GRE
iptables -v -A FORWARD -p 47 -j ACCEPT
iptables -v -A FORWARD -s 172.16.0.2 -p TCP --sport 1723 -j ACCEPT
iptables -v -A FORWARD -d 172.16.0.2 -p TCP --dport 1723 -j ACCEPT
Firewall, IPsec: allow ESP and AH, and UDP in both directions with the peer 172.16.0.2 (IKE):
iptables -v -A FORWARD -p 50 -j ACCEPT   # ESP
iptables -v -A FORWARD -p 51 -j ACCEPT   # AH
iptables -v -A FORWARD -s 172.16.0.2 -p UDP -j ACCEPT
iptables -v -A FORWARD -d 172.16.0.2 -p UDP -j ACCEPT
Firewall, SSH, web and Squid on 172.16.0.4:
iptables -v -A FORWARD -d 172.16.0.4 -p TCP -m multiport --dports 22,80,8080,3128 -j ACCEPT
Mail on 192.168.1.5 (SMTP, POP3, submission, POP3S):
iptables -v -A FORWARD -d 192.168.1.5 -p TCP -m multiport --dports 25,110,587,995 -j ACCEPT
Firewall, DNS on 192.168.1.2:
iptables -v -A FORWARD -d 192.168.1.2 -p UDP --dport 53 -j ACCEPT
Firewall, Active Directory: UDP services towards the 192.168.1.0/24 LAN, and the TCP ports the LAN's clients need (including LDAP 389/636, global catalog 3268/3269, SMB 445 and Kerberos 88/464):
iptables -v -A FORWARD -d 192.168.1.0/24 -p UDP -m multiport --dports 53,67,68,88,137,138,389,464,2535 -j ACCEPT
iptables -v -A FORWARD -s 192.168.1.0/24 -p TCP -m multiport --dports 53,80,88,135,139,389,443,445,464,636,3128,3268,3269,5722,9389 -j ACCEPT
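To check what the FORWARD chain built across the firewall slides actually does before loading it on a router, here is an added Python model of that chain (not code from the presentation), assuming standard iptables semantics: rules are tried in order, the first match decides, and an unmatched packet gets the chain policy. The helper names rule, matches and verdict are my own; the rules are transcribed from the slides, and the point it demonstrates is that the early DROP for 192.168.1.4 wins over the later ACCEPT rules, while a host outside 192.168.1.0/24 falls through to the DROP policy.

```python
import ipaddress

# Model of the deck's FORWARD chain: ordered rules, first match wins,
# unmatched packets get the policy. Only the match fields the slides use
# are modelled; None means "any".
def rule(target, src=None, dst=None, proto=None, dports=None, sports=None, state=None):
    return dict(target=target, src=src, dst=dst, proto=proto,
                dports=dports, sports=sports, state=state)

FORWARD_POLICY = "DROP"
FORWARD_RULES = [                       # transcribed in slide order
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="icmp"),
    rule("ACCEPT", dst="8.8.8.8"),
    rule("DROP", src="192.168.1.4", proto="tcp", dports={80, 443}),   # web client
    rule("ACCEPT", proto="gre"),
    rule("ACCEPT", src="172.16.0.2", proto="tcp", sports={1723}),
    rule("ACCEPT", dst="172.16.0.2", proto="tcp", dports={1723}),
    rule("ACCEPT", proto="esp"),
    rule("ACCEPT", proto="ah"),
    rule("ACCEPT", src="172.16.0.2", proto="udp"),
    rule("ACCEPT", dst="172.16.0.2", proto="udp"),
    rule("ACCEPT", dst="172.16.0.4", proto="tcp", dports={22, 80, 8080, 3128}),
    rule("ACCEPT", dst="192.168.1.5", proto="tcp", dports={25, 110, 587, 995}),
    rule("ACCEPT", dst="192.168.1.2", proto="udp", dports={53}),
    rule("ACCEPT", dst="192.168.1.0/24", proto="udp",
         dports={53, 67, 68, 88, 137, 138, 389, 464, 2535}),
    rule("ACCEPT", src="192.168.1.0/24", proto="tcp",
         dports={53, 80, 88, 135, 139, 389, 443, 445, 464, 636,
                 3128, 3268, 3269, 5722, 9389}),
]

def _in_net(addr, net):
    # A rule without an address constraint matches any address.
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, pkt):
    # A packet is a dict with src, dst, proto and optional sport/dport/state;
    # a packet without a conntrack state is treated as NEW.
    return (_in_net(pkt["src"], r["src"]) and _in_net(pkt["dst"], r["dst"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dports"] is None or pkt.get("dport") in r["dports"])
            and (r["sports"] is None or pkt.get("sport") in r["sports"])
            and (r["state"] is None or pkt.get("state", "NEW") in r["state"]))

def verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Return (target, index of the deciding rule, or None when the policy applied)."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r["target"], i
    return policy, None
```

Running verdict on a constructed flow such as 192.168.1.4 to 172.16.0.4 port 80 returns ("DROP", 3), whereas the same client on port 22 returns ("ACCEPT", 11).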
Firewall, reset: restore an open FORWARD policy and flush all rules (used between tests):
iptables -P FORWARD ACCEPT
iptables --flush
Questions?