Firewall
La sécurité réseau assurée par Netfilter
Sécurité du réseau
Le serveur est exposé à Internet derrière la Livebox (adresses privées 192.168.1.2/3 sur enp1s0) : les ports ouverts « au monde » dans nftables.conf — SSH 22/tcp, HTTPS 443/tcp et OpenVPN 1194/udp — sont ceux que la Livebox doit lui rediriger. Toute la sécurité réseau repose sur netfilter (nftables) et fail2ban ; fail2ban ne protège que sshd, HTTPS et OpenVPN ne dépendent que du filtrage nftables et de l'authentification applicative.
Netfilter
nftables.conf
#!/usr/sbin/nft -f
# https://wiki.nftables.org
# Log file is /var/log/ulog/nftables.log (every "log ... group 0" rule goes to nflog group 0)
#
# NOTE(review): "flush ruleset" wipes EVERY table on the host, not only ours:
# the fail2ban table (active bans are lost until fail2ban is restarted or
# reloaded) and the rules Docker installs for published ports go with it.
# Restart fail2ban after each "nft -f" of this file.
flush ruleset

# Variables Definition
# Interfaces (kernel names)
define IF_LIVEBOX = enp1s0          # upstream side: ISP box, i.e. the WAN side of this host
define IF_LAN = enp2s0              # wired LAN
define IF_WIFI = wlp3s0             # only referenced by the active_devices inventory in the forward chain
define IF_DOCKER = { "br-*", docker0 }
define IF_LOOP = lo
# Networks
define NET_LOCALHOST = 127.0.0.1
define NET_LIVEBOX = 192.168.1.0/24
define NET_LAN = 192.168.100.0/24
define NET_LAN_MANAGED = 192.168.100.150-192.168.100.250   # range subject to the night-time cut-off in the forward chain
# NOTE(review): 172.13.0.0/16 is public address space (the RFC 1918 range is
# 172.16.0.0/12). If this is a typo for a 172.1x.0.0/16 Docker bridge, fix it;
# if a Docker network really uses it, packets from that public /16 are treated
# as "internal" by the rules that use NET_DOCKER (e.g. excluded from the
# "INPUT VERBOSE" log). Confirm against `docker network inspect`.
define NET_DOCKER = { 172.13.0.0/16, 172.17.0.0/16 }
# Hosts
define IP_LIVEBOX = 192.168.1.1
define IP_SERVER = { 192.168.1.2, 192.168.1.3, 192.168.100.1 }   # every address of this host
define IP_ASUS-AP = 192.168.100.2
define IP_KALI = 192.168.100.7
define HACK_PORT = 13131            # reverse-shell listener, DNAT'ed from the WAN side to the Kali box


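# Configuration Firewall
#
# Single "inet" table: every address-based rule below is IPv4-only ("ip saddr",
# "icmp"), so apart from established/related replies, inbound IPv6 -- including
# ICMPv6 neighbour discovery -- falls through to the final drop.
# NOTE(review): confirm IPv6 is unused on these interfaces; otherwise add
# ICMPv6 ND/RA accepts.
#
# Several accepts in input/forward trust the source address alone (Kali, DNS,
# SMB, the container dashboards). The anti-spoofing rules at the top of those
# chains make sure such addresses are only honoured when they do not arrive
# on the WAN-side interface, where they can never be legitimate.
table inet Toto_NetFilter {

    # Inventory of (interface, MAC, IPv4) sources seen in the forward chain;
    # an entry expires after 1h of silence. Visibility only: no rule matches on it.
    set active_devices {
        type ifname . ether_addr . ipv4_addr
        timeout 1h
        flags dynamic
    }

    chain prerouting {
        type nat hook prerouting priority dstnat;

        # Reverse-shell listener: TCP $HACK_PORT arriving from the Livebox side is
        # DNAT'ed to the Kali box (the matching accept is in the forward chain).
        # This keeps a LAN host permanently reachable from the Internet -- comment
        # it out when no engagement is running.
        iifname $IF_LIVEBOX ip daddr $IP_SERVER tcp dport $HACK_PORT log prefix "PREROUTE HACK OK " group 0 dnat to $IP_KALI:$HACK_PORT
        #log prefix "NAT PREROUTING " group 0
        counter accept
    }

    # Services the ASUS router/AP may reach on this host. Regular chain entered
    # via "jump" from input: a packet matching nothing here returns to input and
    # continues with the rules after the jump.
    chain asus_input {
        #meta l4proto { tcp, udp } th dport 2049 accept comment "Accept NFS"

        ip protocol igmp counter accept comment "Accept IGMP"

        # NOTE(review): purpose of UDP 7788/9999 is undocumented; verify they are still needed.
        udp dport 7788 counter accept
        udp dport 9999 counter accept

        udp dport tftp counter accept comment "Accept TFTP"
    }

    chain input {
        type filter hook input priority 0;

        # Anti-spoofing: loopback, LAN and Docker sources never legitimately arrive
        # on the Livebox interface. Placed before the conntrack accept so a forged
        # packet cannot ride an existing entry either. Logged with its own prefix
        # because the "INPUT VERBOSE" rule below deliberately excludes these ranges.
        iifname $IF_LIVEBOX ip saddr { $NET_LOCALHOST, $NET_LAN, $NET_DOCKER } log prefix "INPUT SPOOF DROP " group 0 counter drop comment "Drop spoofed internal sources from WAN side"

        # established/related connections
        ct state established,related counter accept
        ct state invalid counter drop

        # Log every new connection whose source is not one of our own networks (i.e. from the Internet)
        ip saddr != { $NET_LOCALHOST, $NET_LIVEBOX, $NET_LAN, $NET_DOCKER } log prefix "INPUT VERBOSE " group 0

        # Kali box: unrestricted access to this host, any port
        ip saddr $IP_KALI counter accept comment "Accept Kali traffic"

        # loopback interface
        iifname $IF_LOOP counter accept comment "Accept localhost traffic"

        # Docker bridges: containers can reach ANY port of the host (SSH, DNS, SMB...).
        # NOTE(review): consider restricting this to the ports containers actually need.
        iifname $IF_DOCKER counter accept comment "Accept docker traffic"

        # icmp (IPv4 only; no ICMPv6 is accepted anywhere)
        icmp type echo-request counter accept comment "Accept ICMP Echo"

        # Special case: the ASUS router/AP (see chain asus_input)
        ip saddr $IP_ASUS-AP jump asus_input comment "Connections from ASUS Router/AP Manage"

        # SSH from the wired LAN (bound to the interface, not only the address)
        iifname $IF_LAN ip daddr $IP_SERVER tcp dport 22 counter accept comment "Accept SSH Request from LAN"

        # DNS resolver for both internal networks
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER meta l4proto { tcp, udp } th dport 53 counter accept comment "Accept DNS Request from LAN - TCP/UDP"

        # mDNS: dropped here only so it does not reach the final "INPUT DROP" log
        ip saddr { $NET_LIVEBOX, $NET_LAN } udp dport 5353 counter drop comment "Drop mDNS"

        # HTTPS from the wired LAN
        iifname $IF_LAN ip daddr $IP_SERVER tcp dport 443 counter accept comment "Accept HTTPS Request from LAN"

        # Open UDP Ports : Samsung (15600)
        ip saddr { $NET_LIVEBOX, $NET_LAN } udp dport 15600 counter accept comment "Accept UDP Request for Samsung TV"

        # Multicast (all-hosts group only)
        ip saddr { $IP_LIVEBOX, $IP_SERVER } ip daddr 224.0.0.1 counter accept comment "Accept Multicast TV Broadcast"

        # SSDP
        ip saddr { $NET_LIVEBOX, $NET_LAN } udp dport 1900 counter accept comment "Accept UDP Request for SSDP - TV"

        # SMB: NetBIOS name/datagram services (including the two subnet broadcasts) and TCP 445
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr { $IP_SERVER, 192.168.1.255, 192.168.100.255 } udp dport { 137 , 138 } counter accept comment "Accept SMB Request from LAN"
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 445 counter accept comment "Accept SMB Request from LAN"

        # NTPd
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER udp dport 123 counter accept comment "Accept NTP Request from LAN"

        # DHCP server: only on the wired LAN interface ($IF_WIFI is not listed here).
        # Broadcast DHCP from the Livebox side is dropped early so it does not flood
        # the "INPUT DROP" log.
        iifname $IF_LAN udp dport 67 counter accept comment "Accept DHCP Request"
        iifname $IF_LIVEBOX ip daddr 255.255.255.255 udp dport 67 counter drop comment "Drop Large Broadcast DHCP Request"

        # Containerised services reachable from BOTH internal networks, i.e. from any
        # device plugged into the Livebox as well. NOTE(review): Dozzle (container
        # logs) and the Traefik dashboard may run without authentication unless it
        # is configured -- check, or bind them to $IF_LAN like SSH/HTTPS above.
        # DOCKER / Uptime KUMA
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 3001 counter accept comment "Accept Kuma Uptime Request from LAN"

        # DOCKER / DOZZLE
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 9999 counter accept comment "Accept Dozzle Request from LAN"

        # DOCKER / Home Assistant
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 8123 counter accept comment "Accept Home Assistant Request from LAN"

        # DOCKER / Traefik Dashboard
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 8080 counter accept comment "Accept Traefik Request from LAN"

        # HUGO (dev server)
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 1313 counter accept comment "Accept HUGO Request from LAN"

        # DOCKER / COZY
        ip saddr { $NET_LIVEBOX, $NET_LAN } ip daddr $IP_SERVER tcp dport 80 counter accept comment "Accept COZY Request from LAN"

        ######### OPEN TO THE WORLD########
        # SSH -- brute-force protection relies entirely on the fail2ban sshd jail
        # (jail.conf), which must be running; harden sshd itself (key-only auth) too.
        iifname $IF_LIVEBOX ip daddr $IP_SERVER tcp dport 22 log prefix "INPUT SSH OK " group 0 counter accept comment "Accept SSH Request from WORLD"

        # HTTPS -- no fail2ban jail covers it; authentication is up to the application behind it.
        iifname $IF_LIVEBOX ip daddr $IP_SERVER tcp dport 443 log prefix "INPUT HTTPS OK " group 0 counter accept comment "Accept HTTPS Request from WORLD"

        # OpenVPN
        iifname $IF_LIVEBOX ip daddr $IP_SERVER udp dport 1194 log prefix "OPENVPN UDP OK " group 0 counter accept comment "Accept OPENVPN Request from WORLD"
        ###################################

        log prefix "INPUT DROP " group 0
        counter drop
    }

    chain forward {
        type filter hook forward priority 10;

        # Anti-spoofing, same rationale as in input; placed before the inventory
        # update so forged (MAC, IP) pairs are not recorded as active devices.
        iifname $IF_LIVEBOX ip saddr { $NET_LAN, $NET_DOCKER } log prefix "FORWARD SPOOF DROP " group 0 counter drop comment "Drop spoofed internal sources from WAN side"

        # Log Active Devices: remember (interface, MAC, IPv4) of every forwarded source
        iifname { $IF_LAN, $IF_WIFI, $IF_LIVEBOX, $IF_DOCKER } counter add @active_devices { iifname . ether saddr . ip saddr }

        # established/related connections
        ct state established,related accept
        ct state invalid counter drop

        # Kali box may be routed anywhere (previously a duplicated literal of $IP_KALI)
        ip saddr $IP_KALI counter accept comment "Accept Kali traffic"
        # Reverse shell: accept the $HACK_PORT connections DNAT'ed in prerouting
        iifname $IF_LIVEBOX ip daddr $IP_KALI tcp dport $HACK_PORT log prefix "FORWARD HACK OK " group 0 counter accept

        # DOCKER to LAN
        iifname $IF_DOCKER oifname $IF_LAN counter accept

        # LAN to DOCKER
        iifname $IF_LAN oifname $IF_DOCKER counter accept

        # DOCKER to WWW
        iifname $IF_DOCKER oifname $IF_LIVEBOX counter accept

        # LAN to WWW for Managed Range (schedule children wifi downtime)
        # NOTE(review): nft converts the hour range using the timezone in force when
        # the ruleset is loaded; after a DST change the window may be off by one hour
        # until the ruleset is reloaded -- verify with the installed nft version.
        iifname $IF_LAN oifname $IF_LIVEBOX ip saddr $NET_LAN_MANAGED meta hour "00:00"-"06:00" log prefix "WIFI DOWNTIME " group 0 counter drop

        # LAN to WWW
        iifname $IF_LAN oifname $IF_LIVEBOX counter accept

        log prefix "FORWARD DROP " group 0
        counter drop
    }

    chain output {
        type filter hook output priority 20;

        # established/related connections
        ct state established,related accept
        ct state invalid counter drop

        # Logs every new outbound packet whatever its destination; the "OK" rules
        # below log the accepted ones a second time.
        log prefix "OUTPUT VERBOSE " group 0

        # loopback interface
        oifname $IF_LOOP log prefix "OUTPUT LOCAL OK " group 0 counter accept comment "Accept localhost traffic"

        # Docker
        oifname $IF_DOCKER log prefix "OUTPUT DOCKER OK " group 0 counter accept comment "Accept docker traffic"

        # LAN
        oifname $IF_LAN ip daddr { $NET_LIVEBOX, $NET_LAN } log prefix "OUTPUT LAN OK " group 0 counter accept comment "Accept LAN traffic"

        # ICMP
        icmp type echo-request log prefix "OUTPUT ICMP OK " group 0 counter accept comment "Accept ICMP Output Request"

        # DNS (upstream resolution, TCP and UDP)
        oifname $IF_LIVEBOX ip saddr $IP_SERVER meta l4proto {tcp, udp} th dport 53 log prefix "OUTPUT DNS OK " group 0 counter accept comment "Accept DNS udp Output Request"

        # NTP
        oifname $IF_LIVEBOX ip saddr $IP_SERVER udp dport 123 log prefix "OUTPUT NTP OK " group 0 counter accept comment "Accept NTP Output Request"

        # SSH (any interface)
        tcp dport {22, 2222} log prefix "OUTPUT SSH OK " group 0 counter accept comment "Accept SSH Output Request"

        # WEB
        tcp dport 80 log prefix "OUTPUT HTTP OK " group 0 counter accept comment "Accept HTTP Output Request"
        tcp dport 443 log prefix "OUTPUT HTTPS OK " group 0 counter accept comment "Accept HTTPS Output Request"

        # RootMe (presumably root-me.org challenges); neither logged nor counted
        tcp dport 51069 accept

        log prefix "OUTPUT DROP " group 0
        counter drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Unconditional: every forwarded flow leaves with this host's address,
        # including LAN <-> Docker and LAN <-> Livebox-side traffic, so containers
        # and Livebox-side hosts never see the real client IP.
        # NOTE(review): "oifname $IF_LIVEBOX masquerade" would limit this to
        # Internet-bound traffic -- check nothing relies on the current behaviour first.
        masquerade;
        #log prefix "NAT POSTROUTING " group 0
        counter accept
    }
}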
Fail2ban
fail2ban/jail.conf
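[DEFAULT]
# NOTE(review): fail2ban overwrites jail.conf on package upgrades; local
# overrides belong in jail.local (or jail.d/*.conf), which take precedence.

# Destination email for action that send you an email
destemail =

# Sender email. Warning: not all actions take this into account. Make sure to test if you rely on this
sender =

# Default action. "action_" only bans (no email), so destemail/sender above are
# unused until action_mw / action_mwl is selected.
action = %(action_)s

# ignoreip can be a list of IP addresses, CIDR masks, or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list.
# Loopback, the 192.168.x networks (LAN and Livebox side) and the RFC 1918
# 172.16.0.0/12 range used by Docker. The previous value 172.0.0.0/8 also
# exempted PUBLIC address space (172.0.0.0-172.15.255.255 and 172.32.0.0 up)
# from ever being banned. If a Docker network really uses 172.13.0.0/16 as
# nftables.conf suggests, list that /16 explicitly instead of widening to /8.
ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12

# configure nftables
# NOTE(review): with the nftables actions, bans live in fail2ban's own table,
# which "flush ruleset" in nftables.conf removes -- restart or reload fail2ban
# after every nftables reload. "chain" here appears to name fail2ban's chain
# inside that table, not the hook it attaches to (that is "chain_hook", default
# input, priority -1, i.e. evaluated before nftables.conf's input chain); verify
# with `nft list ruleset` that bans are actually installed.
banaction = nftables-multiport
chain = input

# regular banning: 3 failures within 10 minutes -> 24h ban (before increment)
bantime = 24h
findtime = 600
maxretry = 3

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 30m

# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
bantime.maxtime = 60d

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
bantime.factor = 2

# purge database entries after
# NOTE(review): shorter than bantime.maxtime (60d) -- check with the installed
# fail2ban version that long bans, and the ban history the increment relies on,
# are not purged before they expire.
dbpurgeage = 30d

# Only sshd is protected. HTTPS (443/tcp) and OpenVPN (1194/udp) are also opened
# to the world in nftables.conf but have no jail here.
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
# aggressive = the sshd filter's normal + ddos + extra patterns, so pre-auth
# probes and disconnects count as failures too
mode = aggressive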