OVH Community, your new community space.

Firewall - OVH monitoring


angecorse
13/12/2015, 10:16
Hello everyone!

No need to point out the motto any more: "Help yourself on the forums, OVH won't help you".
And with good reason: they suggested I put this in my /etc/init.d/firewall:

Code:
# Server monitoring as proposed by OVH (the addresses are masked in the post:
# one rule per OVH monitoring network, plus one single host)
iptables -A INPUT -i eth0 -s IP_OVH/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s 151.80.118.90/32 -p ICMP -j ACCEPT
echo "Monitoring du serveur: OK"
But this doesn't fix the monitoring, since this code sets OVH's monitoring to "down".

Here, on the other hand, is the contents of my firewall:
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start the firewall script
# Description:       Firewall rules
### END INIT INFO

case "$1" in
start)

########## Initialisation ##########
# Flush the tables
iptables -t filter -F
iptables -t filter -X
echo "Mise à 0 des tables: OK"

# Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat

echo "Chargement des modules: OK"

# Deny all incoming and outgoing connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "Connexion entrantes et sortantes interdites: OK"

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Acceptation des connexions en cours: OK"

########## Rules ##########
# Local traffic
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Acceptation du trafic local: OK"

# Ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "Acceptation du Ping: OK"

# SSH (MON_PORT = the SSH port, masked in the post)
iptables -t filter -A INPUT -p tcp --dport MON_PORT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport MON_PORT -j ACCEPT
echo "Ouverture du port SSH: OK"

# DNS
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
echo "Gestion des DNS: OK"

# NTP
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "Gestion de l'horloge atomique NTP: OK"

# FTP
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
echo "Gestion FTP: OK"

# FTP - passive mode
#iptables -A OUTPUT -o eth0 -p tcp --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 30000:35000 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 30000:35000 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
echo "FTP - Mode passif: OK"

# FTP - active mode
iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "FTP - Mode actif: OK"

# FTP client
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "FTP Client: OK"

# FTP client - active mode
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
echo "FTP Client - Mode actif: OK"

# FTP client - passive mode
iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "FTP Client - Mode passif: OK"

# HTTP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
echo "Gestion du port HTTP: OK"

# HTTPS (443 and 8443)
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
echo "Gestion du port HTTPS: OK"

# MySQL (MON_PORT = the MySQL port, masked in the post)
iptables -t filter -A INPUT -p tcp --dport MON_PORT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport MON_PORT -j ACCEPT
echo "Gestion du port MySQL: OK"

# SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo "Gestion du port SMTP: OK"

# POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo "Gestion du port POP3: OK"

# IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo "Gestion du port IMAP: OK"

# SMTPS (587 is the mail submission port)
iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
echo "Gestion du port SMTPS: OK"

# IMAPS
iptables -t filter -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 993 -j ACCEPT
echo "Gestion du port IMAPS: OK"

# POP3S
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo "Gestion du port POP3S: OK"

# Postgrey (MON_PORT = the Postgrey port, masked in the post)
iptables -t filter -A INPUT -p tcp --dport MON_PORT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport MON_PORT -j ACCEPT
echo "Gestion du port de Postgrey: OK"

# Server monitoring as proposed by OVH (the addresses are masked in the post:
# one rule per OVH monitoring network, plus one single host)
iptables -A INPUT -i eth0 -s IP_OVH_MONITORING_SLA/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH_MONITORING_SLA/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH_MONITORING_SLA/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH_MONITORING_SLA/24 -p ICMP -j ACCEPT
iptables -A INPUT -i eth0 -s IP_OVH_MONITORING_SLA/32 -p ICMP -j ACCEPT
echo "Monitoring du serveur: OK"

# Flood (these rules are in the FORWARD chain, so they only affect routed
# traffic, which the FORWARD DROP policy already blocks; they do not
# rate-limit anything reaching this host through INPUT)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Port scan (same remark: FORWARD chain only)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# My own monitoring (MON_PORT = its port, masked in the post)
iptables -t filter -A INPUT -p tcp --dport MON_PORT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport MON_PORT -j ACCEPT

echo ""
echo ""
echo "===== FIREWALL START ====="
echo ""
echo ""
;;
status)

echo "- Liste des regles :"
iptables -L
;;
stop)

# Flush the tables and reopen everything
iptables -t filter -F
iptables -t filter -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "Vidage des tables: OK"
echo ""
echo ""
echo "===== FIREWALL STOP ====="
echo ""
echo ""
;;
esac
exit 0
If a "master" geek can help me, because this script breaks OVH's monitoring: ping, ssh, http, https, dns, smtp.

Thanks for any possible support!
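The script above appends rules one at a time, so a failure halfway through leaves the box in an undefined state, and it gives the monitoring probes no guaranteed place in the chain. The following is an added example, not code from the forum post or from OVH, showing how a defender would build the same kind of host firewall for a server that is probed by an external monitoring service: the ruleset is generated as an iptables-restore file (applied atomically), the monitoring sources get an unlimited ACCEPT placed before any rate limit or DROP, a small awk lint refuses to apply a ruleset in which a DROP/REJECT shadows a monitoring source, and a rollback timer restores the previous rules if the new ones cut off your own access. It reuses the post's placeholders IP_OVH_MONITORING_SLA/24 and /32; SSH on port 22, the public service list (80, 443, 25, 53), the save path /run/firewall.previous and the explicit final DROP rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the forum post or from OVH: generate a host firewall
# for a server probed by an external monitoring service, lint it so the probe
# sources are never shadowed by an earlier DROP/REJECT, and apply it atomically
# with a rollback timer. IP_OVH_MONITORING_SLA/* are the post's placeholders;
# port 22 for SSH and the service list are assumptions: adjust them.

MONITORING_SOURCES="${MONITORING_SOURCES:-IP_OVH_MONITORING_SLA/24 IP_OVH_MONITORING_SLA/32}"
SSH_PORT="${SSH_PORT:-22}"                           # the post uses MON_PORT
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443 25 53}" # services open to everyone
MONITORED_TCP_PORTS="$SSH_PORT $PUBLIC_TCP_PORTS"    # what the probes check

# Print one iptables-restore line from its arguments.
rule() { printf '%s\n' "$*"; }

# Print a complete iptables-restore file on stdout. Order matters: loopback,
# conntrack and the monitoring sources come first, then the public services,
# then logging and an explicit final DROP. The rate limit on public pings
# cannot starve the monitoring probes because their unlimited ACCEPT precedes it.
build_ruleset() {
    mon_ports=$(printf '%s' "$MONITORED_TCP_PORTS" | tr ' ' ',')
    pub_ports=$(printf '%s' "$PUBLIC_TCP_PORTS" | tr ' ' ',')
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    for src in $MONITORING_SOURCES; do
        rule -A INPUT -s "$src" -p icmp -j ACCEPT
        rule -A INPUT -s "$src" -p tcp -m multiport --dports "$mon_ports" -j ACCEPT
    done
    rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    rule -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    rule -A INPUT -p tcp -m multiport --dports "$pub_ports" -j ACCEPT
    rule -A INPUT -p udp --dport 53 -j ACCEPT
    rule -A OUTPUT -p udp -m multiport --dports 53,123 -j ACCEPT
    rule -A OUTPUT -p tcp -m multiport --dports 25,53,80,443 -j ACCEPT
    rule -A INPUT -m limit --limit 2/minute -j LOG --log-prefix '"fw-drop: "'
    rule -A INPUT -j DROP
    rule COMMIT
}

# Exit 0 only if every monitoring source has an ACCEPT in INPUT that sits
# before the first DROP/REJECT rule in INPUT. Policy lines (":INPUT DROP") are
# not rules: the policy is consulted only after the whole chain is exhausted.
check_monitoring_first() {
    printf '%s\n' "$1" | awk -v srcs="$MONITORING_SOURCES" '
        BEGIN { n = split(srcs, want, " "); first_drop = 0; bad = 0 }
        /^-A INPUT / && /-j (DROP|REJECT)/ && first_drop == 0 { first_drop = NR }
        /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= n; i++) {
                if (index($0, "-s " want[i] " ") && !seen[i]) {
                    seen[i] = 1
                    if (first_drop) {
                        print "source " want[i] " is accepted only after the DROP on line " first_drop
                        bad = 1
                    }
                }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!seen[i]) { print "no ACCEPT rule for source " want[i]; bad = 1 }
            exit bad
        }'
}

# Apply atomically. The background timer restores the previous rules after
# 60 s unless it is killed, so a bad ruleset cannot lock you out of a remote box.
apply_with_rollback() {
    check_monitoring_first "$(build_ruleset)" || { echo "refusing to apply: monitoring would be shadowed" >&2; return 1; }
    iptables-save > /run/firewall.previous
    ( sleep 60 && iptables-restore < /run/firewall.previous ) &
    echo "rollback timer pid $!; run 'kill $!' once you have confirmed you still have access"
    build_ruleset | iptables-restore
}

case "${1:-}" in
    print) build_ruleset ;;
    check) check_monitoring_first "$(build_ruleset)" && echo "monitoring rules OK" ;;
    apply) apply_with_rollback ;;
esac
```

Run `sh firewall.sh print` to inspect the generated file, `sh firewall.sh check` to run the lint on its own, and `sh firewall.sh apply` as root; then confirm from the outside that ping and SSH still work and kill the rollback timer. Replacing the placeholders with the real monitoring networks is all that is needed for the lint to check the addresses that matter.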