iptables (newfireX)
Firewall com iptables
Categoria: Networking
Software: iptables
[ Hits: 7.221 ]
Por: luiz vigiato
Configuração do iptables de tal forma que sua máquina não seja vista de fora pra dentro, sua intranet seja roteada para fora e você possa acessar e-mail e outros servicos externos. Especial para quem tem ADSL.
Em caso de problemas pode me contactar pelo e-mail: vigiatoluiz@bol.com.br.
#!/bin/sh # description: Firewall Basico # # chkconfig: 2345 80 30 # processname: iptables # pidfile: /var/run/iptable.pid # # firewall-masq This script sets up firewall rules for a machine # acting as a masquerading gateway # # IPTABLES configurating by Luiz Vigiato 09/04/03 for ADSL # vigiatoluiz@bol.com.br # ACRESCENTAR A LINHA ABAIXO EM /etc/syslog.conf # kern.=alert -/var/log/firewall.log # # Identificacao do programa iptables WIPT="/usr/sbin/iptables" INTRANET_PORT="eth0" INTERNET_PORT="ppp0" INTRANET=$(/sbin/ifconfig $INTRANET_PORT|grep inet |cut -d: -f2|cut -d\ -f2) INTERNET=$(/sbin/ifconfig $INTERNET_PORT|grep inet |cut -d: -f2|cut -d\ -f2) SERVER_DNS="$(cat /etc/resolv.conf |cut -d\ -f2) $INTRANET" echo ---------------------- echo Intranet := $INTRANET_PORT - $INTRANET echo Internet := $INTERNET_PORT - $INTERNET echo DNS := $SERVER_DNS echo ---------------------- #--------------------------------------------------------------- ANYWHERE="0.0.0.0/0" LOOPBACK="127.0.0.1/8" TRACEROUTE_SRC="32769:35535" TRACEROUTE_DES="33434:33523" NFS_PORT="2049" PRIVPORTS="0:1023" UNPRIVPORTS="1024:65535" SSH_PORTS="1020:1023" XWINDOW_PORTS="6000:6063" SOCKS_PORT="1080" OPEN_WINDOWS_PORT="2000" NFS_PORT="2049" #-----------------------------## Configuracao dos modulos # modprobe ip_contrack # modprobe ip_contrack_ftp # modprobe ipt_log # modprobe ipt_reject /sbin/modprobe iptable_nat /sbin/modprobe ip_tables /sbin/modprobe ipt_state /sbin/modprobe ipt_unclean /sbin/modprobe ipt_limit #------------------------------## Configuracao da protecao echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/tcp_syncookies # echo 1 > /proc/sys/net/ipv4/ip_always_defrag echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 1 > $f; done for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 1 > $f; done for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 1 > $f; done for f in /proc/sys/net/ipv4/conf/*/log_martians ; do echo 1 > $f; done #------------------------------## Inicializacao Completa case "$1" in start) #--------------------------## Limpando Chains $WIPT -F $WIPT -X $WIPT -F FORWARD $WIPT -F INPUT $WIPT -F OUTPUT #-----------------------------## Definicoes de configuracao #---------------------------------------------------------- $WIPT -N log_drop $WIPT -A log_drop -j LOG --log-level 1 --log-prefix DROPPED:: $WIPT -A log_drop -j DROP $WIPT -N log_accept $WIPT -A log_accept -m limit -j LOG --log-level 1 --log-prefix ACCEPTED:: $WIPT -A log_accept -j ACCEPT $WIPT -N log_reject $WIPT -A log_reject -j LOG --log-level 1 --log-prefix REJECTED:: $WIPT -A log_reject -j REJECT $WIPT -N log_unclean $WIPT -A log_unclean -j LOG --log-level 1 --log-prefix UNCLEANED:: $WIPT -A log_unclean -j DROP $WIPT -N log_fragment $WIPT -A log_fragment -j LOG --log-level 1 --log-prefix FRAGMENTO:: $WIPT -A log_fragment -j DROP $WIPT -N log_spoofed $WIPT -A log_spoofed -j LOG --log-level 1 --log-prefix SPOOFED:: $WIPT -A log_spoofed -j ACCEPT $WIPT -N log_priv $WIPT -A log_priv -j LOG --log-level 1 --log-prefix PRIV:: $WIPT -A log_priv -j ACCEPT $WIPT -N log_ass_unpriv $WIPT -A log_ass_unpriv -j LOG --log-level 1 --log-prefix ASS_UnPrivPort:: $WIPT -A log_ass_unpriv -j DROP $WIPT -N log_traceroute $WIPT -A log_traceroute -j LOG --log-level 1 --log-prefix TRACEROUTE:: $WIPT -A log_traceroute -j DROP $WIPT -N log_in_new $WIPT -A log_in_new -j LOG --log-level 1 --log-prefix LOG_NEW:: $WIPT -A log_in_new -j DROP $WIPT -N log_in_invalid $WIPT -A log_in_invalid -j LOG --log-level 1 --log-prefix LOG_INVALID:: $WIPT -A log_in_invalid -j DROP # Habilitando serviços SSH/SMTP/POP/WWW/ ... $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 22 -j log_accept $WIPT -A INPUT -p udp -i $INTRANET_PORT --dport 22 -j log_accept $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 25 -j log_accept $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 80 -j log_accept $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 110 -j log_accept $WIPT -A FORWARD -p tcp -i $INTERNET_PORT --dport 22 -j log_accept $WIPT -A FORWARD -p udp -i $INTRANET_PORT --dport 22 -j log_accept $WIPT -A FORWARD -p tcp -i $INTERNET_PORT --dport 25 -j log_accept $WIPT -A FORWARD -p tcp -i $INTERNET_PORT --dport 80 -j log_accept $WIPT -A FORWARD -p tcp -i $INTERNET_PORT --dport 110 -j log_accept ## REDIRECIONADOR PROXY #$WIPT -A PREROUTING -t nat -i $INTRANET_PORT -p tcp -j REDIRECT --to 192.168.0.1:3128 $WIPT -t nat -A PREROUTING -i $INTRANET_PORT -p tcp --dport 80 -j REDIRECT --to-port 3128 ## LOOPBACK $WIPT -A INPUT -i lo -j ACCEPT $WIPT -A OUTPUT -o lo -j ACCEPT ## FRAGMENTOS $WIPT -A INPUT -i $INTERNET_PORT -m unclean -j log_unclean $WIPT -A INPUT -f -i $INTERNET_PORT -j log_fragment ## SPOOFINGS SPO8="0 1 2 3 4 5 7 10 23 27 31 36 37 39 41 42 49 50 60 67 68 72 80 96 192 197" spo32="169.254.0.0/16 192.0.2.0/24 218.0.0.0/7 220.0.0.0/6 224.0.0.0/3 224.0.0.0/4 224.0.0.0/5 0.0.0.0" for i in $SPO8 do $WIPT -A INPUT -i $INTERNET_PORT -s $i.0.0.0/8 -j log_spoofed done for i in $spo32 do $WIPT -A INPUT -i $INTERNET_PORT -s $i -j log_spoofed done $WIPT -A INPUT -i $INTERNET_PORT -s $INTERNET -j log_spoofed #------------------------------## Bloqueios diversos. # Kazaa $WIPT -A INPUT -i $INTERNET_PORT -s 192.168.0.0/24 -j log_reject $WIPT -A OUTPUT -o $INTERNET_PORT -d 192.168.0.0/24 -j log_reject $WIPT -A INPUT -s 192.168.0.0/24 -i $INTERNET_PORT -j log_reject $WIPT -A OUTPUT -d 192.168.0.0/24 -o $INTERNET_PORT -j log_reject $WIPT -A FORWARD -d 192.168.0.107/32 -j log_drop $WIPT -A FORWARD -d 192.168.0.136/32 -j log_drop $WIPT -A FORWARD -d 192.168.0.137/32 -j log_drop $WIPT -A FORWARD -d 192.168.0.110/32 -j log_drop #$WIPT -A FORWARD -d 192.168.0.138/32 -j log_drop $WIPT -A FORWARD -d 192.168.0.139/32 -j log_drop $WIPT -A FORWARD -d 192.168.0.140/32 -j log_drop # $WIPT -A FORWARD -i $INTRANET_PORT -j log_drop $WIPT -A FORWARD -d 213.248.112.0/24 -j log_drop SPO="1214,1436,1477,1492,4200,4422,4444,7777,8888" $WIPT -A FORWARD -p tcp -m multiport --source-port $SPO -j log_reject $WIPT -A FORWARD -p udp -m multiport --source-port $SPO -j log_reject #$WIPT -A OUTPUT -o $INTERNET_PORT --source_port 1214 -j log_reject # Habilitando DNS $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 53 -j log_accept $WIPT -A INPUT -p udp -i $INTERNET_PORT --source-port 53 -j log_accept $WIPT -A OUTPUT -p tcp -o $INTRANET_PORT --dport 53 -j log_accept $WIPT -A OUTPUT -p udp -o $INTRANET_PORT --source-port 53 -j log_accept # $WIPT -A OUTPUT -f -d $INTERNET -j DROP # $WIPT -A FORWARD -p TCP --syn -m limit --limit 1/s -j log_accept # #$WIPT -A INPUT -p TCP --syn --destination-port 80 -j log_accept # #$WIPT -A INPUT -p TCP --syn --destination-port 22 -j log_accept # #$WIPT -A FORWARD -p TCP --syn --destination_port 25 -j log_accept # #$WIPT -A FORWARD -p TCP --syn --destination_port 110 -j log_accept # 05092003 $WIPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $WIPT -t nat -A POSTROUTING -o $INTERNET_PORT -j MASQUERADE $WIPT -A INPUT -i $INTERNET_PORT -m state --state NEW,INVALID -j DROP $WIPT -A FORWARD -i $INTERNET_PORT -m state --state NEW,INVALID -j DROP # #---------------------------- ## Servicos permitidos for NSADDR in $SERVER_DNS do echo $NSADDR $WIPT -A OUTPUT -o $INTERNET_PORT -p udp -s $INTERNET --sport $UNPRIVPORTS -d $NSADDR --dport 53 -j ACCEPT $WIPT -A INPUT -i $INTERNET_PORT -p udp -s $NSADDR --sport 53 -d $INTERNET --dport $UNPRIVPORTS -j ACCEPT #$WIPT -A OUTPUT -o $INTERNET_PORT -p udp -s $INTERNET --sport $UNPRIVPORTS -d $NSADDR --dport 53 -j ACCEPT done #---------------------------## Servicos Negados #--------- Portas privilegiadas $WIPT -A INPUT -i $INTERNET_PORT -p tcp --dport $PRIVPORTS -j log_priv # $WIPT -A OUTPUT -o $INTERNET_PORT -p tcp --sport $PRIVPORTS -j log_reject $WIPT -A INPUT -i $INTERNET_PORT -p udp --dport $PRIVPORTS -j log_priv # $WIPT -A OUTPUT -o $INTERNET_PORT -p udp --sport $PRIVPORTS -j log_reject #--------- Portas nao privilegiadas $WIPT -A INPUT -i $INTERNET_PORT -p tcp --dport $XWINDOW_PORTS --syn -j log_ass_unpriv $WIPT -A OUTPUT -o $INTERNET_PORT -p tcp --dport $XWINDOW_PORTS --syn -j log_reject $WIPT -A INPUT -m multiport -i $INTERNET_PORT -p tcp --dport $SOCKS_PORT,$OPEN_WINDOWS_PORT,$NFS_PORT --syn -j log_ass_unpriv $WIPT -A OUTPUT -m multiport -o $INTERNET_PORT -p tcp --dport $SOCKS_PORT,$OPEN_WINDOWS_PORT,$NFS_PORT --syn -j log_reject $WIPT -A INPUT -i $INTERNET_PORT -p udp --dport $NFS_PORT -j log_ass_unpriv $WIPT -A OUTPUT -o $INTERNET_PORT -p udp --dport $NFS_PORT -j log_ass_unpriv ##--------- Traceroute UDP $WIPT -A INPUT -i $INTERNET_PORT -p udp --sport $TRACEROUTE_SRC --dport $TRACEROUTE_DES -j log_traceroute #--------- Regra DSUST $WIPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #$WIPT -A INPUT -m state --state NEW -j log_in_new $WIPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $WIPT -A INPUT -m state --state INVALID -j log_in_invalid $WIPT -A OUTPUT -m limit -j LOG --log-level 1 --log-prefix "Out.P.REJ" $WIPT -A INPUT -m limit -j LOG --log-level 1 --log-prefix "Inp.P.DROP" $WIPT -A FORWARD -m limit -j LOG --log-level 1 --log-prefix "Fw.P.DROP" logger "Firewall instalado" echo "Firewall total rodando " #=============================================================# ;; minimo) #------------------------------## Limpando Chains $WIPT -F $WIPT -X $WIPT -F FORWARD $WIPT -F INPUT $WIPT -F OUTPUT #-----------------------------## Definicoes de configuracao $WIPT -t nat -A POSTROUTING -o $INTERNET_PORT -j MASQUERADE #$WIPT -t nat -A POSTROUTING -o $INTRANET_PORT -j MASQUERADE $WIPT -A FORWARD -p TCP --syn -m limit --limit 1/s -j ACCEPT $WIPT -A FORWARD -i $INTERNET_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT $WIPT -A FORWARD -i $INTERNET_PORT -m state --state INVALID -j DROP # Habilitando serviços SSH/SMTP/POP/WWW/ ... $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 22 -j ACCEPT $WIPT -A INPUT -p tcp -i $INTRANET_PORT --dport 22 -j ACCEPT $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 25 -j ACCEPT $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 80 -j ACCEPT $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 110 -j ACCEPT # Habilitando DNS $WIPT -A INPUT -p tcp -i $INTERNET_PORT --dport 53 -j ACCEPT $WIPT -A INPUT -p udp -i $INTERNET_PORT --source-port 53 -j ACCEPT $WIPT -A OUTPUT -p tcp -o $INTRANET_PORT --dport 53 -j ACCEPT $WIPT -A OUTPUT -p udp -o $INTRANET_PORT --source-port 53 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward echo Firewall MINIMO rodando ;; status) $WIPT -L ;; stop) #------------------------------## Limpando Chains $WIPT -F $WIPT -X $WIPT -F FORWARD $WIPT -F INPUT $WIPT -F OUTPUT $WIPT -L echo Fierewall DESATIVADO #-----------------------------## Definicoes de configuracao ;; *) echo "Use : newfire1 (start/minimo/status/stop)" ;; esac exit 0
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
GLPI - Configuração de destinatário com conta Microsoft Exchange (0)
Vou voltar moderar conteúdos de Dicas e Artigos (3)
OpenVPN no MACBOOK conecta mas não pinga pastas de rede compartilhada ... (1)
Melhorando a precisão de valores flutuantes em python[AJUDA] (8)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta