FIREWALL WITH IPTABLES

Published by Vinícius de Paula Figueiredo on 29/03/2004





This script was written for anyone looking for a quick and cheap (free) solution to protect their network against attacks. It is fully commented; if anything is unclear, send in your questions.


#!/bin/bash
clear
echo "Aplicando Firewall..."

# Variable definitions
HOSTNAME="firenet"          # resolved through the resolver (/etc/hosts) when the rules are loaded
SRV01="10.0.0.3"            # internal server used by the (commented-out) port forwards
ETH_NET="eth0"              # Internet-facing interface
ETH_LOC="eth1"              # LAN interface
IP_NET="192.168.1.143"      # address on the Internet-facing interface
IP_LOC="10.0.0.254"         # address on the LAN interface
NET_LOC="10.0.0.0/8"        # LAN network
# Ports watched by PortSentry. The multiport match takes at most 15 ports
# per rule, which is why each list is split in two.
SENTRY_TCP1="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345"
SENTRY_TCP2="12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
SENTRY_UDP1="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770"
SENTRY_UDP2="32771,32772,32773,32774,31337,54321"

# Flush all firewall rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Delete all user-defined chains
iptables -X

# Zero all table counters
iptables -Z

# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

# Enable IP forwarding (disabled here; the SNAT rule further below only
# forwards LAN traffic if forwarding is enabled here or elsewhere)
#echo 1 > /proc/sys/net/ipv4/ip_forward

echo "######################################"
echo "########## LOGS DE SERVICOS ##########"
echo "######################################"

# Log SSH connection attempts from the Internet and drop them. The limit
# match is applied to the LOG rule (at most 2 entries/s, burst 3) so that a
# scan cannot flood the log; SSH is only accepted from the LAN, further below.
iptables -A INPUT -p tcp --syn -i $ETH_NET -s 0/0 -d $IP_NET --dport 22 -m limit --limit 2/s --limit-burst 3 -j LOG --log-prefix "Tentativa de Conexao SSH:"
iptables -A INPUT -p tcp --syn -i $ETH_NET -s 0/0 -d $IP_NET --dport 22 -j DROP

# Log FTP connection attempts. Note that "-m limit" matches packets *within*
# the limit, so this writes at most 10 entries/s; it does not single out the excess.
iptables -A INPUT -p tcp --syn -i $ETH_NET -s 0/0 -d $IP_NET --dport 21 -m limit --limit 10/s --limit-burst 3 -j LOG --log-prefix "Excesso de conexoes FTP:"

# Log HTTP connection attempts (at most 15 entries/s)
iptables -A INPUT -p tcp --syn -i $ETH_NET -s 0/0 -d $IP_NET --dport 80 -m limit --limit 15/s --limit-burst 3 -j LOG --log-prefix "Excesso de conexoes HTTP:"

# Log echo-request packets (at most 10 entries/s)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j LOG --log-prefix "Excesso de pacotes ICMP 8:"

#iptables -A INPUT -i eth1 -s 10.0.0.25 -j LOG --log-prefix " NETMEETING INPUT "
#iptables -A OUTPUT -o eth1 -d 10.0.0.25 -j LOG --log-prefix " NETMEETING OUTPUT "

echo "#######################################"
echo "######### PACOTES INDESEJADOS #########"
echo "#######################################"

## Blocking rules by MAC address (LAN machines that must not use the firewall)
# Drop Carlos...
iptables -t filter -A INPUT -m mac --mac-source 00:50:22:87:DE:C4 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:50:22:87:DE:C4 -j DROP
# Drop Alex...
iptables -t filter -A INPUT -m mac --mac-source 00:50:FC:60:90:1F -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:50:FC:60:90:1F -j DROP
# Drop Rogerio...
iptables -t filter -A INPUT -m mac --mac-source 00:0A:E6:17:A1:F0 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:0A:E6:17:A1:F0 -j DROP
# Drop Rubens' new machine...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:7D:C9:FF:28 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:7D:C9:FF:28 -j DROP
# Drop Leandro...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:18:DA:6F:C3 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:18:DA:6F:C3 -j DROP
# Drop Fabio...
iptables -t filter -A INPUT -m mac --mac-source 00:50:22:8C:B0:E0 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:50:22:8C:B0:E0 -j DROP
# Drop Mezenga...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:18:DA:70:3D -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:18:DA:70:3D -j DROP
# Drop Junin...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:7D:E6:68:C9 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:7D:E6:68:C9 -j DROP
# Drop Carlin...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:7D:A0:7E:FC -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:7D:A0:7E:FC -j DROP
# Drop Luiz...
iptables -t filter -A INPUT -m mac --mac-source 00:E0:7D:FA:96:D6 -j DROP
iptables -t filter -A FORWARD -m mac --mac-source 00:E0:7D:FA:96:D6 -j DROP

# Log and drop TCP packets in state NEW that do not carry the SYN flag
iptables -A INPUT -p tcp -s 0/0 -i $ETH_NET ! --syn -m state --state NEW -j LOG --log-prefix "INPUT: DROP: NEW sem SYN"
iptables -A INPUT -p tcp -s 0/0 -i $ETH_NET ! --syn -m state --state NEW -j DROP

# Log and drop malformed packets (the experimental "unclean" match; not
# available on newer kernels), and drop fragments
iptables -A INPUT -m unclean -i $ETH_NET -j LOG --log-prefix "INPUT: DROP: unclean"
iptables -A INPUT -m unclean -i $ETH_NET -j DROP
iptables -A INPUT -f -i $ETH_NET -j DROP

# Drop packets from private and loopback ranges arriving on the Internet
# interface (IP spoofing). Without a netmask "-s 10.0.0.0" matches only that
# single address, so the ranges are written in CIDR form.
# 192.168.0.0/16 is deliberately not dropped here: this firewall's own
# Internet-facing address ($IP_NET) lies inside 192.168.1.0/24.
iptables -A INPUT -i $ETH_NET -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $ETH_NET -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $ETH_NET -s 172.16.0.0/12 -j DROP

# Drop packets claiming the unspecified ("this network") or the
# limited-broadcast address as source
iptables -A INPUT -i $ETH_NET -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i $ETH_NET -s 255.255.255.255 -j DROP

# Deny all reserved IP ranges that may arrive from the Internet, since they
# can be used in IP spoofing attacks. See
# www.iana.org/assignments/ipv4-address-space

# Drop multicast (224.0.0.0/4) and reserved (240.0.0.0/4) sources unless the
# host is connected to a multicast-enabled backbone
iptables -A INPUT -i $ETH_NET -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i $ETH_NET -s 240.0.0.0/4 -j DROP

# Deny TCP flag combinations typically used by network scanners
iptables -N NEGAR
iptables -A NEGAR -m limit --limit 15/m -j LOG --log-prefix "INPUT: DROP: flags ilegais"
iptables -A NEGAR -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $ETH_NET -j NEGAR
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $ETH_NET -j NEGAR

# Chain for TCP traffic: accept packets that open a connection (SYN only)
# and packets of established or related connections; drop everything else.
# Any rule that jumps here therefore allows new connections to that service.
iptables -N TCP_CONNECT
iptables -A TCP_CONNECT -p tcp --syn -j ACCEPT
iptables -A TCP_CONNECT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TCP_CONNECT -p tcp -j DROP

# Chain for UDP traffic: UDP has no handshake, so new, related and
# established datagrams are accepted and the rest (INVALID) is dropped.
iptables -N UDP_CONNECT
iptables -A UDP_CONNECT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A UDP_CONNECT -p udp -j DROP

echo "#################################################"
echo "# REGRAS DAS CONEXOES ENTRE FIREWALL E INTERNET #"
echo "#################################################"

# Allow DNS over UDP (replies from port 53 in, queries to port 53 out)
iptables -A INPUT -p udp -i $ETH_NET -s 0/0 -d $IP_NET --sport 53 -j UDP_CONNECT
iptables -A OUTPUT -p udp -o $ETH_NET -s $IP_NET -d 0/0 --dport 53 -j UDP_CONNECT

# Allow TCP: replies to connections the firewall itself opened (high ports,
# established/related only, so the Internet cannot open new connections to
# arbitrary high ports) and all outbound TCP
iptables -A INPUT -p tcp -i $ETH_NET --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o $ETH_NET -j TCP_CONNECT

# Allow loopback traffic and the firewall's own traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $HOSTNAME -d $HOSTNAME -j ACCEPT
# Accepts everything the firewall sends from its own address; the OUTPUT
# rules below only matter for packets that do not carry that address
iptables -A OUTPUT -s $HOSTNAME -d 0/0 -j ACCEPT

# Allow ICMP echo in and out of the firewall on the LAN side (rate-limited)
iptables -A INPUT -i $ETH_LOC -p icmp --icmp-type echo-reply -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -i $ETH_LOC -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A OUTPUT -o $ETH_LOC -p icmp --icmp-type echo-reply -m limit --limit 5/s -j ACCEPT
iptables -A OUTPUT -o $ETH_LOC -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

# Let connections reach the PortSentry ports so that PortSentry sees them
iptables -A INPUT -p tcp -s 0/0 -m multiport --dports $SENTRY_TCP1 -j TCP_CONNECT
iptables -A INPUT -p tcp -s 0/0 -m multiport --dports $SENTRY_TCP2 -j TCP_CONNECT
iptables -A INPUT -p udp -s 0/0 -m multiport --dports $SENTRY_UDP1 -j UDP_CONNECT
iptables -A INPUT -p udp -s 0/0 -m multiport --dports $SENTRY_UDP2 -j UDP_CONNECT

# Allow connections to the web server
iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME -m multiport --dports 80,443 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 -m multiport --sports 80,443 -j TCP_CONNECT

# Allow connections to the MySQL server (LAN only)
iptables -A INPUT  -p tcp -i $ETH_LOC -s $NET_LOC -d $HOSTNAME --dport 3306 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -o $ETH_LOC -s $HOSTNAME -d $NET_LOC --sport 3306 -j TCP_CONNECT

# Allow connections to the FTP server
iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME -m multiport --dports 20,21 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 -m multiport --sports 20,21 -j TCP_CONNECT

# Allow use of the Squid proxy (LAN only)
iptables -A INPUT -p tcp -s $NET_LOC -i $ETH_LOC -d $HOSTNAME --dport 3128 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -o $ETH_LOC -s $HOSTNAME -d $NET_LOC --sport 3128 -j TCP_CONNECT

# Allow Squid authentication (via smb_auth) against the domain controller at 192.168.1.1
iptables -A INPUT -p udp -i $ETH_NET -s 192.168.1.1 -d $IP_NET --sport 137 -j ACCEPT
iptables -A OUTPUT -o $ETH_NET -s $IP_NET -d 192.168.1.255 -p udp --dport 137 -j ACCEPT
iptables -A OUTPUT -o $ETH_NET -s $IP_NET -d 192.168.1.1 -p udp --dport 137 -j ACCEPT

# Allow SSH, only from the LAN and only from one administrator's MAC address
iptables -A INPUT -p tcp -i $ETH_LOC -s $NET_LOC -d $HOSTNAME -m mac --mac-source 00:E0:7D:FA:B3:28 --dport 22 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -o $ETH_LOC -d $NET_LOC --sport 22 -j ACCEPT

# Allow syslog to the log server on the LAN
iptables -A INPUT -p udp -i $ETH_LOC -s $NET_LOC -d $HOSTNAME --sport 514 -j UDP_CONNECT
iptables -A OUTPUT -p udp -o $ETH_LOC -s $HOSTNAME -d $NET_LOC --dport 514 -j UDP_CONNECT

# Allow NetMeeting services
# Gatekeeper monitoring port
iptables -A INPUT -i $ETH_LOC -p tcp -s $NET_LOC -d $HOSTNAME --dport 7000 -j TCP_CONNECT
iptables -A OUTPUT -o $ETH_LOC -p tcp -s $HOSTNAME -d $NET_LOC --sport 7000 -j TCP_CONNECT

# Gatekeeper connection port (H.225 RAS)
iptables -A INPUT -p udp -s 0/0 -d $HOSTNAME --dport 1719 -j UDP_CONNECT
iptables -A OUTPUT -p udp -s $HOSTNAME -d 0/0 --sport 1719 -j UDP_CONNECT

# H.323 call signalling
iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME --dport 1720 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 --sport 1720 -j TCP_CONNECT

# Port 1721
iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME --dport 1721 -j ACCEPT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 --sport 1721 -j ACCEPT

# Dynamic port ranges used by the gatekeeper (inbound to the firewall,
# replies back out from the same ports)
iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME --dport 20000:20050 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 --sport 20000:20050 -j TCP_CONNECT

iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME --dport 30000:30050 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 --sport 30000:30050 -j TCP_CONNECT

iptables -A INPUT -p tcp -s 0/0 -d $HOSTNAME --dport 40000:40050 -j TCP_CONNECT
iptables -A OUTPUT -p tcp -s $HOSTNAME -d 0/0 --sport 40000:40050 -j TCP_CONNECT

iptables -A INPUT -p udp -s 0/0 -d $HOSTNAME --dport 50000:50050 -j UDP_CONNECT
iptables -A OUTPUT -p udp -s $HOSTNAME -d 0/0 --sport 50000:50050 -j UDP_CONNECT


echo "#################################################"
echo "####### REPASSE DE PACOTES PELO FIREWALL ########"
echo "#################################################"

# TODO: check whether ports and states need filtering here.
# New connections may only be opened from the LAN towards the Internet;
# only replies come back in. With the FORWARD policy set to ACCEPT above,
# these two rules merely document the intended flows; set the policy to DROP
# for them to be enforced.
iptables -A FORWARD -i $ETH_NET -o $ETH_LOC -d $NET_LOC -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ETH_LOC -o $ETH_NET -d 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# General address masquerading (source NAT) for the LAN
iptables -t nat -A POSTROUTING -o $ETH_NET -s $NET_LOC -j SNAT --to-source $IP_NET

# Port forwarding to server1
#iptables -t nat -A PREROUTING -p tcp --dport 21 -i $ETH_NET -j DNAT --to-destination $SRV01
#iptables -t nat -A PREROUTING -p tcp --dport 25 -i $ETH_NET -j DNAT --to-destination $SRV01
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i $ETH_NET -j DNAT --to-destination $SRV01
#iptables -t nat -A PREROUTING -p tcp --dport 110 -i $ETH_NET -j DNAT --to-destination $SRV01

# Allow the forwarded HTTP, FTP, POP and SMTP services
#iptables -A FORWARD -p tcp -s 0/0 -i $ETH_NET -o $ETH_LOC -d $SRV01 -m multiport --dports 80,21,110,25 -j TCP_CONNECT

echo "#################################################"
echo "############# MUDANCA DE RESPOSTAS ##############"
echo "#################################################"

# Log and drop pings from the Internet; accept all other ICMP
iptables -A INPUT -p icmp --icmp-type echo-request -i $ETH_NET -j LOG --log-prefix "INPUT: DROP: Ping Remoto"
iptables -A INPUT -p icmp --icmp-type echo-request -i $ETH_NET -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


echo "Firewall aplicado."
############## E N D   O F   S C R I P T #################
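The LOG rules above are only useful if someone reads what they produce. The following POSIX shell snippet is an added example, not part of the original script: it summarises iptables LOG output by log prefix and source address, and then checks whether any logged source lies in one of the reserved ranges that the anti-spoofing rules are supposed to drop. A hit in that second check means a later rule logged a packet that the anti-spoofing rule should have caught first, which is exactly what happens when a range is written without its netmask (`-s 10.0.0.0` matches the single address 10.0.0.0, not 10.0.0.0/8). Assumptions: syslog-style kernel lines as written by iptables LOG, eth0 as the Internet-facing interface (ETH_NET in the script), the script's own prefixes, and constructed addresses throughout.

```shell
#!/bin/sh
# Added example (not from the original script): summarise iptables LOG lines
# and flag sources that the anti-spoofing rules should already have dropped.

# Constructed sample log. iptables appends the packet fields directly after
# the prefix, so a prefix without a trailing space runs straight into "IN=".
# Addresses are made up; eth0 is the Internet-facing interface (ETH_NET).
SAMPLE_LOG='Mar 29 10:15:02 firenet kernel: INPUT: DROP: flags ilegaisIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.5 DST=192.168.1.143 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 FIN SYN URG=0
Mar 29 10:15:03 firenet kernel: INPUT: DROP: flags ilegaisIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.5 DST=192.168.1.143 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54322 PROTO=TCP SPT=4445 DPT=23 WINDOW=1024 RES=0x00 URG=0
Mar 29 10:15:09 firenet kernel: Tentativa de Conexao SSH:IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.168.1.143 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URG=0
Mar 29 10:15:11 firenet kernel: INPUT: DROP: NEW sem SYNIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.20.30.40 DST=192.168.1.143 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=80 DPT=3000 WINDOW=0 RES=0x00 ACK URG=0
Mar 29 10:15:12 firenet kernel: INPUT: DROP: Ping RemotoIN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.5 DST=192.168.1.143 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Count log entries per (prefix, source address), most frequent first.
# Reads the log on stdin, prints "COUNT PREFIX|SRC" per line.
fw_log_summary() {
    awk '{
        p = index($0, "kernel: "); q = index($0, "IN=")
        if (p == 0 || q <= p) next
        prefix = substr($0, p + 8, q - p - 8)
        sub(/ +$/, "", prefix)              # tolerate prefixes that end in a space
        src = "?"
        if (match($0, /SRC=[0-9.]+/)) src = substr($0, RSTART + 4, RLENGTH - 4)
        count[prefix "|" src]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET[/BITS]: succeeds if ADDR lies inside NET/BITS.
# A network given without /BITS is treated as iptables treats it, as a single
# host, which is what the original "-s 10.0.0.0" rule matched.
ip_in_cidr() {
    _net=${2%/*}
    case $2 in */*) _bits=${2#*/} ;; *) _bits=32 ;; esac
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# Ranges the script drops on the Internet interface. 192.168.0.0/16 is left
# out on purpose: the script's own uplink address (IP_NET) lies inside it.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 224.0.0.0/4 240.0.0.0/4"

# Print "SRC RANGE PREFIX" for every entry that arrived on the external
# interface from a reserved range. Anything printed was logged by a rule
# placed after the anti-spoofing rules, i.e. those rules did not match it.
spoofed_sources() {
    while IFS= read -r line; do
        case $line in *"kernel: "*IN=*SRC=*) ;; *) continue ;; esac
        inif=${line#*IN=}; inif=${inif%% *}
        [ "$inif" = "eth0" ] || continue
        src=${line#*SRC=}; src=${src%% *}
        pre=${line#*"kernel: "}; pre=${pre%%IN=*}; pre=${pre% }
        for range in $BOGONS; do
            if ip_in_cidr "$src" "$range"; then
                printf '%s %s %s\n' "$src" "$range" "$pre"
                break
            fi
        done
    done
}

# Run both checks over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | spoofed_sources
```

In production the input would be `grep 'kernel:' /var/log/messages` (or the file the syslog rule ships to the LAN log server) instead of the sample. Two details of the sample are worth noticing: the prefix and the packet fields are glued together because the script's prefixes have no trailing space, which is why prefixes are usually written with one; and the source 10.20.30.40 shows up under "NEW sem SYN" rather than being silently dropped by the private-range rule, the symptom of a `-s 10.0.0.0` rule written without `/8`.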




Comments
[1] Comment sent by rabbarros on 23/08/2004 - 16:55h

Which server does this IP 192.168.1.1 refer to, your PDC?

[2] Comment sent by vpf on 17/02/2005 - 17:36h

Yes!

[3] Comment sent by rjdiniz on 13/10/2010 - 19:39h

Vinição! Hey man, all good? You disappeared! Dude, where did you get the references for this script of yours? Very good, by the way...

Raul Jr.
@Tec

[4] Comment sent by dsobrinho34 on 01/09/2014 - 13:43h

Very good

