FIREWALL COM IPTABLES - PARA EMPRESAS E INTRANETS

Publicado por Joabes Carlos de Carvalho 16/09/2003

[ Hits: 33.589 ]

Homepage: http://www.fwsnet.com.br / http://www.bookmail.com.br

Download rc.fw.1




ESSE FIREWALL É MUITO BOM, EU UTILIZAVA NA ANTIGA EMPRESA QUAL TRABALHAVA, ESPERO QUE POSSA SER UTIL A TODOS, OS COMENTÁRIOS DO FIREWALL ESTÃO EM INGLÊS, MAIS É BEM DECSRITIVO E FÁCIL DE USAR.


ATÉ A PRÓXIMA PESSOAL.

ABRAÇOS.

  



Esconder código-fonte

#!/bin/sh
############################################################################
############################################################################
#####################   FIREWALL PARA INTRANETS ############################
############################################################################
############################################################################
############################################################################

#Script de firewall muito facil para ser aplicado, apenas esta em ingles####
       

IPTABLES="/sbin/iptables"   # set to your iptables location, must be set
DNS="192.168.0.1"   #set to your DNS server(s), that you get zone transfers from
TCP_ALLOW="21 22 25 80 8000 8001" #TCP ports to ALLOW
UDP_ALLOW="500"            # UDP ports to ALLOW (53 not needed, covered by DNS above)
INET_IFACE="ppp0"         # the interface your internet's on (one only), must be set
LAN_IFACE="eth0"         # the interface(s) your LAN's on (currently used only as a sanity check)
USE_SSH1="TRUE"            # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="TRUE"         # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
INTERNAL_LAN="192.168.0.0/24"   #the internal network(s), must be set
AUTH_ALLOW=""   #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all)
DENY_ALL=""            # Internet hosts to explicitly deny from accessing your system at all
DROP="REJECT"            # What to do with packets we don't want: DROP, REJECT, LDROP (log and drop), or LREJECT (log and reject)

# Below here is experimental
MAC_LAN=""            # MAC addresses permitted to use masquerading, leave blank to not use
USE_MASQ="TRUE"         # Set to TRUE to use masquerading (anything else is interpreted as FALSE)
USE_SNAT=""            # If you have a static internet IP, put it here and set "USE_MASQ" above to FALSE
TCP_FW=""            # TCP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP"
UDP_FW=""            # Same as above but on UDP

# ----------------------------------------------------------------------|
# Do not modify configuration below here            |
# ----------------------------------------------------------------------|
DROP="REJECT" #Apparently some ISPs (@home comes to mind) have problems with denying them, so send back ICMP messages to fool them
FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT"
# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here         |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."
if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then
   echo
   echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!"
   exit 1
fi
if  [ "$INET_IFACE" = "$LAN_IFACE" ] ; then
        if  [  "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then
      # This can't happen because the whole point of my masquerading code is that we don't need to know the IP.
      # While we know the IP with SNAT, I'm too lazy do change my code other than to use SNAT :)
      echo
      echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!"
      exit 1
   fi
fi
if ! [ -x $IPTABLES ] ; then
   echo
   echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
   exit 1
fi
echo "passed"

# Turn on IP forwarding (your kernel still needs it)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled..."

# Enable TCP Syncookies (always a 'good thing') (thanks steff)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "IP SynCookies enabled..."
# Loading kernel modules...
echo "Loading kernel modules..."
insmod ip_tables
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ip_conntrack_irc
insmod iptable_nat
insmod ip_nat_ftp
echo "Kernel modules loaded." 

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
# 
# You'll notice I give status now :)
echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
   ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
   ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
   ${IPTABLES} -t filter -N ${chain}
   echo -n "${chain} "
done
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# Policy can't be reject becuase of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# Local traffic to internet or crossing subnets 
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
#   obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
   ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
   ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
   echo -n "${subnet}:ACCEPT "
done
echo

# Set up basic NAT if the user wants it
if [ $USE_MASQ = TRUE ] ; then
   echo -n "Setting up NAT: "
   if [ "$MAC_LAN" = "" ] ; then
      for subnet in ${INTERNAL_LAN} ; do
         ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
         echo -n "${subnet}:MASQUERADE "
      done
   else   
      for address in ${MAC_LAN} ; do
         ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
         echo -n "${address}:MASQUERADE "
      done
   fi
   echo
elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined 
   #(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup)
   echo -n "Setting up NAT: "
        if [ "$MAC_LAN" = "" ] ; then
                for subnet in ${INTERNAL_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${subnet}:SNAT "
                done
        else
                for address in ${MAC_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${address}:SNAT "
                done
        fi  
        echo
fi

#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
   echo -n "TCP Port Forwards: "
   if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
      for rule in ${TCP_FW} ; do
         ports=`echo $rule | sed 's/>.*//g'`
         srcport=`echo $ports | sed 's/:.*//g'`
         destport=`echo $ports | sed 's/.*://g'`
         host=`echo $rule | sed 's/.*>//g'`
         ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
         echo -n "${rule} "
      done
   else
      for rule in ${TCP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
         ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
         echo -n "${rule} "
      done
   fi
   echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
        echo -n "UDP Port Forwards: "
        if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        else
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        fi
        echo
fi

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================


# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up logging chains: "
${IPTABLES} -t filter -A LDROP -p tcp -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " 
${IPTABLES} -t filter -A LDROP -f -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "
        
#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LREJECT -f -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood Protection
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo

# -------------------------------------------------
# =================================================
# -------------------------------------------------


#Explicit denies
if [ "$DENY_ALL" != "" ] ; then
   echo -n "Denying hosts: "
   for host in ${DENY_ALL} ; do
      ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
      echo -n "${host}:${DROP}"
   done
   echo
fi

#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"



# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================

#Start allowing stuff

# Flood "security"
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood is on a per-port basis because it's a security hole to put it here!
# This is just a packet limit, you still get the packets on the interface and 
#    still may experience lag if the flood is heavy enough
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo -n "ICMP-PING "
echo

echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
   echo -n "TCP Input Allow: "
   for port in ${TCP_ALLOW} ; do
           if [ "0$port" == "021" ]; then #Active FTP (thanks steff)
              ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT
      fi
       ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
      echo -n "${port} "
   done
   echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
   echo -n "UDP Input Allow: "
   for port in ${UDP_ALLOW} ; do
      ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT
      echo -n "${port} "
   done
   echo
fi

if [ "$DNS" != "" ] ; then
   echo -n "DNS Zone Transfers: "
   for server in ${DNS} ; do
      ${IPTABLES} -t filter -A INETIN   -p udp -s ${server} --sport 53 -j UDPACCEPT
      echo -n "${server} "
   done
   echo
fi

#SSH Rulesets
if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then
    echo -n "Accounting for SSH..."
   if [ $USE_SSH1 = TRUE ]; then #SSH1
      ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j TCPACCEPT
      echo -n "SSH1 "
   fi
   if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
      ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j TCPACCEPT
      echo -n "OpenSSH "
   fi
   echo
fi

#AUTH(identd) host-based allows
if [ "$AUTH_ALLOW" != "" ] ; then
   echo -n "AUTH accepts: "
   for host in ${AUTH_ALLOW} ; do
      ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j TCPACCEPT
      echo -n "${host} "
   done
   echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

#All done!
echo "Done loading the firewall!"
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.2:8000




Scripts recomendados

Script p/ instalar o modem pctel onboard

consamba.sh

Atualizando se Slackware

LINUX+SAMBA+QUOTAS

Recriando /dev/null facilmente


  

Comentários
[1] Comentário enviado por joabes em 17/09/2003 - 12:12h

Desculpe-me pessoal, não sei por que razão o arquivo para download não ficou disponivel, mais o script está disponível para visualização.


Abraços.

[2] Comentário enviado por andreigy em 23/06/2004 - 10:17h

O kra, e dae como funciona, eu baixo, torno ele executavel e respondo as perguntas, como funciona?

[3] Comentário enviado por andreigy em 23/06/2004 - 10:18h

eu to querendo fazer um firewall experimental, vc poderia me ajudar, as apostilas não estão sanando as minhas duvidas !!!!

[4] Comentário enviado por joabes em 23/06/2004 - 11:20h

Amigo, é só vc baixar o script no seu micro, torna-lo executavel e no rc.local vc coloca /etc/rc.d/rc.fw boot

Claro, isso vc coloca se vc colocar o script no /etc/rc.d e deixa que o resto a natureza cuida.


Dúvidas entre m contato.

[5] Comentário enviado por removido em 26/11/2005 - 14:45h

kra, naum sei c ajuda mais eu coloco ele no /etc/init.d
e crio um link no /etc/rc2.d para ele executar toda a vez em q a maquina for reiniciada...bele

[6] Comentário enviado por MSansoni em 01/12/2005 - 15:13h

Caro amigo, eu tenho o arquivo rc.firewall , eu coloco ele dentro da pasta /etc/rc.d <<< dai como ficaria o resto do meu comando para eu poder carregar este script toda vez?? Outra coisa, quero bloquear os programas tipo MSN, ICQ, Kazaa ( e todos ou quase todos os P2P ) como eu faço isso, seria pelo próprio Iptables ou essa parte seria do squid??

Obrigado pela ajuda,

Manuel

[7] Comentário enviado por joabes em 01/12/2005 - 15:51h

Já que ele está dentro do rc.d, faça assim

chmod +x rc.firewall

depois acesse o rc.local
vi rc.local e adicione

/etc/rc.d/rc.firewall boot

Salve, quando vc reiniciar o pc, ele já carrega o script.

Porém se vc usar esse script não precisa do squid.

Msn e Icq vc até consegue barrar pelo iptables, agora programas P2p é complicado.

Estarei postando algo sobre.

abraços.

[8] Comentário enviado por MSansoni em 01/12/2005 - 15:58h

Obrigado pela ajuda.... Só mais uma coisa, você disse que eu não preciso usar o squid com esse script.. Onde que eu barro os sites indesejáveis, por exemplo orkut.com , playboy.com.br , entre outros sites...

Obrigado mais uma vez pela ajuda,

Manuel

[9] Comentário enviado por joabes em 01/12/2005 - 16:02h

cara me passa seu msn, fica mais fácil falar.
abraços.

[10] Comentário enviado por MSansoni em 01/12/2005 - 16:13h

meu msn é manuelsansoni@hotmail.com !

[11] Comentário enviado por MSansoni em 01/12/2005 - 16:39h

Foi mal ter fechado o msn rapidamente, me manda os dados para manuel@sectron.com.br para eu poder estar analisando..

Obrigado pela ajuda,

Manuel

[12] Comentário enviado por removido em 10/02/2011 - 04:10h

Cara sinceramente, creio que n ah necessidade de uma configuração tão extensa!!!

Até pq se tu for tentar implementar um firewall desse na tua rede, é mais facil
tu criar um novo, pois a demora vai ser a mesma,e outra que se tu mesmo criar um firewall
fica mais facil de adaptar as tuas necessidades!!!

Mas no mais legal Parabens!


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts