Firewall

Publicado por Charles Silva 21/09/2006

[ Hits: 9.261 ]

Homepage: www.charlessilva.com.br

Download rc.firewall




Esse firewall é super seguro. Algumas coisas coisas estão comentadas e as interfaces têm que ser modificadas para aquelas que você usa.

  



Esconder código-fonte

#!/bin/sh
#
############################################
#
# Script Firewall - Versao 1.0
# Atualizado 20/06/2006 - Charles Silva
#
#############################################

echo "Starting Firewall..."

#################################
# DEFINICAO DE VARIAVEIS:
#################################

IPTABLES="/usr/local/sbin/iptables"

# Interfaces:
#IFACE_EXTERNA="Whan0"
#IFACE_INTERNA="eth1"
LO_IFACE="lo"

# Redes:
REDE_INTERNA="192.168.0.0/24"
#IP_PROVEDOR="192.168.0.1"

#################################################
# LIMPANDO AS CHAINS E SETANDO A POLITICA PADRAO
#################################################

# Seta a politica padrao da tabela filter:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Seta a politica padrao na tabela NAT:
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Limpa as regras nas tabelas filter e nat:
$IPTABLES -F
$IPTABLES -t nat -F

# Apaga qualquer chain fora do padrao nas tabelas filter e NAT:
$IPTABLES -X
$IPTABLES -t nat -X

###################################################
# Permitindo trafego no loopback e nas interfaces:
###################################################
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_INTERNA -s $REDE_INTERNA -j ACCEPT

###########################################
# Logdrop - loga todos pacotes dropados:
###########################################
$IPTABLES -N logdrop
$IPTABLES -A logdrop -j LOG --log-level WARN --log-prefix "[logdrop] "
$IPTABLES -A logdrop -j DROP

#####################################################
# Regras para dropar e logar scanners do tipo xmas:
#####################################################
$IPTABLES -N logxmas
$IPTABLES -A logxmas -j LOG --log-level WARN --log-prefix "[xmas_scanners] "
$IPTABLES -A logxmas -j DROP

########################################################
# Regras para dropar e logar scanners do tipo SYN,FIN
########################################################
$IPTABLES -N logsynfin
$IPTABLES -A logsynfin -j LOG --log-level WARN --log-prefix "[SYN FIN scanners] "
$IPTABLES -A logsynfin -j DROP

########################################################
# Regras para dropar e logar scanners do tipo SYN,RST
########################################################
$IPTABLES -N logsynrst
$IPTABLES -A logsynrst -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A logsynrst -j DROP

########################################################################################
# Regras para dropar e logar scanners que ativam o bit FIN sem estabelecer uma conexao:
########################################################################################
$IPTABLES -N logfin
$IPTABLES -A logfin -j LOG --log-level WARN --log-prefix "[FIN scanners] "
$IPTABLES -A logfin -j DROP

#############################################################################
# Regras para dropar e logar scanners do tipo que ativam todas as flags TCP:
#############################################################################
$IPTABLES -N logalltcp
$IPTABLES -A logalltcp -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A logalltcp -j DROP

#############################################################################
# Regras para dropar e logar scanners do tipo nao ativam nenhuma flag TCP:
#############################################################################
$IPTABLES -N lognonetcp
$IPTABLES -A lognonetcp -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A lognonetcp -j DROP

#########################################################################
# Rule allowed - for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.

$IPTABLES -N allowed
#$IPTABLES -A allowed -p TCP --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j logdrop

#########################################################################
# Watch - loga pacotes suspeitos

$IPTABLES -N watch
#$IPTABLES -A watch -s 192.168.0.2 -j ACCEPT
$IPTABLES -A watch -j LOG --log-level WARN --log-prefix "[watch] "
$IPTABLES -A watch -j ACCEPT

#########################################################################
# Scanners - loga tentativas de scanners na rede

# Loga e bloqueia scanners do tipo Xmas Portscanner:
$IPTABLES -N xmas_scanner
$IPTABLES -A xmas_scanner -p TCP --tcp-flags ALL FIN,URG,PSH -m limit --limit 7/s --limit-burst 3 -j logxmas

# Loga e bloqueia scanners do tipo que ativa os bits SYN e FIN:
$IPTABLES -N synfin_scanner
$IPTABLES -A synfin_scanner -p TCP --tcp-flags ALL SYN,FIN -m limit --limit 7/s --limit-burst 3 -j logsynfin

# Loga e bloqueia scanners do tipo que ativa os bits SYN e RST:
$IPTABLES -N synrst_scanner
$IPTABLES -A synrst_scanner -p TCP --tcp-flags SYN,RST SYN,RST -m limit --limit 7/s --limit-burst 3 -j logsynrst

# Loga e bloqueia scanners do tipo que ativa o bit FIN sem estabelecer uma conexao:
$IPTABLES -N fin_scanner
$IPTABLES -A fin_scanner -p TCP --tcp-flags ALL FIN -m limit --limit 7/s --limit-burst 3 -m state --state ! ESTABLISHED -j logfin

# Loga e bloqueia scanners do tipo que ativa todas flags TCP:
$IPTABLES -N alltcp_scanner
$IPTABLES -A alltcp_scanner -p TCP --tcp-flags ALL ALL -m limit --limit 7/s --limit-burst 3 -j logalltcp

# Loga e bloqueia scanners do tipo que nao ativa nenhuma flag TCP:
$IPTABLES -N nonetcp_scanner
$IPTABLES -A nonetcp_scanner -p TCP --tcp-flags ALL NONE -m limit --limit 7/s --limit-burst 3 -j lognonetcp

#########################################################################
# icmptrap - para pacotes ICMP:

$IPTABLES -N icmptrap
$IPTABLES -A icmptrap -p icmp --icmp-type echo-reply                   -j ACCEPT
$IPTABLES -A icmptrap -p icmp --icmp-type destination-unreachable      -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-unreachable        -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-unreachable           -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   protocol-unreachable       -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   port-unreachable           -j DROP
$IPTABLES -A icmptrap -p icmp --icmp-type   fragmentation-needed       -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   source-route-failed        -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-unknown            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-unknown               -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-prohibited         -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-prohibited            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-network-unreachable    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-host-unreachable       -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   communication-prohibited   -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-precedence-violation  -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   precedence-cutoff          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type source-quench                -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type redirect                     -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   network-redirect           -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   host-redirect              -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-network-redirect       -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-host-redirect          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type echo-request                 -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type router-advertisement         -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type router-solicitation          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type time-exceeded                -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ttl-zero-during-transit    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ttl-zero-during-reassembly -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type parameter-problem            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ip-header-bad              -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   required-option-missing    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type timestamp-request            -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type timestamp-reply              -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type address-mask-request         -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type address-mask-reply           -j logdrop

#########################################################################
# dropiana - dropa IP's nao liberados pela IANA(RFC1918,RFC3330) e redes reservadas

$IPTABLES -N dropiana
$IPTABLES -A dropiana -s 0.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 1.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 2.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 5.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 10.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 23.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 27.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 31.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 36.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 37.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 39.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 41.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 42.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 58.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 59.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 60.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 71.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 88.0.0.0/5 -j logdrop
$IPTABLES -A dropiana -s 96.0.0.0/3 -j logdrop
$IPTABLES -A dropiana -s 128.0.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 172.16.0.0/12 -j logdrop
$IPTABLES -A dropiana -s 191.255.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 192.31.196.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.52.193.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.67.23.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.68.185.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.70.192.0/21 -j logdrop
$IPTABLES -A dropiana -s 192.70.201.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.94.77.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.94.78.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.97.38.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.168.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 197.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 221.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 222.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 223.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 224.0.0.0/4 -j logdrop
$IPTABLES -A dropiana -s 240.0.0.0/4 -j logdrop

#########################################################################
# Rule safe - apenas para chamar a dropiana e a icmptrap

# Create safe rule
$IPTABLES -N safe

# Call todas regras de scanners
$IPTABLES -A safe -j xmas_scanner
$IPTABLES -A safe -j synfin_scanner
$IPTABLES -A safe -j synrst_scanner
$IPTABLES -A safe -j fin_scanner
$IPTABLES -A safe -j alltcp_scanner
$IPTABLES -A safe -j nonetcp_scanner

# ICMP packets
$IPTABLES -A safe -p ICMP -j icmptrap

# Call dropiana
$IPTABLES -A safe -j dropiana

# Call INPUT Safe
$IPTABLES -A INPUT -j safe

#########################################################################
# Regras especificas para Rede Interna

# Pacotes que entram na rede
$IPTABLES -N main-in

# Pacotes que saem da rede
$IPTABLES -N main-out

################################
# REGRAS GERAIS P/ REDE INTERNA
################################

#############################
# Libera DNS p/ rede interna
#############################
$IPTABLES -A main-in -p UDP -i $IFACE_EXTERNA -s 0/0--sport 53 -j ACCEPT
$IPTABLES -A main-out -p UDP -o $IFACE_EXTERNA -d 0/0 --dport 53 -j ACCEPT


################################
# Regra p/ Bloqueio da internet
################################
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --dport 80 -j logdrop 
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --sport 80 -j logdrop
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --dport 110 -j logdrop 
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --sport 110 -j logdrop

########################
# SSH P/ outro usuario
########################
$IPTABLES -A main-in -p TCP -s 000.00.00.000 --dport 22 -j allowed
$IPTABLES -A main-out -p TCP -d 000.00.000.000 --sport 22 -j allowed
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 22 -j logdrop


##########################
# Libera NTP p/ servidor
##########################
$IPTABLES -A INPUT -p UDP -i $IFACE_EXTERNA -s 200.144.121.33 --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $IFACE_EXTERNA -d 200.144.121.33 --sport 123 -j ACCEPT


################################################################
# Bloqueia qualquer servico conhecido para IPs da Rede Interna
################################################################
#1025/tcp   listen
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1025 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1025 -j logdrop
#1026
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1026 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1026 -j logdrop
#1027
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1027 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1027 -j logdrop
#1028
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1028 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1028 -j logdrop
# KDEinit
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1029 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1029 -j logdrop
#1030
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1030 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1030 -j logdrop
#1031/udp   iad1
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1031 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1031 -j logdrop
#1032/udp   iad1
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1032 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1032 -j logdrop
#1033/tcp   netinfo
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1033 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1033 -j logdrop
#1050/tcp   java-or-OTGfileshare
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1050 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1050 -j logdrop
#1059/tcp   nimreg
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1059 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1059 -j logdrop
# instl_boots
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1067 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1067 -j logdrop
# SOCKS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1080 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1080 -j logdrop
# MSSQL
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1433 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1433 -j logdrop
# MSSQL-Monitor
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1434 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1434 -j logdrop
# VPN
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1723 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1723 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --sport 1723 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --sport 1723 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1083 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1083 -j logdrop
#1812/RADIUS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1812 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1812 -j logdrop
#1813/RADIUS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1813 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1813 -j logdrop
#2105/eklogin
$IPTABLES -A main-in -p TCP -s 0/0 --dport 2105 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 2105 -j logdrop
# Squid
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3128 -j logdrop
# 3268 globalcatLDAP
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3268 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3268 -j logdrop
# 3269 globalcatLDAPssl
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3269 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3269 -j logdrop
# MySQL
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3306 -j logdrop
# Msdtc
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3372 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3372 -j logdrop
# IISrpc-or-vat
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3456 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3456 -j logdrop
# Terminal Server
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3389 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3389 -j logdrop
# RPC
$IPTABLES -A main-in -p TCP -s 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p TCP -d 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p UDP -d 0/0 --dport 4444 -j logdrop
# Sae-Urn
$IPTABLES -A main-in -p TCP -s 0/0 --dport 4500 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 4500 -j logdrop
# VNC
$IPTABLES -A main-in -p TCP -s 0/0 --dport 5900 -j logdrop
# X
$IPTABLES -A main-in -p TCP -s 0/0 --dport 6000 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 6000 -j logdrop
# BACULA
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9101 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9101 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9102 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9102 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9103 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9103 -j logdrop

##############################################################
# REGRAS PARA REDIRECIONAMENTO DE PACOTES - FORWARD
##############################################################

# Libera acesso da Rede Interna para as outras redes:
$IPTABLES -A FORWARD -i $IFACE_INTERNA -s $REDE_INTERNA -d 0/0 -j ACCEPT

# Permite trafego de entrada de forma segura
$IPTABLES -A FORWARD -i $IFACE_EXTERNA -o $IFACE_INTERNA -j safe
$IPTABLES -A FORWARD -i $IFACE_EXTERNA -o $IFACE_INTERNA -j main-in


# Permite trafego de saida de forma segura
$IPTABLES -A FORWARD -i $IFACE_INTERNA -o $IFACE_EXTERNA -j safe
$IPTABLES -A FORWARD -i $IFACE_INTERNA -o $IFACE_EXTERNA -j main-out


#################
# Portas >= 1024
#################
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1024: -j allowed
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1024: -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 1024: -j allowed
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 1024: -j ACCEPT



#############################################################
# Redireciona o trafego internet da rede interna p/ o squid
#############################################################
$IPTABLES -t nat -A PREROUTING -p TCP -i $IFACE_INTERNA -d ! 192.168.0.1 -s $REDE_INTERNA --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A POSTROUTING -o $IFACE_EXTERNA -j MASQUERADE

###################################
# Libera pacotes ICMP p/ o Gateway
###################################
$IPTABLES -A INPUT -i $IFACE_EXTERNA -s 0/0 -p ICMP -m limit --limit 1/s -j icmptrap

#########################
# CONFIGURACOES FINAIS:
#########################

# Habilita o IP Forward:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable IP spoofing protection, turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

#####################################
# Dropa e loga todos outros pacotes
#####################################
$IPTABLES -A INPUT -j logdrop
$IPTABLES -A FORWARD -j logdrop

echo "Firewall Started!"

Scripts recomendados

Retra de iptables para DMZ na porta 80

Converter Arquivo RMVB para AVI

Backup individual de contas no ZIMBRA MAIL

Firewall utilizando iptables

Unificando arquivos de bloqueio e liberação no squid


  

Comentários
[1] Comentário enviado por y2h4ck em 18/10/2006 - 13:12h

O arquivo do codigo fonte e o arquivo do download são diferentes.
Baixem e olhem o fonte verão a diferença.

Obrigado.

[2] Comentário enviado por sequelinha em 18/10/2006 - 18:15h

Respondendo a resposta acima
Obrigado por ter verificado isso (o script verdadeiro que eu publiquei e o que esta no codigo fonte )o outro eu fiz o dowloand e dei uma olha naum foi eu que fiz
Obrigado
sequelinha


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts