iptables ubuntu13.10

1. iptables ubuntu13.10

Edinaldo
euedialves

(usa Ubuntu)

Enviado em 16/06/2014 - 13:29h

Prezados,

Trabalhei em um script de firewall para implantar na empresa que represento. O script já está funcionando, mas eu gostaria de limpá-lo o máximo possível.

Se alguém puder analisar e sugerir algumas melhorias, eu agradeço.

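#!/bin/bash
# iptables firewall for the office gateway: PPPoE uplink, LAN on a
# second NIC, OpenVPN clients over tun/tap.
# Usage: <script> (start | stop | restart | clear)
# Must run as root: it writes /proc/sys and loads kernel modules.
readonly IPT=/sbin/iptables

# External (Internet-facing) interface.
#IF_EXTERNA="eth0"

# PPPoE connection
readonly IF_EXTERNA="ppp0"

# Internal (LAN) interface and the LAN network it serves.
readonly IF_INTERNA="eth1"
readonly RD_LOCAL="192.168.0.0/24"

# Kernel modules the rules rely on.
# NOTE(review): ip_conntrack, ip_conntrack_ftp and ip_nat_ftp are the
# old module names; on a 3.x kernel the conntrack modules are
# nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and "tap" is normally
# provided by the tun module rather than a module of its own — confirm
# with modinfo. A module that fails to load is reported and the script
# carries on, since iptables normally autoloads the match/target
# modules on first use.
readonly -a FW_MODULES=(
  iptable_nat
  ip_conntrack
  ip_conntrack_ftp
  ip_nat_ftp
  ipt_LOG
  ipt_REJECT
  ipt_MASQUERADE
  tun
  tap
)
for fw_mod in "${FW_MODULES[@]}"; do
  /sbin/modprobe "$fw_mod" \
    || printf '%s: aviso: modulo %s nao carregado\n' "${0##*/}" "$fw_mod" >&2
done
unset fw_mod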
# Inicio das Regras do Firewall
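#######################################
# Kernel tunables: enable forwarding (this host is the LAN gateway)
# and the usual anti-spoofing / anti-flood knobs, written straight to
# /proc/sys so there is no dependency on sysctl(8).
# Globals: none
#######################################
fw_sysctl() {
  local base=/proc/sys/net/ipv4
  # Route between the interfaces; ip_dynaddr copes with the PPPoE
  # address changing while connections are open.
  echo 1 > "$base/ip_forward"
  echo 1 > "$base/ip_dynaddr"
  # Reverse-path filter: drop packets whose source address would not be
  # routed back out of the interface they arrived on (IP spoofing).
  echo 1 > "$base/conf/all/rp_filter"
  # Ignore ICMP redirects so a peer cannot rewrite our routing table.
  echo 0 > "$base/conf/all/accept_redirects"
  # Refuse source-routed packets.
  echo 0 > "$base/conf/all/accept_source_route"
  # Do not log bogus ICMP error responses.
  echo 1 > "$base/icmp_ignore_bogus_error_responses"
  # Ignore ICMP echo sent to broadcast/multicast addresses (smurf
  # amplification).
  echo 1 > "$base/icmp_echo_ignore_broadcasts"
  # SYN cookies keep accepting connections during a SYN flood.
  echo 1 > "$base/tcp_syncookies"
}

#######################################
# Removes every rule and user chain from filter, nat and mangle and
# sets default-deny policies; everything added afterwards is an
# allow-list. Note that between this point and the ESTABLISHED rule in
# fw_base_rules existing connections are briefly blocked; an atomic
# iptables-restore load would avoid that gap.
# Globals: IPT
#######################################
fw_flush() {
  local table
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP
}

#######################################
# Sanity and connection-tracking rules that every other rule depends on.
# Globals: IPT, IF_INTERNA, RD_LOCAL
#######################################
fw_base_rules() {
  # TCP packets that open a "new" connection without SYN are bogus (or
  # a leftover of a lost conntrack table); log, then drop.
  "$IPT" -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIR: NEW sem syn: "
  "$IPT" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

  # Trusted sources: the LAN and 10.0.0.0/24 (presumably the OpenVPN
  # client subnet, since UDP 1194 and tun/tap are accepted below — confirm).
  # NOTE(review): these accept *everything* the LAN sends to the
  # gateway, so the per-port list in fw_allow_input is shadowed; and with
  # no -i match they rely on rp_filter alone to reject a packet arriving
  # on the external interface with a spoofed LAN source. Adding
  # -i "$IF_INTERNA" (and the VPN interface) would be defence in depth.
  "$IPT" -A INPUT -s "$RD_LOCAL" -j ACCEPT
  "$IPT" -A INPUT -s 10.0.0.0/24 -j ACCEPT
  # 10.0.0.0/24 hosts reaching the LAN are masqueraded behind the
  # gateway's internal address.
  "$IPT" -t nat -A POSTROUTING -s 10.0.0.0/24 -o "$IF_INTERNA" -j MASQUERADE

  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # OUTPUT accepts NEW as well, i.e. the gateway itself may open any
  # outbound connection.
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  # NOTE(review): NEW in this rule accepts every forwarded connection,
  # so the FORWARD policy DROP and all later per-port FORWARD rules
  # (the port-135 REJECT, the SYN limit, fw_allow_forward) never match.
  # Removing NEW here makes the allow-list effective, but that list has
  # no entry for 80/443 or for the DNAT'd services in fw_nat_rules, so
  # it must be completed first or the LAN loses web access.
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
}

#######################################
# Log-and-drop chains for known DDoS agents, trojans and stealth scans,
# plus worm containment and ICMP/SYN rate limits.
# Globals: IPT, IF_EXTERNA, IF_INTERNA
#######################################
fw_protection_rules() {
  local port flags mask comp

  # Each chain logs (rate-limited, so a flood cannot fill the disk) and drops.
  "$IPT" -N TRINOO
  "$IPT" -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: trinoo: "
  "$IPT" -A TRINOO -j DROP
  for port in 27444 27665 31335 34555 35555; do
    "$IPT" -A INPUT -p tcp -i "$IF_EXTERNA" --dport "$port" -j TRINOO
  done

  "$IPT" -N TROJAN
  "$IPT" -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: trojan: "
  "$IPT" -A TROJAN -j DROP
  for port in 666 4000 6000 6006 16660; do
    "$IPT" -A INPUT -p tcp -i "$IF_EXTERNA" --dport "$port" -j TROJAN
  done

  # Keep LAN hosts from spreading over MS-RPC (135) through the gateway.
  "$IPT" -A FORWARD -p tcp --dport 135 -i "$IF_INTERNA" -j REJECT

  # SYN rate limit.
  # NOTE(review): a rate-limited ACCEPT only limits anything if a later
  # rule drops the surplus; in FORWARD the surplus falls through to the
  # allow rules below, so this is not an effective limiter.
  "$IPT" -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

  # Ping rate limit (same caveat in FORWARD; in INPUT the surplus does
  # reach the policy DROP, except from the sources accepted above).
  "$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

  # TCP flag combinations that never occur in legitimate traffic
  # (typical of stealth port scans).
  "$IPT" -N SCANNER
  "$IPT" -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: port scanner: "
  "$IPT" -A SCANNER -j DROP
  for flags in \
    "ALL FIN,URG,PSH" "ALL NONE" "ALL ALL" "ALL FIN,SYN" \
    "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
    read -r mask comp <<<"$flags"
    "$IPT" -A INPUT -p tcp --tcp-flags "$mask" "$comp" -i "$IF_EXTERNA" -j SCANNER
  done
}

#######################################
# Logs connection attempts from the outside to well-known service
# ports; the INPUT policy then drops them.
# NOTE(review): these LOG rules carry no -m limit, so a scan of the
# external interface writes one kernel log line per packet.
# Globals: IPT, IF_EXTERNA
#######################################
fw_log_probes() {
  local entry proto port label
  for entry in \
    "tcp 21 ftp" "tcp 22 ssh" "tcp 23 telnet" "tcp 25 smtp" \
    "tcp 80 http" "tcp 110 pop3" "udp 111 rpc" "tcp 113 identd" \
    "tcp 137:139 samba" "udp 137:139 samba" "tcp 161:162 snmp" \
    "tcp 6667:6668 irc" "tcp 3128 squid" "tcp 5432 Banco" "tcp 4142 Banco" \
    "tcp 5900 VNC" "tcp 5629 Hamachi" "tcp 60711 Hamachi" "tcp 50534 Hamachi"; do
    read -r proto port label <<<"$entry"
    "$IPT" -A INPUT -p "$proto" --dport "$port" -i "$IF_EXTERNA" -j LOG --log-level 6 --log-prefix "FIR: $label: "
  done
}

#######################################
# Services the gateway itself accepts: OpenVPN from anywhere, and the
# local services from the LAN interface.
# Globals: IPT, IF_EXTERNA, IF_INTERNA
#######################################
fw_allow_input() {
  local port

  # OpenVPN (UDP 1194) and everything arriving over the tunnel.
  # NOTE(review): "-i tun" / "-i tap" match only an interface literally
  # named tun or tap; OpenVPN devices are usually tun0, tap0, ... and the
  # wildcard form is "tun+" — confirm against `ip link`.
  "$IPT" -A INPUT -p udp --dport 1194 -i "$IF_EXTERNA" -j ACCEPT
  "$IPT" -A INPUT -p udp --dport 1194 -j ACCEPT
  "$IPT" -A INPUT -i tun -j ACCEPT
  "$IPT" -A INPUT -i tap -j ACCEPT

  # TCP services offered to the LAN.
  for port in 22 53 110 389 587 2222 3128 5222 5223 5269 5931 4142 5432 22403; do
    "$IPT" -A INPUT -p tcp --dport "$port" -i "$IF_INTERNA" -j ACCEPT
  done
  "$IPT" -A INPUT -p tcp --sport 53 -i "$IF_INTERNA" -j ACCEPT
  # UDP
  "$IPT" -A INPUT -p udp --dport 53 -i "$IF_INTERNA" -j ACCEPT
  # NOTE(review): source-port ACCEPTs let any LAN host reach any port on
  # the gateway just by sending from that source port; replies to the
  # gateway's own queries are already covered by the ESTABLISHED rule,
  # so these (and the tcp --sport 53 above) can probably go.
  for port in 22 53 389 1194 587 2222 5931 4142 5432; do
    "$IPT" -A INPUT -p udp --sport "$port" -i "$IF_INTERNA" -j ACCEPT
  done
}

#######################################
# Outbound services the LAN may use through the gateway.
# NOTE(review): see fw_base_rules — the NEW-accepting state rule comes
# first, so today none of these rules is ever reached.
# Globals: IPT, RD_LOCAL
#######################################
fw_allow_forward() {
  local port host

  for port in 21 25 53 110 587 2500 5432 5931 4142 22403; do
    "$IPT" -A FORWARD -p tcp --dport "$port" -j ACCEPT
  done
  "$IPT" -A FORWARD -p tcp --sport 53 -j ACCEPT
  "$IPT" -A FORWARD -p udp --dport 53 -j ACCEPT
  for port in 53 5432 1194 5931 4142; do
    "$IPT" -A FORWARD -p udp --sport "$port" -j ACCEPT
  done
  "$IPT" -A FORWARD -i tun -j ACCEPT
  "$IPT" -A FORWARD -i tap -j ACCEPT

  # Web access to specific hosts. A hostname in -d is resolved once,
  # when the rule is added: with no DNS the rule is not added, several
  # A records give several rules, and an address change leaves the rule
  # stale until the next reload.
  for host in comprasnet.gov.br soap.smedi.com.br client.smedi.com.br redisp.smedi.com.br; do
    "$IPT" -A FORWARD -d "$host" -p tcp -m multiport --dport 80,443 -j ACCEPT
  done
  # XMPP from the LAN: 5222/5223 client, 5269 server-to-server.
  "$IPT" -A FORWARD -s "$RD_LOCAL" -p tcp --dport 5222:5223 -j ACCEPT
  "$IPT" -A FORWARD -s "$RD_LOCAL" -p tcp --dport 5269 -j ACCEPT
}

#######################################
# NAT: masquerade the LAN behind the PPPoE address, proxy exemptions,
# and the services published to the Internet.
# Globals: IPT, IF_EXTERNA
#######################################
fw_nat_rules() {
  local host port proto
  local -a servidores=(192.168.0.2 192.168.0.3)
  local -a diretoria=(192.168.0.100 192.168.0.101 192.168.0.102 192.168.0.103)
  local -a ti=(192.168.0.104 192.168.0.105)

  # Masquerade everything leaving through the external interface.
  "$IPT" -t nat -A POSTROUTING -o "$IF_EXTERNA" -j MASQUERADE

  # Hosts whose web traffic skips the proxy redirect.
  # NOTE(review): there is no active REDIRECT to 3128 in PREROUTING (the
  # only one is commented out at the end), so at the moment every LAN
  # host bypasses the proxy and these ACCEPTs exempt nothing.
  for host in "${servidores[@]}" "${diretoria[@]}" "${ti[@]}"; do
    "$IPT" -t nat -A PREROUTING -p tcp -m multiport -s "$host" --dport 80,443 -j ACCEPT
  done

  # SERVIDOR1: remote administration and database.
  # NOTE(review): RDP (3389), VNC (5900) and the database ports
  # 4142/5432 are reachable from the Internet here; an unusual external
  # port is obscurity, not access control. With OpenVPN already in place,
  # serving these only to VPN users (or at least behind a -s allow-list)
  # would remove most of this exposure.
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 5989 -j DNAT --to-destination 192.168.0.3:3389
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 5988 -j DNAT --to-destination 192.168.0.2:5900
  for port in 4142 5432; do
    for proto in tcp udp; do
      "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p "$proto" --dport "$port" -j DNAT --to-destination 192.168.0.2
    done
  done

  # Cameras (forwarded to the camera server).
  for port in 56269 60711 50534; do
    "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p udp --dport "$port" -j DNAT --to-destination 192.168.0.5
  done

  # Openfire (XMPP) server.
  for port in 5222 5223 5269; do
    "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport "$port" -j DNAT --to-destination 192.168.0.4
  done
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 7574 -j DNAT --to-destination 192.168.0.4:80

  # Port redirection on the gateway itself (disabled).
  #"$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 4254 -j REDIRECT --to-ports 3128
}

#######################################
# Loads the complete rule set: kernel tunables, flush, default-deny
# policies, then the allow-lists and NAT, in that order (rule order
# within each chain is what makes the LOG/DROP chains effective).
# Globals: IPT, IF_EXTERNA, IF_INTERNA, RD_LOCAL
# Returns: status of the last iptables call; individual failures are
#          printed by iptables and do not stop the load.
#######################################
fw_start() {
  fw_sysctl
  fw_flush
  fw_base_rules
  fw_protection_rules
  fw_log_probes
  fw_allow_input
  fw_allow_forward
  fw_nat_rules
}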
# Fim das regras

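#######################################
# Disables filtering: every chain policy back to ACCEPT, then all
# rules, user chains and counters removed from filter, nat and mangle.
# NOTE(review): nothing here restores the kernel tunables, so after
# "stop" ip_forward is still 1 and the host forwards with no filtering
# and no NAT.
# Globals: IPT
#######################################
fw_stop() {
  local chain table op
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -t filter -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT INPUT FORWARD; do
    "$IPT" -t mangle -P "$chain" ACCEPT
  done
  # Flush rules, delete user chains, zero counters — in that order,
  # since a chain still referenced by a rule cannot be deleted.
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      "$IPT" -t "$table" "$op"
    done
  done
}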

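#######################################
# Prints the accepted actions to stdout.
# Globals: none (reads $0 for the script name)
#######################################
fw_usage() {
  printf '\n%s (start | stop | restart | clear)\n\n' "$0"
  printf '%s\n' \
    'start - Ativa o firewall' \
    'stop - Desativa o firewall' \
    'restart - Reinicia o firewall' \
    'clear - Limpa os contadores'
}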

#######################################
# Zeroes the packet/byte counters in every table; rules are kept.
# Globals: IPT
#######################################
fw_clear() {
  local table
  for table in filter nat mangle; do
    "$IPT" -t "$table" -Z
  done
}

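# Entry point: dispatch on the first argument. An unknown or missing
# action prints the usage and exits non-zero, so a mistyped call from an
# init script or cron job is reported as a failure instead of success.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  clear)
    fw_clear
    ;;
  *)
    fw_usage
    exit 2
    ;;
esac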



  





