Slackware: Firewall Help

Luciano Da Silva
lucianofrc

(uses Slackware)

Posted on 26/06/2012 - 17:01h

Hello everyone in the community.

I have been using the firewall script below for some time, but I honestly do not know whether its rules are set up correctly, or even whether it is effective. I am posting it to the whole community with the aim of getting suggestions for a better script, or changes to this one.
Thanks in advance to all.
Anyone who wants to use it, feel free.
Big hug.

Pastebin link here >> http://pastebin.com/raw.php?i=xTNpMZZG

The script is below

########################################################################################################


#!/bin/bash

echo "Script Firewall"

###################
# Loading modules #
###################

echo "Carregando Modulos"

# Module names from the 2.4/2.6 era, as in the original. On newer kernels several are
# built in or renamed (nf_conntrack, xt_state, ...), so a failed modprobe is silenced
# instead of cluttering the output.
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
           ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT \
           ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp ip_gre; do
    modprobe "$mod" 2>/dev/null
done

#######################
# Local configuration #
#######################

echo "Definindo Configurações Locais"

SYSCTL="/sbin/sysctl -w"   # sysctl lives in /sbin, not /etc (currently unused below)

#########################
# iptables binary paths #
#########################

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"

######################
# Internet interface #
######################

INET_IFACE="eth0"

###################
# Local interface #
###################

LOCAL_IFACE="eth1"           # LAN
LOCAL_IP="192.168.0.1"       # server IP
LOCAL_NET="192.168.0.0/24"   # local IP range
LOCAL_BCAST="192.168.0.255"  # local broadcast

######################
# Loopback interface #
######################

LO_IFACE="lo"
LO_IP="127.0.0.1"

case "$1" in
start)

##################
# Opening banner #
##################

echo "Iniciando a Configuração do Firewall"

###################
# Flush all rules #
###################

echo "Regras Zeradas"

$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F
$IPT -t nat -F
$IPT -X

#############################################
# Block everything: nothing in, nothing out #
#############################################

echo "Fechando todas as Portas"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

##############################################################
# Mitigates ping floods by rate-limiting echo-request replies #
##############################################################

echo "Previne ataques DoS"

$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#####################################################
# Drops echo-request packets beyond the limit above #
#####################################################

echo "bloqueando os pacotes ICMP do tipo echo-request"

$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

#########################
# Block ICMP completely #
#########################

#echo "Bloqueio do Ping"

#$IPT -A INPUT -p icmp -j DROP

#####################
# Security policies #
#####################

echo "Implementação de politicas de segurança"

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route       # reject source-routed (spoofable) packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects          # ICMP redirects can rewrite routes (disable on a router)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts        # broadcast pings are a DoS (smurf) amplifier
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses  # ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                     # SYN cookies: keep accepting connections under a SYN flood
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter             # reverse-path filter: answer only via the interface that received the packet
$IPT -A INPUT -m state --state INVALID -j DROP                  # drop packets conntrack cannot classify

for i in /proc/sys/net/ipv4/conf/*; do
    # do not accept ICMP redirects
    echo 0 > "$i/accept_redirects"
    # IP spoofing protection: no source routing
    echo 0 > "$i/accept_source_route"
    # the kernel decides whether to answer ARP from the same address or not
    echo 1 > "$i/arp_filter"
    # let the kernel log spoofed (martian) packets
    echo 1 > "$i/log_martians"
    # verify the source address of each packet (IP spoofing protection)
    echo 1 > "$i/rp_filter"
done

#################################
# Allow established connections #
#################################

echo "Liberando conexões estabelecidas"

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
$IPT -A INPUT -i $LO_IFACE -j ACCEPT

#########################################################################################
# Allows SSH access and limits new attempts per source: the 4th within a minute is dropped #
#########################################################################################

echo "Liberando o SSH"

# "-m recent --update" only consults the list; the original had no "--set" rule, so the
# list stayed empty and the limit never fired. Record every new attempt first, then drop
# the 4th and later attempts seen from the same address within 60 seconds.
$IPT -A INPUT -p tcp --dport 22 -i $INET_IFACE -m state --state NEW -m recent --name SSH --set
$IPT -A INPUT -p tcp --dport 22 -i $INET_IFACE -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# SSH is TCP only; the UDP rule from the original opened nothing that listens
#$IPT -A INPUT -p udp --dport 22 -j ACCEPT

###########################################
# Allowing mail on TCP ports 25/110       #
###########################################

#echo "Portas Email TCP 25/110 Sendo Liberadas"

#$IPT -A FORWARD -p udp -s 192.168.10.0/24 -d 200.204.0.10 --dport 53 -j ACCEPT
#$IPT -A FORWARD -p udp -s 192.168.10.0/24 -d 200.204.0.138 --dport 53 -j ACCEPT
#$IPT -A FORWARD -p udp -s 200.204.0.10 --sport 53 -d 192.168.10.0/24 -j ACCEPT
#$IPT -A FORWARD -p udp -s 200.204.0.138 --sport 53 -d 192.168.10.0/24 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 192.168.10.0/24 --dport 25 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 192.168.10.0/24 --dport 110 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT
#$IPT -A FORWARD -p tcp --sport 25 -j ACCEPT
#$IPT -A FORWARD -p tcp --sport 110 -j ACCEPT
#$IPT -A FORWARD -p tcp --dport 25 -j ACCEPT
#$IPT -A FORWARD -p tcp --dport 110 -j ACCEPT

#######################################################
# Allowing the internal network full internal access  #
#######################################################

#echo "Aceitando todas Solicitacoes vindas das placas Internas"

#$IPT -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
#$IPT -A INPUT -p ALL -s 192.168.10.0/24 -i lo -j ACCEPT
#$IPT -A INPUT -i lo -j ACCEPT

#################
# Opening ports #
#################

echo "Liberando a portas"

$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp --dport 20 -j ACCEPT
# FTP control and data both run over TCP; the UDP 20/21 rules from the original opened nothing
#$IPT -A INPUT -p udp --dport 21 -j ACCEPT
#$IPT -A INPUT -p udp --dport 20 -j ACCEPT

##########################
# Port / IP redirections #
##########################

echo "Redirecionando Portas"

# The DNAT target must also be accepted by INPUT (if it is this host) or FORWARD
# (if it is another LAN host, which also needs ip_forward enabled).
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 3389 -j DNAT --to $LOCAL_IP   # access to my PC

##################
# Closing banner #
##################

echo "Configuração do Firewall Concluida."

;;

stop)
echo "Finalizando o Firewall"
rm -f /var/lock/subsys/firewall

# -----------------------------------------------------------------
# Remove all existing rules (filter, mangle and nat tables)
# -----------------------------------------------------------------
$IPT -F
$IPT -X
$IPT -t mangle -F
$IPT -t nat -F   # the original left the NAT (DNAT) rules in place after stop
# -----------------------------------------------------------------
# Reset the default policies: accept everything
# -----------------------------------------------------------------
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

;;

status)
$IPT -L -n -v
$IPT -t nat -L -n -v
;;

restart|reload)
$0 stop
$0 start
;;

*)
echo "Selecione uma opção valida {start|stop|status|restart|reload}"
exit 1
;;

esac

exit 0



######################################################################################################
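An added audit helper (my own code, not part of the original post or of Slackware) that reads an iptables-save style dump and flags two things visible in the posted ruleset: a `-m recent --update` rule whose list no `--set` rule ever fills, so the SSH limit never fires, and INPUT ACCEPT rules that open a port on every interface rather than only the LAN. The dump is constructed to mimic the post's INPUT chain and the interface names are the post's own.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): runs with any POSIX sh + awk.

# Constructed dump mimicking the post's INPUT chain as iptables-save would print it.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
COMMIT'

# Same dump plus the "--set" rule that records each new SSH attempt (in a live
# ruleset it must precede the "--update" rule; order does not matter to the audit).
FIXED_RULES="-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
$SAMPLE_RULES"

# Prints each "recent" list that a rule consults (--update/--rcheck) but that no
# rule ever fills (--set). Such a limit never triggers because the list stays empty.
orphan_recent_updates() {
    printf '%s\n' "$1" | awk '
        /-m recent/ {
            name = "DEFAULT"
            for (i = 1; i <= NF; i++) if ($i == "--name") name = $(i + 1)
            if ($0 ~ /--set/) filled[name] = 1
            if ($0 ~ /--update|--rcheck/) checked[name] = 1
        }
        END { for (n in checked) if (!(n in filled)) print n }'
}

# Prints proto/port for every INPUT ACCEPT rule that opens a port with no "-i",
# i.e. reachable from the Internet interface as well as the LAN.
ports_open_on_all_ifaces() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ && /--dport/ && !/ -i / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }'
}
```

Running `orphan_recent_updates "$SAMPLE_RULES"` prints `DEFAULT` for the posted chain and nothing for the fixed one; `ports_open_on_all_ifaces "$SAMPLE_RULES"` lists `tcp/22` and `udp/22`.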