erro no firewall [RESOLVIDO]
1. erro no firewall [RESOLVIDO]
GustavinhoO
(usa Debian)
Enviado em 11/05/2011 - 12:32h
fiz uma regra de firewall para minha empresa e esta dando o seguinte erro!script de firewall
#"| membros da comunidade viva o linux"
9 #"| Analista de Redes"
10 #"| gustavo.ti@hotmail.com.br"
11 #"| Uso: firewall start|stop|restart"
12 #"::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
13
14 #mensagem de inicializaçao
15 echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
16 echo "| Script de Firewall - IPTABLES"
17 echo "| Criado por: Guilherme Ribeiro"
18 echo "| Contribuindo por: Josemar, Marcelo, Urubatan Neto e todos os"
19 echo "| membros da comunidade viva o linux"
20 echo "| Analista de Redes"
21 echo "| gustavo.ti@hotmail.com.br"
22 echo "| Uso: firewall start|stop|restart"
23 echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
24 echo
25 echo "=========================================================|"
26 echo "|:INICIANDO A CONFIGURAÃ DO FIREWALL NETFILTER ATRAVÃ|"
27 echo "|: DO IPTABLES :|"
28 echo "=========================================================|"
29 iniciar(){
30
31 # Móos #
32 modprobe ip_tables
33 modprobe ip_conntrack
34 modprobe iptable_filter
35 modprobe iptable_mangle
36 modprobe iptable_nat
37 modprobe ipt_LOG
38 modprobe ipt_limit
39 modprobe ipt_state
40 modprobe ipt_REDIRECT
41 modprobe ipt_owner
42 modprobe ipt_REJECT
43 modprobe ipt_MASQUERADE
44 modprobe ip_conntrack_ftp
45 modprobe ip_nat_ftp
# Limpa as regras #
51 iptables -X
52 iptables -Z
53 iptables -F INPUT
54 iptables -F OUTPUT
55 iptables -F FORWARD
56 iptables -F -t nat
57 iptables -F -t mangle
58
59 # Politicas padrao #
60 iptables -t filter -P INPUT DROP
61 iptables -t filter -P OUTPUT ACCEPT
62 iptables -t filter -P FORWARD DROP
63 iptables -t nat -P PREROUTING ACCEPT
64 iptables -t nat -P OUTPUT ACCEPT
65 iptables -t nat -P POSTROUTING ACCEPT
66 iptables -t mangle -P PREROUTING ACCEPT
67 iptables -t mangle -P OUTPUT ACCEPT
68
69 #Compartilhar conexãecho 1 > /proc/sys/net/ipv4/ip_forward
70 echo .ativando o redirecionamento no arquivo ip_forward.
71 echo .ON .........................................................................................[OK].
72 # Efetivando o PROXY TRANPARENTE
73 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
74 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 # (Redireciona para o squid) - eth0 -> Placa de rede local
75 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
76 iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
77 echo .Proxy Transparente Ativado.
78 echo .ON .........................................................................................[OK].
79
80 # Manter conexoes jah estabelecidas para nao parar
81 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
82 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
83 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
84
85 # Aceita todo o trafego vindo do loopback e indo pro loopback
86 iptables -t filter -A INPUT -i lo -j ACCEPT
#######################
89 ### LOG DO FIREWALL ###
90 #######################
91
92 iptables -A INPUT -d 187.115.132.6 -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 22"
93 iptables -A INPUT -d 187.115.132.6 -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
94 iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
95 iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
96
97
98 # Redireconamento de portas
99 # sql Para algum micro (192.168.0.102 = nome da pessoa)
100 iptables -t nat -A PREROUTING -d 187.115.132.6 -p tcp --dport 1433 -j DNAT --to 192.168.0.102:1433
101 iptables -t nat -A PREROUTING -d 187.115.132.6 -p tcp --dport 1434 -j DNAT --to 192.168.0.102:1434
102 iptables -t nat -A PREROUTING -d 187.115.132.6 -p udp --dport 1433 -j DNAT --to 192.168.0.102:1433
103 iptables -t nat -A PREROUTING -d 187.115.132.6 -p udp --dport 1434 -j DNAT --to 192.168.0.102:1434
104 iptables -t nat -A PREROUTING -d 187.115.132.6 -p tcp --dport 3080 -j DNAT --to 192.168.0.100:3080
105 iptables -t nat -A PREROUTING -d 187.115.132.6 -p tcp --dport 3389 -j DNAT --to 192.168.0.102:3389
106 iptables -t nat -A PREROUTING -d 187.115.132.6 -p udp --dport 3389 -j DNAT --to 192.168.0.102:3389
107 iptables -t nat -A PREROUTING -d 187.115.132.6 -p tcp --dport 80 -j DNAT --to 192.168.0.100:80
108 echo .Redirecionamento Ativado
109 echo .ON .........................................................................................[OK].
110
111 ###############################
112 # TABELA Input #
113 ###############################
114 ### Destino Externo ###
115
116 # Liberando Porta 227 (SSH)
117 iptables -A INPUT -p tcp --dport 227 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 227"
118 iptables -A INPUT -p tcp --dport 227 -j ACCEPT
119
120 # Liberando Porta 21 (ftp)
121 iptables -A INPUT -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
122 iptables -A INPUT -p tcp --dport 21 -j ACCEPT
123
124 ### Destino Interno ###
125
126 # Liberando Porta 227 (SSH)
127 iptables -A INPUT -p tcp --dport 227 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 227"
128 iptables -A INPUT -p tcp --dport 227 -j ACCEPT
129
130 # Liberando porta 3128 (Squid)
131 iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
# Liberando Porta 80 (http)
134 iptables -A INPUT -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80"
135 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
136
137
138 # Liberando Porta 21 (ftp)
139 iptables -A INPUT -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
140 iptables -A INPUT -p tcp --dport 21 -j ACCEPT
141
142 # Liberando porta 3000 (NTOP)
143 iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
144
145 ###############################
146 # TABELA Forward #
147 ###############################
148
149 ## MSN ###
150 # Libera msn para o IP #
151 # nome
152 #iptables -A FORWARD -s 192.168.0.11 -p tcp --dport 1863 -j ACCEPT
153
154 # Bloqueio de MSN #
155 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 1863 -j DROP
156 iptables -A FORWARD -s 192.168.0.0 -d loginnet.passport.com -j DROP
157 iptables -A FORWARD -s 198.168.0.0/24 -p tcp --dport 1863 -j DROP
158 iptables -A FORWARD -s 198.168.0.0/24 -d loginnet.passport.com -j DROP
159 iptables -A FORWARD -s 198.168.0.0/24 -d messenger.hotmail.com -j DROP
160 iptables -A FORWARD -s 198.168.0.0/24 -d webmessenger.msn.com -j DROP
161 iptables -A FORWARD -p tcp --dport 1080 -j DROP
162 iptables -A FORWARD -s 198.168.0.0/24 -p tcp --dport 1080 -j DROP
163 iptables -A FORWARD -p tcp --dport 1863 -j DROP
164 iptables -A FORWARD -d 64.4.13.0/24 -j DROP
165
166 # Liberando Porta 227 (SSH)
167 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 227 -j ACCEPT
168
169 # Liberando Porta 22 (SSH)
170 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 22 -j ACCEPT
171 # Liberando Porta 110 (pop-3)
172 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 110 -j ACCEPT
173
174 # Liberando Porta 995 (spop-3)
175 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 995 -j ACCEPT
176
177 # Liberando Porta 25 (smtp)
178 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 25 -j ACCEPT
# Liberando Porta 465 (smtp-s)
181 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 465 -j ACCEPT
182
183 # Liberando Porta 21 (ftp)
184 iptables -A FORWARD -s 192.168.0.0 -p udp --dport 21 -j ACCEPT
185 iptables -A FORWARD -s 192.168.0.0 -p udp --dport 20 -j ACCEPT
186
187 # Liberando porta 53 (DNS)
188 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 53 -j ACCEPT
189 iptables -A FORWARD -s 192.168.0.0 -p udp --dport 53 -j ACCEPT
190
191 # Regras forward para o funcionamento de redirecionamento de portas (NAT)
192 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 1433:1434 -j ACCEPT
193 iptables -A FORWARD -s 192.168.0.0 -p udp --dport 1433:1434 -j ACCEPT
194 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 3080 -j ACCEPT
195 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 3389 -j ACCEPT
196 iptables -A FORWARD -s 192.168.0.0 -p udp --dport 3389 -j ACCEPT
197 iptables -A FORWARD -s 192.168.0.0 -p tcp --dport 80 -j ACCEPT
198
199
200 ### regras de segurançfirewall ####
201
202 iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
203 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
204 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
205 iptables -A INPUT -m state --state INVALID -j DROP
206 ### Impedindo ataque Ping of Death no Firewall ####
207 iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
208
209 ### Descarte de pacotes nao identificados ICMP ####
210 iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
211 iptables -A INPUT -m state -p icmp --state INVALID -j DROP
212 iptables -A FORWARD -m state -p icmp --state INVALID -j DROP
213
214 ### Impedindo ataque Ping of Death na rede ####
215 iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
216
217 ### Impedindo ataque de Denial Of Service Dos na rede e servidor ####
218 iptables -I FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
219 iptables -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT
### Impedindo ataque Port Scanners na rede e no Firewall ####
222 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
223 iptables -I INPUT -p udp --dport 33435:33525 -j LOG --log-level info --log-prefix 'SCANNERS DROPADO>'
224 iptables -A INPUT -p udp --dport 33435:33525 -j DROP
225 iptables -I FORWARD -p udp --dport 33435:33525 -j LOG --log-level info --log-prefix 'SCANNERS DROPADO NA REDE>'
226 iptables -A FORWARD -p udp --dport 33435:33525 -j DROP
227
228 ### Bloquear Back Orifice na rede ####
229 iptables -I INPUT -p tcp --dport 31337 -j LOG --log-level info --log-prefix 'ORIFICE DROPADO>'
230 iptables -A INPUT -p tcp --dport 31337 -j DROP
231 iptables -I INPUT -p udp --dport 31337 -j LOG --log-level info --log-prefix 'ORIFICE UDP>'
232 iptables -A INPUT -p udp --dport 31337 -j DROP
233 iptables -I FORWARD -p tcp --dport 31337 -j LOG --log-level info --log-prefix 'ORIFICE NA REDE>'
234 iptables -A FORWARD -p tcp --dport 31337 -j DROP
235 iptables -I FORWARD -p udp --dport 31337 -j LOG --log-level info --log-prefix 'ORIFICE NA REDE UDP>'
236 iptables -A FORWARD -p udp --dport 31337 -j DROP
237
238 ### Bloquear NetBus na rede ####
239 iptables -I INPUT -p tcp --dport 12345 -j LOG --log-level info --log-prefix 'NETBUS >'
240 iptables -A INPUT -p tcp --dport 12345 -j DROP
241 iptables -I INPUT -p udp --dport 12345 -j LOG --log-level info --log-prefix 'NETBUS UDP>'
242 iptables -A INPUT -p udp --dport 12345 -j DROP
243 iptables -I FORWARD -p tcp --dport 12345 -j LOG --log-level info --log-prefix 'NETBUS NA REDE>'
244 iptables -A FORWARD -p tcp --dport 12345 -j DROP
245 iptables -I FORWARD -p udp --dport 12345 -j LOG --log-level info --log-prefix 'NETBUS UDP>'
246 iptables -A FORWARD -p udp --dport 12345 -j DROP
247
248 ### Desabilita resposta para pingecho 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
249
250 ### Desabilita port scan ####
251 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
252
253 ### Desabilita redirecionamento de ICMP ####
254 for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
255 echo 0 >$f
256 done
257
258 ### Protecao contra synflood ####
259 echo "1" > /proc/sys/net/ipv4/tcp_syncookies
260
261 ### Ativando protecao contra responses bogus ####
262 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### Protecao contra worms ####
265 iptables -I FORWARD -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS REDE>'
266 iptables -A FORWARD -p tcp --dport 135 -j DROP
267 iptables -I INPUT -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS >'
268 iptables -A INPUT -p tcp --dport 135 -j DROP
269
270 ### Bloqueando tracertroute ####
271 iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j REJECT
272
273 ### Permite o redirecionamento seguro dos pacotes ####
274 echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
275
276 ### IMPEDINDO O REDIRECIONAMENTO E UMA ROTA ####
277 echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
278 echo Seguranca Carregada e logs gerados ..... [ok]
279
280 # Aceita Pacotes Estabilizados ####
281
282 echo Estabilizando Pacotes
283 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
284 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
285 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
286 echo Pacotes Estabilizado ..... [ok]
287
288
289
290 # Mascaramento de rede para acesso externo #
291 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
292
293 #Bloqueia todo o resto
294 #iptables -A INPUT -p tcp -j LOG --log-level 6 --log-prefix "FIREWALL: GERAL "
295 iptables -A INPUT -p tcp --syn -j DROP
296 iptables -A INPUT -p tcp -j DROP
297 iptables -A INPUT -p udp -j DROP
298 echo "Regras de firewall e compartilhamento desativados"
}
301
302 parar(){
303 iptables -F
304 iptables -t nat -F
305 iptables -P INPUT DROP
306 iptables -P OUTPUT ACCEPT
307 iptables -p FORWARD DROP
308 echo 0 > /proc/sys/net/ipv4/ip_forward
309 echo "Regras de firewall e compartilhamento desativados"
310 }
311 case "$1" in
312 "start") iniciar ;;
313 "stop") parar ;;
314 "restart") parar; iniciar ;;
315 *) echo "Use os parâtros start ou stop"
316 esac
e este é o erro que esta dando quando inicio ele
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
| Script de Firewall - IPTABLES
| Criado por: Guilherme Ribeiro
| Contribuindo por: Josemar, Marcelo, Urubatan Neto e todos os
| membros da comunidade viva o linux
| Analista de Redes
| gustavo.ti@hotmail.com.br
| Uso: firewall start|stop|restart
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=========================================================|
|:INICIANDO A CONFIGURAÃ DO FIREWALL NETFILTER ATRAVÃ|
|: DO IPTABLES :|
=========================================================|
iptables v1.4.8: unknown protocol `forward' specified
Try `iptables -h' or 'iptables --help' for more information.
Regras de firewall e compartilhamento desativados
.ativando o redirecionamento no arquivo ip_forward.
.ON .........................................................................................[OK].
.Proxy Transparente Ativado.
.ON .........................................................................................[OK].
.Redirecionamento Ativado
.ON .........................................................................................[OK].
Seguranca Carregada e logs gerados ..... [ok]
Estabilizando Pacotes
Pacotes Estabilizado ..... [ok]
Regras de firewall e compartilhamento desativados
tbm gostaria de verificar sugestoes sobre o script e ver se esta tudo certinho....
grato!
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
