firewall está bom?

1. firewall está bom?

ton.work
(usa Debian)

Enviado em 24/08/2010 - 11:02h

Pessoal ainda estou aprendendo mas ta complicado, queria saber na opnião de vocês sobre este script que montei a partir de outros que encontrei na internet, será que é seguro usalo?

#!/bin/bash

## VARIABLES ##

IFWAN=`ifconfig | sed -n "1p" | awk {'print $1'}` # Filtra Saida do comando 'ifconfig' - Automatiza a implantação do Script
IPWAN=`ifconfig | sed -n "2p" | awk {'print $3'}`
IFLAN=`ifconfig | sed -n "11p" | awk {'print $1'}`
IPLAN=`ifconfig | sed -n "12p" | awk {'print $3'}`
LAN=192.168.1.10/24

## PROGRAMS ##

IPT=`which iptables`
EC=`which echo`
MODUP=`which modprobe`

## FIREWALL START ##

START_FW(){
echo " [ Firewall Starting ... ]"

# LOAD MODULES

$MODUP ip_tables
$MODUP ip_conntrack
$MODUP iptable_filter
$MODUP iptable_mangle
$MODUP iptable_nat
$MODUP ipt_LOG
$MODUP ipt_limit
$MODUP ipt_state
$MODUP ipt_REDIRECT
$MODUP ipt_owner
$MODUP ipt_REJECT
$MODUP ipt_MASQUERADE
$MODUP ip_conntrack_ftp
$MODUP ip_nat_ftp
######
#liberando acesso interno da rede
iptables -A INPUT -p tcp --syn -s 192.168.1.10/255.255.255.0 -j ACCEPT &&
iptables -A OUTPUT -p tcp --syn -s 192.168.1.10/255.255.255.0 -j ACCEPT &&
iptables -A FORWARD -p tcp --syn -s 192.168.1.10/255.255.255.0 -j ACCEPT &&

#compartilhando a web na rede interna
iptables -t nat -A POSTROUTING -s 192.168.1.10/255.255.255.0 -o eth1 -j MASQUERADE &&
echo 1 > /proc/sys/net/ipv4/ip_forward &&
######
# POLICES THIS FIREWALL

$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT ACCEPT

# ENABLE LOOPBACK

$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT

# ENABLE IMPORTANT PORTS

$IPT -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPT -t filter -A INPUT -m state --state RELATED -j ACCEPT
DOOROPEN=`cat "/server/firewall/portasabertas.conf"`
for n in $DOOROPEN; do
PROTOCOL=`$EC $n | cut -d '@' -f 1`
DOOR=`$EC $n | cut -d '@' -f 2`
if [ "$PROTOCOL" = "tcp" ]; then
$IPT -t filter -A INPUT -p tcp --dport $DOOR -j ACCEPT
elif [ "$PROTOCOL" = "udp" ]; then
$IPT -t filter -A INPUT -p udp --dport $DOOR -j ACCEPT
fi
done

# BLOCK SITES FROM INTRANET

$IPT -t filter -A FORWARD -m state --state ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -m state --state RELATED -j ACCEPT
SITES=`cat "/server/firewall/sitesdesativados.conf"`
for n in $SITES ; do
$IPT -t filter -A FORWARD -s $LAN -d $n -j DROP
$IPT -t filter -A FORWARD -s $n -d $LAN -j DROP
done

# PING OF DEATH

echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
$IPT -N PING
$IPT -A INPUT -p icmp --icmp-type echo-request -j PING
$IPT -A PING -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A PING -j DROP

# SYN-FLOOD

echo "0" > /proc/sys/net/ipv4/tcp_syncookies
$IPT -N syn-flood
$IPT -A INPUT -i $IFWAN -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP

# BRUTE-SSH

$IPT -N BRUTE-SSH
$IPT -A INPUT -i $IFWAN -p tcp --dport 22 -j BRUTE-SSH
$IPT -A BRUTE-SSH -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A BRUTE-SSH -j DROP

# ANTI-SPOOFINGS

$IPT -A INPUT -s 10.0.0.0/8 -i $IFWAN -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -i $IFWAN -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -i $IFWAN -j DROP
$IPT -A INPUT -s 192.168.1.0/16 -i $IFWAN -j DROP

# SHEALT SCAN

$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT

# ENABLE FORWARDING

DOORCROSS=`cat "/server/firewall/portasfoward.conf"`
for n in $DOORCROSS; do
STAT=`$EC $n | cut -d '@' -f 1`
PROTO=`$EC $n | cut -d '@' -f 2`
PORT_IN=`$EC $n | cut -d '@' -f 3`
IPTARGET=`$EC $n | cut -d '@' -f 4`
PORT_OUT=`$EC $n | cut -d '@' -f 5`
if [ "$STAT" = "0" ]; then
$IPT -t filter -A FORWARD -p $PROTO --dport $PORT_IN -j ACCEPT
$IPT -t filter -A FORWARD -p $PROTO --sport $PORT_IN -j ACCEPT
$IPT -t nat -A PREROUTING -p $PROTO --dport $PORT_IN -j DNAT --to $IPTARGET
$IPT -t nat -A POSTROUTING -d $IPTARGET -j SNAT --to $IPLAN
elif [ "$STAT" = "1" ]; then
$IPT -t filter -A FORWARD -p $PROTO --dport $PORT_IN -j ACCEPT
$IPT -t filter -A FORWARD -p $PROTO --sport $PORT_IN -j ACCEPT
$IPT -t nat -A PREROUTING -p $PROTO --dport $PORT_IN -j DNAT --to $IPTARGET:$PORT_OUT
$IPT -t nat -A POSTROUTING -d $IPTARGET -j SNAT --to $IPLAN
fi
done

# ENABLE PROXY

#$IPT -t nat -A PREROUTING -i $IFLAN -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.1.10/24 --dport 80,443 -j REDIRECT --to-ports 3128
#ENABLE MASQUERADE

DOORMASQ=`cat "/server/firewall/portasmascaradas.conf"`
for n in $DOORMASQ; do
PROTO=`$EC $n | cut -d '@' -f 1`
PORT=`$EC $n | cut -d '@' -f 2`
if [ "$PROTO" = 'tcp' ]; then
$IPT -t filter -A FORWARD -p tcp --dport $PORT -j ACCEPT
$IPT -t filter -A FORWARD -p tcp --sport $PORT -j ACCEPT
$IPT -t nat -A POSTROUTING -o $IFWAN -p tcp --dport $PORT -j MASQUERADE
elif [ "$PROTO" = 'udp' ]; then
$IPT -t filter -A FORWARD -p udp --dport $PORT -j ACCEPT
$IPT -t filter -A FORWARD -p udp --sport $PORT -j ACCEPT
$IPT -t nat -A POSTROUTING -o $IFWAN -p udp --dport $PORT -j MASQUERADE
fi
done

echo " [ OK ]"
}

STOP_FW(){
echo " [ Firewall Stopping ... ]"
## CLEAN RULES NETFILTER ##

$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z

## DISABLE ROUTING ##

$EC "0" > /proc/sys/net/ipv4/ip_forward

echo " [ OK ]"
}

case "$1" in
"start") START_FW ;;
"stop") STOP_FW ;;
"restart") STOP_FW; START_FW ;;
*) echo
$EC " [ FIREWALL: start, stop ou restart. ]"
$EC " [ Uso incorreto do firewall, restart em ]"
$EC " [ 3 segundos. ]"
echo
sleep 3
/server/firewall/sh.firewall.conf restart
esac

0 0

Quote