Ajuda script iptables.

ifortunato
(usa Fedora)

Enviado em 23/04/2007 - 14:55h

Olá Pessoal,

Eu já revirei meu script e não consigo encontrar o erro. Alguém pode me ajudar?

Meu ambiente:
DSL ROUTER > FIREWALL+DHCP > REDE

#!/bin/bash
#################################################################################
# By Ivon Fortunato
# Script de Firewall IPTABLES
# Atualizado em: 19/04/2007
################################################################################

printf " -------> Iniciando o Firewall ...\n"
WORKING=$PWD
. /etc/init.d/functions

route del default
route add default eth0
route add default gw 192.168.100.1 eth1

################################################
# >>> Declaracao das variaáveis globais
################################################

INT_NET='eth1' # Interface com a internet.
INT_REDE='eth0' # Interface com a rede.

LAN='192.168.100.0/24' # Rede Local

IP_ADM="192.168.100.100"

# IPs das Maquinas dos Adm do Servico

IP_LOCAL='192.168.100.10' # IP na Rede Local
IP_OUT='192.168.100.11' # IP na Rede Externa

#IP_PROXY='192.168.100.10' # IP do Servidor Proxy
IP_Receita='161.148.0.0/16' # Rede da Receita Federal

SQUID='S' # Configura se o servidor possue proxy squid rodando.
# (S) Sim ou (N) Não.

SQUID_PORT=3128 # Porta do squid (3128)

#TS = 'S' # Configura se possue um servidor terminal service
# na rede e redireciona a porta (S) ou (N)

TERM_IP='192.168.1.100' # IP do servidor rodando terminal service na rede

YAHOO='N' # Bloqueia Yahoo messenger
MSN='N' # Bloqueia Msn messenger
ICQ='N' # Bloqueia ICQ
AIM='N' # Bloqueia AIM
P2P='S' # Bloqueia Kazaa
SPY='S' # Bloqueia Spyares conhecidos
SSH='S' # Bloqueia acesso por SSH
MOD=`which modprobe` # Modulos do iptables

# >>> Insere modulos iptables
$MOD ip_tables
$MOD ip_nat_ftp
$MOD ip_conntrack_ftp
$MOD ipt_MASQUERADE
$MOD ipt_LOG
$MOD iptable_nat
$MOD ip_conntrack
$MOD iptable_filter

LOG='iplog -i $INT_NET -w -d -l /var/log/dsa.fw.logs' # Arquivo de Log do Firewall

# >>> Fim das definicoes de variaveis

# >>> Desabilitando o trafego IP Entre as Placas de Rede
printf "Desabilitando o tráfego entre as placas de rede..."
echo 0 > /proc/sys/net/ipv4/ip_forward
success; printf "\n"

# >> Ativando syn cookies protecao no kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# >>> Remove modulos do ipchains para evitar conflitos
# rmmod ipchains

#############################################
# CRIANDO LOGs PARA A CHAIN
#############################################

printf "Criando LOGs para a chain"
iptables -N DROP
iptables -A DROP -p tcp -j LOG --log-level 3 --log-prefix "DROP"
iptables -A DROP -p udp -j LOG --log-level 3 --log-prefix "DROP"
iptables -A DROP -p icmp -j LOG --log-level 3 --log-prefix "DROP"
iptables -A DROP -f -j LOG --log-level 3 --log-prefix "DROP"
iptables -A DROP -j DROP
iptables -N LREJECT
iptables -A LREJECT -p tcp -j LOG --log-level 3 --log-prefix "REJECT"
iptables -A LREJECT -p udp -j LOG --log-level 3 --log-prefix "REJECT"
iptables -A LREJECT -p icmp -j LOG --log-level 3 --log-prefix "REJECT"
iptables -A LREJECT -f -j LOG --log-level 3 --log-prefix "REJECT"
iptables -A LREJECT -j REJECT
iptables -N LACCEPT
iptables -A LACCEPT -p tcp -j LOG --log-level 3 --log-prefix "ACCEPT"
iptables -A LACCEPT -p udp -j LOG --log-level 3 --log-prefix "ACCEPT"
iptables -A LACCEPT -p icmp -j LOG --log-level 3 --log-prefix "ACCEPT"
iptables -A LACCEPT -f -j LOG --log-level 3 --log-prefix "ACCEPT"
iptables -A LACCEPT -j ACCEPT
iptables -N TREJECT
iptables -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
iptables -A TREJECT -j REJECT
iptables -N LTREJECT
iptables -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
iptables -A LTREJECT -p tcp -j LOG --log-level 3 --log-prefix "REJECT "
iptables -A LTREJECT -p udp -j LOG --log-level 3 --log-prefix "REJECT "
iptables -A LTREJECT -p icmp -j LOG --log-level 3 --log-prefix "REJECT "
iptables -A LTREJECT -f -j LOG --log-level 3 --log-prefix "REJECT "
iptables -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
iptables -A LTREJECT -j REJECT
success; printf "\n"

#############################################
# REGRAS BASICAS DE INICIALIZACAO
#############################################

# >>> Deleta todas as regras do firewall
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X



# >>> Internet Sharing e Firewall iniciando
printf "Fazendo Nat na rede..."
iptables -t nat -A POSTROUTING -o $INT_NET -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 60/minute --limit-burst 60
success; printf "\n"

# >> Setando por padrao o DROP.
iptables -A FORWARD -i $INT_REDE -j DROP
iptables -A INPUT -i $INT_NET -j DROP
iptables -P OUTPUT -j ACCEPT

# >>> Aceita trafico em lo (loopback) device
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I INPUT -i lo -s ! 127.0.0.0/255.0.0.0 -j DROP

iptables -A FORWARD -p all -s $LAN -d 0/0 -j ACCEPT

# >>> Aceitando conexoes estabelecidas
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# >>> Bloqueando Tracertroute
# iptables -A INPUT -p udp -s 0/0 -i $INT_NET --dport 33435:33525 -j DROP

#############################################
# REGRAS BASICAS CONTRA ATAQUES CONHECIDOS
#############################################

# >>> Bloqueando Multicast
iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP

# >>> Bloqueando Back Orifice
iptables -A INPUT -p tcp -i $INT_NET --dport 31337 -j DROP
iptables -A INPUT -p udp -i $INT_NET --dport 31337 -j DROP

# >>> Bloqueando Trin00
iptables -A INPUT -p tcp -i $INT_NET --dport 1524 -j DROP
iptables -A INPUT -p tcp -i $INT_NET --dport 27665 -j DROP
iptables -A INPUT -p udp -i $INT_NET --dport 27444 -j DROP
iptables -A INPUT -p udp -i $INT_NET --dport 31335 -j DROP

# >>> Configurando a Protecao anti-spoofing
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done

#Anti-Spoofings
iptables -A INPUT -j DROP -s 127.0.0.0/8 -i $INT_NET
iptables -A INPUT -j DROP -s 172.16.0.0/12 -i $INT_NET
iptables -A INPUT -j DROP -s 192.168.1.0/16 -i $INT_NET
iptables -A INPUT -j DROP -s ! 192.168.100.0/24 -i $INT_NET


# >>> Barra a porta Wincrash e cria log da tentativa de acesso
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"
iptables -A INPUT -p tcp --dport 5042 -j DROP

# >>> Barra a porta NetBus e cria log da tentativa de acesso
iptables -A INPUT -p tcp --dport 12345:12346 -j LOG --log-prefix "Servico: NetBus"
iptables -A INPUT -p tcp --dport 12345:12346 -j DROP

# >>> Barra a porta TROJANS e cria log da tentativa de acesso
#Contem erro

# TROJAN_PORTS="12345 31336 31337 31338 3024 4092 5714 5742 2583 8787 5556 5557"
# iptables -t filter -N trojans-in
# for PORTA in ${TROJAN_PORTS};do
# iptables -A trojans-in -p tcp --sport=1024: --dport=${PORTA} -j LOG \
# --log-prefix "FIREWALL: Trojan ${PORTA} "
# iptables -A trojans-in -p tcp --sport=1024: --dport=${PORTA} -j DROP
# done
# iptables -t filter -A INPUT -i $INT_NET -j trojans-in


#echo "essa tem erro!"
# >>> Protecao quanto a ataques DoS
#iptables -A FORWARD -m unclean -j DROP
#echo "aqui"



#############################################
# REGRAS PARA ATIVACAO DE SERVICOS PERMITIDOS
#############################################

# >>> Bloqueando conexão via SSh
case $SSH in
'S'|'s')
printf "Liberando acesso para Administradores."
for IP in $IP_ADM; do
iptables -A INPUT -p tcp -s $IP --destination-port 22 -j ACCEPT
done
success; printf "\n"

printf "Bloqueando Acesso por SSH."
iptables -A INPUT -p tcp --destination-port 22 -j DROP
success; printf "\n"
esac

#########################################################################################

#Liberar acesso via SSH NET
iptables -t nat -A PREROUTING -i $INT_NET -p udp --dport 22 -j DNAT --to-dest 192.168.100.11

#LIBERANDO ESTE SERVIDOR PARA ACESSAR A INTERNET
printf "Liberando este servidor para acessar a internet"
iptables -A OUTPUT -s 192.168.100.11 -p tcp -d 0/0 -j ACCEPT
iptables -A OUTPUT -s 192.168.100.10 -p tcp -d 0/0 -j ACCEPT
success; printf "\n"

#########################################################################################
# Modulo
printf "Liberando Modulo..."
iptables -A FORWARD -s 192.168.100.100 -m mac --mac-source 00:14:85:CD:A6:33 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.101 -m mac --mac-source 00:0A:E6:79:6D:DE -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.102 -m mac --mac-source 00:11:5B:6D:D8:E8 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.103 -m mac --mac-source 00:07:95:57:61:F1 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.104 -m mac --mac-source 00:08:54:DB:F7:F0 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.105 -m mac --mac-source 00:90:F5:36:F2:17 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.106 -m mac --mac-source 00:D0:09:E1:8C:C9 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.107 -m mac --mac-source 00:10:DC:18:89:E1 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.108 -m mac --mac-source 00:0D:87:A6:EF:40 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.109 -m mac --mac-source 00:0F:EA:9E:C9:15 -o $INT_NET -j ACCEPT
iptables -A FORWARD -s 192.168.100.110 -m mac --mac-source 00:D0:09:A1:D0:F0 -o $INT_NET -j ACCEPT
iptables -I FORWARD -d $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

#iptables -A FOWARD -s $LAN -j ACCEPT

success; printf "\n"


#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------

iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -o eth1 -p tcp

#########################################################################################

###################################################################################################
# DNS - Libera a resolucao de nomes
###################################################################################################
printf "Liberando porta para o DNS..."

iptables -A OUTPUT -p udp -o $INT_NET --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i $INT_NET --sport 53 --dport 1024:65535 -j ACCEPT

#iptables -A INPUT -p udp -s $LAN --dport 53 -j ACCEPT

# Allow DNS resolution
iptables -A OUTPUT -o $INT_NET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
iptables -A OUTPUT -o $INT_NET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT


iptables -A OUTPUT -p tcp -o $INT_NET --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -i $INT_NET --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -o $INT_REDE --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -i $INT_REDE --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p tcp -o $INT_REDE --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p tcp -i $INT_REDE --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $INT_REDE -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INT_REDE -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INT_NET --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -o $INT_NET --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i $INT_REDE --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i $INT_REDE --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $LAN --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s $LAN --dport 53 -j ACCEPT
success; printf "\n"
###############################################################
#Bloquear site usados por hackers
#
##############################################################
# printf "Bloqueando site usado por hackers..."
# iptables -A INPUT -p tcp -s 67.15.159.107 -j DROP
#sucess; printf "\n"

#############################################
# REGRAS PARA BLOQUEIO DE SERVICOS PROIBIDOS
#############################################

# >>> Bloqueando acesso para o X Server.
iptables -A INPUT -p tcp -i $INT_NET --dport 5999:6003 -j DROP
iptables -A INPUT -p udp -i $INT_NET --dport 5999:6003 -j DROP
iptables -A INPUT -p tcp -i $INT_NET --dport 7100 -j DROP


#############################################
# REGRAS DE BLOQUEIO A APLICATIVOS PROIBIDOS
#############################################

# >>> Bloqueando o Yahoo messenger
#case $YAHOO in
# S|s)
# iptables -A FORWARD -d cs.yahoo.com -j REJECT;
# iptables -A FORWARD -d scsa.yahoo.com -j REJECT;
#esac

# >>> Bloqueando o Msn messenger
#case $MSN in
# S|s)
# iptables -A FORWARD -p TCP --dport 1863 -j REJECT;
# iptables -A FORWARD -d 64.4.13.0/24 -j REJECT;
#esac

#Bloqueando o ICQ
#case $ICQ in
# S|s)
# iptables -A FORWARD -p TCP --dport 5190 -j REJECT;
# iptables -A FORWARD -d login.icq.com -j REJECT;
#esac

# >>> Bloqueando o AIM
#case $AIM in
# S|s)
# iptables -A FORWARD -d login.oscar.aol.com -j REJECT;
#esac

# >>> Bloqueando P2P
case $P2P in
S|s)
#iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT;

#BearShare
iptables -A FORWARD -p TCP --dport 6346 -j REJECT;

#ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j REJECT;

#WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT;
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT;

#Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT;

#Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT;
iptables -A FORWARD -p TCP --dport 1214 -j REJECT;

#KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT;
iptables -A FORWARD -p TCP --dport 1214 -j REJECT;

#Limewire
iptables -A FORWARD -p TCP --dport 6346 -j REJECT;

#Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT;

#GNUTella
iptables -A FORWARD -p tcp --dport 6346 -j REJECT;

#eDonkey
iptables -A FORWARD -p tcp --dport 4661:4662 -j REJECT;
iptables -A FORWARD -p udp --dport 4665 -j REJECT;
iptables -A FORWARD -p udp --dport 4672 -j REJECT;

#Napster
iptables -A FORWARD -d 64.124.41.0/24 -j REJECT;

#Bearshare
iptables -A FORWARD -p TCP --dport 6346 -j REJECT;

#ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j REJECT;

esac


#############################################
# REGRAS FINAIS
#############################################

# >>> Portas abertas para estabelecer conexoes
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p tcp -i $INT_NET --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -i $INT_NET --dport 1023:65535 -j ACCEPT

# >>> Setando telnet, www, smtp, pop3 e FTP para Pouco Delay
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay

# >>> Habilitando o trafego Ip, entre as Interfaces de rede
printf "Habilitando encaminhamento entre placa de rede..."
echo 1 > /proc/sys/net/ipv4/ip_forward
success; printf "\n"

echo "16777216" > /proc/sys/net/ipv4/ip_conntrack_max


# >>> Habilita protocolo ICMP
iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i $INT_NET -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i $INT_NET -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i $INT_NET -j ACCEPT
iptables -A OUTPUT -p icmp -o $INT_NET -j ACCEPT


printf " -------> Configuracao Finalizada. \n"