Icefusion Portal: Programação, Redes, Linux, WebDeveloper

4 mai 2011

by Icefusion

No Comments

Linux

, , ,

Linux – Iptables – Um Simples Firewall

Linux – Script de Firewall – IPTables

### Criacao de Variaveis ###
iptables=/sbin/iptables
IF_EXTERNA=ppp0  ### -> placa de rede externa -> q tem ligação com modem internet
IF_INTERNA=eth0  ### -> placa de rede interna -> q tem ligação com a rede
IP_EXTERNO= ### -> IP EXTERNO
IP_WINTS= ### IP SERVIDOR WINDOWS TERMINAL SERVER  -  NO MEU CASO EU TENHO Q FAZER UM ROTEAMENTO PARA UM SERVIDOR DO WINDOWS TERMINAL SERVER 2003 ESSE EH IP INTERNO DE MINHA REDE

### Ativa Modulos ###
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_multiport

#Ativa Roteamento no Kernel
echo “1″ > /proc/sys/net/ipv4/ip_forward

#Ativa Protecao contra IP spoofing
echo “1″ > /proc/sys/net/ipv4/conf/all/rp_filter

#Limpa as Regras
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle

#Politicas Padrao
$iptables -P INPUT   DROP
$iptables -P OUTPUT  ACCEPT
$iptables -P FORWARD DROP

#Ativa Mascaramento na Saida
$iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE

###  Fim de Configuracoes de Inicializacao  ###

#Nega Pacotes TCP indesejaveis
$iptables -A FORWARD -p tcp ! –syn -m state –state NEW -j LOG –log-level 6 –log-prefix “FIREWALL(NEW sem syn): ”
$iptables -A FORWARD -p tcp ! –syn -m state –state NEW -j DROP

#Aceita Pacotes Permitido a Entrada
$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT   -m state –state ESTABLISHED,RELATED     -j ACCEPT
$iptables -A OUTPUT  -m state –state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state –state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A INPUT -p ICMP -i $IF_EXTERNA -j ACCEPT

### Ativando Protecoes Contra Ataques ###

# 1 – Protecao contra Trinoo
$iptables -N TRINOO
$iptables -A TRINOO -m limit –limit 15/m -j LOG –log-level 6 –log-prefix “FIREWALL(Prot. Trinoo): ”
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 27444 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 27665 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 31335 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 34555 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 35555 -j TRINOO

# 2 – Protecao contra Trojans
$iptables -N TROJAN
$iptables -A TROJAN -m limit –limit 15/m -j LOG –log-level 6 –log-prefix “FIREWALL(Prot. Trojan): ”
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 666   -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 666   -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 4000  -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 6000  -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 6006  -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA –dport 16660 -j TROJAN

# 3 – Protecao contra Worms
$iptables -A FORWARD -p tcp –dport 135 -i $IF_INTERNA -j REJECT

# 4 – Protecao contra Syn-Flood
$iptables -A FORWARD -p tcp –syn -m limit –limit 2/s -j ACCEPT

# 5 – Protecao contra Ping da Morte
$iptables -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT

# 6 – Protecao contra Port Scanners
$iptables -N SCANNER
$iptables -A SCANNER -m limit –limit 15/m -j LOG –log-level 6 –log-prefix “FIREWALL(Port Scanner): ”
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp –tcp-flags ALL FIN,URG,PSH         -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags ALL NONE                -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags ALL ALL                 -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags ALL FIN,SYN             -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST         -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN         -i $IF_EXTERNA -j SCANNER

### Fim de Regras de Protecao ###

### Log de Conexao nas Portas Liberadas ###
$iptables -A INPUT -p tcp –dport 22   -i $IF_EXTERNA -j LOG –log-level 6 –log-prefix “FIREWALL(SSH): ”
$iptables -A INPUT -p tcp –dport 3389 -i $IF_EXTERNA -j LOG –log-level 6 –log-prefix “FIREWALL(WINDOWS TS): ”

### Fim Log Conexao nas Portas Liberadas ###

### Ativando Portas para Conexoes ###

# Liberando Windows Terminal Server #

# Ativando o Encaminhamento de Pacotes
$iptables -A FORWARD -p tcp -d $IP_WINTS –dport 3389 -j ACCEPT
$iptables -A FORWARD -p tcp -s $IP_WINTS –sport 3389 -j ACCEPT

# Ativando o Roteamento de Pacotes
$iptables -A PREROUTING -t nat -i $IF_EXTERNA -d $IP_EXTERNO -p tcp –dport 3389 -j DNAT –to $IP_WINTS:3389

# Fim de Liberacao Windows Terminal Server #

#Liberando portas
$iptables -A INPUT -p tcp –dport 22 -j ACCEPT

#Liberando Navegacao Interna
$iptables -A INPUT -i $IF_INTERNA -j ACCEPT

### Fim de Ativacao de Portas para Conexoes ###

echo “FIREWALL CARREGADO COM SUCESSO”

No Comments

« Previous Post 
 Next Post »

Leave a Reply

You can follow any responses to this entry through the RSS 2.0 feed.