Firewall (iptables) (firewall)
Script de firewall
Categoria: Segurança
Software: Firewall (iptables)
[ Hits: 25.922 ]
Por: Marcone Gledson de Almeida
Script de firewall com bloqueios de portas, regras de segurança de rede, liberação de portas específicas, bloqueios a programas P2P e messengers e regras de redirecionamento (VNC e PcAnyWhere).
Escrito originalmente por Leonardo Pimenta Gonzalez
#! /bin/sh # /sbin/init.d/<skeleton> # # and symbolic its link # ### BEGIN INIT INFO # Provides: firewall # Required-Start: $network cron # X-UnitedLinux-Should-Start: # Required-Stop: # Default-Start: 3 5 # Default-Stop: # Description: FW ### END INIT INFO # /sbin/rc<skeleton> . /etc/rc.status # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v ditto but be verbose in local rc status # rc_status -v -r ditto and clear the local rc status # rc_failed set local and overall rc status to failed # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status LAN=192.168.4.0/24 NET=eth0 # First reset status of this service rc_reset case "$1" in start) echo -n "Starting Firewall Rules" ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. #startproc /usr/sbin/foo iptables -F iptables -t nat -F for module in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp iptable_nat iptable_filter; do if ! modprobe $module; then echo "Can't load module $module"; return=$rc_failed fi done ################### CRIA�O DOS LOGS DE ACESSO ###################### # Monitoramento de acessos iptables -N LACCEPT iptables -A LACCEPT -j LOG --log-level info --log-prefix "ACCESS: " iptables -A LACCEPT -j ACCEPT # Monitoramento de pacotes rejeitados iptables -N FDROP iptables -A FDROP -j LOG --log-level debug --log-prefix "FDROP: " iptables -A FDROP -j DROP # Monitoramento dos programas VNC e Terminal Server (respectivamente) iptables -t nat -A PREROUTING -p tcp --dport 5900 -j LOG --log-prefix="VNC:" iptables -t nat -A PREROUTING -p tcp --dport 3389 -j LOG --log-prefix="Terminal Server:" ################### REGRAS DE SEGURAN� DA REDE ###################### # Descarte de pacotes nao-identificado ICMP (ping) iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP # Contra DoS: iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT # Contra Port Scanners: iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # Contra Pings da morte iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # Bloquear Back Orifice: iptables -A INPUT -p tcp --dport 31337 -j DROP iptables -A INPUT -p udp --dport 31337 -j DROP # Bloquear NetBus: iptables -A INPUT -p tcp --dport 12345:12346 -j DROP iptables -A INPUT -p udp --dport 12345:12346 -j DROP ################### LIBERACAO DE PORTAS ###################### # Liberacao de acesso SSH para acesso remoto iptables -A INPUT -p tcp -i $NET \ --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Liberacao das portas TCP altas (1022 a 65535) iptables -A INPUT -p tcp -i $NET --dport 1022:65535 \ -m state --state ESTABLISHED,RELATED -j ACCEPT # Liberacao das portas TCP altas (1022 a 65535)para pesquisa DNS iptables -A INPUT -p udp -i $NET --sport 53 --dport 1024:65535 \ -m state --state ESTABLISHED -j ACCEPT # Bloqueio de todas as outras portas #iptables -A INPUT -i $NET -j FDROP ################ BLOQUEIO DE PROGRAMAS P2P e Messengers #################### # Bloqueio de MSN Messenger #iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT #iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT # Bloqueio de Kazaa iptables -A FORWARD -p tcp --dport 1214 -j REJECT iptables -A FORWARD -p udp --dport 1214 -j REJECT iptables -A FORWARD -d 213.248.112.0/24 -j REJECT iptables -A FORWARD -d 206.142.53.0/24 -j REJECT ################# REGRAS DE REDIRECIONAMENTO ################################# # Redirecionamento do Man do Oracle #iptables -t nat -A PREROUTING -i $NET -p tcp --dport 1158 -m state --state \ #NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.252 #iptables -t nat -A PREROUTING -i $NET -p udp --dport 1158 -m state --state \ #NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.252 # Redirecionamento do Terminal Server #iptables -t nat -A PREROUTING -i $NET -p tcp --dport 5900 -m state --state \ #NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.70 # Regras para redirecionamento de IP para o PCAnywhere #iptables -t nat -A PREROUTING -i $NET -p tcp -s 201.24.152.2 --dport 5631 -j DNAT \ #--to-destination 192.168.0.70 #iptables -t nat -A PREROUTING -i $NET -p tcp -s 201.24.152.2 --dport 5632 -j DNAT \ #--to-destination 192.168.0.70 # Redirecionamento do VNC #iptables -t nat -A PREROUTING -i $NET -p tcp --dport 5900 -m state --state \ #NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.70 ############### REGRAS DE PARA COMPARTILHAMENTO DA INTERNET ################### # Libera�o da LoopBack (127.0.0.1) iptables -t nat -A POSTROUTING -o lo -j ACCEPT # Compartilha a Internet echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s $LAN -j MASQUERADE # Redirecionamento de porta para Proxy Transparente Squid #iptables -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128 ##################### # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down Firewall Rules" ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. iptables -F iptables -t nat -F #Deletar regras de log iptables -X LACCEPT iptables -X FDROP #killproc -TERM /usr/sbin/foo # Remember status and be verbose rc_status -v ;; restart) ## If first returns OK call the second, if first or ## second command fails, set echo return value. $0 stop && $0 start # Remember status and be quiet rc_status ;; reload) ## Choose ONE of the following two cases: ## First possibility: A few services accepts a signal ## to reread the (changed) configuration. #echo -n "Reload service foo" #killproc -HUP /usr/sbin/foo #rc_status -v ## Exclusive possibility: Some services must be stopped ## and started to force a new load of the configuration. #$0 stop && $0 start # Remember status and be verbose #rc_status -v ;; status) echo -n "Checking for Firewall Rules: " iptables -nL ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. #checkproc /usr/sbin/foo && echo OK || echo No process ;; *) echo "Usage: $0 {start|stop|status}" exit 1 ;; esac rc_exit
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
Não to conseguindo resolver este problemas ao instalar o playonelinux (1)
Excluir banco de dados no xampp (1)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta