iptables (rc.firewall)

sh

Categoria: Segurança

Software: iptables

[ Hits: 12.696 ]

Por: Jorge Luiz Taioque


Firewall Bem Completo e poderosooo..


#!/bin/bash
########################################
# Ativa módulos
########################################
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_nat
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ipt_REDIRECT
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ipt_state
#/sbin/modprobe ipt_TOS
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MARK
#/sbin/modprobe ipt_mark
#/sbin/insmod /etc/rc.d/ipt_ipp2p.o


########################################
# Ativa roteamento no kernel
########################################
#echo "1" > /proc/sys/net/ipv4/ip_forward


########################################
# Proteção contra IP spoofing
########################################
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

########################################
#Honeypot
########################################
#inicializara o fake squid
#perl pakesquid.pl G
#---
#inicializara o fake httpd
#perl httpd-fake.pl G
#---
#inicializara o fake telnet
#perl faketelnet.pl G


########################################
# Zera regras
########################################
#iptables -F
#iptables -X
#iptables -t nat -F
#iptables -t filter -F
#iptables -t mangle -F
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT



########################################
#Determina Politica Padrao
########################################
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP 

########################################
# Tabela - Forward - Compartilhamento de Internet
########################################
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to 200.200.200.200


#Net Para Apenas Alguns Usuarios
#iptables -t nat -A POSTROUTING -s 10.0.0.10 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.0.0.20 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.5.2.41 -o eth0 -j MASQUERADE


########################################
#Abilitando Serviços
########################################
#Habilitando LocalHost:
#iptables -A INPUT -p tcp --syn -s 127.0.0.1 -j ACCEPT


#Habilitando conexões vindas da rede local (usando a seguinte faixa de IP e máscara de rede).
#iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT 


#Habilitando outras conexões nas seguinte porta:  
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT


#Portas UDP
#iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7777:7779 -j DNAT --to-dest 192.168.0.2
#iptables -A FORWARD -p udp -i eth0 --dport 7777:7779 -d 192.168.0.2 -j ACCEPT


########################################
# Tabela FILTER
########################################
#Contra DoS 
#iptables -A FORWARD -p tcp -syn -m limit -limit 1/s -j accept
#iptables -A FORWARD -m unclean -j DROP 


#Contra Port Scanners
# iptables -A FORWARD -o tcp -tcp-flags SYN,ACK,FIN,RST RST -m zlimit -limit 1/s -j accept


#Contra Pings 
#iptables -A FORWARD -p icmp -icmp-type echo-request -m limit -limit 1/s -j accept


# Block Back Orifice 
#/sbin/iptables -A INPUT -p tcp --dport 31337 -j DROP
#/sbin/iptables -A INPUT -p udp --dport 31337 -j DROP 


# Block NetBus
#/sbin/iptables -A INPUT -p tcp --dport 12345:12346 -j DROP 
#/sbin/iptables -A INPUT -p udp --dport 12345:12346 -j DROP


# Dropa pacotes TCP indesejáveis
#iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
#iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


# Dropa pacotes mal formados
#iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pacote mal formado: "
#iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP 


# Aceita os pacotes que realmente devem entrar
#iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


# Proteção contra trinoo
#iptables -N TRINOO
#iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
#iptables -A TRINOO -j DROP
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


# Proteção contra tronjans 
#iptables -N TROJAN
#iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
#iptables -A TROJAN -j DROP 
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


# Proteção contra worms
#iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


# Proteção contra syn-flood
#iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


# Proteção contra ping da morte
#iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Proteção contra port scanners
#iptables -N SCANNER
#iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
#iptables -A SCANNER -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


#Bloqueio de NetBios
#iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 135 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP


# Loga tentativa de acesso a determinadas portas
#iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
#iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
#iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
#iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
#iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
#iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
#iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
#iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
#iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
#iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "

# Libera acesso externo a determinadas portas
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT


# Libera acesso de smtp para fora apenas para o IP 192.0.0.0
#iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j LOG --log-level 6 --log-prefix "FIREWALL: SMTP proibido: "
#iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j REJECT


########################################
#Bloquear Longas temtativas em determinadas portas
########################################
#iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
#iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
#iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
#iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
#iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
#iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
#iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
#iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
#iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
#iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "




# Proxy transparente
# -------------------------------------------------------
#iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128


# Redireciona portas para outros servidores
# -------------------------------------------------------
#iptables -t nat -A PREROUTING -d 200.212.247.194 -p tcp --dport 1200:1400 -j DNAT --to 192.168.0.4:1200:1400
#iptables -t nat -A PREROUTING -d 192.168.200.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80


# Redireciona portas na própria máquina
# -------------------------------------------------------
#iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22



########################################
#Bloqueando Serviços
########################################
#Bloqueando conexões vindas em qualquer porta tcp do seu micro:
#iptables -A INPUT -p tcp --syn -j DROP

#Não Responder a Pings
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all


#Bloqueando parte das portas udp:
#iptables -A INPUT -i ppp0 -p udp --dport 0:30000 -j DROP

#Não Receber Pacotes de determinadas Paginas
#iptables -A FORWARD -s www.chat.com.br -j DROP


#Não receber Pacotes de um determinado IP
#iptables -A FORWARD -s 200.221.20.0/24 -j DROP


#Bloqueando conexão via SSh: 
#iptables -A INPUT -p tcp --destination-port 22 -j DROP

#Evitando scans do tipo "porta origem=porta destino": 
#$IPT -A INPUT -p tcp --sport $i --dport $i -j DROP


#Bloqueando AIM: 
#$IPT -A FORWARD -d login.oscar.aol.com -j REJECT


#Bloqueando ICQ: 
#$IPT -A FORWARD -p TCP --dport 5190 -j REJECT
#$IPT -A FORWARD -d login.icq.com -j REJECT 


#Bloqueando MSN:
#$IPT -A FORWARD -p TCP --dport 1863 -j REJECT
#$IPT -A FORWARD -d 64.4.13.0/24 -j REJECT


#Bloqueando Yahoo Messenger: 
#$IPT -A FORWARD -d cs.yahoo.com -j REJECT
#$IPT -A FORWARD -d scsa.yahoo.com -j REJECT 



########################################
#Bloqueando os -:P2P
########################################
#Fecha P2P
#iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP

#Bittorrent: 
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.0.2
#iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT

#iMesh: 
#iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

#BearShare:
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT 

#ToadNode: 
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT

#WinMX:
#iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
#iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

#Napigator:
#iptables -A FORWARD -d 209.25.178.0/24 -j REJECT 

#Morpheus: 
#iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
#iptables -A FORWARD -p TCP --dport 1214 -j REJECT 

#KaZaA:
#iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
#iptables -A FORWARD -p TCP --dport 1214 -j REJECT

#KaZaA Lite
# iptables -m string --string "X-Kazaa-Username:"-j DROP
# iptables -m string --string "X-Kazaa-Network:" -j DROP
# iptables -m string --string "X-Kazaa-IP:" -j DROP
# iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP


#Limewire: 
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT

#Audiogalaxy:
#iptables -A FORWARD -d 64.245.58.0/23 -j REJECT 

########################################
# Regras para VPN
########################################
#iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT  -p 50 -j ACCEPT
#iptables -A OUTPUT -p 50 -j ACCEPT
#iptables -A INPUT  -p 51 -j ACCEPT
#iptables -A OUTPUT -p 51 -j ACC

  


Comentários
[1] Comentário enviado por wbh16 em 14/10/2007 - 20:24h

por favor amigo tenho a seguinte dúvida após os comandos
#Bloqueando conexões vindas em qualquer porta tcp do seu micro:
#iptables -A INPUT -p tcp --syn -j DROP
Eu entendo que qualquer requisição de conexão tcp que não se encaixe nas regras anteriores serão bloqueadas.

Então, as regras relacionadas ao protocolo tcp que vem depois não fariam nada!
Estou certo? gostaria de entender isto melhor, grato....

[2] Comentário enviado por comfaa em 28/10/2008 - 10:44h

muito bom !!

[3] Comentário enviado por estevanir em 24/04/2012 - 10:30h

Meus parabéns pelo post.
Profissionais de alto conhecimento compartilham informação.



Contribuir com comentário

  



Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts