Firewall avançado
Publicado por Eduardo Vieira Mendes 21/07/2008
Script de firewall avançado, com várias opções, como liberação de certos ips, liberação de ip/porta, checagem de sanidade do script, compatibilidade com funções start|stop|restart do RedHat, entre outros. Tudo bem comentado.
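#!/bin/bash
# iptables, by Alexandre Iamamoto
# $Id: iptables,v 1.61 06/06/2004 10:03:00
# chkconfig: 2345 08 80
# description: Script de configuraçao da rede e firewall
# processname: iptables
#
# Interpreter is bash, not /bin/sh: the arrays and $'..' escapes below are
# bash-only and are a syntax error under a POSIX sh such as dash.
#
# Configuration section.  Everything the rest of the script reads is set here.
# Usando RedHat Linux?
REDHAT="YES"
# O firewall está ativado (Y/N)?
ATIVADO="Y"
ATIVAREDIR="Y"
ATIVAPROXY="Y"
# Executar teste de Sanidade do script?
OVERRIDE_SANITY_CHECKS="FALSE"
PROXY="192.168.0.254" # Endereco do Proxy
PROXYPORTA="3128" # Porta do Proxy
REDIRECIONAMENTOS=/etc/redirecionamentos.txt
# Portas aceitas em INPUT; o laco que as abre nao restringe a interface,
# portanto valem tambem para a interface externa.
PORTAS_LIBERADAS_TCP=(20 21 22 25 53 80 110 1234 143 1064 1065 1723 3389)
PORTAS_LIBERADAS_UDP=(1234 1723 53 5222)
# Cores
VERDE=$'\e[32;01m'
AMARELO=$'\e[33;01m'
VERMELHO=$'\e[31;01m'
NORMAL=$'\e[0m'
# Interfaces de Rede
# Modifique suas interfaces de rede aqui
# Interna e externa
INTERNALIF="eth0"
EXTERNALIF="eth1"
# Enderecos de Rede
# Rede interna
INTERNALNET="192.168.0.0/24"
# Broadcast
INTERNALBCAST="192.168.0.255"
# Especificos
# Ips que sao permitidos tudo, nao passam pelo proxy
# NOTE(review): the last entry, 192.198.0.66, is outside INTERNALNET
# (192.168.0.0/24) and looks like a typo for 192.168.0.66; kept as found,
# confirm before relying on it.
IPSPERMITIDOSTUDO=(192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.9 192.168.0.10 192.168.0.74 192.168.0.65 192.168.0.54 192.168.0.53 192.168.0.94 192.168.0.55 192.168.0.92 192.168.0.82 192.168.0.95 192.168.0.77 192.198.0.66)
MODULOSA=(ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp)
# Mude os x para os seus ips, externo e interno
EXTERNAL_IP=xxx.xxx.xxx.xx
INTERNAL_IP=xxx.xxx.x.xxx
OVERRIDE_NO_FORWARD="FALSE"
USE_SYNCOOKIES="TRUE"
# Caminhos de programas
DMESG="/bin/dmesg"
# command -v is a builtin and yields the same PATH lookup as the old
# backticked `which`; empty when iptables is not installed.
IPTABLES="$(command -v iptables)"
MODPROBE="/sbin/modprobe"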
# Load the netfilter modules up front.  The same five names are listed in
# MODULOSA and loaded again by the loop further down; loading a module that
# is already present is a no-op, so this only repeats the work.
for modulo in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$modulo"
done
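# Este é uma função do Red Hat que habilita o sistema de start/stop/restart
# Dispatches on $1 like a RedHat init script.  Only "start" falls through to
# the rule set below; every other action exits from inside the case.
if [ X"$REDHAT" = X"YES" ]; then
  . /etc/rc.d/init.d/functions

  # Flushes every chain this script appends to (filter, nat, mangle) and
  # echoes each chain name as progress.  No chain policy is changed and the
  # ip_forward sysctl switched on by "start" is not reverted, so after "stop"
  # the box keeps whatever policies were in place (ACCEPT by default) and
  # keeps forwarding.
  limpa_regras() {
    echo -n "Limpando regras: "
    "${IPTABLES}" -t filter -F INPUT
    echo -n "INPUT "
    "${IPTABLES}" -t filter -F OUTPUT
    echo -n "OUTPUT1 "
    "${IPTABLES}" -t filter -F FORWARD
    echo -n "FORWARD "
    "${IPTABLES}" -t nat -F PREROUTING
    echo -n "PREROUTING1 "
    "${IPTABLES}" -t nat -F OUTPUT
    echo -n "OUTPUT2 "
    "${IPTABLES}" -t nat -F POSTROUTING
    echo -n "POSTROUTING "
    "${IPTABLES}" -t mangle -F PREROUTING
    echo -n "PREROUTING2 "
    "${IPTABLES}" -t mangle -F OUTPUT
    echo -n "OUTPUT3"
    echo
  }

  case "$1" in
    stop)
      action "Desligando Firewall:" echo
      limpa_regras
      exit 0
      ;;
    status)
      echo "The status command is not supported for iptables"
      exit 0
      ;;
    restart|reload)
      # "stop" exits 0 in a child; exec then replaces this shell with "start".
      # $0 is quoted so a script path containing spaces still works.
      "$0" stop
      exec "$0" start
      ;;
    start)
      action "Iniciando Firewall:" echo
      ;;
    *)
      echo "Utilizacao: iptables (start|stop|restart)"
      exit 1
      ;;
  esac
fi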
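################################################################
#------------------------------------------------------------
#Informa configuracoes
echo "Interface externa: $EXTERNALIF Ip externo: $EXTERNAL_IP"
# Label fixed: this line reports the internal address, not the external one.
echo "Interface interna: $INTERNALIF Ip interno: $INTERNAL_IP"
#Inicia teste de sanidade no script
# With OVERRIDE_SANITY_CHECKS=TRUE nothing below is verified, only a pause.
if [ "$OVERRIDE_SANITY_CHECKS" = "TRUE" ] ; then
  echo "Teste Ignorado! Se acontecerem problemas não reclame!"
  echo "Se existe um motivo para isso por favor informe o suporte do sistema 62 205-1422"
  echo
  echo -n "Aguarde 5 segundos..."
  sleep 5
  echo "continuando"
  echo
  echo
else
  # Esta ativado?
  if [ "$ATIVADO" != "Y" ] ; then
    echo
    echo "${VERMELHO} SUA CONFIGURACAO INDICA QUE O FIREWALL ESTA DESATIVADO"
    echo -n "$VERDE"
    exit 99
  fi
  # É dificil executar o firewall sem o iptables...
  # $IPTABLES must be quoted: when it is empty (iptables not found) the
  # unquoted form collapses to `[ -x ]`, a one-argument test that is always
  # true, and the missing binary went undetected.
  if ! [ -x "$IPTABLES" ] ; then
    echo
    echo "ERRO NA CONFIGURAÇÃO: ${IPTABLES} não existe ou não é executável!"
    exit 4
  fi
  # EXTERNAL_IP/INTERNAL_IP ship as xxx placeholders; iptables would reject
  # every rule that uses them, so stop here instead of half-applying rules.
  case "$EXTERNAL_IP$INTERNAL_IP" in
    *x*)
      echo
      echo "ERRO NA CONFIGURAÇÃO: EXTERNAL_IP/INTERNAL_IP ainda contem o valor de exemplo (xxx)!"
      exit 5
      ;;
  esac
fi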
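# Insere os modulos no kernel
# Uses the configured $DMESG path instead of a bare dmesg.
"$DMESG" -n 1 #Mata mensagem de carregamento
# Loading a module that is already present is a no-op, so repeating the
# modprobe calls from the top of the file here is harmless.
for modulo in "${MODULOSA[@]}" ; do
  echo "Carregando o modulo de kernel: $modulo"
  "$MODPROBE" "$modulo"
done
# Flush the chains this script fills.  The script never sets a chain policy
# (no -P anywhere), so until the catch-all DROP/REJECT rules at the end are
# appended the chains fall back to whatever policy is in place — ACCEPT by
# default.  User-defined chains are not removed (no -X).
echo -n "Limpando regras: "
"${IPTABLES}" -t filter -F INPUT
echo -n "INPUT "
"${IPTABLES}" -t filter -F OUTPUT
echo -n "OUTPUT1 "
"${IPTABLES}" -t filter -F FORWARD
echo -n "FORWARD "
"${IPTABLES}" -t nat -F PREROUTING
echo -n "PREROUTING1 "
"${IPTABLES}" -t nat -F OUTPUT
echo -n "OUTPUT2 "
"${IPTABLES}" -t nat -F POSTROUTING
echo -n "POSTROUTING "
"${IPTABLES}" -t mangle -F PREROUTING
echo -n "PREROUTING2 "
"${IPTABLES}" -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo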
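##Setup sysctl controls which affect tcp/ip
#
# proc_escreve <arquivo> <valor>
# Writes <valor> into the /proc/sys entry <arquivo> when it exists; otherwise
# prints a warning on stderr.  A bare `echo x > /proc/...` on a kernel that
# lacks the knob fails the redirection with a shell error instead.
proc_escreve() {
  local arquivo=$1
  local valor=$2
  if [ -e "$arquivo" ] ; then
    echo "$valor" > "$arquivo"
  else
    echo "aviso: $arquivo nao encontrado, ignorando" >&2
  fi
}
# Forwarding is enabled only when an internal network is configured and
# OVERRIDE_NO_FORWARD is not TRUE.  Note "stop" never turns it off again.
if [ "$INTERNALNET" != "" ] && [ "$OVERRIDE_NO_FORWARD" != "TRUE" ] ; then
  echo -n "Checando por IP Forwarding..."
  if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "ativado."
  else
    echo "support not found! This will cause problems if you need to do any routing."
  fi
fi
# Enable TCP Syncookies
echo -n "Checando por IP SynCookies..."
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
  if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo "ativado."
  else
    echo 0 > /proc/sys/net/ipv4/tcp_syncookies
    echo "desativado."
  fi
else
  echo "suporte nao encontrado, porem ok."
fi
#Disabling IP Spoofing attacks.
# NOTE(review): on kernels where rp_filter is tri-state, 2 is the "loose"
# reverse-path check and 1 the strict one; older kernels treat any non-zero
# value as simply enabled.  Value kept as the author set it.
proc_escreve /proc/sys/net/ipv4/conf/all/rp_filter 2
#Don't respond to broadcast pings
proc_escreve /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
#Defragment all Packets
#Default now
#Enable forwarding
#echo 1 >/proc/sys/net/ipv4/ip_forward
#Block source routing
proc_escreve /proc/sys/net/ipv4/conf/all/accept_source_route 0
#Kill timestamps. These have been the subject of a recent bugtraq thread
# (turning timestamps off also disables PAWS, which depends on them)
proc_escreve /proc/sys/net/ipv4/tcp_timestamps 0
#Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
proc_escreve /proc/sys/net/ipv4/conf/all/accept_redirects 0
#Enable bad error message protection
proc_escreve /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
#Allow dynamic ip addresses
proc_escreve /proc/sys/net/ipv4/ip_dynaddr 1
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
#echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
# Kept off as in the original; set to 1 to get a log record of packets with
# impossible source addresses.
proc_escreve /proc/sys/net/ipv4/conf/all/log_martians 0
#Set our local port range
proc_escreve /proc/sys/net/ipv4/ip_local_port_range "32768 61000"
#Reduce DoS'ing ability by reducing timeouts
proc_escreve /proc/sys/net/ipv4/tcp_fin_timeout 30
proc_escreve /proc/sys/net/ipv4/tcp_keepalive_time 1800
proc_escreve /proc/sys/net/ipv4/tcp_window_scaling 1
proc_escreve /proc/sys/net/ipv4/tcp_sack 0
proc_escreve /proc/sys/net/ipv4/tcp_max_syn_backlog 1280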
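#
# Permite que pacotes oriundos da interface loopback
#
"$IPTABLES" -A INPUT -i lo -j ACCEPT
#
# Mata qualquer pacote venha da rede 127
#
"$IPTABLES" -A INPUT -d 127.0.0.0/8 -j REJECT
#
# Permite acesso ao servidor via redes locais e VPN
#
"$IPTABLES" -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
#
# Funcao navegacao total dos ips listados na variavel
#
# "${IPSPERMITIDOSTUDO[*]}" prints the whole list; the bare ${IPSPERMITIDOSTUDO}
# of the original expanded to element 0 only.
echo "Ips Liberados a sair totalmente: ${IPSPERMITIDOSTUDO[*]}"
for ip in "${IPSPERMITIDOSTUDO[@]}" ; do
  echo "Liberando acesso completo a: $ip"
  # Only the FORWARD chain is opened.  Port-80 traffic from these hosts still
  # reaches the nat PREROUTING REDIRECT added later when ATIVAPROXY=Y, which
  # has no exclusion for this list — TODO confirm that is intended, the
  # comment above says these hosts bypass the proxy.
  "$IPTABLES" -A FORWARD -o "$EXTERNALIF" -i "$INTERNALIF" -s "$ip" -j ACCEPT
done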
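#
#Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT
#Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
#Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT
#Kill anything from outside claiming to be from internal network
"$IPTABLES" -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j REJECT
##ICMP
#ping don't forward pings going inside
#$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
#ping flood protection: one echo-request per second is answered, the rest dropped
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
"$IPTABLES" -A INPUT -p icmp -d "$INTERNALBCAST" -j DROP
#Allow all other icmp
"$IPTABLES" -A INPUT -p icmp -j ACCEPT
#Proteçao contra tcp FIN
##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
#$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT
#Allow ALL other forwarding going out
#$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT
#Allow replies coming in
"$IPTABLES" -A FORWARD -i "$EXTERNALIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
#Whack allowances
#Allow DHCP- Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
#Allow yourself to be a DHCP server for your inside network
#Necessary because the default rule allowing valid addresses ignores broadcast
#DHCP runs over UDP; the tcp line is kept for parity with the original but
#matches no real DHCP client.
"$IPTABLES" -A INPUT -i "$INTERNALIF" -p tcp --sport 68 --dport 67 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTERNALIF" -p udp --sport 68 --dport 67 -j ACCEPT
#Allow nameserver packets. Different versions of iptables seem to error here.
#Comment out if necessary.
# One ACCEPT per resolver listed in /etc/resolv.conf.  This trusts any UDP
# packet with source port 53 from those addresses regardless of connection
# state; replies to our own queries are already admitted by the
# ESTABLISHED,RELATED rule above, so this is largely redundant on a kernel
# that tracks UDP — TODO confirm before dropping it.  Replaces the
# cat | awk | xargs pipeline: xargs with empty input still ran iptables once
# with a dangling -s.
if [ -r /etc/resolv.conf ] ; then
  awk '/^nameserver/ {print $2}' /etc/resolv.conf |
    while read -r servidor ; do
      [ -n "$servidor" ] || continue
      "$IPTABLES" -A INPUT -p udp --sport 53 -s "$servidor" -j ACCEPT
    done
fi
#Allow Telstra hearbeat
#This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT
#From here on, we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest (so we don't DoS ourself with rejections)
#We don't limit normal packets (!syn) by allowing the rest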
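##Basic services. Uncomment to allow in.
# ftp-data
# smtp One per second limt -burst rate of ten
# These three rules must precede the generic port loop: 25 is listed in
# PORTAS_LIBERADAS_TCP, and with the plain ACCEPT appended first the rate
# limit was never reached (first match wins).
"$IPTABLES" -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
  --limit-burst 10 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 25 --syn -j DROP
"$IPTABLES" -A INPUT -p tcp --dport 25 -j ACCEPT
# Funcao para permitir acesso externo a inteface.
# No -i on these rules: every listed port is opened on all interfaces,
# the external one included.
echo "Portas abertas:"
for porta in "${PORTAS_LIBERADAS_TCP[@]}" ; do
  echo "Liberando acesso a porta TCP: $porta"
  "$IPTABLES" -A INPUT -p tcp --dport "$porta" -j ACCEPT
done
for porta in "${PORTAS_LIBERADAS_UDP[@]}" ; do
  echo "Liberando acesso a porta UDP: $porta"
  "$IPTABLES" -A INPUT -p udp --dport "$porta" -j ACCEPT
done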
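#
##DNAT
# Port forwarding table.  Each line of $REDIRECIONAMENTOS is read as
# "<proto> <external port> <internal ip> <internal port>" (format inferred
# from how the fields are used below — confirm against the file).
if [ "$ATIVAREDIR" = "Y" ] ; then
  echo "Ativando redirecionamentos da interface valida para maquinas internas"
  if [ -f "$REDIRECIONAMENTOS" ]; then
    # read splits the fields itself (the original spawned awk four times per
    # line); -r keeps backslashes literal; the trailing _ swallows extra
    # columns.  Blank lines, '#' comments and lines with fewer than four
    # fields are skipped instead of producing iptables calls with empty
    # arguments.  All expansions are quoted, so file contents reach iptables
    # as single arguments and iptables validates them.
    while read -r NAT_TYPE NAT_EXT_PORT NAT_INT_IP NAT_INT_PORT _; do
      case "$NAT_TYPE" in
        ''|'#'*) continue ;;
      esac
      if [ -z "$NAT_INT_PORT" ]; then
        echo "linha de redirecionamento invalida ignorada: $NAT_TYPE $NAT_EXT_PORT $NAT_INT_IP" >&2
        continue
      fi
      "${IPTABLES}" -A PREROUTING -t nat -p "$NAT_TYPE" -d "$EXTERNAL_IP" --dport "$NAT_EXT_PORT" -j DNAT --to-destination "$NAT_INT_IP:$NAT_INT_PORT"
      "${IPTABLES}" -A FORWARD -i "$EXTERNALIF" -o "$INTERNALIF" -p "$NAT_TYPE" -d "$NAT_INT_IP" --dport "$NAT_INT_PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      "${IPTABLES}" -A FORWARD -i "$INTERNALIF" -o "$EXTERNALIF" -p "$NAT_TYPE" -s "$NAT_INT_IP" --sport "$NAT_INT_PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      # Internal clients that reach the service via the external address get
      # source-NATed to INTERNAL_IP so the reply returns through this host
      # (hairpin) — inferred from the rule shape, confirm.
      "${IPTABLES}" -t nat -A POSTROUTING -d "$NAT_INT_IP" -s "$INTERNALNET" -p "$NAT_TYPE" --dport "$NAT_INT_PORT" -j SNAT --to "$INTERNAL_IP"
      echo "Inserida regra de redirecionamento dnat: $NAT_TYPE:$EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT"
    done < "$REDIRECIONAMENTOS"
    unset NAT_TYPE NAT_EXT_PORT NAT_INT_IP NAT_INT_PORT
  else
    echo "$REDIRECIONAMENTOS (tabela de redir) nao encontrado! Redirecionamento desabilitado."
  fi
fi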
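echo -n "$VERMELHO"
echo "Enderecos q nao podem passar no proxy:"
echo -n "$NORMAL"
# NOTE(review): IPSNAOPROXY is not assigned anywhere in this file, so as
# shipped this loop runs zero times; it only takes effect once the config
# section defines the array — confirm.
for destino in "${IPSNAOPROXY[@]}" ; do
  echo -n "$VERDE"
  echo "Permitindo acesso nao proxyado a: $destino"
  echo -n "$NORMAL"
  # Kept from the original: this first rule treats the address as an internal
  # source, the remaining ones as a destination.
  "$IPTABLES" -A FORWARD -o "$EXTERNALIF" -i "$INTERNALIF" -s "$destino" -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 80 -d $TEMP_VAR02 -j ACCEPT;
  # No -i/-o on the next two: forwarded tcp/udp towards the address is
  # accepted from any interface, not only from the internal side.
  "$IPTABLES" -A FORWARD -p tcp -d "$destino" -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 443 -d $TEMP_VAR02 -j ACCEPT;
  "$IPTABLES" -A FORWARD -p udp -d "$destino" -j ACCEPT
  # ACCEPT in nat PREROUTING ends nat-chain traversal for this destination,
  # so the REDIRECT appended below never sees it.
  "$IPTABLES" -A PREROUTING -t nat -p tcp -d "$destino" -j ACCEPT
done
# Proxy transparente?
if [ "$ATIVAPROXY" = "Y" ] ; then
  echo "Ativando Proxy Transparente para ${PROXY}: "
  # REDIRECT delivers to a port on this host: $PROXY is only reported, the
  # proxy must listen locally on $PROXYPORTA (the original hard-coded 3128,
  # which is PROXYPORTA's default).
  "$IPTABLES" -t nat -A PREROUTING -i "$INTERNALIF" -p tcp --dport 80 -j REDIRECT --to-port "$PROXYPORTA"
fi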
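##Some ports should be denied and logged.
# One "<port> <label>" per line: LOG (throttled by the default -m limit
# rate) then DROP.  The label is spliced into the same log prefix the
# original rules used, trailing space included.
while read -r porta rotulo ; do
  "$IPTABLES" -A INPUT -p tcp --dport "$porta" -m limit -j LOG \
    --log-prefix "Firewalled packet: $rotulo "
  "$IPTABLES" -A INPUT -p tcp --dport "$porta" -j DROP
done <<'EOF'
1433 MSSQL
6670 Deepthrt
6711 Sub7
6712 Sub7
6713 Sub7
12345 Netbus
12346 Netbus
20034 Netbus
31337 BO
6000 XWin
EOF
#Traceroutes depend on finding a rejected port. DROP the ones it uses
"$IPTABLES" -A INPUT -p udp --dport 33434:33523 -j DROP
#Don't log ident because it gets hit all the time eg connecting to an irc server
"$IPTABLES" -A INPUT -p tcp --dport 113 -j REJECT
#Don't log igmp. Some people get too many of these
"$IPTABLES" -A INPUT -p igmp -j REJECT
#Don't log web or ssl because people surfing for long times lose connection
#tracking and cause the system to create a new one, flooding logs.
# Port 80 is also in PORTAS_LIBERADAS_TCP, so the earlier ACCEPT matches
# first and this REJECT is only reached if 80 is removed from that list.
"$IPTABLES" -A INPUT -p tcp --dport 80 -j REJECT
"$IPTABLES" -A INPUT -p tcp --dport 443 -j REJECT
##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
#Log. There's no point logging noise. There's too much of it.
#Just log connection requests
"$IPTABLES" -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"
"$IPTABLES" -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"
#Reject
# These appended rules, not a chain policy, are what closes INPUT/FORWARD.
"$IPTABLES" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
"$IPTABLES" -A INPUT -p all -j DROP
"$IPTABLES" -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
"$IPTABLES" -A FORWARD -p all -j DROP
#Accept it anyway if it's only output
"$IPTABLES" -A OUTPUT -j ACCEPT
#Masquerade internal connections going out.
# No -s restriction: everything leaving $EXTERNALIF is masqueraded, not
# only $INTERNALNET.
"$IPTABLES" -A POSTROUTING -t nat -o "$EXTERNALIF" -j MASQUERADE
# Implementacao experimental de seguranca
# Usuario teria que fazer conexao 3 vezes na porta 223 para somente assim
# liberar a porta 221 para efetivar a conexao
#iptables -A INPUT -p tcp -m tcp --dport 221 -m state --state NEW -m recent --rcheck --name SSH --rsource --seconds 60 --hitcount 3 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 222 -m state --state NEW -m recent --name SSH --remove -j DROP
#iptables -A INPUT -p tcp -m tcp --dport 223 -m state --state NEW -m recent --set --name SSH --rsource -j DROP
#iptables -A INPUT -p tcp -m tcp --dport 224 -m state --state NEW -m recent --name SSH --remove -j DROP
exit 0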









