Advanced firewall
Published by Eduardo Vieira Mendes 21/07/2008
An advanced iptables firewall script with several options: unrestricted outbound access for selected IPs, opening of individual IP/port combinations, a sanity check of the script's own configuration, compatibility with the RedHat start|stop|restart init functions, DNAT port forwarding driven by a table file, and a transparent proxy redirect, among others. Everything is commented.
#!/bin/bash
# iptables, by Alexandre Iamamoto
# $Id: iptables,v 1.61 06/06/2004 10:03:00
# chkconfig: 2345 08 80
# description: Network and firewall configuration script
# processname: iptables
# (bash rather than sh: the script relies on arrays and $'...' quoting)

# Using RedHat Linux?
REDHAT="YES"

# Is the firewall enabled (Y/N)?
ATIVADO="Y"
ATIVAREDIR="Y"
ATIVAPROXY="Y"

# Run the script's sanity check? ("TRUE" skips it)
OVERRIDE_SANITY_CHECKS="FALSE"

PROXY="192.168.0.254"     # Proxy address
PROXYPORTA="3128"         # Proxy port
REDIRECIONAMENTOS=/etc/redirecionamentos.txt

PORTAS_LIBERADAS_TCP=(20 21 22 25 53 80 110 1234 143 1064 1065 1723 3389)
PORTAS_LIBERADAS_UDP=(1234 1723 53 5222)

# Colours
VERDE=$'\e[32;01m'
AMARELO=$'\e[33;01m'
VERMELHO=$'\e[31;01m'
NORMAL=$'\e[0m'

# Network interfaces
# Change your network interfaces here
# Internal and external
INTERNALIF="eth0"
EXTERNALIF="eth1"

# Network addresses
# Internal network
INTERNALNET="192.168.0.0/24"
# Broadcast
INTERNALBCAST="192.168.0.255"

# Specific hosts
# IPs that are allowed everything and do not go through the proxy
# (note: 192.198.0.66 as listed below lies outside INTERNALNET)
IPSPERMITIDOSTUDO=(192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.9 192.168.0.10 192.168.0.74 192.168.0.65 192.168.0.54 192.168.0.53 192.168.0.94 192.168.0.55 192.168.0.92 192.168.0.82 192.168.0.95 192.168.0.77 192.198.0.66);
# IPs that must bypass the transparent proxy (the loop below reads this
# array; the original script referenced it without ever defining it)
IPSNAOPROXY=()

MODULOSA=(ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp);

# Replace the x's with your external and internal IPs
EXTERNAL_IP=xxx.xxx.xxx.xx
INTERNAL_IP=xxx.xxx.x.xxx

OVERRIDE_NO_FORWARD="FALSE"
USE_SYNCOOKIES="TRUE"

# Program paths
DMESG="/bin/dmesg"
IPTABLES="`which iptables`"
MODPROBE="/sbin/modprobe"

/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Red Hat init helper that provides the start/stop/restart mechanism
if [ X"$REDHAT" = X"YES" ]; then
    . /etc/rc.d/init.d/functions
    case "$1" in
    stop)
        action "Desligando Firewall:"
        echo
        echo -n "Limpando regras: "
        ${IPTABLES} -t filter -F INPUT
        echo -n "INPUT "
        ${IPTABLES} -t filter -F OUTPUT
        echo -n "OUTPUT1 "
        ${IPTABLES} -t filter -F FORWARD
        echo -n "FORWARD "
        ${IPTABLES} -t nat -F PREROUTING
        echo -n "PREROUTING1 "
        ${IPTABLES} -t nat -F OUTPUT
        echo -n "OUTPUT2 "
        ${IPTABLES} -t nat -F POSTROUTING
        echo -n "POSTROUTING "
        ${IPTABLES} -t mangle -F PREROUTING
        echo -n "PREROUTING2 "
        ${IPTABLES} -t mangle -F OUTPUT
        echo -n "OUTPUT3"
        echo
        exit 0
        ;;
    status)
        echo "The status command is not supported for iptables"
        exit 0
        ;;
    restart|reload)
        $0 stop
        exec $0 start
        ;;
    start)
        action "Iniciando Firewall:"
        echo
        ;;
    *)
        echo "Utilizacao: iptables (start|stop|restart)"
        exit 1
    esac
fi

################################################################
#------------------------------------------------------------
# Report the configuration in use
echo Interface externa: $EXTERNALIF Ip externo: $EXTERNAL_IP
echo Interface interna: $INTERNALIF Ip interno: $INTERNAL_IP

# Sanity check of the script's configuration
if [ "$OVERRIDE_SANITY_CHECKS" = "TRUE" ] ; then
    echo "Teste Ignorado! Se acontecerem problemas não reclame!"
    echo "Se existe um motivo para isso por favor informe o suporte do sistema 62 205-1422"
    echo
    echo -n "Aguarde 5 segundos..."
    sleep 5
    echo "continuando"
    echo
    echo
else
    # Is the firewall enabled?
    if ! [ "$ATIVADO" = "Y" ] ; then
        echo
        echo "${VERMELHO} SUA CONFIGURACAO INDICA QUE O FIREWALL ESTA DESATIVADO"
        echo -n "$VERDE"
        exit 99
    fi
    # Hard to run the firewall without iptables...
    # (quoted: an empty IPTABLES would otherwise make [ -x ] succeed)
    if ! [ -x "$IPTABLES" ] ; then
        echo
        echo "ERRO NA CONFIGURAÇÃO: ${IPTABLES} não existe ou não é executável!"
        exit 4
    fi
fi

# Load the kernel modules
dmesg -n 1   # silence module loading messages on the console
let CONTADOR=0;
for TEMP_VAR01 in ${MODULOSA[@]} ; do
    echo Carregando o modulo de kernel: $TEMP_VAR01
    $MODPROBE $TEMP_VAR01
    let CONTADOR=$CONTADOR+1;
done;

echo -n "Limpando regras: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

## Setup sysctl controls which affect tcp/ip
#
if [ "$INTERNALNET" != "" ] && [ "$OVERRIDE_NO_FORWARD" != "TRUE" ] ; then
    echo -n "Checando por IP Forwarding..."
    if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "ativado."
    else
        echo "support not found! This will cause problems if you need to do any routing."
    fi
fi

# Enable TCP Syncookies
echo -n "Checando por IP SynCookies..."
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo "ativado."
    else
        echo 0 > /proc/sys/net/ipv4/tcp_syncookies
        echo "desativado."
    fi
else
    echo "suporte nao encontrado, porem ok."
fi

# Disabling IP Spoofing attacks (reverse path filter).
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
# Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Defragment all Packets
# Default now
# Enable forwarding
#echo 1 >/proc/sys/net/ipv4/ip_forward
# Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
# Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
# Enable SYN Cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Log martians (packets with impossible addresses)
# RiVaL said that certain NICs don't like this. Comment out if necessary.
#echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
# Set our local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range
# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

#
# Accept packets arriving on the loopback interface
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Kill any packet claiming to come from the 127 network
#
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
#
# Allow access to the server from the local networks and VPN
#
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
#
# Unrestricted outbound browsing for the IPs listed in the variable
#
echo Ips Liberados a sair totalmente: ${IPSPERMITIDOSTUDO[@]}
let CONTADOR=0;
for TEMP_VAR01 in ${IPSPERMITIDOSTUDO[@]} ; do
    echo Liberando acesso completo a: $TEMP_VAR01
    $IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -s $TEMP_VAR01 -j ACCEPT;
    let CONTADOR=$CONTADOR+1;
done;
#
# Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT
# Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
# Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT

# Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

## ICMP
# ping: don't forward pings going inside
#$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
# ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
# Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP
# Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Protection against tcp FIN
## Allow established connections
# Unlike ipchains, we don't have to go through the business of allowing
# a local port range- just allow all connections already established.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Note that unlike ipchains, the following must be enabled even with masquerading
# Don't forward SMB related traffic
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
#$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT
# Allow ALL other forwarding going out
#$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT
# Allow replies coming in
$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Whack allowances
# Allow DHCP- Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Allow yourself to be a DHCP server for your inside network
# Necessary because the default rule allowing valid addresses ignores broadcast
$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT

# Allow nameserver packets. Different versions of iptables seem to error here.
# Comment out if necessary.
cat /etc/resolv.conf | \
awk '/^nameserver/ {print $2}' | \
xargs -n1 $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s

# Allow Telstra heartbeat
# This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

# From here on, we're dealing with connection attempts.
# The -m limit is a DoS protection on connects
# First we allow a certain amount of connections per second
# DROP the rest (so we don't DoS ourself with rejections)
# We don't limit normal packets (!syn) by allowing the rest

## Basic services. Uncomment to allow in.
# ftp-data
# Open the listed ports for external access to the interface.
echo Portas abertas:
let CONTADOR=0;
for TEMP_VAR01 in ${PORTAS_LIBERADAS_TCP[@]} ; do
    echo Liberando acesso a porta TCP: $TEMP_VAR01
    $IPTABLES -A INPUT -p tcp --dport $TEMP_VAR01 -j ACCEPT;
    let CONTADOR=$CONTADOR+1;
done;
let CONTADOR=0;
for TEMP_VAR01 in ${PORTAS_LIBERADAS_UDP[@]} ; do
    echo Liberando acesso a porta UDP: $TEMP_VAR01
    $IPTABLES -A INPUT -p udp --dport $TEMP_VAR01 -j ACCEPT;
    let CONTADOR=$CONTADOR+1;
done;

# smtp: one connection per second limit, burst rate of ten
# (note: port 25 is also in PORTAS_LIBERADAS_TCP above, whose plain ACCEPT
# is matched first, so this rate limit only takes effect if 25 is removed there)
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
    --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

#
## DNAT
if [ "$ATIVAREDIR" = "Y" ] ; then
    echo Ativando redirecionamentos da interface valida para maquinas internas
    if [ -f $REDIRECIONAMENTOS ]; then
        # one redirection per line: protocol  external_port  internal_ip  internal_port
        while read IP_PORT; do
            # extract the protocols, IPs and ports
            NAT_TYPE=$(echo "$IP_PORT" | awk '{print $1}')
            NAT_EXT_PORT=$(echo "$IP_PORT" | awk '{print $2}')
            NAT_INT_IP=$(echo "$IP_PORT" | awk '{print $3}')
            NAT_INT_PORT=$(echo "$IP_PORT" | awk '{print $4}')
            ${IPTABLES} -A PREROUTING -t nat -p $NAT_TYPE -d $EXTERNAL_IP --dport $NAT_EXT_PORT -j DNAT --to-destination $NAT_INT_IP:$NAT_INT_PORT
            ${IPTABLES} -A FORWARD -i $EXTERNALIF -o $INTERNALIF -p $NAT_TYPE -d $NAT_INT_IP --dport $NAT_INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
            ${IPTABLES} -A FORWARD -i $INTERNALIF -o $EXTERNALIF -p $NAT_TYPE -s $NAT_INT_IP --sport $NAT_INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
            # SNAT so that internal clients reaching the forwarded service see the firewall as the source
            ${IPTABLES} -t nat -A POSTROUTING -d $NAT_INT_IP -s $INTERNALNET -p $NAT_TYPE --dport $NAT_INT_PORT -j SNAT --to $INTERNAL_IP
            echo Inserida regra de redirecionamento dnat: $NAT_TYPE:$EXTERNAL_IP:$NAT_EXT_PORT - $NAT_INT_IP:$NAT_INT_PORT
        done < $REDIRECIONAMENTOS
        unset IP_PORT
        unset NAT_TYPE
        unset NAT_EXT_PORT
        unset NAT_INT_IP
        unset NAT_INT_PORT
    else
        echo "$REDIRECIONAMENTOS (tabela de redir) nao encontrado! Redirecionamento desabilitado."
    fi
fi

# Hosts that must not go through the proxy
echo -n $VERMELHO
echo "Enderecos q nao podem passar no proxy:";
echo -n $NORMAL
let CONTADOR01=0;
for TEMP_VAR02 in ${IPSNAOPROXY[@]} ; do
    echo -n $VERDE;
    echo "Permitindo acesso nao proxyado a: $TEMP_VAR02";
    echo -n $NORMAL;
    $IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -s $TEMP_VAR02 -j ACCEPT;
    #$IPTABLES -A FORWARD -p tcp --dport 80 -d $TEMP_VAR02 -j ACCEPT;
    $IPTABLES -A FORWARD -p tcp -d $TEMP_VAR02 -j ACCEPT;
    #$IPTABLES -A FORWARD -p tcp --dport 443 -d $TEMP_VAR02 -j ACCEPT;
    $IPTABLES -A FORWARD -p udp -d $TEMP_VAR02 -j ACCEPT;
    # nat ACCEPT must come before the REDIRECT rule below so these hosts skip the proxy
    $IPTABLES -A PREROUTING -t nat -p tcp -d $TEMP_VAR02 -j ACCEPT;
    let CONTADOR01=$CONTADOR01+1;
done;

# Transparent proxy?
if [ "$ATIVAPROXY" = "Y" ] ; then
    echo "Ativando Proxy Transparente para ${PROXY}: "
    # REDIRECT sends port 80 to the proxy port on this host (original hard-coded 3128)
    $IPTABLES -t nat -A PREROUTING -i $INTERNALIF -p tcp --dport 80 -j REDIRECT --to-port $PROXYPORTA
fi

## Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 1433 -m limit -j LOG \
    --log-prefix "Firewalled packet: MSSQL "
$IPTABLES -A INPUT -p tcp --dport 1433 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
    --log-prefix "Firewalled packet: Deepthrt "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
    --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
    --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
    --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
    --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
    --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
    --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
    --log-prefix "Firewalled packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG \
    --log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP

# Traceroutes depend on finding a rejected port. DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP
# Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
# Don't log igmp. Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT
# Don't log web or ssl because people surfing for long times lose connection
# tracking and cause the system to create a new one, flooding logs.
$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT

## Catch all rules.
# iptables reverts to these if it hasn't matched any of the previous rules.
# Log. There's no point logging noise. There's too much of it.
# Just log connection requests
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
    --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
    --log-prefix "Firewalled packet:"
# Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP
# Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT
# Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE

# Experimental security feature (port knocking)
# The user would have to connect 3 times to port 223 before port 221
# is opened so the real connection can be made
#iptables -A INPUT -p tcp -m tcp --dport 221 -m state --state NEW -m recent --rcheck --name SSH --rsource --seconds 60 --hitcount 3 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 222 -m state --state NEW -m recent --name SSH --remove -j DROP
#iptables -A INPUT -p tcp -m tcp --dport 223 -m state --state NEW -m recent --set --name SSH --rsource -j DROP
#iptables -A INPUT -p tcp -m tcp --dport 224 -m state --state NEW -m recent --name SSH --remove -j DROP
exit 0
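One check worth running before loading this script: the DNAT section splices every line of /etc/redirecionamentos.txt straight into iptables commands without validating it, and the script has no set -e, so a single malformed line (wrong protocol, out-of-range port, an internal IP outside INTERNALNET) produces a half-applied ruleset with no clear error. The following is an added example, not part of the original script or its author's code. It validates each table line against the same four-field format the script reads (protocol, external port, internal IP, internal port) and prints the DNAT rules that would be generated, without executing anything. The function names, the constructed sample table, the 192.168.0.0/24 prefix check and the 203.0.113.10 external address are this example's own assumptions.

```shell
#!/bin/bash
# Added example: validate the firewall's redirection table before it is
# fed to iptables. Not part of the original script; all names are ours.

INTERNALNET_PREFIX="192.168.0."   # assumption: same /24 as INTERNALNET in the script
EXTERNAL_IP="203.0.113.10"        # constructed documentation address, not a real host

# Constructed sample table: two well-formed lines followed by three bad ones
# (unsupported protocol, port out of range, internal IP outside the LAN).
SAMPLE_TABLE='tcp 2222 192.168.0.10 22
udp 1194 192.168.0.20 1194
icmp 80 192.168.0.10 80
tcp 99999 192.168.0.10 80
tcp 443 10.0.0.5 443'

# is_port VALUE -> 0 if VALUE is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_redir_line "proto ext_port int_ip int_port" -> 0 if well formed, 1 otherwise
check_redir_line() {
    set -- $1                                   # split the line into fields
    [ $# -eq 4 ] || return 1                    # exactly four fields
    case "$1" in tcp|udp) ;; *) return 1 ;; esac  # iptables -p value the script expects
    is_port "$2" && is_port "$4" || return 1
    case "$3" in
        "$INTERNALNET_PREFIX"*) ;;              # internal IP must sit inside the LAN
        *) return 1 ;;
    esac
    last_octet=${3#$INTERNALNET_PREFIX}
    case "$last_octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$last_octet" -ge 1 ] && [ "$last_octet" -le 254 ]
}

# validate_table FILE -> reports rejected lines on stderr; returns 1 if any
validate_table() {
    bad=0
    while read -r line; do
        [ -z "$line" ] && continue
        check_redir_line "$line" || { echo "rejected: $line" >&2; bad=$((bad + 1)); }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# render_dnat_rules FILE -> prints, for valid lines only, the PREROUTING DNAT
# command the script's loop would run (dry run: nothing is executed)
render_dnat_rules() {
    while read -r proto ext_port int_ip int_port; do
        check_redir_line "$proto $ext_port $int_ip $int_port" || continue
        echo "iptables -t nat -A PREROUTING -p $proto -d $EXTERNAL_IP --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    done < "$1"
}

# count_valid FILE -> number of well-formed lines in FILE
count_valid() {
    render_dnat_rules "$1" | wc -l | tr -d ' '
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_TABLE" > "$tmp"
    if validate_table "$tmp"; then
        echo "table ok; rules that would be loaded:"
    else
        echo "table has bad lines (see above); rules that would still load:"
    fi
    render_dnat_rules "$tmp"
    rm -f "$tmp"
}

main
```

Run as-is to see the sample table checked; point validate_table at the real /etc/redirecionamentos.txt to use it as a pre-flight step before the firewall script's DNAT loop.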