Iptables - script para firewall utilizando iptables [Shell Script]

Iptables - script para firewall utilizando iptables

Publicado por José Lima 30/09/2005

[ Hits: 19.673 ]

Download ipfwadm.regras

1 0

Denuncie Favoritos Indicar

Script com regras para firewall utilizando iptables, com conexão para Conectividade Social funcionando

Esconder código-fonte

#!/bin/sh

#IP dinâmico
INET_IP=`ifconfig eth0 | grep "inet add" | awk -F: {'print $2'} | awk {'print $1'}`
INET_IFACE="eth0"

LAN_IP="192.168.0.1"
LAN="192.168.0.0/24"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"

HTTP_IP="192.168.168.168"
DMZ_HTTP_IP="192.168.168.168"
POR_HTTP="80"
POR_SQUID="3128"

LO_IP="127.0.0.1"
LO_IFACE="lo"

IPTABLES="/sbin/iptables"

/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F -t nat
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD


## LIBERACAO DA PORTA 8080 PARA O WEB SERVER - INTERFACE LOCAL

$IPTABLES -A INPUT -p tcp -i $LAN_IFACE --dport 8080 -j ACCEPT


## LIBERACAO DA PORTA 901 PARA SWAT - INTERFACE LOCAL

$IPTABLES -A INPUT -p tcp -i $LAN_IFACE --dport 901 -j ACCEPT


## LIBERACAO DAS PORTAS 139, 445 PARA SAMBA PELA INTERFACE LOCAL

$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -d $LAN_IP -m multiport --dports 137,138 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN -d $LAN_IP -m multiport --dports 139,445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN -d $LAN_BCAST_ADRESS --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p udp -d $LAN_IP -m multiport --dports 137,138 -j DROP
$IPTABLES -A INPUT -p tcp -d $LAN_IP -m multiport --dports 139,445 -j DROP
$IPTABLES -A OUTPUT -s $LAN_IP -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT


## BLOQUEIO DA PORTA 135

$IPTABLES -A INPUT -p tcp -i $INET_IFACE --dport 135 -j REJECT
$IPTABLES -A INPUT -p udp -i $INET_IFACE --dport 135 -j REJECT

$IPTABLES -A OUTPUT -p tcp -o $INET_IFACE --dport 135 -j REJECT
$IPTABLES -A OUTPUT -p udp -o $INET_IFACE --dport 135 -j REJECT

$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE --dport 135 -j REJECT
$IPTABLES -A FORWARD -p UDP -i $LAN_IFACE -o $INET_IFACE --dport 135 -j REJECT


## BLOQUEIO DA PORTA 1080

$IPTABLES -A INPUT -p tcp -i $LAN_IFACE --dport 1080 -j REJECT
$IPTABLES -A INPUT -p udp -i $LAN_IFACE --dport 1080 -j REJECT

$IPTABLES -A OUTPUT -p tcp -o $LAN_IFACE --dport 1080 -j REJECT
$IPTABLES -A OUTPUT -p udp -o $LAN_IFACE --dport 1080 -j REJECT

$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE --dport 1080 -j REJECT
$IPTABLES -A FORWARD -p UDP -i $LAN_IFACE -o $INET_IFACE --dport 1080 -j REJECT

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -N icmp_packets
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP


## CAIXA ECONOMICA - CONECTIVIDADE
$IPTABLES -A FORWARD -s $LAN -p TCP -d 200.201.174.0/24 --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 200.201.174.0/24 -p tcp -d $LAN --dport 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $LAN -d ! 200.201.174.0/24 -p TCP --dport 80 -j REDIRECT --to-port $POR_SQUID


$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPTABLES -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

iptables -A INPUT  -i $INET_IFACE -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "

$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "IPT OUTPUT packet died: "

Scripts recomendados

Matrix Text Mode

zwtsc - cliente gráfico para Terminal Service

Dump de várias tabelas do MYSQL em vários arquivos

Pendetect

Text User Interface (TUI) com whiptail

Comentários

[1] Comentário enviado por Yrrak em 27/04/2007 - 15:51h

Boa tarde José,

Achei seu script pq estou procurando uma forma de fazer a Conectividade funcionar, queria saber até quais linhas são referentes a conectividade da caixa.

Obrigado

0 0