Scritp de Firewall com Iptables

Publicado por Silvio Soares da Silva Junior 01/10/2005

[ Hits: 7.562 ]

Download rc.firewall




Script de firewall usando iptables. Bloqueia e loga tentativas de conexão de trojans e worms mais conhecidos na sua rede interna. Muito eficiente.

  



Esconder código-fonte

#!/bin/bash

echo "Carregando o firewall..."

# Definindo as variaveis
IPTABLES="/usr/sbin/iptables"
REDEINT="192.168.0.0/24"
IPDNSPROVEDOR="192.168.0.250"
INT="eth0"
EXT="eth0"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
WORM_PORTS="33270,1234,6711,16660,60001,6000,6001,6002,10999"

######################################################################

# SYN Cookie Protection
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Disable response to ping
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

# Disable ICMP redirect acceptance
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log spoofed packets, source routed packets, redirect packets
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

######################################################################

# limpando as tabelas
$IPTABLES -F
$IPTABLES -t nat -F

######################################################################

# Protege contra os "Ping of Death"
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protege contra os ataques do tipo "Syn-flood, DoS, etc"
$IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

# Permitir repassamento (NAT,DNAT,SNAT) de pacotes etabilizados e os relatados ...
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logar os pacotes mortos por inatividade ...
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG

# Protege contra port scanners avançados (Ex.: nmap)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT


# Performance - Setando acesso a web com delay minimo
$IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay

# Deixa passar as portas UDP do servidores DNS, e Rejeitar o restante
$IPTABLES -A INPUT -i $EXT -p udp -s $IPDNSPROVEDOR -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p udp -s $IPDNSPROVEDOR -j ACCEPT


# Responde pacotes icmp especificados e rejeita o restante
#$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type host-unreachable -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type source-quench -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -p icmp -j REJECT --reject-with icmp-host-unreachable

# libera acesso interno da rede
$IPTABLES -A INPUT -p tcp --syn -s $REDEINT -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn -s $REDEINT -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -s $REDEINT -j ACCEPT

# libera o loopback
#$IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# libera conexoes de fora pra dentro
$IPTABLES -A INPUT -p tcp --destination-port 80 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 21 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 22 -j LOG --log-prefix "SSH: "
#$IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT 



#libera conexoes de dentro pra fora:
$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 86 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 5190 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT


# Liberando NTP (ntpd) porta 123 para envio e recepção protoclo UDP
#$IPTABLES -A INPUT -i $EXT -p udp --dport 123 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INT -p udp --sport 123 -j ACCEPT



######################################################################

# Protecao contra trojans
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT: "
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT: "
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

######################################################################

#Protecao contra worms
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: "
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: "
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: "
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: "
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j DROP


# compartilha a web na rede interna
#$IPTABLES -t nat -A POSTROUTING -s $REDEINT -o ppp0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward


# Bloqueia todas as portas udp
#$IPTABLES -A INPUT -i $EXT -p udp -j REJECT

# Bloqueia qualquer tentativa de conexao de fora para dentro por TCP
$IPTABLES -A INPUT -i $EXT -p tcp --syn -j DROP

# Mesmo assim fechar todas as portas abaixo de 32000
$IPTABLES -A INPUT -i $EXT -p tcp --dport :32000 -j DROP

# Protege contra pacotes que podem procurar e obter informações da rede interna ...
$IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

# Bloqueando tracertroute
$IPTABLES -A INPUT -p udp -s 0/0 -i $EXT --dport 33435:33525 -j DROP

# Protecoes contra ataques
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Nada de pacotes fragmentados
$IPTABLES -A INPUT -f -j DROP

# bloqueia o resto
$IPTABLES -A INPUT -p tcp --syn -j DROP
$IPTABLES -A OUTPUT -p tcp --syn -j DROP
$IPTABLES -A FORWARD -p tcp --syn -j DROP
# ----------------------------------------------------------------
echo "Firewall carregado..."


# Mais regras

# libera ssh de casa
#$IPTABLES -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT

# bloqueia acesso ssh, ftp de fora e grava no log
#$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IN: SSH "
#$IPTABLES -A INPUT -p tcp --dport 22 -j REJECT
#$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "IN: Telnet "
#$IPTABLES -A INPUT -p tcp --dport 23 -j REJECT

# bloqueia acesso netbios de fora e da rede interna para fora
#$IPTABLES -A INPUT -p tcp --sport 137:139 -i ppp+ -j DROP
#$IPTABLES -A INPUT -p udp --sport 137:139 -i ppp+ -j DROP
#$IPTABLES -A FORWARD -p tcp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A FORWARD -p udp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A OUTPUT -p tcp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A OUTPUT -p udp --sport 137:139 -o ppp+ -j DROP

# libera o bittorrent - (não testado) 
# troque o X.X.X.X pelo IP da máquina correspondente
#$IPTABLES -A INPUT -p tcp --destination-port 1214 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 1214 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 1214 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p udp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT

# faz o icq receber arquivos - (não testado)
# troque o X.X.X.X pelo IP da máquina correspondente
#$IPTABLES -A INPUT -p tcp --destination-port 2000:3000 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000:3000 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 2000:3000 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p udp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT

# EOF


Scripts recomendados

Administração de Usuários

Script Nagios

iptables para cyber

Desligamento programado com interface gráfica em Zenity

Automatizando o Nagios


  

Comentários
[1] Comentário enviado por balani em 02/11/2006 - 23:26h

bem feito o seu script.


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts