Firewall script with Iptables
Published by Silvio Soares da Silva Junior, 01/10/2005
Firewall script using iptables. It blocks and logs connection attempts on the ports used by the best-known trojans and worms, on the internal network as well as on the external interface. Very efficient.
#!/bin/bash
echo "Loading the firewall..."

# Variables
IPTABLES="/usr/sbin/iptables"
REDEINT="192.168.0.0/24"          # internal network
IPDNSPROVEDOR="192.168.0.250"     # DNS server whose UDP replies are accepted
# As published, both interfaces are eth0 (single-homed host). On a gateway,
# set EXT to the external interface (the commented MASQUERADE rule below uses ppp0).
INT="eth0"
EXT="eth0"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
WORM_PORTS="33270,1234,6711,16660,60001,6000,6001,6002,10999"

######################################################################
# Kernel (sysctl) hardening
# SYN cookie protection (left disabled in the original)
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Disable response to ping
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
# Disable ICMP redirect acceptance
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done

######################################################################
# Flush the tables. Note that the script never sets a chain policy, so the
# built-in chains keep their default ACCEPT and only the explicit DROP/REJECT
# rules below actually block traffic.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F    # without this the mangle rules below accumulate on every reload

######################################################################
# Rate-limit forwarded ICMP echo requests to 1/s (labelled "Ping of Death" protection in the original)
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Accept at most one forwarded TCP packet per second unconditionally (labelled "SYN-flood, DoS" protection)
$IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# Forward packets of established connections and their related traffic (NAT, DNAT, SNAT)
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited) forwarded packets that reach this point, i.e. not yet part of an accepted connection
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
# Rate-limit bare RST packets (noise from port scanners such as nmap)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Performance: minimum-delay TOS for outgoing DNS and HTTP
$IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay

# Accept UDP from the DNS server (the original listed this rule twice; the
# matching "reject all other UDP" rule is commented out further down)
$IPTABLES -A INPUT -i $EXT -p udp -s $IPDNSPROVEDOR -j ACCEPT

# Answer the listed ICMP types and reject the rest (disabled in the original)
#$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type host-unreachable -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type source-quench -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -p icmp -j REJECT --reject-with icmp-host-unreachable

# Allow new TCP connections from the internal network
$IPTABLES -A INPUT -p tcp --syn -s $REDEINT -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn -s $REDEINT -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -s $REDEINT -j ACCEPT

# Loopback
#$IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# Inbound connections (from the outside)
$IPTABLES -A INPUT -p tcp --destination-port 80 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 21 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --destination-port 22 -j LOG --log-prefix "SSH: "
#$IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT

# Outbound connections (from the firewall host itself)
$IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 86 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 5190 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT

# NTP (ntpd), UDP port 123, send and receive
#$IPTABLES -A INPUT -i $EXT -p udp --dport 123 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INT -p udp --sport 123 -j ACCEPT

######################################################################
# Trojan protection: log, then drop, on both interfaces
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT: "
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT: "
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP

######################################################################
# Worm protection: same pattern
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: "
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: "
$IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: "
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: "
$IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j DROP
$IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j DROP

# Share the Internet connection with the internal network (NAT; disabled in the original)
#$IPTABLES -t nat -A POSTROUTING -s $REDEINT -o ppp0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

# Block all UDP ports (disabled in the original)
#$IPTABLES -A INPUT -i $EXT -p udp -j REJECT
# Drop any new TCP connection from the outside
$IPTABLES -A INPUT -i $EXT -p tcp --syn -j DROP
# And still close every port below 32000
$IPTABLES -A INPUT -i $EXT -p tcp --dport :32000 -j DROP
# Drop forwarded packets with exactly SYN+ACK set (probes used to map hosts on the internal network)
$IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# Block traceroute
$IPTABLES -A INPUT -p udp -s 0/0 -i $EXT --dport 33435:33525 -j DROP
# Drop packets the connection tracker marks INVALID
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# No fragmented packets
$IPTABLES -A INPUT -f -j DROP
# Block the rest: new TCP connections only. Non-TCP traffic not matched
# above is still accepted by the default chain policy.
$IPTABLES -A INPUT -p tcp --syn -j DROP
$IPTABLES -A OUTPUT -p tcp --syn -j DROP
$IPTABLES -A FORWARD -p tcp --syn -j DROP
# ----------------------------------------------------------------
echo "Firewall loaded..."

# More rules (all disabled)
# allow ssh from home
#$IPTABLES -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
# block ssh and telnet (ports 22 and 23) from the outside and log it
#$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IN: SSH "
#$IPTABLES -A INPUT -p tcp --dport 22 -j REJECT
#$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "IN: Telnet "
#$IPTABLES -A INPUT -p tcp --dport 23 -j REJECT
# block NetBIOS from the outside and from the internal network to the outside
#$IPTABLES -A INPUT -p tcp --sport 137:139 -i ppp+ -j DROP
#$IPTABLES -A INPUT -p udp --sport 137:139 -i ppp+ -j DROP
#$IPTABLES -A FORWARD -p tcp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A FORWARD -p udp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A OUTPUT -p tcp --sport 137:139 -o ppp+ -j DROP
#$IPTABLES -A OUTPUT -p udp --sport 137:139 -o ppp+ -j DROP
# allow BitTorrent (untested)
# replace X.X.X.X with the IP of the machine concerned
#$IPTABLES -A INPUT -p tcp --destination-port 1214 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 1214 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 1214 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p udp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT
# let ICQ receive files (untested)
# replace X.X.X.X with the IP of the machine concerned
#$IPTABLES -A INPUT -p tcp --destination-port 2000:3000 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000:3000 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 2000:3000 -j DNAT --to-dest X.X.X.X
#$IPTABLES -A FORWARD -p udp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT
# EOF
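The trojan and worm rules above log before they drop, which is only useful if someone reads the resulting kernel log. The helper below is an added example, not part of the original script: it summarizes those log lines by source address, protocol, destination port and the script's own prefixes ("IPTABLES Trojan ...", "IPTABLES WORM ..."), then flags sources that hit several blocked ports, which is the port-scan pattern rather than a single stray connection. The field names it parses (SRC=, PROTO=, DPT=) are the ones the iptables LOG target writes; the sample log is constructed for this example with RFC 5737 documentation addresses, and the function names summarize_blocked_hits and top_sources are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original script): triage of the kernel log
# lines written by the "IPTABLES Trojan ..." / "IPTABLES WORM ..." LOG rules.
# SRC=, PROTO= and DPT= are the fields the iptables LOG target emits.

# Constructed sample log (RFC 5737 addresses; the last line is log_martians
# output, which must be ignored by the summary).
SAMPLE_LOG='Oct  1 10:00:01 fw kernel: IPTABLES Trojan EXT: IN=eth0 OUT= MAC=00:0c:29:3e:51:9a:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=45678 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 10:00:02 fw kernel: IPTABLES Trojan EXT: IN=eth0 OUT= MAC=00:0c:29:3e:51:9a:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=45679 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 10:00:03 fw kernel: IPTABLES Trojan EXT: IN=eth0 OUT= MAC=00:0c:29:3e:51:9a:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=45680 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 10:00:04 fw kernel: IPTABLES WORM INT_IF: IN=eth0 OUT= MAC=00:0c:29:3e:51:9a:00:1a:4b:7c:22:10:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4 DF PROTO=TCP SPT=1040 DPT=1234 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  1 10:00:05 fw kernel: IPTABLES Trojan EXT: IN=eth0 OUT= MAC=00:0c:29:3e:51:9a:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=192.168.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=UDP SPT=53 DPT=31335 LEN=16
Oct  1 10:00:06 fw kernel: martian source 192.168.0.1 from 10.0.0.5, on dev eth0'

# Read syslog lines on stdin; print "hits SRC PROTO DPT prefix", most hits
# first. Only lines carrying one of the script's Trojan/WORM prefixes count.
summarize_blocked_hits() {
    awk '
        # value of KEY=... in the current line, or "" when the key is absent
        function kv(key) {
            if (match($0, key "=[^ ]+"))
                return substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            return ""
        }
        /kernel: IPTABLES (Trojan|WORM) [^:]+: / {
            match($0, /IPTABLES (Trojan|WORM) [^:]+:/)
            prefix = substr($0, RSTART, RLENGTH - 1)   # drop the trailing colon
            hits[kv("SRC") " " kv("PROTO") " " kv("DPT") " " prefix]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2
}

# Read the summary above on stdin; print "total SRC" for every source whose
# hits across all ports reach the threshold in $1 (default 2). One source
# touching several blocked ports is the scanner pattern worth following up.
top_sources() {
    awk -v min="${1:-2}" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= min) print total[s], s }
    ' | sort -k1,1nr -k2,2
}

# Usage: on a real host replace the sample with e.g. grep IPTABLES /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked_hits
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked_hits | top_sources 3
```

On the sample, 203.0.113.7 shows up three times against two different trojan ports (31337 twice, 12345 once) and is the only source to pass the threshold of 3; the internal host 192.168.0.23 hitting a worm port once is the kind of entry that points at an infected machine on the LAN rather than at an outside scanner.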