Iptables

1. Iptables

Flavio A. Reis
(usa Ubuntu)

Enviado em 25/10/2007 - 07:56h

Olá, bom dia.
Sou usuário do Debian, mas sou novato com Firewall, estou com algumas duvidas, gostaria de expôr aqui pra trocar algumas ideias pra que posso melhorar a segurança do mesmo.

Preciso liberar o orrent e o emule, e vou trabalhar tb com squid.

Segue abaixo o scrip usado, aqui ele compartilha o velox e bloqueia tudo e libera algumas coisas.

#!/bin/bash

echo "Iniciando o IPTables..."
echo

#############
##Variáveis##
#############
ip_adm='192.168.0.0'
it_ext='ppp0'
it_int='eth0'
cmd_iptables='/sbin/iptables'

###########################################
## Limpa todas as regras ##
###########################################
echo "Limpando as regras..."
$cmd_iptables -F
$cmd_iptables -t nat -F
echo

####################################
##Habilita roteamento entre placas##
####################################
echo "1" > /proc/sys/net/ipv4/ip_forward

######################
##Carrega os módulos##
######################
echo "Carregando novas regras..."
echo
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#########################################################
##Trava o envio de entrada/saida de pacotes no Firewall##
#########################################################
$cmd_iptables -P INPUT DROP
$cmd_iptables -P FORWARD DROP
$cmd_iptables -P OUTPUT ACCEPT

########################################
##Habilita contra port scanners (NMAP)##
########################################
$cmd_iptables -A INPUT -p tcp --tcp-flags SYN, ACK -m limit --limit 1/s -j DROP
$cmd_iptables -A INPUT -p tcp --tcp-flags FIN, RST -m limit --limit 1/s -j DROP

######################################
##Habilita contra ataques syn-flood ##
######################################
$cmd_iptables -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT

#########################
##Habilita contra ping ##
#########################
$cmd_iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

####################################
##Habilita ping para rede externa ##
####################################
$cmd_iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

###################################
##Habilita contra ping da morte ##
###################################
#$cmd_iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#########################
##Rede Administrativa ##
#########################
#NAT
$cmd_iptables -t nat -A POSTROUTING -s $ip_adm/24 -o $it_ext -j MASQUERADE

#DNS 53
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 53 -j ACCEPT
$cmd_iptables -A FORWARD -p udp -s $ip_adm/24 -d 0/0 --dport 53 -j ACCEPT

# Web 80/8080/8081
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 80 -j ACCEPT
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 8080 -j ACCEPT
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 8081 -j ACCEPT

# Web SSL 443
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 443 -j ACCEPT

#Proxy transparente (descomente as linha abaixos para configurar proxy-transparente caso o seu
#servidor tenha o squid instalado)
#$cmd_iptables -A INPUT -p tcp -s $ip_adm/24 --dport 3128 -j ACCEPT
#$cmd_iptables -t nat -A PREROUTING -p tcp -s $ip_adm/24 --dport 80 -j REDIRECT --to-port 3128
#$cmd_iptables -t nat -A PREROUTING -p tcp -s $ip_adm/24 --dport 8080 -j REDIRECT --to-port 3128

#FTP 20 21
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 20 -j LOG --log-level 1 --log-prefix "FTP "
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 20 -j ACCEPT
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 21 -j LOG --log-level 1 --log-prefix "FTP "
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 21 -j ACCEPT

# Email SMTP/POP
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 25 -j ACCEPT
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 110 -j ACCEPT

# PORTAS USADAS PELO GMAIL
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 465 -j ACCEPT
$cmd_iptables -A FORWARD -p tcp -s $ip_adm/24 -d 0/0 --dport 995 -j ACCEPT

#LIBERANDO TORRENT AZUREUS
$cmd_iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881 -j DNAT --to-dest 192.168.0.2
$cmd_iptables -A FORWARD -p tcp -i eth0 --dport 6881 -d 192.168.0.2 -j ACCEPT
$cmd_iptables -t nat -A PREROUTING -i eth0 -p udp --dport 6881 -j DNAT --to-dest 192.168.0.2
$cmd_iptables -A FORWARD -p udp -i eht0 --dport 6881 -d 192.168.0.2 -j ACCEPT

##########################################################################
##Pacotes q estabeleceram conexão de reenvio possam voltar pelo firewall##
##########################################################################
$cmd_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##########################################################################
##Pacotes q estabeleceram conexãde entrada possam voltar pelo firewall####
##########################################################################
$cmd_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Desde já agradeço a colaboração de todos

Abraços Debianos

Alex Reis

0 0

Quote

2. Re: Iptables

Flavio A. Reis
(usa Ubuntu)

Enviado em 25/10/2007 - 07:59h

Pessoal, essa linha referente ao Torrent não está funcionado, peguei esse exemplo aqui no forum, mas não eatá dando certo, a porta está correta.

Abraços Debianos

Alex Reis

0 0

Quote