firewall de borda,
#interface externa = eth0 (pppoe)
#Interface interna = eth1
rede local 192.168.0.0/24
Script firewall
#!/bin/bash
# Configuracoes do IPtables
IPT=/sbin/iptables
# External (WAN) interface: the pppoe session comes up as ppp0, not as eth0.
#IF_EXTERNA="eth0"
IF_EXTERNA="ppp0"
# Internal (LAN) interface and the LAN subnet behind it
IF_INTERNA="eth1"
RD_LOCAL="192.168.0.0/24"
# Load the netfilter pieces the rules rely on (NAT, connection tracking and
# its FTP helper, the LOG/REJECT/MASQUERADE targets) plus the tun/tap driver
# for the VPN. ip_conntrack, ip_conntrack_ftp and ip_nat_ftp are the legacy
# module names; newer kernels ship them as nf_conntrack, nf_conntrack_ftp and
# nf_nat_ftp, so a failing modprobe here is worth checking in the logs.
for fw_mod in iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp \
  ipt_LOG ipt_REJECT ipt_MASQUERADE tun tap; do
  /sbin/modprobe "$fw_mod"
done
unset fw_mod
# Inicio das Regras do Firewall
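fw_start(){
  # Brings the firewall up: kernel hardening knobs, flush, DROP policies and
  # then the filter/nat rule sets below, in order.
  # Globals (read): IPT, IF_EXTERNA, IF_INTERNA, RD_LOCAL
  # Returns: the status of the last iptables call. A rule that iptables
  #          rejects is reported on stderr and the script keeps going.
  local rd_vpn="10.0.0.0/24"   # OpenVPN client subnet (udp/1194 is opened below)
  local table port mask comp flags host

  ######## Kernel settings ########
  # Forward between interfaces; ip_dynaddr lets connections started before
  # the pppoe address was assigned be re-sourced from the new address.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
  # Reverse-path filter: drops packets whose source is not reachable via the
  # interface they arrived on (basic IP spoofing protection).
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  # Do not let ICMP redirects rewrite our routes
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  # Refuse packets carrying the source-routing (SRR) option
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  # Ignore ICMP echo sent to broadcast/multicast (smurf amplification) and
  # bogus ICMP error responses. The original only set the second knob while
  # its comment described the first; both are set now.
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # SYN cookies keep the TCP backlog usable under a SYN flood
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  ######## Flush, so re-running the script is idempotent ########
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
  # Default policies: everything not explicitly accepted below is dropped
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP

  ###########################################################
  # FILTER TABLE
  ###########################################################
  # New TCP connections must start with SYN; log (rate-limited) and drop the rest
  "$IPT" -A FORWARD -p tcp ! --syn -m state --state NEW -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: NEW sem syn: "
  "$IPT" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  # Block 135/tcp leaving the LAN (worm propagation). This has to sit before
  # the state rule below, which accepts every NEW forwarded connection and
  # would otherwise shadow it.
  "$IPT" -A FORWARD -p tcp --dport 135 -i "$IF_INTERNA" -j REJECT
  # Loopback must be open, or local daemons talking to 127.0.0.1 (proxy,
  # DNS, database) are cut off by the INPUT DROP policy.
  "$IPT" -A INPUT -i lo -j ACCEPT
  # Trusted networks. The LAN rule is bound to its interface so a packet
  # with a forged LAN source arriving on the external link is not trusted.
  "$IPT" -A INPUT -s "$RD_LOCAL" -i "$IF_INTERNA" -j ACCEPT
  "$IPT" -A INPUT -s "$rd_vpn" -j ACCEPT
  # VPN clients reach the LAN with the firewall's LAN address as source
  "$IPT" -t nat -A POSTROUTING -s "$rd_vpn" -o "$IF_INTERNA" -j MASQUERADE
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  # NOTE(review): accepting NEW here lets every forwarded connection through,
  # so the per-port FORWARD rules and the 2/s SYN limit further down never
  # match. Kept as-is because removing NEW here changes what the LAN can
  # reach; decide the egress policy first, then tighten this line.
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

  ################################################################
  # PROTECTION CHAINS (rate-limited log, then drop)
  ################################################################
  # trinoo DDoS agent ports
  "$IPT" -N TRINOO
  "$IPT" -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: trinoo: "
  "$IPT" -A TRINOO -j DROP
  for port in 27444 27665 31335 34555 35555; do
    "$IPT" -A INPUT -p TCP -i "$IF_EXTERNA" --dport "$port" -j TRINOO
  done
  # Well-known trojan ports (666 was listed twice in the original)
  "$IPT" -N TROJAN
  "$IPT" -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: trojan: "
  "$IPT" -A TROJAN -j DROP
  for port in 666 4000 6000 6006 16660; do
    "$IPT" -A INPUT -p TCP -i "$IF_EXTERNA" --dport "$port" -j TROJAN
  done
  # SYN rate limit on forwarded traffic. NOTE(review): dead while the state
  # rule above accepts NEW; see that note.
  "$IPT" -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
  # Ping flood: one echo-request per second, the rest hit the DROP policy
  "$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # Port scanners: TCP flag combinations that never occur in normal traffic
  "$IPT" -N SCANNER
  "$IPT" -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: port scanner: "
  "$IPT" -A SCANNER -j DROP
  for flags in "ALL FIN,URG,PSH" "ALL NONE" "ALL ALL" "ALL FIN,SYN" \
    "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
    mask=${flags%% *}   # --tcp-flags takes "mask comp"
    comp=${flags#* }
    "$IPT" -A INPUT -p tcp --tcp-flags "$mask" "$comp" -i "$IF_EXTERNA" -j SCANNER
  done

  #######################################################################
  # Log connection attempts from the outside to selected ports. Nothing
  # later in INPUT accepts these ports on the external interface, so the
  # packets end at the DROP policy; the log is just visibility.
  ######################################################################
  fw_log_ext tcp 21 ftp
  fw_log_ext tcp 22 ssh
  fw_log_ext tcp 23 telnet
  fw_log_ext tcp 25 smtp
  fw_log_ext tcp 80 http
  fw_log_ext tcp 110 pop3
  fw_log_ext udp 111 rpc
  fw_log_ext tcp 113 identd
  fw_log_ext tcp 137:139 samba
  fw_log_ext udp 137:139 samba
  fw_log_ext tcp 161:162 snmp
  fw_log_ext tcp 6667:6668 irc
  fw_log_ext tcp 3128 squid
  fw_log_ext tcp 5432 Banco
  fw_log_ext tcp 4142 Banco
  fw_log_ext tcp 5900 VNC
  fw_log_ext tcp 5629 Hamachi
  fw_log_ext tcp 60711 Hamachi
  fw_log_ext tcp 50534 Hamachi

  #################################################################################
  # OPEN PORTS
  #################################################################################
  # OpenVPN, on any interface (the original also had an external-only copy of
  # this rule, which this one supersedes)
  "$IPT" -A INPUT -p udp --dport 1194 -j ACCEPT
  # VPN tunnel interfaces. iptables needs the '+' wildcard here: a bare
  # "tun"/"tap" never matches tun0/tap0, so these rules were silently inert.
  "$IPT" -A INPUT -i tun+ -j ACCEPT
  "$IPT" -A INPUT -i tap+ -j ACCEPT
  # Services reachable from the LAN. NOTE(review): the blanket LAN accept
  # above already covers all of these; they only matter if that rule goes.
  # TCP
  for port in 22 53 110 389 587 2222 3128 5222 5223 5269 5931 4142 5432 22403; do
    "$IPT" -A INPUT -p tcp --dport "$port" -i "$IF_INTERNA" -j ACCEPT
  done
  "$IPT" -A INPUT -p tcp --sport 53 -i "$IF_INTERNA" -j ACCEPT
  # UDP
  "$IPT" -A INPUT -p udp --dport 53 -i "$IF_INTERNA" -j ACCEPT
  for port in 22 53 389 1194 587 2222 5931 4142 5432; do
    "$IPT" -A INPUT -p udp --sport "$port" -i "$IF_INTERNA" -j ACCEPT
  done
  # Outbound (forwarded) services
  # TCP
  for port in 21 25 53 110 587 2500 5432 5931 4142 22403; do
    "$IPT" -A FORWARD -p tcp --dport "$port" -j ACCEPT
  done
  "$IPT" -A FORWARD -p tcp --sport 53 -j ACCEPT
  # UDP
  "$IPT" -A FORWARD -p udp --dport 53 -j ACCEPT
  for port in 53 5432 1194 5931 4142; do
    "$IPT" -A FORWARD -p udp --sport "$port" -j ACCEPT
  done
  "$IPT" -A FORWARD -i tun+ -j ACCEPT
  "$IPT" -A FORWARD -i tap+ -j ACCEPT
  # Web access to specific sites. iptables resolves each name once, when the
  # rule is loaded, into the A records returned at that moment; a later DNS
  # change is only picked up when the rules are reloaded.
  for host in comprasnet.gov.br soap.smedi.com.br client.smedi.com.br redisp.smedi.com.br; do
    "$IPT" -A FORWARD -d "$host" -p tcp -m multiport --dport 80,443 -j ACCEPT
  done
  # XMPP client/server ports from the LAN (second rule had a 102.168.0.0/24
  # typo in the original, so it never matched)
  "$IPT" -A FORWARD -s "$RD_LOCAL" -p tcp --dport 5222:5223 -j ACCEPT
  "$IPT" -A FORWARD -s "$RD_LOCAL" -p tcp --dport 5269 -j ACCEPT

  ########################################################################
  # NAT TABLE
  ########################################################################
  # Masquerade everything leaving through the external link
  "$IPT" -t nat -A POSTROUTING -o "$IF_EXTERNA" -j MASQUERADE
  ########################################################################
  # BROWSING OUTSIDE THE PROXY
  # Hosts exempted from a transparent-proxy REDIRECT. Only meaningful if a
  # REDIRECT to 3128 is added after them (the one at the end is commented out).
  #   .2/.3 servers, .100-.103 management, .104/.105 IT
  ########################################################################
  for host in 192.168.0.2 192.168.0.3 192.168.0.100 192.168.0.101 192.168.0.102 \
    192.168.0.103 192.168.0.104 192.168.0.105; do
    "$IPT" -t nat -A PREROUTING -p tcp -m multiport -s "$host" --dport 80,443 -j ACCEPT
  done
  #######################################################
  # Port forwards to internal servers. Each of these exposes the internal
  # service to the whole internet; the DNAT'd packets traverse FORWARD,
  # where the NEW-accept rule lets them through. NOTE(review): RDP (3389),
  # VNC (5900) and the database ports (4142, 5432) are the ones worth
  # restricting by source or moving behind the VPN that is already open.
  #######################################################
  # SERVIDOR1
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 5989 -j DNAT --to-destination 192.168.0.3:3389
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 5988 -j DNAT --to-destination 192.168.0.2:5900
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 4142 -j DNAT --to-destination 192.168.0.2
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p udp --dport 4142 -j DNAT --to-destination 192.168.0.2
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 5432 -j DNAT --to-destination 192.168.0.2
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p udp --dport 5432 -j DNAT --to-destination 192.168.0.2
  # Cameras (forwarded to the recorder's IP)
  for port in 56269 60711 50534; do
    "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p udp --dport "$port" -j DNAT --to-destination 192.168.0.5
  done
  # openfire (XMPP)
  for port in 5222 5223 5269; do
    "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport "$port" -j DNAT --to-destination 192.168.0.4
  done
  "$IPT" -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 7574 -j DNAT --to-destination 192.168.0.4:80
  ###############################################################
  # Redirect ports on this machine
  ###############################################################
  #"$IPT" -A PREROUTING -t nat -i "$IF_EXTERNA" -p tcp --dport 4254 -j REDIRECT --to-ports 3128
}

#######################################
# Logs, rate-limited, a connection attempt from the external interface to
# one port. LOG is non-terminating, so the packet continues down INPUT.
# Globals:   IPT, IF_EXTERNA (read)
# Arguments: $1 protocol, $2 port or port range, $3 label for the log prefix
#######################################
fw_log_ext(){
  "$IPT" -A INPUT -p "$1" --dport "$2" -i "$IF_EXTERNA" -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIR: $3: "
}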
# Fim das regras
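fw_stop(){
  # Opens the firewall completely: ACCEPT policy on every built-in chain of
  # filter/nat/mangle, then flush rules (-F), delete user chains (-X) and
  # zero counters (-Z) in each table. The nat OUTPUT policy was spelled
  # "ACEEPT" in the original, which iptables rejects with an error.
  # Globals (read): IPT
  local chain table op
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -t filter -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT INPUT FORWARD; do
    "$IPT" -t mangle -P "$chain" ACCEPT
  done
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      "$IPT" -t "$table" "$op"
    done
  done
}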
fw_usage(){
  # Prints the accepted sub-commands to stdout, one per line, framed by a
  # blank line above and below the synopsis.
  printf '%s\n' \
    '' \
    "$0 (start | stop | restart | clear)" \
    '' \
    'start - Ativa o firewall' \
    'stop - Desativa o firewall' \
    'restart - Reinicia o firewall' \
    'clear - Limpa os contatores'
}
fw_clear(){
  # Zeroes the packet/byte counters of every chain in the filter, nat and
  # mangle tables; rules and policies are left untouched.
  # Globals (read): IPT
  local table
  for table in filter nat mangle; do
    "$IPT" -t "$table" -Z
  done
}
# Sub-command dispatch. A missing or unknown argument prints the usage text
# and exits with fw_usage's status.
case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  clear)
    fw_clear
    ;;
  *)
    fw_usage
    exit
    ;;
esac