Padrão Script - iptables

Pessoal,

Estou postando abaixo o meu script de firewall e gostaria de uma opinião de vocês.

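#!/bin/sh
#
# Stateful iptables firewall for a small LAN:
#   - default policy DROP on INPUT, OUTPUT and FORWARD
#   - anti-spoofing on the LAN interface
#   - MASQUERADE for the LAN towards the external interface
#   - DNAT of two ports on the external address to the PABX
#   - explicit ACCEPT rules for ssh, icmp, dns, SIP and the VPN clients
#
# Must run as root. Every rule goes through "$IPT" so the binary path is set
# in one place. Address values below are placeholders as posted.

# Stop at the first failing iptables command and on any unset variable. The
# policy is already DROP by the time the ACCEPT rules are loaded, so a rule
# that fails to load makes the script stop (fail closed) instead of silently
# continuing with a hole in the intended ruleset.
set -eu

# --- Hosts, networks and interfaces -----------------------------------------
M1=192.168.x.y
M2=192.168.x.y
M3=192.168.x.y
M4=192.168.x.y
M5=192.168.x.y
M6=192.168.x.y
DG=yyy.yyy.yyy.yyy
DNS1=aaa.aaa.aaa.aaa
DNS2=aaa.aaa.aaa.aab
IPT=/sbin/iptables
FW_INT=192.168.x.y
FW_EXT=ccc.ccc.ccc.ccc
INT_INT=eth0
INT_EXT=eth1
LAN=192.168.x.y/24
MUTLEY=192.168.x.y
PABX=192.168.x.y
SIP=ddd.ddd.ddd.ddd
VPN=eee.eee.eee.eee

# --- Reset -------------------------------------------------------------------
# Flush and delete user chains in every table we touch (the loop also covers
# the default "filter" table, so a separate bare -F/-X is not needed).
for table in nat mangle filter; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# Default policy: drop everything that is not explicitly accepted.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -P "$chain" DROP
done

# --- Anti-spoofing -----------------------------------------------------------
# LAN addresses must only arrive on the LAN interface, and the LAN interface
# must only carry LAN addresses. "! -i" / "! -s" is the negation syntax that
# current iptables accepts (the old "-i !" form is no longer parsed).
"$IPT" -A INPUT -s "$LAN" ! -i "$INT_INT" -j DROP
"$IPT" -A INPUT ! -s "$LAN" -i "$INT_INT" -j DROP

# --- Stateful shortcut -------------------------------------------------------
# Replies to already-accepted connections are accepted on every chain.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# ==========
# Tabela NAT
# ==========

# Port-forward from the external address to the PABX, only for packets
# coming from $DG. "--dport" is only valid together with "-p", so the
# protocol is stated explicitly (the original rules failed to load).
# NOTE(review): the FORWARD chain below also accepts udp/987 to the PABX,
# but no udp/987 DNAT exists here — confirm whether 987 is tcp, udp or both.
for port in 987 22; do
  "$IPT" -t nat -A PREROUTING -s "$DG" -d "$FW_EXT" -p tcp --dport "$port" \
    -j DNAT --to "$PABX"
done

# Share the Internet connection: masquerade LAN traffic leaving on the
# external interface. POSTROUTING has no input interface, so the match is on
# the output interface (-o), not -i.
"$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$INT_EXT" -j MASQUERADE

# ===========
# Chain INPUT
# ===========

# Loopback.
"$IPT" -A INPUT -i lo -j ACCEPT

# ssh to the firewall itself, only from two admin hosts on the LAN.
for admin_host in "$M5" "$MUTLEY"; do
  "$IPT" -A INPUT -s "$admin_host" -i "$INT_INT" -p tcp --dport 22 -j ACCEPT
done

# ping from the LAN.
for icmp_type in echo-reply echo-request; do
  "$IPT" -A INPUT -s "$LAN" -i "$INT_INT" -p icmp --icmp-type "$icmp_type" \
    -j ACCEPT
done

# ============
# Chain OUTPUT
# ============

# Loopback.
"$IPT" -A OUTPUT -o lo -j ACCEPT

# ping to the LAN.
for icmp_type in echo-reply echo-request; do
  "$IPT" -A OUTPUT -d "$LAN" -o "$INT_INT" -p icmp --icmp-type "$icmp_type" \
    -j ACCEPT
done

# DNS lookups by the firewall itself, to the two configured resolvers only.
for dns in "$DNS1" "$DNS2"; do
  for proto in tcp udp; do
    "$IPT" -A OUTPUT -d "$dns" -o "$INT_EXT" -p "$proto" --dport 53 -j ACCEPT
  done
done

# =============
# Chain FORWARD
# =============

# PABX to the SIP provider (any unprivileged udp destination port).
"$IPT" -A FORWARD -s "$PABX" -i "$INT_INT" -d "$SIP" -p udp \
  --dport 1024:65535 -j ACCEPT

# VPN clients to the VPN endpoint on 500 (IKE) and 4500 (NAT-T). IKE/NAT-T
# normally run over udp; the tcp rule is kept as in the original ruleset.
for client in "$M1" "$M2" "$M3" "$M4" "$M5" "$M6"; do
  for proto in tcp udp; do
    "$IPT" -A FORWARD -s "$client" -i "$INT_INT" -d "$VPN" -p "$proto" \
      -m multiport --dport 500,4500 -j ACCEPT
  done
done

# DNS from the listed LAN hosts to the two configured resolvers only.
for client in "$M1" "$M2" "$M3" "$M4" "$M5" "$M6" "$MUTLEY"; do
  for dns in "$DNS1" "$DNS2"; do
    for proto in tcp udp; do
      "$IPT" -A FORWARD -s "$client" -i "$INT_INT" -d "$dns" -p "$proto" \
        --dport 53 -j ACCEPT
    done
  done
done

# Traffic to the PABX on the forwarded ports (and udp/987). These rules match
# on any input interface and source; to limit them to the DNAT above, add
# `-i "$INT_EXT" -s "$DG"` — left unchanged here because it may also be
# needed for internal hosts, verify against the actual topology.
"$IPT" -A FORWARD -d "$PABX" -p tcp --dport 22 -j ACCEPT
"$IPT" -A FORWARD -d "$PABX" -p tcp --dport 987 -j ACCEPT
"$IPT" -A FORWARD -d "$PABX" -p udp --dport 987 -j ACCEPT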