-
Windows Media Player
Essas são as regras de meu firewall:
#!/bin/bash
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_multiport
modprobe iptable_filter
modprobe ipt_mac
modprobe ip_nat_ftp
modprobe iptable_mangle
echo "1">/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -s 192.168.68.208 -p tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
iptables -A INPUT -s 192.168.68.208 -p tcp --destination-port 21 -j ACCEPT
iptables -A INPUT -s 192.168.68.208 -p udp --destination-port 21 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 21 -j DROP
iptables -A INPUT -p udp --destination-port 21 -j DROP
iptables -A INPUT -p tcp --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p udp --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -j DROP
iptables -A FORWARD -p udp -s 192.168.68.0/24 -d 200.196.48.20 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.68.0/24 -d 200.196.48.21 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.196.48.20 --sport 53 -d 192.168.68.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 200.196.48.21 --sport 53 -d 192.168.68.0/24 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.68.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.68.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -p tcp -i 192.168.68.254 --dport 31337 -j DROP
iptables -A INPUT -p udp -i 192.168.68.254 --dport 31337 -j DROP
#Regra para proteger contra Trojans
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL:trojan:"
iptables -A TROJAN -j DROP
iptables -A INPUT -p TCP -i 192.168.68.254 --dport 666 -j TROJAN
iptables -A INPUT -p TCP -i 192.168.68.254 --dport 4000 -j TROJAN
iptables -A INPUT -p TCP -i 192.168.68.254 --dport 6000 -j TROJAN
iptables -A INPUT -p TCP -i 192.168.68.254 --dport 6006 -j TROJAN
iptables -A INPUT -p TCP -i 192.168.68.254 --dport 16660 -j TROJAN
# Regra para proteger contra worms
iptables -A FORWARD -p tcp --dport 135 -i 192.168.68.254 -j REJECT
iptables -A FORWARD -p tcp --dport 1025 -i 192.168.68.254 -j REJECT
iptables -A FORWARD -p udp --dport 1025 -i 192.168.68.254 -j REJECT
# Abre para a interface de loopback.
# Esta regra é essencial para o KDE e outros programas gráficos funcionarem adequadamente.
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bloqueia uma porta de saída, tanto local quanto forward
iptables -A OUTPUT -p TCP --dport 4000:5190 -j DROP
iptables -A FORWARD -p TCP --dport 4000:5190 -j DROP
iptables -A OUTPUT -p UDP --dport 4000:5190 -j DROP
iptables -A FORWARD -p UDP --dport 4000:5190 -j DROP
# Bloqueia uma porta de saída, tanto local quanto forward
iptables -A OUTPUT -p TCP --dport 1863 -j DROP
iptables -A FORWARD -p TCP --dport 1863 -j DROP
iptables -A OUTPUT -p UDP --dport 1863 -j DROP
iptables -A FORWARD -p UDP --dport 1863 -j DROP
# Bloqueia uma porta de saída, tanto local quanto forward
iptables -A OUTPUT -p TCP --dport 6699 -j DROP
iptables -A FORWARD -p TCP --dport 6699 -j DROP
iptables -A OUTPUT -p UDP --dport 6699 -j DROP
iptables -A FORWARD -p UDP --dport 6699 -j DROP
# Bloqueia as portas 135 e 445
iptables -A OUTPUT -s 0/0 -d 0/0 -m tcp -m multiport -p tcp --dports 135,445 -j DROP
# Bloqueia programas P2P
# iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
# BearShare
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
# Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
# Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
# KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
iptables -A INPUT -m string --string "X-Kazaa" -j DROP
# Limewire
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
#Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
iptables -A FORWARD -s 192.168.68.0/24 -d 64.233.171.85 -j REJECT
iptables -A OUTPUT -s 192.168.68.0/24 -d 64.233.171.85 -j REJECT
# Bloquear MSN Messenger
iptables -A FORWARD -s 192.168.68.0/24 -p tcp --dport 1863 -j DROP
# iptables -A FORWARD -s 192.168.68.0/24 -d loginnet.passport.com -j DROP
iptables -A FORWARD -p TCP --dport 1863 -j DROP
iptables -A FORWARD -d 64.4.13.0/24 -j DROP
# Bloquear Yahoo Messenger
iptables -A FORWARD -d cs.yahoo.com -j DROP
iptables -A FORWARD -d scsa.yahoo.com -j DROP
# Bloquear KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j DROP
iptables -A FORWARD -p TCP --dport 1214 -j DROP
# Bloqueio do ICQ
iptables -A FORWARD -p TCP --dport 5190 -j DROP
iptables -A FORWARD -d login.icq.com -j DROP
iptables -A FORWARD -s 200.226.124.8 -j DROP
iptables -A INPUT -p tcp --syn -s 192.168.68.0/255.255.255.0 -j ACCEPT
# Protecoes diversas contra portscanners, ping of death, ataques Dos, etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
# Proteção Contra IP Spoofing
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
#Regra para aceitar ping da minha maquina
# iptables -A INPUT -p icmp -j DROP
# iptables -A INPUT -s 192.168.68.208 -p icmp -j ACCEPT
#Regra para bloquear ping
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Bloqueio de pings externos
iptables -A OUTPUT -p icmp -j DROP
iptables -A FORWARD -p tcp --destination-port 1755 -j DROP
iptables -A FORWARD -p udp --destination-port 1755 -j DROP
iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -i eth0 -p udp --dport 0:30000 -j DROP
-
Windows Media Player
vc postar seu script inteiro aqui nao ajuda muito..
eu quero apenas o retorno do comando:
iptables -nL FORWARD
-
Windows Media Player
Segue o que vc me pediu:
proxy:~# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 192.168.68.0/24 200.196.48.20 udp dpt:53
ACCEPT udp -- 192.168.68.0/24 200.196.48.21 udp dpt:53
ACCEPT udp -- 200.196.48.20 192.168.68.0/24 udp spt:53
ACCEPT udp -- 200.196.48.21 192.168.68.0/24 udp spt:53
ACCEPT tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:110
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 reject-
with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 reject
-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1025 reject
-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTAB
LISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:4000:5190
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:5190
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1863
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6699
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6699
REJECT all -- 0.0.0.0/0 216.35.208.0/24 reject-with icmp-po
rt-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 209.61.186.0/24 reject-with icmp-po
rt-unreachable
REJECT all -- 0.0.0.0/0 64.49.201.0/24 reject-with icmp-po
rt-unreachable
REJECT all -- 0.0.0.0/0 209.25.178.0/24 reject-with icmp-po
rt-unreachable
REJECT all -- 0.0.0.0/0 206.142.53.0/24 reject-with icmp-po
rt-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject
-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 213.248.112.0/24 reject-with icmp-po
rt-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject
-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 64.245.58.0/23 reject-with icmp-po
rt-unreachable
REJECT all -- 192.168.68.0/24 64.233.171.85 reject-with icmp-po
rt-unreachable
DROP tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:1863
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
DROP all -- 0.0.0.0/0 64.4.13.0/24
DROP all -- 0.0.0.0/0 216.136.233.128
DROP all -- 0.0.0.0/0 216.136.233.138
DROP all -- 0.0.0.0/0 216.136.226.208
DROP all -- 0.0.0.0/0 216.136.233.137
DROP all -- 0.0.0.0/0 213.248.112.0/24
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190
DROP all -- 0.0.0.0/0 205.188.153.121
DROP all -- 200.226.124.8 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit:
avg 1/sec burst 5
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec bu
rst 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTAB
LISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x12
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1755
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1755
DROP all -- 0.0.0.0/0 0.0.0.0/0 unclean
proxy:~#
Abs,
-
Windows Media Player
alguns pontos importantes que gostaria de citar..
1 - sua police default esta em ACCEPT.. e vc tem pelo menos umas 50 linhas com REJECTS e DROPS.. e umas 6 linhas dando ACCEPT..
eu aconselharia vc deixar a police em DROP e apenas deixar no script essas 6 linhas com ACCEPT.. nao vejo necessidade de fazer como vc esta fazendo.. so complica a administracao de um firewall..
2 - AS regras de DROP da porta 1755 esta listadas como as ultimas regras dessa CHAIN.. provavelmente para estar passando ainda o mms.. é pq tem alguma regra antes dessa checando.. e liberando o pacote..
o ideal mesmo é vc deixar sua POLICE em DROP .. e so ter regras de ACCEPT em sua chain.. isso ira econimizar tempo e administracao.. e provaveis furos que possam existir por ordem de regras na chain..