- Firewall
+ Responder ao Tópico
-
Firewall
Preciso fazer uma certa segurança na minha empresa e preciso bloquear todas as portas e depois liberar apenas a q necessito, como posso estar fazendo isso e se é o melhor caminho...
obrigado ... <IMG SRC="images/forum/smilies/icon_biggrin.gif"> <IMG SRC="images/forum/smilies/icon_lol.gif">
-
Firewall
Bom.. aqui está um firewall para que você estude e veja como funciona:
----------------------------------------------------
#!/bin/sh
##################################################################
IPTABLES="iptables"
INTERNAL="eth1" # Internal Interface
EXTERNAL="eth0" # External Interface
LOOPBACK="lo" # Loopback Interface
INTERNAL_NET="10.0.0.0/8"
# This is another way to specify your IP addresses suggested by
# Anders Ahl from IBM-Sweden
#
# This is particularly useful for getting static addresses.
# Remember if you are running DHCP on your external interface
# it is possible, but unlikely that your IP could change while
# your computer is running. So, specifying your external IP
# address could cause you to have to rerun this script in the
# event of an IP change.
#
# INTERNAL_IP=`ifconfig $INTERNAL | sed -n ´/inet/s/^[ ]*inet addr[0-9.]*).*/1/p´`
# EXTERNAL_IP=`ifconfig $EXTERNAL | sed -n ´/inet/s/^[ ]*inet addr[0-9.]*).*/1/p´`
#
# Get our broadcast addresses
# INTERNAL_BCAST=`ifconfig $INTERNAL | sed -n ´/inet/s/^.*Bcast[0-9.]*).*/1/p´`
# EXTERNAL_BCAST=`ifconfig $EXTERNAL | sed -n ´/inet/s/^.*Bcast[0-9.]*).*/1/p´`
#
# Define our internal network
# INTERNAL_NET="$INTERNAL_IP/24"
## Attempt to Flush All Rules in Filter Table
$IPTABLES -F
## Flush Built-in Rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#$IPTABLES -A INPUT -j LOG --log-level=info
## Nortel Extranet Client Stuff
# This will allow access for ipsec-based vpn clients
# (like the nortel extranet client).
#
# I´ve heard that the CES servers can be configured
# differently. So, ymmv.
#
# This seems to work for me with version 4.10 of the
# nortel extranet client (eac410d.exe).
#
# There´s another rule down in the nat secton to port
# forward 500 to a local box, and another rule to leave
# port 500 open in the external ports section. You´ll
# need to uncomment both of those to get a reliable vpn
# connection.
#
# I needed to do that in order to get my box to stay
# connected to the CES because of the udp rekey packets
# that are sent. (They won´t route correctly otherwise).
#
# (uncomment the following two lines if needed)
# $IPTABLES -A INPUT -p 50 -j ACCEPT
# $IPTABLES -A INPUT -p 51 -j ACCEPT
## More variables further down near the NAT rules.
## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.
###############################################################################
## Special Chains
###############################################################################
###############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## DROP packets associated with an "INVALID" connection.
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
## ACCEPT packets whose input interface is anything but the external interface.
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT
###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that these rules should never match normal traffic, they´re
## are designed to capture obviously messed up packets... but there´s alot of
## wierd shit out there, so who knows.
## Log facility/priority for these are kern.alert, please adjust for your taste. See
## the iptables and syslog.conf man pages for logging details.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
## NMAP FIN/URG/PSH
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
## Another Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## Null Scan(possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN -- Scan(possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## Make some types of port scans annoyingly slow, also provides some protection
## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
## INVALID state should catch most TCP packets with the RST or FIN bits set that
## aren´t associate with an established connection. Still, these will limit the
## amount of stuff that is accepted through our open ports(if any). I suggest you
## test these for your configuration before you uncomment them, as they could cause
## problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
###############################################################################
## Special Chain DENY_PORTS
## This chain will DROP/LOG packets based on port number
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS
## NFS, X, VNC, SMB, blah blah
$IPTABLES -A DENY_PORTS -p tcp --dport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j ACCEPT
$IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j ACCEPT
## (Possibly) Evil Stuff ##
## Possible rpc.statd exploit shell
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
## NetBus and NetBus Pro
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "NetBus:"
## Trinoo
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "Trinoo:"
## Back Orifice
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
###############################################################################
## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## Class A Reserved
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j ACCEPT
## Class B Reserved
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP
## Class D Reserved
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP
## Class E Reserved
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP
## Other Reserved Addresses ##
## The following was adapted from Jean-Sebastien Morisset´s excellent IPChains
## firewall script, available at
## http://www.jsmoriss.dyndns.org/linux/rc.firewall
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8
5.0.0.0/8
7.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/8 37.0.0.0/8
39.0.0.0/8
41.0.0.0/8 42.0.0.0/8
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8
81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8
126.0.0.0/8 127.0.0.0/8
197.0.0.0/8
201.0.0.0/8
218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
for NET in $RESERVED_NET; do
$IPTABLES -A SRC_EGRESS -s $NET -j DROP
done
##------------------------------------------------------------------------##
###############################################################################
## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## Class A Reserved
#$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j ACCEPT
## Class B Reserved
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP
## Class D Reserved
$IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP
## Class E Reserved
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP
## Other Reserved Addresses ##
## The following was adapted from Jean-Sebastien Morisset´s excellent IPChains
## firewall script, available at
## http://www.jsmoriss.dyndns.org/linux/rc.firewall
for NET in $RESERVED_NET; do
$IPTABLES -A DST_EGRESS -d $NET -j DROP
done
##------------------------------------------------------------------------##
###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
$IPTABLES -t mangle -N MANGLE_OUTPUT
$IPTABLES -t mangle -F MANGLE_OUTPUT
##------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------------##
###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall. Only TOS
## values are mangled right now.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
$IPTABLES -t mangle -N MANGLE_PREROUTING
$IPTABLES -t mangle -F MANGLE_PREROUTING
##-------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
##-------------------------------------------------------------------------------##
###############################################################################
## Special Chain ALLOW_EXTERNAL_PORTS
## Rules to allow packets destined for the external interface based on port
## number.
$IPTABLES -N ALLOW_PORTS-EXTERNAL
$IPTABLES -F ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ALLOW foreign machines to access certain services.(Examples)
## SSH
# if you want to be able to ssh into your firewall externally then uncomment this
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 22 -j ACCEPT
## FTP
# You can uncomment this if you want ftp to work over the Internet
# I wouldn´t though because wu-ftp frequently has remote exploits
# Leaving this line commented still allows LOCAL machines to ftp into the firewall
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 21 -j ACCEPT
## NORTEL EXTRANET CLIENT 4.10D, 4.15 PORT
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 500 -j ACCEPT
## IDENT
# You´ll likely need to enable this if you use irc.
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j ACCEPT
## REJECT port 113 ident requests.
# You´ll likely want to enable this if you use irc.
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j REJECT
## WWW
# a lot of cable modem providers drop port 80 stuff now (because of code red).
# this will likely have no effect if you uncomment it.
# $IPTABLES -A ALLOW_PORTS -EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT
## SMTP porta para receber E mail
$iptables -A INPUT -p tcp --dport 25 -j ACCEPT
$iptables -A INPUT -p udp --dport 25 -j ACCEPT
###############################################################################
## Firewall Input Chains
###############################################################################
###############################################################################
## New chain for input to the external interface
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input
##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter incomming packets based on port number.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Allow Packets On Certain External Ports
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## ICMP Stuff. Drop everything.
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Several Options:
## Accept Pings ##
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
## Accept Pings at the rate of one per second. ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit
# --limit 1/second -j ACCEPT
## LOG all pings. ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit
# --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"
## TTL Exceeded (traceroute)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input
## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL-input -i $INTERNAL -j ACCEPT
## DROP anything not coming from the internal network
# $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP
##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for wierd flags
$IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
$IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the loopback interface
$IPTABLES -N LO-input
$IPTABLES -F LO-input
## Accept packets to the loopback interface
$IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT
###############################################################################
## Firewall Output Chains
###############################################################################
###############################################################################
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## ACCEPT outgoing packets on the external interface
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##
###############################################################################
## New chain for output across the internal interface
$IPTABLES -N INTERNAL-output
$IPTABLES -F INTERNAL-output
## ACCEPT all outbound traffic across the internal interfaces
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
$IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE
###############################################################################
## New chain for output across the loopback device
$IPTABLES -N LO-output
$IPTABLES -F LO-output
## ACCEPT all traffic across loopback device
$IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT
###############################################################################
## Main Stuff
###############################################################################
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
$IPTABLES -A INPUT -i $LOOPBACK -j LO-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
## Sort of a Catch-all
$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
$IPTABLES -A OUTPUT -j KEEP_STATE
## Jump to our FORWARD chains.
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
$IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
# $IPTABLES -A FORWARD -j KEEP_STATE
## Jump to mangle table rules
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
$IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING
### END FIREWALL RULES ###
###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################
INTERNAL_NET="10.0.0.0/8"
EXT_IP="200.207.188.118" # IP address of the External Interface.
## Flush the NAT table.
$IPTABLES -F -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j MASQUERADE
##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##
## "Redirect" packets headed for certain ports on our external interface to other
## machines on the network. (Examples)
# NORTEL EXTRANET CLIENT 4.10D, 4.15 PORT
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p 17 --dport 500
# -j DNAT --to 192.168.0.2:500
# TightVNC, VNC forwarding
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5901
-j DNAT --to 10.10.1.158:5901
# Serious Sam 2 - The Second Encounter Server Forwarding
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 25600
# -j DNAT --to 192.168.0.2:25600
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p udp --dport 25600
# -j DNAT --to 192.168.0.2:25600
# Microsoft Netmeeting (you´ll need to be running the h323 module too for this).
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 389
-j DNAT --to 10.10.1.158:389
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 522
-j DNAT --to 10.10.1.158:522
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1503
-j DNAT --to 10.10.1.158:1503
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1720
-j DNAT --to 10.10.1.158:1720
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1731
-j DNAT --to 10.10.1.158:1731
##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Source NAT allows us to "masquerade" our internal machines behind our
## firewall.
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
## Dynamic IP address ##
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
### END NAT RULES ###
###############################################################################
## Additional Kernel Configuration
###############################################################################
## Adjust for your requirements/preferences.
## Please make sure you understand what these things are doing before you
## uncomment them. A good place to start would be some of the resources
## listed at the top of this script as well as the documentation that comes
## with the linux kernel source.
## For Example: linux/Documentation/filesystems/proc.txt
## linux/Documentation/networking/ip-sysctl.txt
## - Disable source routing of packets
#if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
# for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
# echo 0 > $i;
# done
#fi
## - Enable rp_filter
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $i;
# done
#fi
## - Ignore any broadcast icmp echo requests
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#fi
## - Ignore all icmp echo requests on all interfaces
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#fi
## - Local port range for TCP/UDP connections
#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
# echo -e "32768t61000" > /proc/sys/net/ipv4/ip_local_port_range
#fi
## - Log packets with impossible addresses to kernel log.
#if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#fi
## - Don´t accept ICMP redirects
#if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#fi
## - Don´t accept ICMP redirects
## (You may only want to disable on the external interface)
#if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
# echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
#fi
## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
#if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#fi
## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
else
echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn´t exist"
echo "(That may be a problem)"
fi
Qualquer coisa é só comentar aqui no fórum que muita gente irá te ajudar!
-
Firewall
Lembra que no código acima aparecem " você deve alterar para " ... isso é devido ao interpretador do fórum!
<IMG SRC="images/forum/smilies/icon_biggrin.gif">