Ola. Estou tentando instalar o knock em meu servidor. Porém, não estou conseguindo fazer ele funcionar corretamente junto com meu firewall (meu ssh continua com a porta aberta). Alguém poderia me ajudar ? Para quem não sabe, knock é um script para bloquear ataques ssh. Estou seguindo o tutorial deste link: knock - controle de acesso SSH - Dicas e indicações..
OBS: o knock precisa de um firewall para funcionar corretamente.
Se eu insiro esse mini-firewall abaixo, ele funciona corretamente:
#!/bin/bash
iptables=/sbin/iptables
INTERNA=eth0
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
$iptables -F
$iptables -X
$iptables -F -t mangle
$iptables -X -t mangle
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
$iptables -A INPUT -i ! $INTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -i $INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: SSH: "
Abaixo estou inserindo o firewall que eu tenho atualmente.
#!/bin/bash
##define
IPTABLES=/sbin/iptables
EXT_IF=eth1
INT_IF=eth0
LAN=192.168.7
$IPTABLES --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --flush
$IPTABLES --table nat --delete-chain
modprobe ip_nat_ftp
modprobe ip_nat_irc
echo "25165824 25165824 25165824"> /proc/sys/net/ipv4/tcp_rmem
echo "25165824 25165824 25165824"> /proc/sys/net/ipv4/tcp_wmem
echo "25165824 25165824 25165824"> /proc/sys/net/ipv4/tcp_mem
echo 25165824 > /proc/sys/net/core/rmem_max
echo 25165824 > /proc/sys/net/core/rmem_default
echo 25165824 > /proc/sys/net/core/wmem_max
echo 25165824 > /proc/sys/net/core/wmem_default
echo 25165824 > /proc/sys/net/core/optmem_max
echo 600 > /proc/sys/net/core/netdev_max_backlog
echo 6710886 > /proc/sys/kernel/shmmax
echo 16376 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/kernel/sysrq
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i ${INT_IF} -p TCP -d ! 192.168.7.1 --dport 110 -j REDIRECT --to-port 8110
$IPTABLES -t nat -A PREROUTING -i ${INT_IF} -p TCP --destination ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i ${EXT_IF} -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.7.126:5900
$IPTABLES -t nat -A PREROUTING -i ${EXT_IF} -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.7.126:5900
$IPTABLES -t nat -A PREROUTING -i ${EXT_IF} -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.7.18
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 23 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 123 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m mac --mac-source 00:10:d:C:00:d:d:47 --dport 1863 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m mac --mac-source 00:10.:d:C:00:d:d:47 --dport 6891:6901 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m mac --mac-source 00:10:d:C:00:d:d:47 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m mac --mac-source 00:11:d8:4f:8c:32 --dport 1863 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m mac --mac-source 00:11:d8:4f:8c:32 --dport 6891:6901 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m mac --mac-source 00:11:d8:4f:8c:32 --dport 6901 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 5900:5910 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3350 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5222 -d 200.102.210.92 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5223 -d 200.102.210.92 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 8017 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3456 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 2631 -d 200.201.174.204 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3007 -d 161.148.185.46 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.7.18 -j ACCEPT
$IPTABLES -A FORWARD -d 200.169.19.230 -p tcp --dport 81 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:0e:a6:77:2a:ca -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 5017 -d 200.152.32.148 -j ACCEPT
--limit-burst 50 -i ! lo -j LOG --log-prefix " IPTABLES fw drop : "
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i $EXT_IF -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i $EXT_IF -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i $EXT_IF -p udp
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 --sport 1024:65535 -j LOG --log-prefix " IPTABLES SSH: "
$IPTABLES -A INPUT -p tcp --dport 22 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 --sport 1024:65535 -j LOG --log-prefix " IPTABLES SMTP: "
$IPTABLES -A INPUT -p tcp --dport 25 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 --sport 1024:65535 -i ! lo -j LOG --log-prefix " IPTABLES POP3: "
$IPTABLES -A INPUT -p tcp --dport 110 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5900:5910 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 5222 -j LOG --log-prefix " IPTABLES JABBER: "
iptables -A INPUT -i $EXT_IF -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 5223 -j ACCEPT
$IPTABLES -A FORWARED -p tcp -d 192.168.7 --dport 5017 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.7 --dport 5017 -j MASQUERADE
$IPTABLES -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 6881:6889 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 14199 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 14199 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i ! lo -j LOG --log-prefix " IPTABLES ICMP: "
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG --log-prefix " IPTABLES DROPPED: "
$IPTABLES -A INPUT -m state --state NEW -i ! lo -j DROP
/sbin/iptables-save
[]'s, Renato