aqui eu uso fedora 10, rodando:
squid (Version 3.0.stable13) como proxy/webcache
dhcp (MACxIP)
tenho o seguinte cenario, uma rede onde nao posso barrar nada (skype, msn, hotmail, acesso a web, etc).
mas tenho que encontrar um meio de aumentar a seguranca do servidor ou/e ate mesmo dos usuarios (ataques).
esse eh o firewall atual que estou usando:
##############################################################################
#Rede Interna= eth0
#Internet= eth1
ifup eth0
ifup eth1
service dhcpd restart
service squid start
echo "Iniciando Interfaces de Rede...............................[ OK ]"
# # carregando modulos
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_MARK
modprobe ipt_mark
modprobe ipt_mac
modprobe ipt_tos
modprobe iptable_mangle
# # limpando regras
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# # Determina a politica
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
# # Aceita os pacotes que realmente devem entrar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# # Aceita todo o trafego vndo do loopback e indo para o loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
# # Protecoes # # # #
# 1> Protecao contra IP spoofing
# 2> Protege contra synflood
# 3> Protecao contra icmp Broadcasting
# 4> Bloqueia tracerout
# 5> Protecao contra Dos
# 6> Protecao diversa contra portscanners, ping of death, ataque DOS, etc.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# Outras protecoes
# Impedimos que um atacante possa maliciosamente alterar alguma rota, e
# Impossibilita que o atacante determine o "caminho" que o pacote vai percorrer (roteadores) ate seu destino
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# # Fim Protecoes # # # #
# # Proxy Transpatent
iptables -t nat -A PREROUTING -s 172.167.0.0/24 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i 172.167.0.0/24 -p udp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
# # Ativa roteamento no kernel
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# #SSH
iptables -A INPUT -p tcp --dport 2210 --syn -j ACCEPT
# # Bandlimit
bandlimit restart
# # Fecha o resto
#iptables -A INPUT -p tcp --syn -j DROP
#iptables -A INPUT -j DROP
#iptables -A FORWARD -j DROP
###############################################################################
se eu altero as politicas padrao, e adiciono algum drop, minha rede nao navega
se no final eu fecho a resto, minha rede tbm nao navega.
1 questao >mas afinal, o que posso fazer para incrementar esse firewall, de modo que nao barre nada na navegacao da rede interna, mas tenha um pouco de seguranca referente a ataques ou acesso nao autorizado externo?
Segue meu squid
###############################################################################
http_port 192.168.70.1:3128 transparent
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 80
cache_swap_high 85
maximum_object_size 64 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 128 KB
ipcache_size 3072
ipcache_low 90
ipcache_high 93
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid/cache1 2048 16 64
cache_dir ufs /var/spool/squid/cache2 2048 16 64
cache_dir ufs /var/spool/squid/cache3 2048 16 64
cache_dir ufs /var/spool/squid/cache4 2048 16 64
cache_dir ufs /var/spool/squid/cache5 2048 16 64
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_nameservers 201.10.128.2
dns_nameservers 201.10.120.3
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
negative_ttl 3 minutes
positive_dns_ttl 5 minutes
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl BADPORTS port 7 9 11 19 22 23 25 53 110 119 513 514 3128 8080
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ---- Cache do Windows Update ----
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
##nao esquecer de trocar a faixa de ip pela da sua rede
acl rede src 192.168.70.0/255.255.255.0
http_access allow localhost
http_access allow rede
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny BADPORTS
http_access deny CONNECT !SSL_ports
http_access deny all
#icp_access allow rede
cache_effective_user squid
cache_effective_group squid
visible_hostname andrio.jasper
memory_pools off
forwarded_for off
error_directory /usr/share/squid/errors/Portuguese
strip_query_terms off
coredump_dir none
detect_broken_pconn on
pipeline_prefetch on
################################################################################
2 questao >nesse script, teria algo que poderia mudar?
3 questao> outra coisa que pensei em implementar na rede, seria vlan para cada usuario, mas nao sei como faco isso, alguem ai poderia me ajudar?