Pessoal quais regras devo adicionar ao script abaixo afim de amadurece-lo e melhora-lo no quesito protecao e qualidade:
#---------------------------------
# Configuração Básica
#---------------------------------
IPTABLES=`which iptables`
PERMITIR_TCP="22 80 3389"
PERMITIR_UDP="53"
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="10.0.0.0/24 200.x.x.163 200.x.x.162"
MASQ_LAN="10.0.0.0/24"
#---------------------------------
# DROP: com log colocar "LDROP"
#---------------------------------
#DROP="TREJECT"
DROP="LDROP"
#---------------------------------
# Tcp Forward: Pserv<IMG SRC="images/forum/icons/icon_razz.gif">estacao>Ip
#---------------------------------
TCPFORWARD="3389:3389>10.0.0.152"
UDPFORWARD=""
#---------------------------------
# Criando as Regras
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"
#---------------------------------
# Habilitando o Masquerade
#---------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------
# Habilitando TCP Syncookies
#---------------------------------
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#---------------------------------
# Limpando as Regras Antigas
#---------------------------------
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
for chain in ${REGRAS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
done
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
#---------------------------------
# Trafego Local
#---------------------------------
for subnet in ${INTERNAL_LAN} ; do
${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#---------------------------------
# Habilitando NAT
#---------------------------------
if [ "$MASQ_LAN" != "" ] ; then
for subnet in ${MASQ_LAN} ; do
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_INT} -j MASQUERADE
done
fi
#---------------------------------
# TCP Forward
#---------------------------------
if [ "$TCPFORWARD" != "" ] ; then
for rule in ${TCPFORWARD} ; do
echo "$rule" | {
IFS=´:>´ read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p tcp -d ${host} --dport ${destport} -j ACCEPT
}
done
fi
#---------------------------------
# UDP Forward
#---------------------------------
if [ "$UDPFORWARD" != "" ] ; then
for rule in ${UDPFORWARD} ; do
echo "$rule" | {
IFS=´:>´ read srcport destport host
${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_INT} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
${IPTABLES} -t filter -A FORWARD -p udp -d ${host} --dport ${destport} -j ACCEPT
}
done
fi
#---------------------------------
# Terminado configuraçao de regras
#---------------------------------
${IPTABLES} -t filter -A INPUT -i ${INET_INT} -j ENTRADANET
${IPTABLES} -t filter -A OUTPUT -o ${INET_INT} -j SAIDANET
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT
#---------------------------------
# Protegendo contra TCP SYN Flood
#---------------------------------
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP"
${IPTABLES} -t filter -A TCPPERMITIDO -j ${DROP}
#---------------------------------
# Pacotes com flag invalidas
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state INVALID -j ${DROP}
#---------------------------------
# Descartando Ping flood
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type ! echo-request -j ACCEPT
#---------------------------------
# Portas TCP a serem abertas
#---------------------------------
if [ "$PERMITIR_TCP" != "" ] ; then
for port in ${PERMITIR_TCP} ; do
${IPTABLES} -t filter -A ENTRADANET -p tcp --dport ${port} -j TCPPERMITIDO
done
fi
#--------------------------------
#Teste com UDP ports
#--------------------------------
if [ "$PERMITIR_UDP" != "" ] ; then
for port in ${PERMITIR_UDP} ; do
${IPTABLES} -t filter -A ENTRADANET -p udp --dport ${port} -j ACCEPT
done
fi
#---------------------------------
# Pacotes com flags validas
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state ESTABLISHED -j ACCEPT
#---------------------------------
# TOS
#---------------------------------
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
#---------------------------------
# Regras padrao
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -j ${DROP}
${IPTABLES} -t filter -A SAIDANET -j ACCEPT