Bloqueado portas
Colega, estou querendo bloquear todas as portas e liberar somente o necessário; utilizo o iptables, que redireciona a porta 80 para o squid na 3128.
minha configuração original do iptables é assim:
# No -P line is given, so the built-in chain policies stay at whatever the
# kernel already has (normally ACCEPT) — these rules only add permits.
# Everything arriving on eth0 (the LAN side, see the MASQUERADE on eth1 below) is accepted.
iptables -A INPUT -i eth0 -j ACCEPT
# Loopback traffic is accepted.
iptables -A INPUT -i lo -j ACCEPT
# tcp/80 to the box itself is accepted on any interface.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTP from the LAN is rewritten to the local squid port; after REDIRECT
# it is delivered locally (INPUT), not forwarded.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Source NAT for everything leaving via eth1 (the WAN side).
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Mas um colega mandou que colocasse deste jeito; só que assim bloqueia tudo e não funciona o MSN.
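# Default-deny for incoming and routed traffic; permits follow.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# NOTE: no OUTPUT policy is set, so the box's own outgoing traffic stays at
# the kernel default (normally ACCEPT); the OUTPUT rules below only add the
# one explicit DROP at the end.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Everything from the LAN interface is accepted (this also covers the
# squid port 3128 that the REDIRECT below delivers to).
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# 465 (SMTPS) is a TCP service; a UDP match on 465 most likely never
# matches anything — confirm what this rule was meant to allow.
iptables -A INPUT -p udp --dport 465 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
# With FORWARD at DROP and only tcp/1863 permitted, LAN clients could
# neither resolve names nor open HTTPS sessions through the gateway; the
# MSN login phase uses HTTPS, which is the likely reason it "does not
# work". HTTP (80) never traverses FORWARD because the REDIRECT below
# hands it to squid.
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT
# multiport takes --dports (plural) and the negation goes in front of the
# option; the original "--dport ! 53,465" is not a valid multiport match
# and fails to load, leaving no UDP restriction at all.
iptables -A OUTPUT -p udp -m multiport ! --dports 53,465 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE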
Alguém poderia ajudar? Meu intuito é bloquear todas as portas e liberar somente as necessárias.
-
Olha só, isso vai te dar dor de cabeça principalmente com bancos, algumas prefeituras e programas do financeiro. Pelo pouco que eu entendo você quer fazer um firewall restritivo, vai bloquear tudo e liberar conforme precisar.
Vou postar um script de firewall que eu adapto conforme a necessidade, se te servir.
#!/bin/bash
# firewall
### definindo variaveis de programas
# Absolute paths of the tools the functions below invoke, so the script
# does not depend on PATH when run from an init script.
ipt='/sbin/iptables'
mod='/sbin/modprobe'
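#######################################
# Prints the usable entries of a host/network list file, one per line.
# Blank lines and '#' comments are skipped and several entries on one
# line are split, matching the original word-splitting behaviour. A
# missing or unreadable file yields a warning on stderr and no output,
# so the caller's loop runs zero times instead of feeding junk to iptables.
# Arguments: $1 - path of the list file
# Outputs:   one entry per line on stdout
#######################################
fw_list()
{
  local file=$1 line
  local -a words
  if [[ ! -r "$file" ]]; then
    printf 'firewall: lista %s nao encontrada, ignorando\n' "$file" >&2
    return 0
  fi
  while IFS= read -r line || [[ -n "$line" ]]; do
    words=()
    read -r -a words <<<"${line%%#*}"
    if (( ${#words[@]} > 0 )); then
      printf '%s\n' "${words[@]}"
    fi
  done < "$file"
}

#######################################
# Loads netfilter modules, sets default-deny policies and installs every
# rule (filter, nat, mangle), then asks squid3 to reload.
# Globals:   ipt, mod (read); LO_IP LAN_IF LAN_IP LAN_NET WAN_IF FW_TCPOUT (written)
# Reads:     /etc/fw_net_free.txt  - hosts with unrestricted access
#            /etc/fw_msn_free.txt  - hosts allowed to reach tcp/1863
# Outputs:   progress message on stdout
#######################################
start_fw()
{
  local m host
  echo "O firewall esta sendo ligado."
  ### variables
  LO_IP="127.0.0.1"
  LAN_IF="eth0"
  LAN_IP="192.168.0.1"
  LAN_NET="192.168.0.0/24"
  WAN_IF="eth1"
  ### outbound TCP ports the LAN may reach directly (FORWARD)
  FW_TCPOUT="443,1049,1364,2500,3007,3456,5017,5024,7080,8017"
  ### enable packet forwarding
  echo "1" > /proc/sys/net/ipv4/ip_forward
  ### ignore broadcast pings
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  ### TCP SYN cookies: the original wrote 0 (disabled). Nothing else in this
  ### script limits SYN rates (PORT_SCANNER is created but never jumped to),
  ### so keep the kernel's SYN-flood protection on.
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  ### load modules (same order as before; modprobe failures are only printed)
  for m in ip_tables ip_conntrack iptable_filter iptable_mangle ipt_LOG \
           ipt_limit ipt_state ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp; do
    "$mod" "$m"
  done
  ### flush rules, delete user chains
  "$ipt" -F
  "$ipt" -X
  "$ipt" -t nat -F
  "$ipt" -t nat -X
  "$ipt" -t mangle -F
  "$ipt" -t mangle -X
  ### policies
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
  "$ipt" -t nat -P OUTPUT ACCEPT
  "$ipt" -t nat -P PREROUTING ACCEPT
  "$ipt" -t nat -P POSTROUTING ACCEPT
  "$ipt" -t mangle -P PREROUTING ACCEPT
  "$ipt" -t mangle -P POSTROUTING ACCEPT
  ### user chains
  # "$ipt" -N SYN_FLOOD
  # "$ipt" -N UNCLEAN
  # "$ipt" -N PING_DEATH
  "$ipt" -N PORT_SCANNER   # populated below but no rule jumps to it
  "$ipt" -N INVALID_SOURCE
  "$ipt" -N INVALID_CONECTION
  "$ipt" -N TRANS_PROXY -t nat
  "$ipt" -N SSH
  ### chain contents
  "$ipt" -A PORT_SCANNER -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
  "$ipt" -A PORT_SCANNER -j LOG --log-prefix "[IPTables PortScan] : " --log-level info
  "$ipt" -A PORT_SCANNER -j DROP
  "$ipt" -A INVALID_SOURCE -j LOG --log-prefix "[IPTables Drop_Source] : " --log-level info
  "$ipt" -A INVALID_SOURCE -j DROP
  "$ipt" -A INVALID_CONECTION -j LOG --log-prefix "[IPTables Drop_Port] : " --log-level info
  "$ipt" -A INVALID_CONECTION -j DROP
  "$ipt" -A SSH -j LOG --log-prefix "[IPTables SSH] : " --log-level info
  "$ipt" -A SSH -j DROP
  ### TRANS_PROXY: destinations that must bypass the proxy RETURN; any
  ### remaining TCP is redirected to squid.
  "$ipt" -A TRANS_PROXY -t nat -d "$LAN_IP" -j RETURN
  "$ipt" -A TRANS_PROXY -t nat -d 200.201.174.0/24 -j RETURN   # networks that bypass the proxy
  "$ipt" -A TRANS_PROXY -t nat -d 200.201.173.0/24 -j RETURN
  "$ipt" -A TRANS_PROXY -t nat -d 200.201.166.0/24 -j RETURN
  "$ipt" -A TRANS_PROXY -t nat -d 200.208.15.0/24 -j RETURN
  "$ipt" -A TRANS_PROXY -t nat -d 200.169.22.101/32 -j RETURN
  "$ipt" -A TRANS_PROXY -t nat -p tcp -j REDIRECT --to-port 3128   # to squid
  #############################################################################################
  ### NAT table
  #############################################################################################
  ## transparent squid proxy
  "$ipt" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j TRANS_PROXY
  "$ipt" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 8080 -j TRANS_PROXY
  ### RDP to the Terminal Server. This publishes tcp/3389 to the whole
  ### internet; if the remote side is known, add "-s <trusted-address>".
  "$ipt" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
  # masquerade everything leaving via the WAN interface
  "$ipt" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  ### OUTPUT table
  ### trusted destinations
  "$ipt" -A OUTPUT -d "$LAN_NET" -j ACCEPT
  "$ipt" -A OUTPUT -d "$LO_IP" -j ACCEPT
  ### untrusted sources / destinations
  "$ipt" -A OUTPUT -s 10.0.0.0/8 -j DROP
  "$ipt" -A OUTPUT -s 172.16.0.0/12 -j DROP
  #"$ipt" -A OUTPUT -s 192.168.0.0/16 -j DROP
  "$ipt" -A OUTPUT -s 224.0.0.0/4 -j DROP
  "$ipt" -A OUTPUT -s 240.0.0.0/5 -j DROP
  "$ipt" -A OUTPUT -s 127.0.0.0/8 -j DROP
  "$ipt" -A OUTPUT -s 0.0.0.0/8 -j DROP
  "$ipt" -A OUTPUT -d 255.255.255.255 -j DROP
  "$ipt" -A OUTPUT -d 224.0.0.0/4 -j DROP
  ### INPUT table
  ### ssh - allow from the internal network
  "$ipt" -A INPUT -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  "$ipt" -A FORWARD -d "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  "$ipt" -A OUTPUT -d "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  ### ssh - log and drop any other attempt
  "$ipt" -A INPUT -p tcp --dport 22 -j SSH
  "$ipt" -A FORWARD -p tcp --dport 22 -j SSH
  "$ipt" -A OUTPUT -p tcp --dport 22 -j SSH
  ### trusted origins
  # Loopback must be matched by *interface*. The original passed the
  # loopback IP to -i, which never matches, and 127/8 sources were then
  # dropped by INVALID_SOURCE below — breaking anything talking to itself.
  "$ipt" -A INPUT -i lo -j ACCEPT
  "$ipt" -A INPUT -s "$LAN_NET" -j ACCEPT
  ### untrusted origins
  "$ipt" -A INPUT -s 10.0.0.0/8 -j DROP
  "$ipt" -A INPUT -s 172.16.0.0/12 -j INVALID_SOURCE
  #"$ipt" -A INPUT -s 192.168.0.0/16 -j INVALID_SOURCE
  "$ipt" -A INPUT -s 224.0.0.0/4 -j INVALID_SOURCE
  "$ipt" -A INPUT -s 240.0.0.0/5 -j INVALID_SOURCE
  "$ipt" -A INPUT -s 127.0.0.0/8 -j INVALID_SOURCE
  "$ipt" -A INPUT -s 0.0.0.0/8 -j INVALID_SOURCE
  "$ipt" -A INPUT -d 255.255.255.255 -j INVALID_SOURCE
  "$ipt" -A INPUT -d 224.0.0.0/4 -j INVALID_SOURCE
  ### allow already-established traffic in
  "$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # ICMP messages
  "$ipt" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$ipt" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  "$ipt" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  ### (Terminal Services: the DNAT above makes tcp/3389 a *forwarded* flow,
  ### so the accept lives in the FORWARD section; an INPUT rule never matched.)
  ### hosts with full internet access without proxy
  # NOTE(review): these match the listed addresses as sources arriving on
  # the WAN side; if the file lists LAN hosts, the LAN accept above already
  # covers them and these rules never match — verify against the file.
  # "--sport 0:65535 --dport 0:65535" was dropped: it matched every port.
  while IFS= read -r host; do
    "$ipt" -A INPUT -i "$WAN_IF" -s "$host" -p tcp -j ACCEPT
    "$ipt" -A INPUT -i "$WAN_IF" -s "$host" -p udp -j ACCEPT
  done < <(fw_list /etc/fw_net_free.txt)
  ### web server
  "$ipt" -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
  "$ipt" -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT
  ### external connections to the mail server (POP/IMAP/SMTP/SASL2)
  "$ipt" -A INPUT -i "$WAN_IF" -p tcp --dport 110 -j ACCEPT
  "$ipt" -A INPUT -i "$WAN_IF" -p tcp --dport 25 -j ACCEPT
  ### DNS — open on every interface. No udp/53 is forwarded for the LAN
  ### below, so LAN clients presumably use this gateway as their resolver.
  "$ipt" -A INPUT -p tcp --dport 53 -j ACCEPT
  "$ipt" -A INPUT -p udp --dport 53 -j ACCEPT
  ### rndc control channel (953): keep it off the WAN interface — the
  ### original accepted it from anywhere.
  "$ipt" -A INPUT ! -i "$WAN_IF" -p tcp --dport 953 -j ACCEPT
  "$ipt" -A INPUT ! -i "$WAN_IF" -p udp --dport 953 -j ACCEPT
  ### FORWARD table
  ### allow already-established traffic through
  "$ipt" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  ### Terminal Server: accept the DNAT'd RDP flow (it is routed, not
  ### delivered locally). Without this it ended at INVALID_CONECTION.
  "$ipt" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d 192.168.0.2 -p tcp --dport 3389 -j ACCEPT
  ### block orkut (hard-coded address blocks; likely stale over time)
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 64.233.171.0/24 -p tcp --dport 443 -j DROP
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 72.14.209.0/24 -p tcp --dport 443 -j DROP
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 216.239.51.0/24 -p tcp --dport 443 -j DROP
  ### allow all other HTTPS
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
  ### MSN: hosts allowed to use it
  while IFS= read -r host; do
    "$ipt" -A FORWARD -i "$LAN_IF" -s "$host" -p tcp --dport 1863 -j ACCEPT
  done < <(fw_list /etc/fw_msn_free.txt)
  ### MSN: rejected for everybody else
  "$ipt" -A FORWARD -s "$LAN_NET" -p tcp --dport 1863 -j REJECT
  "$ipt" -A FORWARD -s "$LAN_NET" -p tcp --dport 1864 -j REJECT
  # Host names here are resolved once, when the rule is loaded; if DNS is
  # unavailable at that moment the rule fails to load and the script just
  # carries on without it.
  "$ipt" -A FORWARD -s "$LAN_NET" -d loginnet.passport.com -j REJECT
  ### allow the defined outbound TCP ports
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 0/0 -p tcp -m multiport --dport "$FW_TCPOUT" -j ACCEPT
  ### allow ping from the LAN
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d 0/0 -p icmp -j ACCEPT
  ### allow ftp
  "$ipt" -A FORWARD -i "$LAN_IF" -p tcp --dport 21 -j ACCEPT
  "$ipt" -A FORWARD -i "$LAN_IF" -p tcp --dport 20 -j ACCEPT
  ### SMTP/POP3 clients to Terra (host names resolved at load time, as above)
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d smtp.terra.com.br -p tcp --dport 25 -j ACCEPT
  "$ipt" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -d pop.terra.com.br -p tcp --dport 110 -j ACCEPT
  ### full access
  while IFS= read -r host; do
    "$ipt" -A FORWARD -i "$WAN_IF" -d "$host" -j ACCEPT
    "$ipt" -A FORWARD -i "$LAN_IF" -s "$host" -j ACCEPT
  done < <(fw_list /etc/fw_net_free.txt)
  # log what is not allowed (TCP only; UDP and other protocols hit the
  # DROP policy without a log entry)
  "$ipt" -A FORWARD -p tcp -j INVALID_CONECTION
  ### reload squid3
  squid3 -k reconfigure
}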
#######################################
# Opens the firewall: every built-in policy goes to ACCEPT, counters are
# zeroed, all rules are flushed and user chains deleted, in that order.
# Globals:  ipt (read)
# Outputs:  two notice lines on stdout
# NOTE(review): ip_forward, enabled by start_fw, is not reset here, so
# after "stop" the box keeps routing with ACCEPT policies and no NAT.
#######################################
stop_fw()
{
  local chain table
  echo "O firewall esta sendo desligado. Todos policies vao ser setados para ACCEPT,"
  echo "todas regras e chains vao ser apagadas, todos os contadores vao ser zerados."
  # policies -> ACCEPT (filter without -t, as the original did)
  for chain in INPUT FORWARD OUTPUT; do
    "$ipt" -P "$chain" ACCEPT
  done
  for chain in OUTPUT PREROUTING POSTROUTING; do
    "$ipt" -t nat -P "$chain" ACCEPT
  done
  for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
    "$ipt" -t mangle -P "$chain" ACCEPT
  done
  # zero all counters
  "$ipt" -Z
  for table in nat mangle; do
    "$ipt" -t "$table" -Z
  done
  # flush rules, delete user chains
  "$ipt" -F
  "$ipt" -X
  for table in nat mangle; do
    "$ipt" -t "$table" -F
    "$ipt" -t "$table" -X
  done
}
#######################################
# Lists the active rules of the filter, nat and mangle tables with
# packet/byte counters and rule numbers.
# Globals:  ipt (read)
# Outputs:  iptables listings on stdout
#######################################
status_fw()
{
  local table
  echo "Estas são as regras ativas, chains, pacotes e contadores:"
  for table in filter nat mangle; do
    "$ipt" -t "$table" -L -v --line-numbers
  done
}
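# Dispatch on the first argument. "reload" was advertised in the usage
# text but had no arm and therefore fell into the error path; it now
# behaves like "restart".
case "$1" in
  start)
    start_fw
    ;;
  stop)
    stop_fw
    ;;
  status)
    status_fw
    ;;
  restart|reload)
    stop_fw
    start_fw
    ;;
  *)
    echo "Use: firewall {start|stop|status|restart|reload}"
    exit 1
    ;;
esac
exit 0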