



    Bloqueando portas

    Colega, estou querendo bloquear todas as portas e liberar somente o necessário; utilizo o iptables, que redireciona a porta 80 para o squid na 3128.

    minha configuração original do iptables é assim:

    # Original ruleset.  The first INPUT rule accepts every packet arriving on
    # eth0, so for that interface the "--dport 80" rule further down adds
    # nothing (it still applies to eth1).  No INPUT policy is set in this
    # snippet, so unmatched packets fall through to whatever the default is.
    iptables -A INPUT -i eth0 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # Transparent proxy: TCP/80 arriving on eth0 is redirected to squid on local 3128.
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # Source NAT for everything leaving through eth1.
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    Mas um colega mandou que colocasse deste jeito; porém bloqueia tudo e o MSN não funciona.

    # Suggested ruleset.  Default-deny on INPUT and FORWARD; the OUTPUT policy
    # is not set here, so it stays at whatever it currently is.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    # Accepts everything that arrives on eth0; the two port rules after it
    # therefore only matter for other interfaces.
    iptables -A INPUT -i eth0 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # 465 is normally SMTPS over TCP; if that was the intent, -p tcp is needed.
    iptables -A INPUT -p udp --dport 465 -j ACCEPT
    # FORWARD lets through only existing connections and new TCP/1863 (MSN).
    # Apart from TCP/80, which the PREROUTING REDIRECT below hands to the
    # local squid, nothing else crosses the box: no DNS (53), no HTTPS (443)
    # from LAN clients.  That is a plausible reason MSN cannot sign in —
    # confirm with a LOG rule just before the policy drop.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT

    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT
    # multiport's option is --dports, and the negation goes before the option
    # ("! --dports 53,465"); "--dport !" is the deprecated form and, with -p udp
    # also loaded, --dport is likely taken by the udp match and the list
    # rejected — check what "iptables -L OUTPUT -n" shows for this rule.
    iptables -A OUTPUT -m multiport -p udp --dport ! 53,465 -j DROP

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    Alguém poderia ajudar? Meu intuito é bloquear todas as portas e liberar somente as necessárias.



    Olha só, isso vai te dar dor de cabeça, principalmente com bancos, algumas prefeituras e programas do financeiro. Pelo pouco que entendo, você quer fazer um firewall restritivo: bloquear tudo e liberar conforme precisar.

    Vou postar um script de firewall que eu adapto conforme a necessidade; veja se te serve.

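    #!/bin/bash
    # firewall - iptables wrapper for a LAN/WAN gateway with a transparent
    # squid proxy.
    #
    # Usage: firewall {start|stop|status|restart}  (see the case dispatcher
    #        at the end of the file)
    # Reads (in start_fw): /etc/fw_net_free.txt and /etc/fw_msn_free.txt,
    #        whitespace-separated lists of addresses.
    # Must run as root: it writes /proc/sys entries and changes iptables.

    ### definindo variaveis de programas
    # Absolute paths so the script does not depend on PATH; readonly because
    # nothing below is meant to reassign them.
    readonly ipt="/sbin/iptables"
    readonly mod="/sbin/modprobe"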

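    #######################################
    # Flush everything and load the complete rule set.
    # Globals:   ipt, mod (read)
    # Reads:     /etc/fw_net_free.txt - whitespace-separated addresses that get
    #                                   unfiltered access (no proxy)
    #            /etc/fw_msn_free.txt - LAN addresses allowed to reach MSN (1863)
    # Side effects: writes /proc/sys sysctls, loads netfilter modules, flushes
    #            and rebuilds filter/nat/mangle, reconfigures squid3.
    # Returns:   status of the last command (squid3 -k reconfigure)
    #######################################
    start_fw()
    {
      echo "O firewall esta sendo ligado."

      ### definindo variaveis
      LO_IF="lo"
      LO_IP="127.0.0.1"
      LAN_IF="eth0"
      LAN_IP="192.168.0.1"
      LAN_NET="192.168.0.0/24"
      WAN_IF="eth1"

      ### portas de saida
      # TCP ports the LAN may reach directly; used by the multiport rule in the
      # FORWARD section.  80/8080 are absent on purpose: PREROUTING redirects
      # them to squid, so they never reach FORWARD.
      FW_TCPOUT="443,1049,1364,2500,3007,3456,5017,5024,7080,8017"

      ### habilita roteamento de pacotes
      echo "1" > /proc/sys/net/ipv4/ip_forward

      ### desabilita resposta de ping de broadcast
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

      ### desabilita TCP SynCookies
      # NOTE(review): 0 switches SYN cookies off, removing the kernel's fallback
      # when the SYN backlog fills under a flood; on an Internet-facing gateway
      # the safer value is 1 unless there is a specific reason for 0.
      echo "0" > /proc/sys/net/ipv4/tcp_syncookies

      ### carregando modulos
      # Legacy ip_conntrack/ipt_* names; on newer kernels these presumably just
      # print a modprobe error and iptables autoloads what it needs.
      $mod ip_tables
      $mod ip_conntrack
      $mod iptable_filter
      $mod iptable_mangle
      $mod ipt_LOG
      $mod ipt_limit
      $mod ipt_state
      $mod ipt_MASQUERADE
      $mod ip_nat_ftp
      $mod ip_conntrack_ftp

      ### apagando as regras, apagando as chains
      $ipt -F
      $ipt -X
      $ipt -t nat -F
      $ipt -t nat -X
      $ipt -t mangle -F
      $ipt -t mangle -X

      ### setando policies
      # Default deny for INPUT/FORWARD; OUTPUT stays ACCEPT, so the OUTPUT
      # rules below only carve out exceptions.
      $ipt -P INPUT DROP
      $ipt -P FORWARD DROP
      $ipt -P OUTPUT ACCEPT
      $ipt -t nat -P OUTPUT ACCEPT
      $ipt -t nat -P PREROUTING ACCEPT
      $ipt -t nat -P POSTROUTING ACCEPT
      $ipt -t mangle -P PREROUTING ACCEPT
      $ipt -t mangle -P POSTROUTING ACCEPT

      ### tabelas adicionais
      # $ipt -N SYN_FLOOD
      # $ipt -N UNCLEAN
      # $ipt -N PING_DEATH
      # NOTE(review): PORT_SCANNER is filled in below but no rule jumps to it,
      # so it currently has no effect.
      $ipt -N PORT_SCANNER
      $ipt -N INVALID_SOURCE
      $ipt -N INVALID_CONECTION
      $ipt -N TRANS_PROXY -t nat
      $ipt -N SSH

      ### configura as tabelas
      $ipt -A PORT_SCANNER -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
      $ipt -A PORT_SCANNER -j LOG --log-prefix "[IPTables PortScan] : " --log-level info
      $ipt -A PORT_SCANNER -j DROP

      # Log-then-drop helpers; the prefix tells the entries apart in syslog.
      $ipt -A INVALID_SOURCE -j LOG --log-prefix "[IPTables Drop_Source] : " --log-level info
      $ipt -A INVALID_SOURCE -j DROP

      $ipt -A INVALID_CONECTION -j LOG --log-prefix "[IPTables Drop_Port] : " --log-level info
      $ipt -A INVALID_CONECTION -j DROP

      $ipt -A SSH -j LOG --log-prefix "[IPTables SSH] : " --log-level info
      $ipt -A SSH -j DROP

      # Destinations that RETURN here bypass the proxy: the gateway itself
      # (served by the INPUT web-server rule) and the listed networks.  FORWARD
      # has no rule for TCP/80, so port-80 traffic to those networks ends up in
      # INVALID_CONECTION (logged and dropped) unless the client is listed in
      # fw_net_free.txt — which seems to be what "redes bloqueadas" intends.
      $ipt -A TRANS_PROXY -t nat -d $LAN_IP -j RETURN
      $ipt -A TRANS_PROXY -t nat -d 200.201.174.0/24 -j RETURN #redes bloqueadas
      $ipt -A TRANS_PROXY -t nat -d 200.201.173.0/24 -j RETURN
      $ipt -A TRANS_PROXY -t nat -d 200.201.166.0/24 -j RETURN
      $ipt -A TRANS_PROXY -t nat -d 200.208.15.0/24 -j RETURN
      $ipt -A TRANS_PROXY -t nat -d 200.169.22.101/32 -j RETURN
      $ipt -A TRANS_PROXY -t nat -p tcp -j REDIRECT --to-port 3128 #redireciona para squid

      #############################################################################################
      ### tabela NAT
      #############################################################################################

      ## squid / proxy transparente
      $ipt -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j TRANS_PROXY
      $ipt -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 8080 -j TRANS_PROXY

      ### roteamento para TS
      # NOTE(review): this publishes RDP on the WAN interface to any source
      # address; if the remote sites are known, add -s to narrow it.  Also,
      # the FORWARD section has no rule accepting new TCP/3389 towards
      # 192.168.0.2, so the DNAT'ed packets reach the final INVALID_CONECTION
      # log/drop unless 192.168.0.2 is listed in /etc/fw_net_free.txt.
      $ipt -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389

      # mascarando a conexao compartilhando a internet
      $ipt -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE

      ### tabela OUTPUT

      ### destinos confiaveis
      $ipt -A OUTPUT -d $LAN_NET -j ACCEPT
      $ipt -A OUTPUT -d $LO_IP -j ACCEPT

      ### origens / destinos nao confiaveis
      # Locally generated packets with bogon/multicast sources or broadcast
      # destinations are dropped; everything else is accepted by policy.
      $ipt -A OUTPUT -s 10.0.0.0/8 -j DROP
      $ipt -A OUTPUT -s 172.16.0.0/12 -j DROP
      #$ipt -A OUTPUT -s 192.168.0.0/16 -j DROP
      $ipt -A OUTPUT -s 224.0.0.0/4 -j DROP
      $ipt -A OUTPUT -s 240.0.0.0/5 -j DROP
      $ipt -A OUTPUT -s 127.0.0.0/8 -j DROP
      $ipt -A OUTPUT -s 0.0.0.0/8 -j DROP
      $ipt -A OUTPUT -d 255.255.255.255 -j DROP
      $ipt -A OUTPUT -d 224.0.0.0/4 -j DROP

      ### tabela INPUT

      ### ssh - libera conexoes da rede interna
      # -i $LAN_IF so that a packet arriving on the WAN side with a forged LAN
      # source does not qualify (the FORWARD rules use the same interface+net
      # pair).
      $ipt -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
      $ipt -A FORWARD -d $LAN_NET -p tcp --dport 22 -j ACCEPT
      $ipt -A OUTPUT -d $LAN_NET -p tcp --dport 22 -j ACCEPT

      ### ssh - loga qualquer outra tentativa
      $ipt -A INPUT -p tcp --dport 22 -j SSH
      $ipt -A FORWARD -p tcp --dport 22 -j SSH
      $ipt -A OUTPUT -p tcp --dport 22 -j SSH

      ### Origens confiaveis
      # -i takes an interface name, not an address: with "-i 127.0.0.1" nothing
      # matched here and 127.0.0.0/8 sources were then caught by the
      # INVALID_SOURCE rule further down.
      $ipt -A INPUT -i $LO_IF -j ACCEPT
      $ipt -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT

      ### Origens nao confiaveis
      # 10/8 is dropped without logging, unlike the rest; probably an oversight.
      $ipt -A INPUT -s 10.0.0.0/8 -j DROP
      $ipt -A INPUT -s 172.16.0.0/12 -j INVALID_SOURCE
      #$ipt -A INPUT -s 192.168.0.0/16 -j INVALID_SOURCE
      $ipt -A INPUT -s 224.0.0.0/4 -j INVALID_SOURCE
      $ipt -A INPUT -s 240.0.0.0/5 -j INVALID_SOURCE
      $ipt -A INPUT -s 127.0.0.0/8 -j INVALID_SOURCE
      $ipt -A INPUT -s 0.0.0.0/8 -j INVALID_SOURCE
      $ipt -A INPUT -d 255.255.255.255 -j INVALID_SOURCE
      $ipt -A INPUT -d 224.0.0.0/4 -j INVALID_SOURCE

      ### permite entrar trafego ja estabelecido
      # Deliberately after the anti-spoof drops so a spoofed packet cannot
      # short-circuit here.
      $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

      # liberando mensagens ICMP
      $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
      $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
      $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

      ### Terminal Service
      # With the PREROUTING DNAT above, WAN packets for 3389 are rewritten to
      # 192.168.0.2 before routing and go through FORWARD, not INPUT; this rule
      # appears to matter only if that DNAT is removed.
      $ipt -A INPUT -i $WAN_IF -p tcp --dport 3389 -j ACCEPT

      ### computadores com acesso total a internet sem proxy
      # Entries are whitespace-separated.  Each listed address gets unrestricted
      # access to the gateway from the WAN side; the 0:65535 ranges match every
      # port, i.e. no restriction.
      for i in $(< /etc/fw_net_free.txt)
      do
        $ipt -A INPUT -i $WAN_IF -s "$i" -p tcp --sport 0:65535 --dport 0:65535 -j ACCEPT
        $ipt -A INPUT -i $WAN_IF -s "$i" -p udp --sport 0:65535 --dport 0:65535 -j ACCEPT
      done

      ### servidor web
      $ipt -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
      $ipt -A INPUT -i $LAN_IF -p tcp --dport 80 -j ACCEPT

      ### Permitindo conexoes externas ao servidor de E-Mail (POP/IMAP/SMTP/SASL2)
      # Only 110 and 25 are actually opened, despite the heading.
      $ipt -A INPUT -i $WAN_IF -p tcp --dport 110 -j ACCEPT
      $ipt -A INPUT -i $WAN_IF -p tcp --dport 25 -j ACCEPT

      ### DNS
      # 53 is open on every interface (no -i), so this box is the resolver for
      # the LAN — required, since FORWARD below has no rule for port 53.
      # 953 is BIND's rndc control port; leaving it reachable from the WAN side
      # is unusual — restrict it to -i $LO_IF/-i $LAN_IF if rndc is only used
      # locally.
      $ipt -A INPUT -p tcp --dport 53 -j ACCEPT
      $ipt -A INPUT -p udp --dport 53 -j ACCEPT
      $ipt -A INPUT -p tcp --dport 953 -j ACCEPT
      $ipt -A INPUT -p udp --dport 953 -j ACCEPT

      ### tabela FORWARD

      ### Permite entrar trafego ja estabelecido
      $ipt -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
      $ipt -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

      ### bloqueia orkut
      # Address-based block of fixed /24s; must stay ahead of the generic 443
      # accept below.  Verify these ranges still belong to the intended site.
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 64.233.171.0/24 -p tcp --dport 443 -j DROP
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 72.14.209.0/24 -p tcp --dport 443 -j DROP
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 216.239.51.0/24 -p tcp --dport 443 -j DROP

      ### libera outras conexoes HTTPS
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT

      ### libera portas do MSN
      for i in $(< /etc/fw_msn_free.txt)
      do
        $ipt -A FORWARD -i $LAN_IF -s "$i" -p tcp --dport 1863 -j ACCEPT
      done

      ### bloqueia portas MSN
      # Per-host allow above, then REJECT for the rest of the LAN.  A hostname
      # in -d is resolved once, when the rule is loaded: if DNS is unavailable
      # at that moment the rule fails to insert, and later address changes are
      # not tracked.  The same applies to the Terra hostnames below.
      $ipt -A FORWARD -s $LAN_NET -p tcp --dport 1863 -j REJECT
      $ipt -A FORWARD -s $LAN_NET -p tcp --dport 1864 -j REJECT
      $ipt -A FORWARD -s $LAN_NET -d loginnet.passport.com -j REJECT

      ### permite sair trafego definido
      # --dports is multiport's own option; --dport belongs to the tcp match,
      # which rejects a comma-separated list on current iptables versions.
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 0/0 -p tcp -m multiport --dports $FW_TCPOUT -j ACCEPT

      ### permite ping a partir da rede local
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 0/0 -p icmp -j ACCEPT

      ### permite ftp
      # 21 is the control channel; data channels presumably rely on the FTP
      # helper modules loaded above marking them RELATED.
      $ipt -A FORWARD -i $LAN_IF -p tcp --dport 21 -j ACCEPT
      $ipt -A FORWARD -i $LAN_IF -p tcp --dport 20 -j ACCEPT

      ### Permite clientes SMTP/POP3 para Terra
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d smtp.terra.com.br -p tcp --dport 25 -j ACCEPT
      $ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d pop.terra.com.br -p tcp --dport 110 -j ACCEPT

      ### Libera completo
      # Same list as the INPUT loop: these hosts are forwarded in both
      # directions without any port filtering.
      for i in $(< /etc/fw_net_free.txt)
      do
        $ipt -A FORWARD -i $WAN_IF -d "$i" -j ACCEPT
        $ipt -A FORWARD -i $LAN_IF -s "$i" -j ACCEPT
      done

      # Log do trafego nao permitido
      # Only TCP is logged; UDP and other protocols that get this far are
      # dropped silently by the FORWARD policy.
      $ipt -A FORWARD -p tcp -j INVALID_CONECTION

      ### reconfigura o squid3
      squid3 -k reconfigure
    }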

    #######################################
    # Open the firewall completely: every policy ACCEPT, counters zeroed,
    # rules and user-defined chains removed from filter, nat and mangle.
    # Globals:   ipt (read)
    # Returns:   status of the last iptables call
    #######################################
    stop_fw()
    {
      local table chain

      printf '%s\n' \
        "O firewall esta sendo desligado. Todos policies vao ser setados para ACCEPT," \
        "todas regras e chains vao ser apagadas, todos os contadores vao ser zerados."

      # setando TODOS os policies para ACCEPT (same chains, same order per table)
      for chain in INPUT FORWARD OUTPUT; do
        $ipt -P "$chain" ACCEPT
      done
      for chain in OUTPUT PREROUTING POSTROUTING; do
        $ipt -t nat -P "$chain" ACCEPT
      done
      for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
        $ipt -t mangle -P "$chain" ACCEPT
      done

      # zerando todos contadores
      $ipt -Z
      for table in nat mangle; do
        $ipt -t "$table" -Z
      done

      # apagando as regras, apagando as chains
      $ipt -F
      $ipt -X
      for table in nat mangle; do
        $ipt -t "$table" -F
        $ipt -t "$table" -X
      done
    }

    #######################################
    # List the active rules of every table with packet counters and line
    # numbers (filter, nat, mangle — in that order).
    # Globals:   ipt (read)
    # Outputs:   iptables listings on stdout
    # Returns:   status of the last iptables call
    #######################################
    status_fw()
    {
      local table

      printf '%s\n' "Estas são as regras ativas, chains, pacotes e contadores:"

      # lista as regras
      for table in filter nat mangle; do
        $ipt -t "$table" -L -v --line-numbers
      done
    }

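    # Dispatcher.  The usage text advertises "reload", so it is accepted as a
    # synonym for restart instead of falling into the error arm.
    case "$1" in
      start)
        start_fw
        ;;
      stop)
        stop_fw
        ;;
      status)
        status_fw
        ;;
      restart|reload)
        stop_fw
        start_fw
        ;;
      *)
        # Usage goes to stderr so it is not mistaken for command output.
        echo "Use: firewall {start|stop|status|restart|reload}" >&2
        exit 1
        ;;
    esac
    exit 0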