+ Responder ao Tópico



  1. #1
    Notielc
    Preciso fazer uma certa segurança na minha empresa e preciso bloquear todas as portas e depois liberar apenas a q necessito, como posso estar fazendo isso e se é o melhor caminho...

    obrigado ... <IMG SRC="images/forum/smilies/icon_biggrin.gif"> <IMG SRC="images/forum/smilies/icon_lol.gif">

  2. #2
    redoctober
    Bom.. aqui está um firewall para que você estude e veja como funciona:
    ----------------------------------------------------


    #!/bin/sh
    ##################################################################

    IPTABLES="iptables"
    INTERNAL="eth1" # Internal Interface
    EXTERNAL="eth0" # External Interface
    LOOPBACK="lo" # Loopback Interface
    INTERNAL_NET="10.0.0.0/8"


    # This is another way to specify your IP addresses suggested by
    # Anders Ahl from IBM-Sweden
    #
    # This is particularly useful for getting static addresses.
    # Remember if you are running DHCP on your external interface
    # it is possible, but unlikely that your IP could change while
    # your computer is running. So, specifying your external IP
    # address could cause you to have to rerun this script in the
    # event of an IP change.
    #
    # INTERNAL_IP=`ifconfig $INTERNAL | sed -n &acute;/inet/s/^[ ]*inet addr[0-9.]*).*/1/p&acute;`
    # EXTERNAL_IP=`ifconfig $EXTERNAL | sed -n &acute;/inet/s/^[ ]*inet addr[0-9.]*).*/1/p&acute;`
    #
    # Get our broadcast addresses
    # INTERNAL_BCAST=`ifconfig $INTERNAL | sed -n &acute;/inet/s/^.*Bcast[0-9.]*).*/1/p&acute;`
    # EXTERNAL_BCAST=`ifconfig $EXTERNAL | sed -n &acute;/inet/s/^.*Bcast[0-9.]*).*/1/p&acute;`
    #
    # Define our internal network
    # INTERNAL_NET="$INTERNAL_IP/24"


    ## Attempt to Flush All Rules in Filter Table
    $IPTABLES -F

    ## Flush Built-in Rules
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD

    ## Flush Rules/Delete User Chains in Mangle Table
    $IPTABLES -F -t mangle
    $IPTABLES -t mangle -X

    ## Delete all user-defined chains, reduces dumb warnings if you run
    ## this script more than once.
    $IPTABLES -X

    ## Set Default Policies
    $IPTABLES -P INPUT DROP ## Highly Recommended
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    #$IPTABLES -A INPUT -j LOG --log-level=info

    ## Nortel Extranet Client Stuff
    # This will allow access for ipsec-based vpn clients
    # (like the nortel extranet client).
    #
    # I&acute;ve heard that the CES servers can be configured
    # differently. So, ymmv.
    #
    # This seems to work for me with version 4.10 of the
    # nortel extranet client (eac410d.exe).
    #
    # There&acute;s another rule down in the nat secton to port
    # forward 500 to a local box, and another rule to leave
    # port 500 open in the external ports section. You&acute;ll
    # need to uncomment both of those to get a reliable vpn
    # connection.
    #
    # I needed to do that in order to get my box to stay
    # connected to the CES because of the udp rekey packets
    # that are sent. (They won&acute;t route correctly otherwise).
    #
    # (uncomment the following two lines if needed)
    # $IPTABLES -A INPUT -p 50 -j ACCEPT
    # $IPTABLES -A INPUT -p 51 -j ACCEPT

    ## More variables further down near the NAT rules.

    ## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.

    ###############################################################################
    ## Special Chains
    ###############################################################################

    ###############################################################################
    ## Special chain KEEP_STATE to handle incoming, outgoing, and
    ## established connections.

    $IPTABLES -N KEEP_STATE
    $IPTABLES -F KEEP_STATE

    ## DROP packets associated with an "INVALID" connection.
    $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP

    ## ACCEPT certain packets which are starting a new connection or are
    ## related to an established connection.
    $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

    ## ACCEPT packets whose input interface is anything but the external interface.
    $IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT


    ###############################################################################
    ## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
    ## TCP flags set.

    ## We set some limits here to limit the amount of crap that gets sent to the logs.
    ## Keep in mind that these rules should never match normal traffic, they&acute;re
    ## are designed to capture obviously messed up packets... but there&acute;s alot of
    ## wierd shit out there, so who knows.

    ## Log facility/priority for these are kern.alert, please adjust for your taste. See
    ## the iptables and syslog.conf man pages for logging details.

    $IPTABLES -N CHECK_FLAGS
    $IPTABLES -F CHECK_FLAGS

    ## NMAP FIN/URG/PSH
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

    ## Xmas Tree
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry XMAS:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP

    ## Another Xmas Tree
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    ## Null Scan(possibly)
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

    ## SYN/RST
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/RST:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    ## SYN/FIN -- Scan(possibly)
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
    --limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/FIN:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    ## Make some types of port scans annoyingly slow, also provides some protection
    ## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
    ## INVALID state should catch most TCP packets with the RST or FIN bits set that
    ## aren&acute;t associate with an established connection. Still, these will limit the
    ## amount of stuff that is accepted through our open ports(if any). I suggest you
    ## test these for your configuration before you uncomment them, as they could cause
    ## problems.

    # $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
    # $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
    # $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT


    ###############################################################################
    ## Special Chain DENY_PORTS
    ## This chain will DROP/LOG packets based on port number

    $IPTABLES -N DENY_PORTS
    $IPTABLES -F DENY_PORTS

    ## NFS, X, VNC, SMB, blah blah
    $IPTABLES -A DENY_PORTS -p tcp --dport 137:139 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 137:139 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j ACCEPT
    $IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j ACCEPT

    ## (Possibly) Evil Stuff ##

    ## Possible rpc.statd exploit shell
    $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"

    $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"

    ## NetBus and NetBus Pro
    $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "NetBus Pro:"
    $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "NetBus:"

    ## Trinoo
    $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"
    $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"

    $IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"
    $IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"

    $IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"
    $IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "Trinoo:"

    ## Back Orifice
    $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j DROP
    $IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP

    $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
    $IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"

    $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
    $IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute
    -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"


    ###############################################################################
    ## Special Chain SRC_EGRESS
    ## Rules to Provide Egress Filtering Based on Source IP Address.

    $IPTABLES -N SRC_EGRESS
    $IPTABLES -F SRC_EGRESS

    ##------------------------------------------------------------------------##
    ## DROP all reserved private IP addresses. Some of these may be legit
    ## for certain networks and configurations. For connection problems,
    ## traceroute is your friend.

    ## Class A Reserved
    $IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j ACCEPT

    ## Class B Reserved
    $IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP

    ## Class C Reserved
    $IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP

    ## Class D Reserved
    $IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP

    ## Class E Reserved
    $IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP

    ## Other Reserved Addresses ##
    ## The following was adapted from Jean-Sebastien Morisset&acute;s excellent IPChains
    ## firewall script, available at
    ## http://www.jsmoriss.dyndns.org/linux/rc.firewall

    RESERVED_NET="
    0.0.0.0/8 1.0.0.0/8 2.0.0.0/8
    5.0.0.0/8
    7.0.0.0/8
    23.0.0.0/8
    27.0.0.0/8
    31.0.0.0/8
    36.0.0.0/8 37.0.0.0/8
    39.0.0.0/8
    41.0.0.0/8 42.0.0.0/8
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
    67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8
    81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8
    126.0.0.0/8 127.0.0.0/8
    197.0.0.0/8
    201.0.0.0/8
    218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

    for NET in $RESERVED_NET; do
    $IPTABLES -A SRC_EGRESS -s $NET -j DROP
    done

    ##------------------------------------------------------------------------##


    ###############################################################################
    ## Special Chain DST_EGRESS
    ## Rules to Provide Egress Filtering Based on Destination IP Address.

    $IPTABLES -N DST_EGRESS
    $IPTABLES -F DST_EGRESS

    ##------------------------------------------------------------------------##
    ## DROP all reserved private IP addresses. Some of these may be legit
    ## for certain networks and configurations. For connection problems,
    ## traceroute is your friend.

    ## Class A Reserved
    #$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j ACCEPT

    ## Class B Reserved
    $IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP

    ## Class C Reserved
    $IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP

    ## Class D Reserved
    $IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP

    ## Class E Reserved
    $IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP

    ## Other Reserved Addresses ##
    ## The following was adapted from Jean-Sebastien Morisset&acute;s excellent IPChains
    ## firewall script, available at
    ## http://www.jsmoriss.dyndns.org/linux/rc.firewall

    for NET in $RESERVED_NET; do
    $IPTABLES -A DST_EGRESS -d $NET -j DROP
    done

    ##------------------------------------------------------------------------##


    ###############################################################################
    ## Special Chain MANGLE_OUTPUT
    ## Mangle values of packets created locally. Only TOS values are mangled right
    ## now.

    ## TOS stuff: (type: iptables -m tos -h)
    ## Minimize-Delay 16 (0x10)
    ## Maximize-Throughput 8 (0x08)
    ## Maximize-Reliability 4 (0x04)
    ## Minimize-Cost 2 (0x02)
    ## Normal-Service 0 (0x00)

    $IPTABLES -t mangle -N MANGLE_OUTPUT
    $IPTABLES -t mangle -F MANGLE_OUTPUT

    ##------------------------------------------------------------------------------##
    ## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    ## - To view mangle table, type: iptables -L -t mangle

    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8

    ##------------------------------------------------------------------------------##


    ###############################################################################
    ## Special Chain MANGLE_PREROUTING
    ## Rules to mangle TOS values of packets routed through the firewall. Only TOS
    ## values are mangled right now.

    ## TOS stuff: (type: iptables -m tos -h)
    ## Minimize-Delay 16 (0x10)
    ## Maximize-Throughput 8 (0x08)
    ## Maximize-Reliability 4 (0x04)
    ## Minimize-Cost 2 (0x02)
    ## Normal-Service 0 (0x00)

    $IPTABLES -t mangle -N MANGLE_PREROUTING
    $IPTABLES -t mangle -F MANGLE_PREROUTING

    ##-------------------------------------------------------------------------------##
    ## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    ## - To view mangle table, type: iptables -L -t mangle

    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
    $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8

    ##-------------------------------------------------------------------------------##


    ###############################################################################
    ## Special Chain ALLOW_EXTERNAL_PORTS
    ## Rules to allow packets destined for the external interface based on port
    ## number.

    $IPTABLES -N ALLOW_PORTS-EXTERNAL
    $IPTABLES -F ALLOW_PORTS-EXTERNAL

    ##------------------------------------------------------------------------##
    ## ALLOW foreign machines to access certain services.(Examples)
    ## SSH
    # if you want to be able to ssh into your firewall externally then uncomment this
    $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 22 -j ACCEPT

    ## FTP
    # You can uncomment this if you want ftp to work over the Internet
    # I wouldn&acute;t though because wu-ftp frequently has remote exploits
    # Leaving this line commented still allows LOCAL machines to ftp into the firewall
    # $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 21 -j ACCEPT

    ## NORTEL EXTRANET CLIENT 4.10D, 4.15 PORT
    # $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 500 -j ACCEPT

    ## IDENT
    # You&acute;ll likely need to enable this if you use irc.
    # $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j ACCEPT

    ## REJECT port 113 ident requests.
    # You&acute;ll likely want to enable this if you use irc.
    # $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j REJECT

    ## WWW
    # a lot of cable modem providers drop port 80 stuff now (because of code red).
    # this will likely have no effect if you uncomment it.
    # $IPTABLES -A ALLOW_PORTS -EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT

    ## SMTP porta para receber E mail
    $iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    $iptables -A INPUT -p udp --dport 25 -j ACCEPT

    ###############################################################################
    ## Firewall Input Chains
    ###############################################################################

    ###############################################################################
    ## New chain for input to the external interface

    $IPTABLES -N EXTERNAL-input
    $IPTABLES -F EXTERNAL-input

    ##------------------------------------------------------------------------##
    ## Check TCP packets coming in on the external interface for wierd flags
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Filter incomming packets based on port number.
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j DENY_PORTS
    ##------------------------------------------------------------------------##

    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE

    ##------------------------------------------------------------------------##
    ## Filter out Reserved/Private IP addresses.
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Filter out Reserved/Private IP addresses.
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Allow Packets On Certain External Ports
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## ICMP Stuff. Drop everything.

    ## Echo Reply (pong)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT

    ## Destination Unreachable (blah)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

    ## Echo Request (ping) -- Several Options:
    ## Accept Pings ##
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT

    ## Accept Pings at the rate of one per second. ##
    # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit
    # --limit 1/second -j ACCEPT

    ## LOG all pings. ##
    # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit
    # --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"

    ## TTL Exceeded (traceroute)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
    ##------------------------------------------------------------------------##


    ###############################################################################
    ## New chain for input to the internal interface

    $IPTABLES -N INTERNAL-input
    $IPTABLES -F INTERNAL-input

    ## ACCEPT internal to internal traffic
    $IPTABLES -A INTERNAL-input -i $INTERNAL -j ACCEPT

    ## DROP anything not coming from the internal network
    # $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP

    ##------------------------------------------------------------------------##
    ## Check TCP packets coming in on the external interface for wierd flags
    $IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Filter out Reserved/Private IP addresses based on Destination IP address.
    $IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
    ##------------------------------------------------------------------------##


    ###############################################################################
    ## New chain for input to the loopback interface

    $IPTABLES -N LO-input
    $IPTABLES -F LO-input

    ## Accept packets to the loopback interface
    $IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT


    ###############################################################################
    ## Firewall Output Chains
    ###############################################################################

    ###############################################################################
    ## New chain for output from the external interface

    $IPTABLES -N EXTERNAL-output
    $IPTABLES -F EXTERNAL-output

    ## ACCEPT outgoing packets on the external interface
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT

    ##------------------------------------------------------------------------##
    ## Filter out Reserved/Private IP addresses.
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Filter out Reserved/Private IP addresses.
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
    ##------------------------------------------------------------------------##

    ##------------------------------------------------------------------------##
    ## Filter outgoing packets based on port number.
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
    ##------------------------------------------------------------------------##


    ###############################################################################
    ## New chain for output across the internal interface

    $IPTABLES -N INTERNAL-output
    $IPTABLES -F INTERNAL-output

    ## ACCEPT all outbound traffic across the internal interfaces
    $IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
    $IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE


    ###############################################################################
    ## New chain for output across the loopback device

    $IPTABLES -N LO-output
    $IPTABLES -F LO-output

    ## ACCEPT all traffic across loopback device
    $IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT


    ###############################################################################
    ## Main Stuff
    ###############################################################################

    ## Jumping to our INPUT chains.
    $IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
    $IPTABLES -A INPUT -i $LOOPBACK -j LO-input

    $IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input

    ## Sort of a Catch-all
    $IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP

    ## Jump to our OUTPUT chains.
    $IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
    $IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
    $IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
    $IPTABLES -A OUTPUT -j KEEP_STATE

    ## Jump to our FORWARD chains.
    $IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
    $IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
    $IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
    $IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
    # $IPTABLES -A FORWARD -j KEEP_STATE

    ## Jump to mangle table rules
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
    $IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING


    ### END FIREWALL RULES ###



    ###############################################################################
    ## IPTABLES Network Address Translation(NAT) Rules
    ###############################################################################


    INTERNAL_NET="10.0.0.0/8"
    EXT_IP="200.207.188.118" # IP address of the External Interface.

    ## Flush the NAT table.
    $IPTABLES -F -t nat

    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/8 -j MASQUERADE


    ##------------------------------------------------------------------------##
    ## Destination NAT -- (DNAT)
    ##------------------------------------------------------------------------##

    ## "Redirect" packets headed for certain ports on our external interface to other
    ## machines on the network. (Examples)

    # NORTEL EXTRANET CLIENT 4.10D, 4.15 PORT
    # $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p 17 --dport 500
    # -j DNAT --to 192.168.0.2:500

    # TightVNC, VNC forwarding
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5901
    -j DNAT --to 10.10.1.158:5901

    # Serious Sam 2 - The Second Encounter Server Forwarding
    # $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 25600
    # -j DNAT --to 192.168.0.2:25600
    # $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p udp --dport 25600
    # -j DNAT --to 192.168.0.2:25600

    # Microsoft Netmeeting (you&acute;ll need to be running the h323 module too for this).
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 389
    -j DNAT --to 10.10.1.158:389
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 522
    -j DNAT --to 10.10.1.158:522
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1503
    -j DNAT --to 10.10.1.158:1503
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1720
    -j DNAT --to 10.10.1.158:1720
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 1731
    -j DNAT --to 10.10.1.158:1731


    ##------------------------------------------------------------------------##
    ## Source NAT -- (SNAT/Masquerading)
    ##------------------------------------------------------------------------##

    ## Source NAT allows us to "masquerade" our internal machines behind our
    ## firewall.

    ## Static IP address ##
    ## Change source address of outgoing packets on external
    ## interface to our IP address.
    # $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP

    ## Dynamic IP address ##
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE


    ### END NAT RULES ###


    ###############################################################################
    ## Additional Kernel Configuration
    ###############################################################################

    ## Adjust for your requirements/preferences.
    ## Please make sure you understand what these things are doing before you
    ## uncomment them. A good place to start would be some of the resources
    ## listed at the top of this script as well as the documentation that comes
    ## with the linux kernel source.
    ## For Example: linux/Documentation/filesystems/proc.txt
    ## linux/Documentation/networking/ip-sysctl.txt

    ## - Disable source routing of packets
    #if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    # for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    # echo 0 > $i;
    # done
    #fi

    ## - Enable rp_filter
    #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    # for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    # echo 1 > $i;
    # done
    #fi

    ## - Ignore any broadcast icmp echo requests
    #if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #fi

    ## - Ignore all icmp echo requests on all interfaces
    #if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
    # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    #fi

    ## - Local port range for TCP/UDP connections
    #if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    # echo -e "32768t61000" > /proc/sys/net/ipv4/ip_local_port_range
    #fi

    ## - Log packets with impossible addresses to kernel log.
    #if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    # echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #fi

    ## - Don&acute;t accept ICMP redirects
    #if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    # echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    #fi

    ## - Don&acute;t accept ICMP redirects
    ## (You may only want to disable on the external interface)
    #if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
    # echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
    #fi

    ## Additional options for dialup connections with a dynamic ip address
    ## See: linux/Documentation/networking/ip_dynaddr.txt
    #if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
    # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    #fi

    ## - Enable IP Forwarding
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    else
    echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn&acute;t exist"
    echo "(That may be a problem)"
    fi



    Qualquer coisa é só comentar aqui no fórum que muita gente irá te ajudar!



  3. #3
    redoctober
    Lembra que no código acima aparecem " você deve alterar para " ... isso é devido ao interpretador do fórum!

    <IMG SRC="images/forum/smilies/icon_biggrin.gif">






Tópicos Similares

  1. Kazaa + firewall
    Por serrato no fórum Servidores de Rede
    Respostas: 3
    Último Post: 10-01-2005, 20:21
  2. Não consigo configurar firewall
    Por buosinet no fórum Servidores de Rede
    Respostas: 5
    Último Post: 29-11-2004, 19:09
  3. Squid + Firewall
    Por serrato no fórum Servidores de Rede
    Respostas: 10
    Último Post: 02-12-2002, 18:54
  4. firewall x webmail ou firewall x php?
    Por eclaudin no fórum Segurança
    Respostas: 3
    Último Post: 23-08-2002, 04:14
  5. Não consigo configurar firewall
    Por buosinet no fórum Servidores de Rede
    Respostas: 1
    Último Post: 28-03-2002, 21:44

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L