Página 3 de 4 PrimeiroPrimeiro 1234 ÚltimoÚltimo
+ Responder ao Tópico



  1. #11
    pflamellas
    Amigo,
    eu uso o RH9 ... e meu script de firewall tah assim:
    #######################
    #!/bin/bash
    # /etc/init.d/firewall
    # chkconfig: 2345 100 20
    # description: Inicializacao do iptables
    # processname: iptables
    # pidfile : /var/run/iptabless.pid
    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network
    if [ ${NETWORKING} = "no" ]
    then
    exit 0
    fi
    iptables=/sbin/iptables
    modprobe=/sbin/modprobe
    prog=firewall
    LOG="iplog -i eth1 -w -d -l /var/log/iplogs"
    case "$1" in
    start)
    echo -n $"Iniciando o serviço de $prog"
    #gprintf "Iniciando o serviço de %s: " "IPtables"
    $modprobe ip_tables
    $modprobe iptable_filter
    $modprobe iptable_nat
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_nat_ftp
    $modprobe ipt_LOG
    $modprobe ipt_state
    $modprobe ipt_MASQUERADE
    $iptables -F
    $iptables -Z
    $iptables -X
    $iptables -t nat -F
    $iptables -t nat -X
    $iptables -t mangle -F
    $iptables -t mangle -X
    $iptables -P INPUT DROP
    $iptables -P FORWARD DROP
    $iptables -P OUTPUT ACCEPT
    #echo "Ativando protecao de Entrada(Kernel)"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects
    echo 0 > $i/accept_source_route
    echo 1 > $i/log_martians
    echo 0 > $i/rp_filter
    done
    #echo "Ativando protecao de Entrada(INPUT)"
    $iptables -I INPUT -i lo -j ACCEPT
    $iptables -I OUTPUT -o lo -j ACCEPT
    $iptables -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
    $iptables -A INPUT -p tcp ! --syn -i eth1 -j ACCEPT
    #printf "."
    $iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
    $iptables -A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
    #$iptables -A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
    $iptables -A INPUT -s 224.0.0.0/4 -i eth1 -j DROP
    $iptables -A INPUT -s 240.0.0.0/5 -i eth1 -j DROP
    $iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
    $iptables -A INPUT -p ALL -s 192.168.1.5 -i lo -j ACCEPT
    $iptables -A INPUT -p ALL -s 192.168.0.1 -i lo -j ACCEPT
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    #echo "Liberando o acesso ao squid e outras portas"
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 3128 -j ACCEPT
    $iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 --dport 20000:30000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 7002 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 --dport 5273 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 631 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 8080 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 8999 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
    $iptables -A INPUT -p udp --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    $iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    $iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    $iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    #liberando respostas
    $iptables -A INPUT -p tcp -i eth1 --dport 20 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 21 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 23 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 25 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 80 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 110 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 443 --syn -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $iptables -A INPUT -j LOG --log-prefix "Pacote input descartado:" --log-level 6
    $iptables -A INPUT -j DROP
    #echo "Liberando resposta DNS"
    $iptables -A INPUT -p udp -s 200.196.99.2 --sport 53 -d 192.168.1.5 -j ACCEPT
    $iptables -A INPUT -p udp -s 200.196.99.3 --sport 53 -d 192.168.1.5 -j ACCEPT
    $iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote input fragmentado:" --log-level 6
    $iptables -A INPUT -i eth1 -f -j DROP
    #echo "Monitorando portas proibidas"
    $iptables -A INPUT -p tcp -i eth1 --dport 31337 -j DROP
    $iptables -A INPUT -p udp -i eth1 --dport 31337 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 12345:12346 -j DROP
    $iptables -A INPUT -p udp -i eth1 --dport 12345:12346 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 1524 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 27665 -j DROP
    $iptables -A INPUT -p udp -i eth1 --dport 27444 -j DROP
    $iptables -A INPUT -p udp -i eth1 --dport 31335 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 113 -j REJECT
    $iptables -A INPUT -p udp -i eth1 --dport 113 -j REJECT
    $iptables -A INPUT -p tcp -i eth1 --dport 5999:6003 -j DROP
    $iptables -A INPUT -p udp -i eth1 --dport 5999:6003 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP
    $iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
    #printf "."
    #$LOG
    #printf ".n"
    #prontf "Your internet connection is up and running. IP logs can be #found in /va/log/iplogs.n"
    $iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Porta FTP:" --log-level 6
    $iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Porta SSH:" --log-level 6
    $iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Porta TELNET:" --log-level 6
    $iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "Porta NETBUI:" --log-level 6
    #echo "Monitorando BackDoors..."
    $iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Porta Wincrash:" --log-level 6
    $iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Porta BackOrifice:" --log-level 6
    #Bloqueio a IP spoofing
    $iptables -N syn-flood
    $iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
    $iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $iptables -A syn-flood -j DROP
    #echo "Configurando navegação..Repasse(FORWARD)"
    $iptables -A FORWARD -m unclean -j DROP
    $iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    $iptables -A FORWARD -m state --state INVALID -j DROP
    $iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.196.99.2 --dport 53 -j ACCEPT
    $iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.196.99.3 --dport 53 -j ACCEPT
    $iptables -A FORWARD -p udp -s 200.196.99.2 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    $iptables -A FORWARD -p udp -s 200.196.99.3 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p udp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 20 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
    $iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 21 -j ACCEPT
    $iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
    $iptables -A FORWARD -j LOG --log-prefix "Pacote forward descartado:" --log-level 6
    $iptables -A FORWARD -j DROP
    $iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    #Diminuindo delay da rede para serviços essenciais
    $iptables -t mangle -A INPUT -p tcp --dport 22 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 25 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 80 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 110 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 443 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 3128 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 8999 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 23000 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 25 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 110 -j TOS --set-to Minimize-Delay
    ;;
    stop)
    echo -n $"Parando o serviço de $prog:"
    #gprintf "Parando o serviço de %s: " "IPtables"
    $iptables -F
    $iptables -X
    $iptables -F -t nat
    $iptables -F -t mangle
    echo
    ;;
    restart)
    echo -n $"Reiniciando o serviço de $prog:"
    #gprintf "Reiniciando o serviço de %s: " "IPtables"
    $0 stop
    $0 start
    echo
    ;;
    status)
    echo -n $"Status do serviço de $prog:"
    #gprintf "Status do serviço de $prog"
    $iptables -L
    $iptables -L -t nat
    $iptables -L -t mangle
    echo
    ;;
    *)
    echo -n $"Uso: iptables (start|stop|restart|status)"
    #gprintf "Uso: iptables {start|stop|restart|status}"
    echo
    ;;
    esac
    exit 0
    #############3
    antes de copiar de uma olhada onde estão os seus módulos!!!!
    tipo:
    iptables=/sbin/iptables
    modprobe=/sbin/modprobe
    caso não saiba de o comando which iptables ou which modprobe
    o meu iptables também é 1.2.7
    um Abraço
    Paulo Fernando Lamellas

  2. #12
    guardian_metal
    Valeu, vou dar uma testada e ver se funciona.



  3. #13
    pflamellas
    Kra,
    qual é sua distro???

  4. me diz uma coisa porque vc nao bloquei as portas de backoriffice e wincrash em vem de so fazer logs?

    [] dotta



  5. #15
    Amigo,
    pq eu preciso saber quais máquinas que são colocadas na rede e foram atacadas ou já possuiam as pragas






Tópicos Similares

  1. Respostas: 2
    Último Post: 16-08-2012, 08:20
  2. Meu Emule não esta baixando mais nada
    Por gullivernobrega no fórum Servidores de Rede
    Respostas: 4
    Último Post: 19-09-2005, 20:58
  3. Redirecionamento Não está funcionando no meu Firewall
    Por SpecOps no fórum Servidores de Rede
    Respostas: 7
    Último Post: 29-05-2005, 15:21
  4. Troquei de monitor, não me aparece mais nada!!!
    Por Antelo no fórum Sistemas Operacionais
    Respostas: 2
    Último Post: 09-09-2004, 15:21
  5. HD louko nao recenhe mais nada !! filha da pu.....
    Por aspenbr no fórum Servidores de Rede
    Respostas: 0
    Último Post: 28-07-2003, 11:13

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L