+ Responder ao Tópico



  1. #1
    max_mori
    Gostaria de que avaliacem o script




    #!/bin/bash
    # /etc/init.d/firewall
    # processname: iptables
    # pidfile : /var/run/iptabless.pid
    # eth1 interface da internet
    # eth0 interface da rede local
    #ip 200.xxxx
    #dns 255.xxxx
    #gat 200.xxxxx
    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network
    if [ ${NETWORKING} = "no" ]
    then
    exit 0
    fi
    iptables=/sbin/iptables
    modprobe=/sbin/modprobe
    #prog=firewall
    LOG="iplog -i eth1 -w -d -l /var/log/iplogs"
    case "$1" in
    start)

    echo -n "Iniciando o servico de prog - carregando modulos"
    $modprobe ip_tables
    $modprobe iptable_filter
    $modprobe iptable_nat #
    $modprobe ip_nat_ftp #
    $modprobe ip_conntrack #
    $modprobe ip_conntrack_ftp #
    $modprobe ipt_LOG #
    $modprobe ipt_state
    $modprobe ipt_REJECT
    $modprobe ipt_MASQUERADE
    echo " modulo carregado"

    echo -n "flushing resetando firewall "
    $iptables -F INPUT #pg 83
    $iptables -F OUTPUT #pg 83
    $iptables -F FORWARD #pg 83
    $iptables -Z
    $iptables -X #pg 83
    $iptables -t nat -F #pg 83
    $iptables -t nat -X #pg 83
    $iptables -t mangle -F #nao incluso
    $iptables -t mangle -X #nao incluso
    echo " [ok]"

    echo -n "politica geral "
    $iptables -P INPUT DROP #pg81
    $iptables -P FORWARD DROP #pg81
    $iptables -P OUTPUT ACCEPT #pg81
    echo " [ok]"

    echo -n "Ativando protecao de Entrada(Kernel) "
    echo 1 > /proc/sys/net/ipv4/ip_forward #LIVRO PG 81 habilitando nat
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Enable TCP SYN Cookie Protection
    echo 1 >/proc/sys/net/ipv4/tcp_syncookies #pg 82
    # Enable always defragging Protection
    #echo 1 > /proc/sys/net/ipv4/ipv4/ip_always_defcd rag
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Protecao contra IP spoofing
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all # bloqueia ping
    echo " [ok]"

    echo -n "Ativando protecao de Entrada(INPUT)"
    $iptables -I INPUT -i lo -j ACCEPT #LIVRO PG 81
    $iptables -I OUTPUT -o lo -j ACCEPT #pg 85
    $iptables -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP #pg 85
    $iptables -A INPUT -p tcp ! --syn -i eth1 -j ACCEPT
    echo " [ok]"

    echo -n "liberar ping para minha rede"
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -j DROP #bloqueia fora da minha rede
    echo " [ok]"


    echo -n "Evitando Spoofing"
    $iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP #pg 85 protecao de entrada
    $iptables -A INPUT -s 127.0.0.0/8 -i eth1 -j DROP #pg 85 protecao de entrada
    $iptables -A INPUT -s 172.16.0.0/12 -i eth1 -j DROP #pg 85 protecao de entrada
    $iptables -A INPUT -s 192.168.0.0/16 -i eth1 -j DROP #pg 85 protecao de entrada
    #Evitando multicast
    $iptables -A INPUT -s 224.0.0.0/4 -i eth1 -j DROP # protecao de entrada
    $iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -i eth1 -j DROP #pg 85 protecao de entrada
    $iptables -A INPUT -s 240.0.0.0/5 -i eth1 -j DROP # protecao de entrada
    $iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -i eth1 -j DROP #pg 85 protecao de entrada
    echo " [ok]"

    echo -n "Liberando acesso do localhost..."
    $iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
    echo " [ok]"

    echo -n "Otimizando o roteamento..."
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo " [ok]"

    echo -n "Liberando o acesso ao squid e outras portas"
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 3128 -j ACCEPT
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 20000:30000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 7002 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 5273 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 631 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 8080 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 8999 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 137:139 -j ACCEPT #squid
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 137:139 -j ACCEPT #squid
    $iptables -A INPUT -p tcp -i eth1 --dport 20 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT #ftp
    $iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT #dns
    $iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT #dns
    $iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT #http
    $iptables -A INPUT -p tcp -i eth1 --dport 110 -j ACCEPT #pop3
    $iptables -A INPUT -p tcp -i eth1 --dport 443 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 445 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT
    echo " [ok]"


    echo -n "liberando respostas"
    $iptables -A INPUT -p tcp -i eth0 --dport 20 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 21 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 23 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 25 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 80 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 110 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 443 --syn -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    $iptables -A INPUT -j LOG --log-prefix "Pacote input descartado:" --log-level 6
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #LIVRO PG 81 87 Mantem a conexao das portas liberada acima
    $iptables -A INPUT -j DROP #pg 82
    echo " [OK]"

    echo -n "Bloqueando pacotes fragmentados..."
    $iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote input fragmentado:" --log-level 6
    $iptables -A INPUT -i eth1 -f -j DROP
    echo " [OK]"

    echo -n "Monitorando portas proibidas"
    $iptables -A INPUT -p tcp -i eth1 --dport 31337 -j DROP #pg 86 back orifice
    $iptables -A INPUT -p udp -i eth1 --dport 31337 -j DROP #pg 86
    $iptables -A INPUT -p tcp -i eth1 --dport 12345:12346 -j DROP #pg 86 netbus
    $iptables -A INPUT -p udp -i eth1 --dport 12345:12346 -j DROP #pg 86
    $iptables -A INPUT -p tcp -i eth1 --dport 1524 -j DROP #pg 86 trin00
    $iptables -A INPUT -p tcp -i eth1 --dport 27665 -j DROP #pg 86 trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 27444 -j DROP #pg 86 trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 31335 -j DROP #pg 86 trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 34555 -j DROP #pg 86 trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 35555 -j DROP #pg 86 trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 113 -j REJECT #pg 86 rejectado (nao aceito) ident requeridos
    $iptables -A INPUT -p udp -i eth1 --dport 113 -j REJECT #pg 86
    $iptables -A INPUT -p udp -i eth1 --dport 135 -j REJECT #worm
    $iptables -A INPUT -p tcp -i eth1 --dport 5999:6003 -j DROP #pg 86 bloqueando acesso a x server
    $iptables -A INPUT -p udp -i eth1 --dport 5999:6003 -j DROP #pg 86
    $iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP #pg 86
    $iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP #pg 87
    iptables -A INPUT -p tcp -i eth1 --dport 666 -j DROP #protecao trojan
    iptables -A INPUT -p udp -i eth1 --dport 666 -j DROP #protecao trojan
    iptables -A INPUT -p tcp -i eth1 --dport 4000 -j DROP #protecao trojan
    iptables -A INPUT -p tcp -i eth1 --dport 6000 -j DROP #protecao trojan
    iptables -A INPUT -p tcp -i eth1 --dport 6006 -j DROP #protecao trojan
    iptables -A INPUT -p tcp -i eth1 --dport 16660 -j DROP #protecao trojan
    echo " [OK]"

    echo -n "Your internet connection is up and running. IP logs can be #found in /va/log/iplogs.n"
    $iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Porta FTP:" --log-level 6
    $iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Porta SSH:" --log-level 6
    $iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Porta TELNET:" --log-level 6
    $iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "Porta NETBUI:" --log-level 6
    echo " [OK]"

    echo -n "Monitorando BackDoors..."
    $iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Porta Wincrash:" --log-level 6
    $iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Porta BackOrifice:" --log-level 6
    echo " [OK]"

    echo -n "Bloqueio a IP spoofing"
    $iptables -N syn-flood # pg 91 bloqueio a spoofing
    $iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood # pg 92 bloqueio a spoofing
    $iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN #pg 83 92
    $iptables -A syn-flood -j DROP # pg 92 bloqueio a spoofing
    echo " [OK]"

    #echo "Configurando navega??o..Repasse(FORWARD) bloqueios"
    $iptables -A FORWARD -m unclean -j DROP #pg 91 bloqueio a pacotes suspeitos ou danificados
    $iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT #pg 91 bloqueio a syn-flood via limit
    $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT #pg 87 92 bloquei de ping
    $iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT #pg 91 bloqueio a scan ocultos
    echo " [OK]"

    echo -n "Descartando pacotes invalidos para reenvio..."
    $iptables -A FORWARD -m state --state INVALID -j DROP
    echo " [OK]"

    echo -n "forward portas 20 21 22 53 "
    $iptables -A FORWARD -o eth1 -m state --state NEW,INVALID -j DROP #pg 81
    $iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT #pg 82
    $iptables -A FORWARD -p tcp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p udp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 21 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
    echo " [OK]"

    #$iptables -A FORWARD -j LOG --log-prefix "Pacote forward descartado:" --log-level 6

    echo -n "forward portas bloqueios "
    $iptables -A FORWARD -d 64.49.201.0/24 -j REJECT #pg 88 winMx
    $iptables -A FORWARD -d 64.245.58.0/23 -j REJECT #pg 89 audiogalaxy
    $iptables -A FORWARD -d 206.142.53.0/24 -j REJECT #pg 89 morpheus
    $iptables -A FORWARD -d 209.61.186.0/24 -j REJECT #pg 88 winMx
    $iptables -A FORWARD -d 209.25.178.0/24 -j REJECT #pg 89 napigator
    $iptables -A FORWARD -d 213.248.112.0/24 -j REJECT #pg 88 Kazaa
    $iptables -A FORWARD -d 216.35.208.0/24 -j REJECT #pg 88 imesh
    $iptables -A FORWARD -p tcp -- dport 6346 -j REJECT #pg 88 bearshare limewire
    $iptables -A FORWARD -p tcp -- dport 1214 -j REJECT #pg 89 morpheus kazaa
    $iptables -A FORWARD -p tcp -- dport 135 -i eth0 -j REJECT #protecao contra worm
    $iptables -A FORWARD -j DROP #pg 82
    echo " [OK]"

    echo -n " ATIVANDO NAT "
    $iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # ATIVANDO NAT
    $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT -- to-port 3128
    $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6588 -j REDIRECT -- to-port 3128 #tentativa de proxy dentro de proxy
    $iptables -t nat -A PREROUTING -i eth0 -p tcp -m -multport --dport 21,22,25,53,80,110 -j REDIRECT -- to-port 3128
    $iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE #LIVRO PG 81 mascara a saida
    echo " [OK]"

    echo " Diminuindo delay da rede para servi?os essenciais "
    $iptables -t mangle -A INPUT -p tcp --dport 22 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 25 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 80 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 110 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 443 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 3128 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 8999 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 23000 -j TOS --set-to Minimize-Delay
    #$iptables -t mangle -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j TOS --set-to Minimize-Delay
    #$iptables -t mangle -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 25 -j TOS --set-to Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 110 -j TOS --set-to Minimize-Delay
    echo " [OK]"

    echo -n " kazaa"
    #$iptables -A INPUT -m string --string "X-Kazaa-Username:" -j DROP
    #$iptables -A INPUT -m string --string "X-Kazaa-Network:" -j DROP
    $iptables -A INPUT -m string --string "X-Kazaa" -j DROP
    $iptables -A INPUT -m string --string "cmd.exe"-j DROP #pg 92 protege server microsoft IIs em background -p tcp -s 0.0.0.0/0
    echo " [ok]"


    echo -n " teste"
    $iptables -A INPUT -m string -i eth0 --string "www.submarino.com.br" -j DROP


    $iptables -A INPUT -p tcp --dport 6588 -j ACCEPT
    $iptables -A FORWARD -p tcp --dport 6588 -j ACCEPT
    $iptables -A OUTPUT -p tcp --dport 6588 -j ACCEPT

    $iptables -A INPUT -p udp --dport 6588 -j ACCEPT
    $iptables -A FORWARD -p udp --dport 6588 -j ACCEPT
    $iptables -A OUTPUT -p udp --dport 6588 -j ACCEPT

    echo " [ok]"




    ;;
    stop)
    echo -n $"Parando o servi?o de $prog:"
    #gprintf "Parando o servi?o de %s: " "IPtables"
    $iptables -F
    $iptables -X
    $iptables -F -t nat
    $iptables -F -t mangle
    echo
    ;;
    restart)
    echo -n $"Reiniciando o servi?o de $prog:"
    #gprintf "Reiniciando o servi?o de %s: " "IPtables"
    $0 stop
    $0 start
    echo
    ;;
    status)
    echo -n $"Status do servi?o de $prog:"
    #gprintf "Status do servi?o de $prog"
    $iptables -L
    $iptables -L -t nat
    $iptables -L -t mangle
    echo
    ;;
    *)
    echo -n $"Uso: iptables (start|stop|restart|status)"
    #gprintf "Uso: iptables {start|stop|restart|status}"
    echo
    ;;
    esac
    exit 0


    Obrigado

    Max_mori

  2. #2
    muganga
    max_mori

    Esta questao de avaliacao é muito relativa pois ira depender do que vc esta buscando de resultados com a implementacao do firewall. Entao para que possamos avaliar seu firewall poderia nos responder as seguintes perguntas?

    - O que voce quer bloquear com esse firewall? TROJANS, PORT SCANNERS, WORMS....?
    - Voce ira liberar acesso ssh para alguem em particular?
    - Fara direcionamento para algum proxy?
    - Vc pretende liberar algumas portas para programas especificos?

    Isto é apenas o basico....poste qual a sua filosofia, ideia de protecao para seu server ou rede

    Abraços






Tópicos Similares

  1. Script para Pegar IP, Enviar e-mail e escrever no pptp.conf
    Por Skill no fórum Linguagens de Programação
    Respostas: 21
    Último Post: 26-06-2003, 11:34
  2. Script para Pegar IP da ETH ou PPP0, e enviar por email
    Por Skill no fórum Servidores de Rede
    Respostas: 0
    Último Post: 28-03-2003, 15:55
  3. Script para pegar IP
    Por Skill no fórum Servidores de Rede
    Respostas: 6
    Último Post: 15-03-2003, 14:30
  4. script para criação de contas
    Por no fórum Linguagens de Programação
    Respostas: 1
    Último Post: 08-02-2003, 16:08
  5. scripts para logs do Radius
    Por dboom no fórum Servidores de Rede
    Respostas: 1
    Último Post: 15-09-2002, 15:00

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L