Página 4 de 4 PrimeiroPrimeiro 1234
+ Responder ao Tópico



  1. #16
    fserro
    Essas são as regras de meu firewall:

    #!/bin/bash
    modprobe ip_tables
    modprobe ipt_state
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_multiport
    modprobe iptable_filter
    modprobe ipt_mac
    modprobe ip_nat_ftp
    modprobe iptable_mangle

    echo "1">/proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    iptables -A INPUT -s 192.168.68.208 -p tcp --destination-port 22 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 22 -j DROP

    iptables -A INPUT -s 192.168.68.208 -p tcp --destination-port 21 -j ACCEPT
    iptables -A INPUT -s 192.168.68.208 -p udp --destination-port 21 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 21 -j DROP
    iptables -A INPUT -p udp --destination-port 21 -j DROP

    iptables -A INPUT -p tcp --destination-port 137:139 -j ACCEPT
    iptables -A INPUT -p udp --destination-port 137:139 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 80 -j DROP

    iptables -A FORWARD -p udp -s 192.168.68.0/24 -d 200.196.48.20 --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp -s 192.168.68.0/24 -d 200.196.48.21 --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp -s 200.196.48.20 --sport 53 -d 192.168.68.0/24 -j ACCEPT
    iptables -A FORWARD -p udp -s 200.196.48.21 --sport 53 -d 192.168.68.0/24 -j ACCEPT

    iptables -A FORWARD -p TCP -s 192.168.68.0/24 --dport 25 -j ACCEPT
    iptables -A FORWARD -p TCP -s 192.168.68.0/24 --dport 110 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

    iptables -A INPUT -p tcp -i 192.168.68.254 --dport 31337 -j DROP
    iptables -A INPUT -p udp -i 192.168.68.254 --dport 31337 -j DROP

    #Regra para proteger contra Trojans
    iptables -N TROJAN
    iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL:trojan:"
    iptables -A TROJAN -j DROP
    iptables -A INPUT -p TCP -i 192.168.68.254 --dport 666 -j TROJAN
    iptables -A INPUT -p TCP -i 192.168.68.254 --dport 4000 -j TROJAN
    iptables -A INPUT -p TCP -i 192.168.68.254 --dport 6000 -j TROJAN
    iptables -A INPUT -p TCP -i 192.168.68.254 --dport 6006 -j TROJAN
    iptables -A INPUT -p TCP -i 192.168.68.254 --dport 16660 -j TROJAN

    # Regra para proteger contra worms
    iptables -A FORWARD -p tcp --dport 135 -i 192.168.68.254 -j REJECT
    iptables -A FORWARD -p tcp --dport 1025 -i 192.168.68.254 -j REJECT
    iptables -A FORWARD -p udp --dport 1025 -i 192.168.68.254 -j REJECT

    # Abre para a interface de loopback.
    # Esta regra é essencial para o KDE e outros programas gráficos funcionarem adequadamente.
    iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Bloqueia uma porta de saída, tanto local quanto forward
    iptables -A OUTPUT -p TCP --dport 4000:5190 -j DROP
    iptables -A FORWARD -p TCP --dport 4000:5190 -j DROP
    iptables -A OUTPUT -p UDP --dport 4000:5190 -j DROP
    iptables -A FORWARD -p UDP --dport 4000:5190 -j DROP


    # Bloqueia uma porta de saída, tanto local quanto forward
    iptables -A OUTPUT -p TCP --dport 1863 -j DROP
    iptables -A FORWARD -p TCP --dport 1863 -j DROP
    iptables -A OUTPUT -p UDP --dport 1863 -j DROP
    iptables -A FORWARD -p UDP --dport 1863 -j DROP


    # Bloqueia uma porta de saída, tanto local quanto forward
    iptables -A OUTPUT -p TCP --dport 6699 -j DROP
    iptables -A FORWARD -p TCP --dport 6699 -j DROP
    iptables -A OUTPUT -p UDP --dport 6699 -j DROP
    iptables -A FORWARD -p UDP --dport 6699 -j DROP

    # Bloqueia as portas 135 e 445
    iptables -A OUTPUT -s 0/0 -d 0/0 -m tcp -m multiport -p tcp --dports 135,445 -j DROP

    # Bloqueia programas P2P
    # iMesh
    iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

    # BearShare
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT

    # ToadNode
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT

    # WinMX
    iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
    iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

    # Napigator
    iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

    # Morpheus
    iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
    iptables -A FORWARD -p TCP --dport 1214 -j REJECT

    # KaZaA
    iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
    iptables -A FORWARD -p TCP --dport 1214 -j REJECT
    iptables -A INPUT -m string --string "X-Kazaa" -j DROP

    # Limewire
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT

    #Audiogalaxy
    iptables -A FORWARD -d 64.245.58.0/23 -j REJECT

    iptables -A FORWARD -s 192.168.68.0/24 -d 64.233.171.85 -j REJECT
    iptables -A OUTPUT -s 192.168.68.0/24 -d 64.233.171.85 -j REJECT

    # Bloquear MSN Messenger
    iptables -A FORWARD -s 192.168.68.0/24 -p tcp --dport 1863 -j DROP

    # iptables -A FORWARD -s 192.168.68.0/24 -d loginnet.passport.com -j DROP
    iptables -A FORWARD -p TCP --dport 1863 -j DROP
    iptables -A FORWARD -d 64.4.13.0/24 -j DROP

    # Bloquear Yahoo Messenger
    iptables -A FORWARD -d cs.yahoo.com -j DROP
    iptables -A FORWARD -d scsa.yahoo.com -j DROP

    # Bloquear KaZaA
    iptables -A FORWARD -d 213.248.112.0/24 -j DROP
    iptables -A FORWARD -p TCP --dport 1214 -j DROP

    # Bloqueio do ICQ
    iptables -A FORWARD -p TCP --dport 5190 -j DROP
    iptables -A FORWARD -d login.icq.com -j DROP

    iptables -A FORWARD -s 200.226.124.8 -j DROP

    iptables -A INPUT -p tcp --syn -s 192.168.68.0/255.255.255.0 -j ACCEPT

    # Protecoes diversas contra portscanners, ping of death, ataques Dos, etc.
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP

    # Proteção Contra IP Spoofing
    iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
    iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
    iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

    #Regra para aceitar ping da minha maquina
    # iptables -A INPUT -p icmp -j DROP
    # iptables -A INPUT -s 192.168.68.208 -p icmp -j ACCEPT

    #Regra para bloquear ping
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

    # Bloqueio de pings externos
    iptables -A OUTPUT -p icmp -j DROP

    iptables -A FORWARD -p tcp --destination-port 1755 -j DROP
    iptables -A FORWARD -p udp --destination-port 1755 -j DROP

    iptables -A FORWARD -m unclean -j DROP

    iptables -A INPUT -p tcp --syn -j DROP
    iptables -A INPUT -i eth0 -p udp --dport 0:30000 -j DROP

  2. #17
    Danilo_Montagna
    vc postar seu script inteiro aqui nao ajuda muito..

    eu quero apenas o retorno do comando:

    iptables -nL FORWARD



  3. #18
    fserro
    Segue o que vc me pediu:

    proxy:~# iptables -nL FORWARD
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT udp -- 192.168.68.0/24 200.196.48.20 udp dpt:53
    ACCEPT udp -- 192.168.68.0/24 200.196.48.21 udp dpt:53
    ACCEPT udp -- 200.196.48.20 192.168.68.0/24 udp spt:53
    ACCEPT udp -- 200.196.48.21 192.168.68.0/24 udp spt:53
    ACCEPT tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:25
    ACCEPT tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:110
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:110
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 reject-
    with icmp-port-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 reject
    -with icmp-port-unreachable
    REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1025 reject
    -with icmp-port-unreachable
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTAB
    LISHED
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:4000:5190
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:5190
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1863
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6699
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6699
    REJECT all -- 0.0.0.0/0 216.35.208.0/24 reject-with icmp-po
    rt-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
    -with icmp-port-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
    -with icmp-port-unreachable
    REJECT all -- 0.0.0.0/0 209.61.186.0/24 reject-with icmp-po
    rt-unreachable
    REJECT all -- 0.0.0.0/0 64.49.201.0/24 reject-with icmp-po
    rt-unreachable
    REJECT all -- 0.0.0.0/0 209.25.178.0/24 reject-with icmp-po
    rt-unreachable
    REJECT all -- 0.0.0.0/0 206.142.53.0/24 reject-with icmp-po
    rt-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject
    -with icmp-port-unreachable
    REJECT all -- 0.0.0.0/0 213.248.112.0/24 reject-with icmp-po
    rt-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214 reject
    -with icmp-port-unreachable
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346 reject
    -with icmp-port-unreachable
    REJECT all -- 0.0.0.0/0 64.245.58.0/23 reject-with icmp-po
    rt-unreachable
    REJECT all -- 192.168.68.0/24 64.233.171.85 reject-with icmp-po
    rt-unreachable
    DROP tcp -- 192.168.68.0/24 0.0.0.0/0 tcp dpt:1863
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
    DROP all -- 0.0.0.0/0 64.4.13.0/24
    DROP all -- 0.0.0.0/0 216.136.233.128
    DROP all -- 0.0.0.0/0 216.136.233.138
    DROP all -- 0.0.0.0/0 216.136.226.208
    DROP all -- 0.0.0.0/0 216.136.233.137
    DROP all -- 0.0.0.0/0 213.248.112.0/24
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1214
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190
    DROP all -- 0.0.0.0/0 205.188.153.121
    DROP all -- 200.226.124.8 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit:
    avg 1/sec burst 5
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec bu
    rst 5
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTAB
    LISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
    limit: avg 1/sec burst 5
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x12

    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1755
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1755
    DROP all -- 0.0.0.0/0 0.0.0.0/0 unclean
    proxy:~#


    Abs,

  4. #19
    Danilo_Montagna
    alguns pontos importantes que gostaria de citar..

    1 - sua police default esta em ACCEPT.. e vc tem pelo menos umas 50 linhas com REJECTS e DROPS.. e umas 6 linhas dando ACCEPT..

    eu aconselharia vc deixar a police em DROP e apenas deixar no script essas 6 linhas com ACCEPT.. nao vejo necessidade de fazer como vc esta fazendo.. so complica a administracao de um firewall..

    2 - AS regras de DROP da porta 1755 esta listadas como as ultimas regras dessa CHAIN.. provavelmente para estar passando ainda o mms.. é pq tem alguma regra antes dessa checando.. e liberando o pacote..

    o ideal mesmo é vc deixar sua POLICE em DROP .. e so ter regras de ACCEPT em sua chain.. isso ira econimizar tempo e administracao.. e provaveis furos que possam existir por ordem de regras na chain..






Tópicos Similares

  1. Plugin Windows Media Player
    Por rmars no fórum Servidores de Rede
    Respostas: 3
    Último Post: 21-07-2005, 15:22
  2. Portas WMP (Windows Media Player)
    Por whinston no fórum Servidores de Rede
    Respostas: 1
    Último Post: 24-06-2005, 16:00
  3. Servidor para rádio on-line q toque no media player windows
    Por rcfweb no fórum Servidores de Rede
    Respostas: 15
    Último Post: 13-06-2005, 11:26
  4. Windows Media Player
    Por no fórum Servidores de Rede
    Respostas: 2
    Último Post: 02-07-2003, 20:17
  5. Media Player /real player
    Por Itise no fórum Servidores de Rede
    Respostas: 3
    Último Post: 09-03-2003, 10:45

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L