script de firewall

Ae galera, gostaria da opiniao de todos sobre meu script de firewall.

#Variaveis
LAN=192.168.0.0/24

#Ativar modulos
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_nat_ftp

#Zerar regras
iptables -F
iptables -t nat -F

#Alterar policiamento
iptables -P INPUT DROP
iptables -P FORWARD DROP

#Compartilhar a conexao
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

#Proteger contra syn flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Proxy transparente
iptables -t nat -A PREROUTING -i eth1 -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128

#### Regras de INPUT

#Entrar somente o que deve
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#SSH interno
iptables -A INPUT -i eth1 -s $LAN -p tcp --syn --dport 22 -j ACCEPT

#SQUID interno
iptables -A INPUT -i eth1 -s $LAN -p tcp --dport 3128 -j ACCEPT

#WEB interno
iptables -A INPUT -i eth1 -s $LAN -p tcp --dport 80 -j ACCEPT

#Tomcat interno
iptables -A INPUT -i eth1 -s $LAN -p tcp --dport 8080 -j ACCEPT

#PING interno
iptables -A INPUT -i eth1 -s $LAN -p icmp -j ACCEPT

#### Regras de FORWARD

#Passar somente o que precisa
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#DNS
iptables -A FORWARD -o eth0 -s $LAN -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -o eth0 -s $LAN -p udp --dport 53 -j ACCEPT

#WEB
iptables -A FORWARD -o eth0 -s $LAN -p tcp --dport 80 -j ACCEPT

#HTTPS
iptables -A FORWARD -o eth0 -s $LAN -p tcp --dport 443 -j ACCEPT

#FTP
iptables -A FORWARD -o eth0 -s $LAN -p tcp --dport 21 -j ACCEPT

#SSH
iptables -A FORWARD -o eth0 -s $LAN -p tcp --syn --dport 22 -j ACCEPT

#Mensagens Claro
iptables -A FORWARD -o eth0 -s $LAN -p tcp --dport 5005 -j ACCEPT

#MSN
iptables -A FORWARD -o eth0 -s 192.168.0.129 -p tcp --dport 1863 -j ACCEPT

#Ping pra fora
iptables -A FORWARD -o eth0 -s $LAN -p icmp -j ACCEPT

echo "Regras aplicadas com sucesso!"

[gatoseco]

Esse micro é so um gateway de internet ???

é sim, um athlon 1.6

[gatoseco]

Achei bem funcional !!! Mas da pra rodar mais algumas coisas como :

# Ativando protecao contra Port Scanners
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL : port scanner:"
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER

Mas com certeza vc devera receber mais opinioes !!!

Valeu !!!

[roggy]

gatoseco,

quando ele usa

#Alterar policiamento
iptables -P INPUT DROP
iptables -P FORWARD DROP

num passa nmap nao. Testei todas as opções!!

[gatoseco]

Que bom entao !!!