Estou postando este script como colaboração para estudo das regras e do próprio iptables.
Sugestões são sempre bem-vindas para melhoria deste script.
#!/bin/bash
#
#
#
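## Variables
#
# Path of the iptables binary.  `command -v` is the POSIX lookup; fall back to
# /sbin/iptables (the example path from the original comment) when iptables is
# not on PATH, so $IPTABLES is never empty — an empty value would turn every
# "$IPTABLES -F" below into a bare "-F" command that silently does nothing.
IPTABLES=$(command -v iptables 2>/dev/null || printf '%s' /sbin/iptables)
IP="200.xx.xx.xx"             # external (Internet-facing) IP — placeholder, fill in before use
ETHEXTERNO="eth0"             # interface with Internet access
REDEINTERNA="199.168.40.0/24" # internal LAN range
# NOTE(review): 199.168.40.0/24 is a public range, not RFC 1918; it looks like a
# typo for 192.168.40.0/24 — confirm, since the "internal traffic" ACCEPT rules
# below trust whatever this range is.
#
## Feature switches: "1" enables the corresponding section, anything else disables it.
IPMASQUERADE="1"
TRAFEGOINTERNO="1"
BLOCKVIRUS="1"
BLOCKPORTSSH22="1"
BLOCKPORTTELNET23="1"
BLOCKMSN="0" # did not work; needs review
BLOCKORKUT="0"
BLOCKP2P="0" # under test
BLOCKATAC="1"
REDIRREDEINTERNA="1"
ATIVAPROXYTRANSPARENTE="0"
#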
#
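## Record each run of the firewall script (timestamp appended to a log file).
# NOTE: this runs on every invocation (start, stop, restart, nothing) because it
# sits before the case statement that selects the action — it is a run log, not
# strictly a "start" log.
/bin/date >> /var/log/Firewall.start
## Enable packet forwarding between interfaces (turns this host into a router).
# This is a runtime, non-persistent setting; check the current value with
#   sysctl net.ipv4.ip_forward
# and set net.ipv4.ip_forward in /etc/sysctl.conf if you want a value to survive
# a reboot (the original comment suggested keeping it = 0 there so that only this
# script enables it — either way the kernel value is overwritten here).
# NOTE(review): like the log line, this also runs for "stop", which flushes all
# rules and leaves forwarding on, i.e. the host keeps routing with no filter.
# Moving this line into the "start" branch would avoid that.
if ! /bin/echo 1 > /proc/sys/net/ipv4/ip_forward; then
    /bin/echo "WARNING: could not enable net.ipv4.ip_forward (not root, or no /proc/sys?)" >&2
fi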
#---------------------------------------------------------#
## Faz o kernel ignorar pedidos de echo ICMP (ping); os demais tipos ICMP continuam aceitos #
# #
#/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #
#---------------------------------------------------------#
## Start Stop Restart
#####--------------------------
#
case "$1" in
nothing )
/bin/echo -e "Do nothing ... \c"
/bin/echo "OK !!!"
;;
stop )
/bin/echo -e "Firewall Server is OFF (Esta desligado) ... \c "
$IPTABLES -F #limpa regras
$IPTABLES -X #exclui chains
$IPTABLES -t nat -F #limpa regras
# $IPTABLES -t mangle -F #limpa regras da tabela mangle (desativado)
/bin/echo "OK !!!"
;;
restart )
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;
start )
/bin/echo -e "Starting Firewall server (iniciando Firewall) ..."
$IPTABLES -F #limpa regras
$IPTABLES -X #exclui chains
$IPTABLES -t nat -F #limpa regras
# $IPTABLES -t mangle -F #limpa regras da tabela mangle (desativado)
#-------------------------------------------
###### Iniciando Regras do Firewall
#-------------------------------------------
#
### Definindo politicas como DROP (Nega tudo)
# ATENÇÃO: com as três linhas abaixo comentadas a política padrão das chains
# continua ACCEPT, ou seja, só é bloqueado o que as regras DROP abaixo casam
# explicitamente; todo o resto (INPUT, FORWARD e OUTPUT) passa. Note também
# que "iptables -F" limpa as regras mas não altera a política das chains.
#
#$IPTABLES -P INPUT DROP
#$IPTABLES -P FORWARD DROP
#$IPTABLES -P OUTPUT DROP
#
### Libera tafego interno
#
if [ "$TRAFEGOINTERNO" = "1" ]
then
$IPTABLES -A INPUT -j ACCEPT -d 127.0.0.1 -s 127.0.0.1
$IPTABLES -A INPUT -j ACCEPT -d $REDEINTERNA -s $REDEINTERNA
# $IPTABLES -A INPUT -j ACCEPT -d $IP -s $IP
fi
#
### Bloqueia portas mais comuns usadas por virus
# Nota: a maioria destas regras está na chain INPUT, portanto protege apenas o
# próprio firewall; o tráfego repassado para a rede interna passa pela chain
# FORWARD e só é filtrado pelas poucas regras FORWARD no fim desta seção.
#
if [ "$BLOCKVIRUS" = "1" ]
then
# Blaster Worm
$IPTABLES -A INPUT -p tcp --dport 135:139 -j DROP
# Messenger (spam via serviço Messenger do Windows)
$IPTABLES -A INPUT -p udp --dport 135:139 -j DROP
# Blaster Worm
$IPTABLES -A INPUT -p tcp --dport 445 -j DROP
#------- 593/tcp: http-rpc-epmap (RPC sobre HTTP do Windows)
$IPTABLES -A INPUT -p tcp --dport 593 -j DROP
#------- 1024-1030/tcp: faixa de portas dinâmicas RPC do Windows (usada por backdoors de worms)
$IPTABLES -A INPUT -p tcp --dport 1024:1030 -j DROP
# Mydoom (backdoor nas portas 1080 e 3127-3128)
$IPTABLES -A INPUT -p tcp --dport 1080 -j DROP
$IPTABLES -A INPUT -p tcp --dport 3127:3128 -j DROP
#------- 1214/tcp: KaZaA/FastTrack (P2P, não é porta de vírus)
$IPTABLES -A INPUT -p tcp --dport 1214 -j DROP
# Ndm Requeter
$IPTABLES -A INPUT -p tcp --dport 1363 -j DROP
# Ndm Server
$IPTABLES -A INPUT -p tcp --dport 1364 -j DROP
# Screen Cast
$IPTABLES -A INPUT -p tcp --dport 1368 -j DROP
# Hromgrafx
$IPTABLES -A INPUT -p tcp --dport 1373 -j DROP
# Cichlid
$IPTABLES -A INPUT -p tcp --dport 1377 -j DROP
# Worm
$IPTABLES -A INPUT -p tcp --dport 1433:1434 -j DROP
# Bagle (Beagle) A-K - backdoor na porta 2745
$IPTABLES -A INPUT -p tcp --dport 2745 -j DROP
# DumaruY.
$IPTABLES -A INPUT -p tcp --dport 2283 -j DROP
# Beagle
$IPTABLES -A INPUT -p tcp --dport 2535 -j DROP
# Back Door OptixPro
$IPTABLES -A INPUT -p tcp --dport 3410 -j DROP
# Worm
$IPTABLES -A INPUT -p tcp --dport 4444 -j DROP
$IPTABLES -A INPUT -p udp --dport 4444 -j DROP
# Sasser
$IPTABLES -A INPUT -p tcp --dport 5554 -j DROP
# Bagle.B
$IPTABLES -A INPUT -p tcp --dport 8866 -j DROP
# Dabber.A-B
$IPTABLES -A INPUT -p tcp --dport 9898 -j DROP
# Dumaru.Y
$IPTABLES -A INPUT -p tcp --dport 10000 -j DROP
# Mydoom.B
$IPTABLES -A INPUT -p tcp --dport 10080 -j DROP
# NetBus
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
# Kuang2
$IPTABLES -A INPUT -p tcp --dport 13300 -j DROP
# Sub Seven
$IPTABLES -A INPUT -p tcp --dport 27374 -j DROP
# Back Orifice
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p udp --dport 31337 -j DROP
# NetBus
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A INPUT -p udp --dport 12345:12346 -j DROP
#
# Portas do endereço: http://scan.sygatetech.com/quickscan.html
#
$IPTABLES -A FORWARD -p tcp --dport 6776 -j DROP
$IPTABLES -A FORWARD -p udp --dport 6776 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 7789 -j DROP
$IPTABLES -A FORWARD -p udp --dport 7789 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 54320 -j DROP
$IPTABLES -A FORWARD -p udp --dport 54320 -j DROP
$IPTABLES -A FORWARD -p udp --dport 1026 -j DROP
$IPTABLES -A FORWARD -p udp --dport 1027 -j DROP
$IPTABLES -A INPUT -p udp --dport 1026 -j DROP
$IPTABLES -A INPUT -p udp --dport 1027 -j DROP
/bin/echo "BLOCKPORTVIRUS Ativando ............... OK!! "
fi
#
### Bloqueia ataques diversos (limitação de taxa)
# ATENÇÃO: as regras abaixo apenas ACEITAM até 1 pacote/s; o excedente não é
# descartado aqui - ele cai nas regras seguintes e, com a política FORWARD em
# ACCEPT (ver acima), passa do mesmo jeito. Para limitar de fato é preciso uma
# regra DROP correspondente logo após cada ACCEPT (ou a política DROP).
#
if [ "$BLOCKATAC" = "1" ]
then
# DoS
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Port Scanners
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping da Morte
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/bin/echo "BLOCKATAC Ativando ............... OK!! "
fi
#
### Bloqueia MSN
#
if [ "$BLOCKMSN" = "1" ]
then
# Portas MSN
$IPTABLES -t filter -A FORWARD -p tcp --dport 6891:6901 -j DROP
$IPTABLES -t filter -A FORWARD -p tcp --dport 1863 -j DROP
$IPTABLES -t filter -A FORWARD -p udp --dport 1863 -j DROP
$IPTABLES -t filter -A FORWARD -p tcp --dport 5190 -j DROP
$IPTABLES -t filter -A FORWARD -p udp --dport 5190 -j DROP
# Endereços MSN
# Nota: ao usar nome de host em "-d", o iptables resolve o nome via DNS uma única
# vez, ao carregar a regra, e grava apenas os IPs retornados naquele momento;
# serviços com muitos IPs escapam facilmente - provável motivo do "não funcionou".
# A linha com "Meebo - Connecting AIM, MSN, ..." é um título de página colado no
# lugar do nome do host e faz o iptables rejeitar a regra.
$IPTABLES -A FORWARD -s $REDEINTERNA -d hotmail.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d e-messenger.net -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d msn.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d msn.com.br -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d messenger.msn.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d login.passport.net -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d login.passport.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d hotmail.msn.com -j DROP
# $IPTABLES -A FORWARD -s $REDEINTERNA -d loginnet.msn.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d loginnet.passport.com -j DROP
# $IPTABLES -A FORWARD -s $REDEINTERNA -d login.hotmail.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d messenger.hotmail.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d rad.msn.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d ak.englishtonw.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d c.msn.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d storage.msn.com -j DROP
# $IPTABLES -A FORWARD -s $REDEINTERNA -d cp.inil.match.com -j DROP
$IPTABLES -A FORWARD -s $REDEINTERNA -d meebo.com -j DROP
$IPTABLES -I FORWARD -s $REDEINTERNA -d Meebo - Connecting AIM, MSN, Yahoo, Facebook, MySpace messengers -j DROP
$IPTABLES -I FORWARD -s $REDEINTERNA -d www1.meebo.com -j DROP
$IPTABLES -I FORWARD -s $REDEINTERNA -d wwwm.meebo.com -j DROP
$IPTABLES -I FORWARD -s $REDEINTERNA -d www34.meebo.com -j DROP
/bin/echo "BLOCKMSN Ativando ............... OK!! "
fi
#
### Bloqueia Orkut
#
if [ "$BLOCKORKUT" = "1" ]
then
route add -host 64.233.163.85 reject
route add -host 64.233.163.86 reject
route add -host 64.233.163.87 reject
route add -host 64.233.163.94 reject
/bin/echo "BLOCKORKUT Ativando ............... OK!! "
fi
# Limpa rotas bloqueadas orkut
#if [ "$BLOCKORKUT" = "0" ]
#then
# route del -host 64.233.163.85 reject
# route del -host 64.233.163.86 reject
# route del -host 64.233.163.87 reject
# route del -host 64.233.163.94 reject
#fi
# Requer o patch/módulo layer7 no kernel e no iptables (xt_layer7).
# Nota: a opção do módulo é "--l7proto <protocolo>"; as linhas abaixo usam
# "--l7ayer7" e "bittrrent", que o iptables rejeita - corrija para
# "--l7proto bittorrent" etc. antes de ativar BLOCKP2P.
### Bloqueia P2P
#
if [ "$BLOCKP2P" = "1" ]
then
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 bittrrent -j DROP
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 directconnect -j DROP
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 gnutella -j DROP
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 edonkey -j DROP
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 bearshare -j DROP
$IPTABLES -I FORWARD -p tcp -m layer7 --l7ayer7 winmx -j DROP
/bin/echo "BLOCKP2P Ativando ............... OK!! "
fi
#
### Bloqueia porta 22 SSH (libera apenas origens específicas)
# Nota: "any/0" não é um endereço válido para o iptables (ele tentará resolver
# "any" como nome de host); use 0/0 ou simplesmente omita "-d". Os valores
# "200.xx.xx.xx" e "201.xx.xx.0" são marcadores - substitua pelas redes reais.
#
if [ "$BLOCKPORTSSH22" = "1" ]
then
#-----------------------------------------------------------------------------
#Grava em log as tentativas de acesso na porta 22 SSH. Para que funcione,
#adicione no arquivo /etc/syslogd.conf a seguinte linha:
#*.=alert -/var/log/firewall.log
#Nota: sem "--syn" a regra registra TODOS os pacotes com destino 22 (inclusive
#os das conexões já aceitas), o que enche o log; considere "-p tcp --syn --dport 22".
$IPTABLES -I INPUT -p tcp --dport 22 -j LOG --log-level 1 --log-prefix 'SSH ->'
#------------------------------------------------------------------------------
$IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT -d any/0 -s 200.xx.xx.xx/255.255.255.192
# $IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT -d $IP -s any/0
# $IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT -d $IP -s 199.168.40.0/255.255.255.0
$IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT -d $IP -s 201.xx.xx.0/255.255.255.0
$IPTABLES -A INPUT -p TCP --dport 22 -j DROP
/bin/echo "BLOCKPORTSSH22 Ativando ............... OK!! "
fi
#
### Bloqueia porta 23 Telnet (libera só localhost e uma rede /26)
# Nota: Telnet trafega usuário e senha em texto claro; o ideal é não expor o
# serviço, mesmo para as origens liberadas aqui.
#
if [ "$BLOCKPORTTELNET23" = "1" ]
then
$IPTABLES -A INPUT -p TCP --dport 23 -j ACCEPT -d $IP -s 127.0.0.1
$IPTABLES -A INPUT -p TCP --dport 23 -j ACCEPT -d $IP -s 200.xx.xx.xx/255.255.255.192
$IPTABLES -A INPUT -p TCP --dport 23 -j DROP
/bin/echo "BLOCKPRTTELNET23 Ativando ............... OK!! "
fi
#------------>>> Continua...