- script para avaliação
script para avaliação
Gostaria que avaliassem o script.
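#!/bin/bash
# /etc/init.d/firewall
# processname: iptables
# pidfile : /var/run/iptabless.pid
#
# Interfaces (as documented by the author):
#   eth1 - Internet-facing interface
#   eth0 - local network (LAN) interface
# Site-specific addresses, masked by the author:
#ip 200.xxxx
#dns 255.xxxx
#gat 200.xxxxx

# Standard SysV init helpers and the global NETWORKING switch.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

# Quoted so an unset NETWORKING does not turn the test into a syntax error
# (the unquoted form produced "unary operator expected" and fell through).
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi

iptables=/sbin/iptables
modprobe=/sbin/modprobe
# Service name used by the stop/restart/status messages below; it was
# commented out in the original, so those messages printed an empty name.
prog=firewall
# iplog command line. It is defined here but not started anywhere in this
# script; kept for reference.
LOG="iplog -i eth1 -w -d -l /var/log/iplogs"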
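# Dispatch on the init action. All chains are rebuilt from scratch on "start".
case "$1" in
  start)
    echo -n "Iniciando o servico de $prog - carregando modulos"
    # Netfilter modules: filter/nat tables, conntrack (+ FTP helper) and the
    # targets/matches used by the rules below.
    $modprobe ip_tables
    $modprobe iptable_filter
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ipt_LOG
    $modprobe ipt_state
    $modprobe ipt_REJECT
    $modprobe ipt_MASQUERADE
    echo " modulo carregado"

    echo -n "flushing resetando firewall "
    # Start from a clean slate in every table so a re-run never duplicates rules.
    $iptables -F INPUT
    $iptables -F OUTPUT
    $iptables -F FORWARD
    $iptables -Z
    $iptables -X
    $iptables -t nat -F
    $iptables -t nat -X
    $iptables -t mangle -F
    $iptables -t mangle -X
    echo " [ok]"

    echo -n "politica geral "
    # Default-deny for INPUT and FORWARD; anything not explicitly accepted is dropped.
    $iptables -P INPUT DROP
    $iptables -P FORWARD DROP
    $iptables -P OUTPUT ACCEPT
    echo " [ok]"

    echo -n "Ativando protecao de Entrada(Kernel) "
    echo 1 > /proc/sys/net/ipv4/ip_forward                    # routing is required for NAT
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast pings
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # SYN cookie protection
    # ip_always_defrag is not available on 2.4+ kernels (conntrack defragments
    # by itself); the original line was already disabled and is left out.
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # reverse-path check against spoofed sources
    # 0 = the kernel still answers echo requests; ping filtering is done by the
    # rules below (the original comment claimed this blocks ping, which it does not).
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo " [ok]"

    echo -n "Ativando protecao de Entrada(INPUT)"
    $iptables -I INPUT -i lo -j ACCEPT
    $iptables -I OUTPUT -o lo -j ACCEPT
    # Loopback sources on any non-loopback interface are spoofed. The negation
    # belongs before the option: "-i ! lo" is rejected by newer iptables.
    $iptables -I INPUT ! -i lo -s 127.0.0.0/255.0.0.0 -j DROP
    # NOTE(review): this accepts every non-SYN TCP segment from the Internet
    # regardless of connection state, ahead of the stateful rule further down.
    # With ip_conntrack loaded, the RELATED,ESTABLISHED rule already admits
    # return traffic, so this rule only widens exposure. Kept unchanged here
    # because removing it would cut off return traffic if conntrack failed to load.
    $iptables -A INPUT -p tcp ! --syn -i eth1 -j ACCEPT
    echo " [ok]"

    echo -n "liberar ping para minha rede"
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT   # echo-request from the LAN
    $iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT           # echo-reply from anywhere
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -j DROP     # no echo-request from the Internet
    echo " [ok]"

    echo -n "Evitando Spoofing"
    # Private, loopback, multicast and reserved ranges must never arrive on eth1.
    $iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
    $iptables -A INPUT -s 127.0.0.0/8 -i eth1 -j DROP
    $iptables -A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
    $iptables -A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
    $iptables -A INPUT -s 224.0.0.0/4 -i eth1 -j DROP
    $iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -i eth1 -j DROP   # already covered by 224.0.0.0/4 above
    $iptables -A INPUT -s 240.0.0.0/5 -i eth1 -j DROP
    $iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -i eth1 -j DROP
    echo " [ok]"

    echo -n "Liberando acesso do localhost..."
    $iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT   # already covered by the "-I INPUT -i lo" rule
    echo " [ok]"

    echo -n "Otimizando o roteamento..."
    # Stateful shortcut: packets belonging to known connections are accepted here.
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo " [ok]"

    echo -n "Liberando o acesso ao squid e outras portas"
    # NOTE(review): eth1 is the Internet interface (see header) and anything from
    # 192.168.0.0/16 on eth1 is dropped in the anti-spoofing block above, so none
    # of these 192.168.0.0/24 rules can ever match. If the LAN is 192.168.0.0/24
    # they most likely belong on eth0 -- confirm. The first rule also accepts every
    # TCP port, which would make the per-port rules after it redundant.
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 3128 -j ACCEPT   # squid
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 20000:30000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 7002 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 5273 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 631 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 8080 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 8999 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 23000 -j ACCEPT
    $iptables -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 137:139 -j ACCEPT   # netbios
    $iptables -A INPUT -p udp -i eth1 -s 192.168.0.0/24 --dport 137:139 -j ACCEPT   # netbios
    # Services exposed to the Internet.
    # NOTE(review): 445 (SMB) and 8080 open to the Internet deserve a second
    # look -- confirm they are meant to be public.
    $iptables -A INPUT -p tcp -i eth1 --dport 20 -j ACCEPT     # ftp-data
    $iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT     # ftp
    $iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT     # dns
    $iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT     # dns
    $iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT     # http
    $iptables -A INPUT -p tcp -i eth1 --dport 110 -j ACCEPT    # pop3
    $iptables -A INPUT -p tcp -i eth1 --dport 443 -j ACCEPT    # https
    $iptables -A INPUT -p tcp -i eth1 --dport 445 -j ACCEPT    # microsoft-ds
    $iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT
    echo " [ok]"

    echo -n "liberando respostas"
    # Services offered to the LAN (eth0); --syn restricts these to connection setup.
    $iptables -A INPUT -p tcp -i eth0 --dport 20 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 21 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 23 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 25 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 80 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 110 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -i eth0 --dport 443 --syn -j ACCEPT
    $iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT   # duplicate of the ping rule above
    $iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT           # duplicate of the echo-reply rule above
    # Whatever reaches this point is unsolicited: log it, then drop it.
    $iptables -A INPUT -j LOG --log-prefix "Pacote input descartado:" --log-level 6
    $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # redundant: already accepted earlier
    # NOTE(review): this terminal DROP ends INPUT processing. Every INPUT rule
    # appended after it (fragment handling, trojan-port drops/rejects, the port
    # and backdoor LOG rules, the syn-flood chain, the string matches and the
    # 6588 test rules) can never match. It is also redundant with "-P INPUT DROP".
    # Left in place so the live behaviour is unchanged; move it to the end of the
    # INPUT section once the rules below have been reviewed.
    $iptables -A INPUT -j DROP
    echo " [OK]"

    echo -n "Bloqueando pacotes fragmentados..."
    $iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote input fragmentado:" --log-level 6
    $iptables -A INPUT -i eth1 -f -j DROP
    echo " [OK]"

    echo -n "Monitorando portas proibidas"
    # Well-known trojan/backdoor ports. The last six rules used a bare "iptables"
    # instead of "$iptables"; they now go through the same binary as the rest.
    $iptables -A INPUT -p tcp -i eth1 --dport 31337 -j DROP          # back orifice
    $iptables -A INPUT -p udp -i eth1 --dport 31337 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 12345:12346 -j DROP    # netbus
    $iptables -A INPUT -p udp -i eth1 --dport 12345:12346 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 1524 -j DROP           # trin00
    $iptables -A INPUT -p tcp -i eth1 --dport 27665 -j DROP          # trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 27444 -j DROP          # trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 31335 -j DROP          # trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 34555 -j DROP          # trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 35555 -j DROP          # trinoo
    $iptables -A INPUT -p tcp -i eth1 --dport 113 -j REJECT          # ident: reject so clients do not hang
    $iptables -A INPUT -p udp -i eth1 --dport 113 -j REJECT
    $iptables -A INPUT -p udp -i eth1 --dport 135 -j REJECT          # worm traffic
    $iptables -A INPUT -p tcp -i eth1 --dport 5999:6003 -j DROP      # X server
    $iptables -A INPUT -p udp -i eth1 --dport 5999:6003 -j DROP
    $iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP           # X font server
    $iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP   # traceroute probes
    $iptables -A INPUT -p tcp -i eth1 --dport 666 -j DROP            # trojan
    $iptables -A INPUT -p udp -i eth1 --dport 666 -j DROP            # trojan
    $iptables -A INPUT -p tcp -i eth1 --dport 4000 -j DROP           # trojan
    $iptables -A INPUT -p tcp -i eth1 --dport 6000 -j DROP           # trojan
    $iptables -A INPUT -p tcp -i eth1 --dport 6006 -j DROP           # trojan
    $iptables -A INPUT -p tcp -i eth1 --dport 16660 -j DROP          # trojan
    echo " [OK]"

    # The original message announced iplog output under /var/log that this
    # script never starts ($LOG is only defined); describe what the rules do.
    echo -n "Registrando acessos a portas de servico..."
    $iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Porta FTP:" --log-level 6
    $iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Porta SSH:" --log-level 6
    $iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Porta TELNET:" --log-level 6
    $iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "Porta NETBUI:" --log-level 6
    echo " [OK]"

    echo -n "Monitorando BackDoors..."
    $iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Porta Wincrash:" --log-level 6
    $iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Porta BackOrifice:" --log-level 6
    echo " [OK]"

    echo -n "Bloqueio a IP spoofing"
    # SYN rate limiting on the LAN side (the author labels it spoofing protection):
    # SYNs within the limit RETURN to INPUT, the rest are dropped.
    $iptables -N syn-flood
    $iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
    $iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $iptables -A syn-flood -j DROP
    echo " [OK]"

    # FORWARD chain (traffic routed between LAN and Internet).
    # NOTE(review): the "unclean" match was an experimental extension that is
    # not available on current kernels; where it is missing this rule fails to load.
    $iptables -A FORWARD -m unclean -j DROP
    # NOTE(review): these rate-limited ACCEPTs match both directions and end
    # chain traversal, so a trickle of new connections is forwarded before the
    # eth1 NEW/INVALID drop below is ever consulted -- confirm that is intended.
    $iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    echo " [OK]"

    echo -n "Descartando pacotes invalidos para reenvio..."
    $iptables -A FORWARD -m state --state INVALID -j DROP
    echo " [OK]"

    echo -n "forward portas 20 21 22 53 "
    # NOTE(review): "-o eth1" is the Internet side, so this drops connections the
    # LAN tries to open towards the Internet. If the goal was to block unsolicited
    # inbound connections, the match should be "-i eth1" -- confirm.
    $iptables -A FORWARD -o eth1 -m state --state NEW,INVALID -j DROP
    $iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # NOTE(review): matching on source port alone trusts whatever port the remote
    # end chooses. With the stateful rule above covering replies, these are better
    # expressed as --dport rules for the NEW direction.
    $iptables -A FORWARD -p tcp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p udp --sport 53 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 21 -j ACCEPT
    $iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
    echo " [OK]"
    #$iptables -A FORWARD -j LOG --log-prefix "Pacote forward descartado:" --log-level 6

    echo -n "forward portas bloqueios "
    # P2P service networks rejected for LAN clients.
    $iptables -A FORWARD -d 64.49.201.0/24 -j REJECT     # winMx
    $iptables -A FORWARD -d 64.245.58.0/23 -j REJECT     # audiogalaxy
    $iptables -A FORWARD -d 206.142.53.0/24 -j REJECT    # morpheus
    $iptables -A FORWARD -d 209.61.186.0/24 -j REJECT    # winMx
    $iptables -A FORWARD -d 209.25.178.0/24 -j REJECT    # napigator
    $iptables -A FORWARD -d 213.248.112.0/24 -j REJECT   # kazaa
    $iptables -A FORWARD -d 216.35.208.0/24 -j REJECT    # imesh
    # "-- dport" (with a space) makes iptables stop option parsing and reject the
    # rule, so these three never loaded; the option is --dport.
    $iptables -A FORWARD -p tcp --dport 6346 -j REJECT           # bearshare / limewire
    $iptables -A FORWARD -p tcp --dport 1214 -j REJECT           # morpheus / kazaa
    $iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT    # worm traffic from the LAN
    # NOTE(review): terminal DROP -- the FORWARD rules for port 6588 appended
    # further down can never match.
    $iptables -A FORWARD -j DROP
    echo " [OK]"

    echo -n " ATIVANDO NAT "
    # NOTE(review): eth0 is the LAN side; masquerading towards the LAN rewrites
    # Internet source addresses to the gateway's and is usually unintended. Only
    # the eth1 rule at the end of this block should be needed -- confirm.
    $iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # Transparent proxy. "-- to-port" (with a space) was rejected by iptables;
    # the REDIRECT option is --to-ports.
    # NOTE(review): after REDIRECT these packets enter INPUT with dport 3128, and
    # the only INPUT rule accepting 3128 is the eth1/192.168.0.0/24 one that
    # cannot match -- the transparent-proxy path looks blocked; confirm.
    $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6588 -j REDIRECT --to-ports 3128   # proxy-in-proxy attempt
    # "-m -multport" was a typo for "-m multiport"; the rule never loaded.
    # NOTE(review): sending 21/22/25/53/110 to an HTTP proxy breaks those
    # protocols for LAN clients -- confirm the port list.
    $iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 21,22,25,53,80,110 -j REDIRECT --to-ports 3128
    $iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # masquerade LAN traffic leaving to the Internet
    echo " [OK]"

    echo " Diminuindo delay da rede para servi?os essenciais "
    # Interactive/essential services get Minimize-Delay. The full option name is
    # --set-tos; the original --set-to relied on option-prefix matching.
    $iptables -t mangle -A INPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 443 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A INPUT -p tcp --dport 3128 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 8999 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A FORWARD -p udp --sport 23000 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 25 -j TOS --set-tos Minimize-Delay
    $iptables -t mangle -A FORWARD -p tcp --sport 110 -j TOS --set-tos Minimize-Delay
    echo " [OK]"

    echo -n " kazaa"
    # Payload matching on INPUT. NOTE(review): these sit after the terminal INPUT
    # DROP and never match; on kernels using xt_string the match additionally
    # requires "--algo bm" (or kmp) to load.
    $iptables -A INPUT -m string --string "X-Kazaa" -j DROP
    # The original lacked the space before -j, giving the string "cmd.exe-j" and
    # a stray "DROP" argument.
    $iptables -A INPUT -m string --string "cmd.exe" -j DROP   # IIS worm probes
    echo " [ok]"

    echo -n " teste"
    # Test rules left by the author. The INPUT and FORWARD entries are unreachable
    # (terminal DROPs above) and the OUTPUT policy is already ACCEPT.
    $iptables -A INPUT -m string -i eth0 --string "www.submarino.com.br" -j DROP
    $iptables -A INPUT -p tcp --dport 6588 -j ACCEPT
    $iptables -A FORWARD -p tcp --dport 6588 -j ACCEPT
    $iptables -A OUTPUT -p tcp --dport 6588 -j ACCEPT
    $iptables -A INPUT -p udp --dport 6588 -j ACCEPT
    $iptables -A FORWARD -p udp --dport 6588 -j ACCEPT
    $iptables -A OUTPUT -p udp --dport 6588 -j ACCEPT
    echo " [ok]"
    ;;
  stop)
    echo -n $"Parando o servi?o de $prog:"
    # Flush and delete everything, then reset the policies. Without the -P lines
    # "stop" left INPUT/FORWARD at DROP with no ACCEPT rules, cutting off all
    # traffic (including a remote administrator) instead of opening the host.
    $iptables -F
    $iptables -X
    $iptables -t nat -F
    $iptables -t nat -X
    $iptables -t mangle -F
    $iptables -t mangle -X
    $iptables -P INPUT ACCEPT
    $iptables -P FORWARD ACCEPT
    $iptables -P OUTPUT ACCEPT
    echo
    ;;
  restart)
    echo -n $"Reiniciando o servi?o de $prog:"
    $0 stop
    $0 start
    echo
    ;;
  status)
    echo -n $"Status do servi?o de $prog:"
    $iptables -L
    $iptables -L -t nat
    $iptables -L -t mangle
    echo
    ;;
  *)
    echo -n $"Uso: iptables (start|stop|restart|status)"
    echo
    ;;
esac
exit 0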
Obrigado
Max_mori
avaliar
max_mori
Esta questão de avaliação é muito relativa, pois irá depender do que você está buscando como resultado com a implementação do firewall. Então, para que possamos avaliar seu firewall, poderia nos responder às seguintes perguntas?
- O que você quer bloquear com esse firewall? Trojans, port scanners, worms...?
- Você irá liberar acesso SSH para alguém em particular?
- Fará direcionamento para algum proxy?
- Você pretende liberar algumas portas para programas específicos?
Isto é apenas o básico... poste qual é a sua filosofia e ideia de proteção para seu servidor ou rede.
Abraços