rc.firewall

IPTables (rc.firewall)

neonx

Firewall simples utilizando apenas PREROUTING para fechar sua rede liberando apenas o necessário

Categoria: Segurança

Software: IPTables

[ Hits: 16.001 ]

Por: Ânderson P. R. Rodrigues

0 0

Denuncie Favoritos Indicar

Firewall que utilizo na empresa usando iptables e algumas regras de PREROUTING ao qual achei mais fácil de manusear e utilizar.

Primeiramente fechei todas as portas e liberei apenas o necessário, levei como base a seguinte regra:a 2 (dois) INPUT ou OUTPUT equivalem a um PREROUTING com NAT.

#!/bin/bash

stop ()
{
        echo "0" > /proc/sys/net/ipv4/ip_forward
        iptables -F
        iptables -X
}

start ()
{

############################# Limpar as regras primeiro
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X -t mangle


############################# Insere os modulos kernel
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_multiport 
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_MARK

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "0" > /proc/sys/net/ipv4/tcp_ecn

###########################################
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

########### LOGS ######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j LOG --log-prefix "LOG ICQ: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j LOG --log-prefix "LOG MSN: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "Serviço SSH: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG --log-prefix "Serviço FTP: "

#####################################
# PROTECAO EXTRA
#####################################

############## Brute Force ############
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

############# Proteção contra trojans ################
/usr/sbin/iptables -N TROJAN
/usr/sbin/iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
/usr/sbin/iptables -A TROJAN -j DROP
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN

############## Proteção contra worms #################
/usr/sbin/iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT 

############## SYN-flood ############
/usr/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

############## ping da morte ########
/usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

########### Port Scanners ###########
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

########## IP Spoofing ##############
/usr/sbin/iptables -N syn-flood
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

######## anomalias de pacotes #######
/usr/sbin/iptables -A FORWARD -m unclean -j DROP

################### CEF ########################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

############################# Redirecionar 80, 3128 -> 3128

/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j DNAT --to-destination 192.168.0.1:3128
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80   -s 192.168.0.0/24 -j DNAT --to-destination 192.168.0.1:3128

############################# Aceitar lista de portas padrao
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21   -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22   -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 23   -j ACCEPT -s 192.168.0.145
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25   -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53   -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80   -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110  -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443  -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465  -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 500  -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587  -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995  -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3306 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5017 -j ACCEPT -s 192.168.0.0/24

########## ICQ ################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j ACCEPT -s 192.168.0.50

########### MSN #######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT -s 192.168.0.128 


######################################
# Filtros de portas udp
######################################
/usr/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT


########### Apos feitas as regras rejeitar todos os outros pacotes
/usr/sbin/iptables -t nat -p tcp -A PREROUTING -j DROP
/usr/sbin/iptables -t nat -p udp -A PREROUTING -j DROP

}

if [ $# -lt 1 ]; then
        echo "$1 { start | stop | restart }";
        exit 1;
fi

if [ $1 == "start" ]; then
        echo "Iniciando o servidor firewall iptables v1.3.3 ... ";
        start;
fi

if [ $1 == "stop" ]; then
        echo "Parando o servidor firewall iptables v1.3.3 ... ";
        stop;
fi

if [ $1 == "restart" ]; then
        echo "Parando o servidor firewall iptables v1.3.3 ... ";
        stop;
        echo "Iniciando o servidor firewall iptables v1.3.3 ... ";
        start;
fi

Comentários

[1] Comentário enviado por russosummer em 16/11/2006 - 08:44h

Bom dia!! se fosse inserir um regra para liberar o skype, ficaria como?? outra coisa ele funciona utilizando um squid com autenticação de usuários??

Muito Obrigado!!

0 0

[2] Comentário enviado por gilberto.russo em 20/11/2006 - 21:38h

Colega,

regras bem montadas. Parabéns!

Gilberto Russo
Conductor Tecnologia SA

0 0

[3] Comentário enviado por neonx em 06/12/2006 - 14:22h

russosummer... o skype está liberado nessa condição de regra pois está usando com squid transparente.. tirando o redirecionamento do squid e usando squid autenticado o skype estaria bloqueado (usando as regras do squid)...

0 0

[4] Comentário enviado por jogador em 08/12/2006 - 11:36h

onde coloca esse aaarquivo?
ou faz um script?

0 0

[5] Comentário enviado por neonx em 08/12/2006 - 13:07h

jogador... coloque esse arquivo na inicialização do seu linux... vc pode criar um arquivo rc.firewall com permissao de execução...

0 0

[6] Comentário enviado por lutamos em 11/12/2006 - 14:33h

Bem escrita. Os comentários tornam o entendimento mais fácil
Parabéns

0 0

[7] Comentário enviado por eduardomiranda em 04/01/2007 - 17:25h

Dúvidas no iptables --->

Configurei meu iptables para que houvesse o minímo de acesso possível (eu acredito nisso ....).

Porém apos o funcionamento do mesmo e a uma boa experiência com seu uso.
Agora que instalei o ntop e seu uso na porta 3000,

inseri as seguinte regras no iptables

#Acesso localhost
IPTABLES -A INPUT -p TCP -s 127.0.0.1/8 --dport 3000 ACCEPT

#ACESSO DA MINHA REDE AO HOST QUE ESTA RODANDO O NTOP
IPTABLES -A INPUT -p TCP -s 192.168.0.0/24 --dport 3000 ACCEPT

#REJEITO TODAS AS OUTRAS CONEXÕES, EVITANDO QUE O ACESSO A PORTA 3000 (NTOP) SEJA DISPONIBILIZADA VIA INTERNET
IPTABLES -A INPUT -p TCP -s 0/0 --dport 3000 REJECT

Peço a todos, que se possível avaliem e comentem essas instruções, considerando que anterior a isto o iptables bloqueia tudo e quem sabe esse poderá ser um artigo para liberar o NTOP na REDE interna auxiliando outros usuários iniciantes no Mundo LINUX.

Grato !

0 0

[8] Comentário enviado por neonx em 15/01/2007 - 18:16h

eduardomiranda.... seria legal vc postar o seu conf pra gente dar uma analisada e tratar melhor os dados.... aí acho que ficaria mais facil para entender

0 0

[9] Comentário enviado por comfaa em 28/10/2008 - 10:44h

muito bom !!

0 0

[10] Comentário enviado por carlosbboy em 25/12/2008 - 19:59h

Firewall que utilizo na empresa usando iptables e algumas regras de PREROUTING ao qual achei mais fácil de manusear e utilizar.

Primeiramente fechei todas as portas e liberei apenas o necessário, levei como base a seguinte regra:a 2 (dois) INPUT ou OUTPUT equivalem a um PREROUTING com NAT.

#!/bin/bash

stop ()
{
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
}

start ()
{

############################# Limpar as regras primeiro
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X -t mangle

############################# Insere os modulos kernel
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_MARK

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "0" > /proc/sys/net/ipv4/tcp_ecn

###########################################
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

########### LOGS ######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j LOG --log-prefix "LOG ICQ: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j LOG --log-prefix "LOG MSN: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "Serviço SSH: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG --log-prefix "Serviço FTP: "

#####################################
# PROTECAO EXTRA
#####################################

############## Brute Force ############
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

############# Proteção contra trojans ################
/usr/sbin/iptables -N TROJAN
/usr/sbin/iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
/usr/sbin/iptables -A TROJAN -j DROP
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN

############## Proteção contra worms #################
/usr/sbin/iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT

############## SYN-flood ############
/usr/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

############## ping da morte ########
/usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

########### Port Scanners ###########
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

########## IP Spoofing ##############
/usr/sbin/iptables -N syn-flood
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

######## anomalias de pacotes #######
/usr/sbin/iptables -A FORWARD -m unclean -j DROP

################### CEF ########################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

############################# Redirecionar 80, 3128 -> 3128

/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j DNAT --to-destination 192.168.0.1:3128
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -j DNAT --to-destination 192.168.0.1:3128

############################# Aceitar lista de portas padrao
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 23 -j ACCEPT -s 192.168.0.145
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 500 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3306 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5017 -j ACCEPT -s 192.168.0.0/24

########## ICQ ################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j ACCEPT -s 192.168.0.50

########### MSN #######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT -s 192.168.0.128

######################################
# Filtros de portas udp
######################################
/usr/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT

########### Apos feitas as regras rejeitar todos os outros pacotes
/usr/sbin/iptables -t nat -p tcp -A PREROUTING -j DROP
/usr/sbin/iptables -t nat -p udp -A PREROUTING -j DROP

}

if [ $# -lt 1 ]; then
echo "$1 { start | stop | restart }";
exit 1;
fi

if [ $1 == "start" ]; then
echo "Iniciando o servidor firewall iptables v1.3.3 ... ";
start;
fi

if [ $1 == "stop" ]; then
echo "Parando o servidor firewall iptables v1.3.3 ... ";
stop;
fi

if [ $1 == "restart" ]; then
echo "Parando o servidor firewall iptables v1.3.3 ... ";
stop;
echo "Iniciando o servidor firewall iptables v1.3.3 ... ";
start;
fi

0 0