iptables (firewall)
Firewall script using iptables
Category: Security
Software: iptables
By: Profile removed
The file serves me as a template for writing simple firewall scripts. The script touches on several aspects, but it is only meant to give good protection on machines for personal use.
This template was produced with the help of the Kurumin firewall configurator written by Carlos Morimoto.
To use it, start the script at boot.
#!/bin/bash
# --------------------------------------------------------------------
# The commands below were taken from the firewall configuration
# script (configurar-firewall) by Carlos Morimoto that ships
# with Kurumin
# --------------------------------------------------------------------
# iptables configuration script
# This script can be used on other Linux distributions
# running kernel 2.4 or later
# --------------------------------------------------------------------
# Every command of the configuration script was run and a few things,
# such as the layout, were changed
# The file was commented more thoroughly so that it can serve as a
# template for configuring other firewalls
# --------------------------------------------------------------------
# Written on 01/07/2005 by J. F. Mitre
# --------------------------------------------------------------------

firewall_start(){

#############################################################
# Open the firewall to the local-network addresses (TCP/UDP)
#############################################################
# The IP range is 192.168.0.0; it could be 10.1.0.0
# netmask 255.255.255.0
# i.e. with this mask the IPs are 192.168.0.Y (or 10.1.0.Y);
# use 255.255.0.0 if the whole 192.168.X.Y range should match
#############################################################
# iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.0/255.255.255.0 -j ACCEPT
#############################################################

#############################################################
# Open the firewall to the internet
#############################################################
# Port 22   : default SSH port
# Port 6666 : SSH server on Galileu
# Note: the rule below actually opens 2222; set it to the port
# your sshd really listens on, and nothing else
iptables -A INPUT -p tcp --destination-port 2222 -j ACCEPT
#
# Port 4662 : aMule (and related) - INPUT tcp
# Port 4665 : aMule (and related) - OUTPUT udp
# Port 4672 : aMule (and related) - auxiliary port
iptables -A INPUT -p tcp --destination-port 4662 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 4665 -j ACCEPT
#iptables -A OUTPUT -p udp --destination-port 4672 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 4672 -j ACCEPT
#
# Port 6881 : BitTorrent
iptables -A INPUT -p tcp --destination-port 6881 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 6881 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 6881 -j ACCEPT
#iptables -A OUTPUT -p tcp --destination-port 6881 -j ACCEPT

#############################################################
# Protect the computer from attacks coming from the internet
#############################################################
# Ignore pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Protect against SYN flood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#
# Protection against ICMP broadcasts (smurf)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Block traceroute
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
#
# Assorted protections against port scanners, ping of death, DoS attacks, etc.
# The FORWARD rules only matter when IP forwarding is enabled, and because
# this script never sets a chain policy, forwarded traffic they do not
# match is still accepted
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
#iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
# Chain that drops TCP packets with impossible flag combinations
# (null, xmas, SYN+FIN, SYN+RST scans)
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# The original created VALID_CHECK but never jumped to it, so the rules
# above were dead. Insert the jump at the head of INPUT so the flag checks
# run before the per-port ACCEPT rules appended earlier
iptables -I INPUT 1 -p tcp -j VALID_CHECK

#############################################################
# Open the loopback interface
#############################################################
# This rule is essential for KDE, GNOME and other graphical
# programs to work properly.
#############################################################
# Note: the first rule trusts the source address rather than the
# interface; the "-i lo" rule is the one to rely on, since it cannot be
# satisfied by a spoofed 127.x source arriving on a real interface
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#############################################################
# Close UDP ports 1 to 1024, leave them open for localhost
#############################################################
# Note: with no INPUT policy set, UDP ports above 1024 (except the one
# dropped explicitly below) stay reachable from the internet
iptables -A INPUT -p udp -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp --dport 1:1024 -j DROP
iptables -A INPUT -p udp --dport 59229 -j DROP
#############################################################

#############################################################
# Redirect a port range to a machine on the local network
#############################################################
# The port range is 7000:7110
# The destination machine's IP is 192.168.0.2
# The interface is ppp0
# (also needs: echo "1" > /proc/sys/net/ipv4/ip_forward)
#############################################################
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7000:7110 -j DNAT --to-dest 192.168.0.2
# iptables -A FORWARD -p tcp -i ppp0 --dport 7000:7110 -d 192.168.0.2 -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 7000:7110 -j DNAT --to-dest 192.168.0.2
# iptables -A FORWARD -p udp -i ppp0 --dport 7000:7110 -d 192.168.0.2 -j ACCEPT
#############################################################

#############################################################
# Block P2P programs
#############################################################
# Note: the address blocks below date from 2005 and have most likely
# been reassigned since; verify them before reusing these rules
# iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
# BearShare
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
# Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
# Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
# KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
#iptables -A INPUT -m string --string "X-Kazaa" -j DROP
# Limewire
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
# Napster
iptables -A OUTPUT -p TCP --dport 6699 -j DROP
iptables -A FORWARD -p TCP --dport 6699 -j DROP
iptables -A OUTPUT -p UDP --dport 6699 -j DROP
iptables -A FORWARD -p UDP --dport 6699 -j DROP
#
# GNUtella
# iptables -A OUTPUT -p TCP --dport 6346 -j DROP
# iptables -A FORWARD -p TCP --dport 6346 -j DROP
# iptables -A OUTPUT -p UDP --dport 6346 -j DROP
# iptables -A FORWARD -p UDP --dport 6346 -j DROP
# AIM
iptables -A OUTPUT -p TCP --dport 4009 -j DROP
iptables -A FORWARD -p TCP --dport 4009 -j DROP
iptables -A OUTPUT -p UDP --dport 4009 -j DROP
iptables -A FORWARD -p UDP --dport 4009 -j DROP
#
# MSN
# iptables -A OUTPUT -p TCP --dport 1863 -j DROP
# iptables -A FORWARD -p TCP --dport 1863 -j DROP
# iptables -A OUTPUT -p UDP --dport 1863 -j DROP
# iptables -A FORWARD -p UDP --dport 1863 -j DROP
#
# ICQ
# iptables -A OUTPUT -p TCP --dport 4000 -j DROP
# iptables -A FORWARD -p TCP --dport 4000 -j DROP
# iptables -A OUTPUT -p UDP --dport 4000 -j DROP
# iptables -A FORWARD -p UDP --dport 4000 -j DROP
# iptables -A OUTPUT -p TCP --dport 5190 -j DROP
# iptables -A FORWARD -p TCP --dport 5190 -j DROP
# iptables -A OUTPUT -p UDP --dport 5190 -j DROP
# iptables -A FORWARD -p UDP --dport 5190 -j DROP

#############################################################
# EXCLUSION RULE (catch-all)
#############################################################
# Drop every new incoming TCP connection not accepted above. This is
# the only catch-all in the script: no chain policy is ever set, so
# anything else (UDP above 1024, all forwarding) is accepted by default
iptables -A INPUT -p tcp --syn -j DROP
}

firewall_stop(){
iptables -F
iptables -X
# also flush the nat table, in case the redirect section is enabled
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
  "start")
    echo -n "Starting kurumin-firewall ..."
    firewall_start
    echo " Ok!"
    ;;
  "stop")
    echo -n "Stopping kurumin-firewall ..."
    firewall_stop
    echo " Ok!"
    ;;
  "restart")
    echo -n "Stopping kurumin-firewall ..."
    firewall_stop
    echo " Ok!"
    echo -n "Starting kurumin-firewall ..."
    firewall_start
    echo " Ok!"
    ;;
  *)
    echo "This is your firewall configuration"
    echo
    iptables -L -n
    ;;
esac
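As a check on the template above, the following shell lint reads an `iptables -S`-style listing and reports three things a reader of this script should notice: user-defined chains that no rule jumps to (the script creates VALID_CHECK but never sends traffic through it), INPUT and FORWARD chains whose policy is not DROP (the script never sets a policy, so whatever its rules do not match is accepted), and INPUT rules that accept a port from any source. It is an added example, not part of the original script or of Morimoto's configurator. Both rule sets inside it are constructed by hand: SAMPLE_RULES approximates what `iptables -S` would print after firewall_start, and FIXED_RULES is a hypothetical default-deny variant of the same rules. Nothing in it calls iptables, so it runs without root.

```shell
#!/bin/sh
# Lint for iptables rule listings (output of `iptables -S`, or the filter
# section of iptables-save). Added example; both listings are constructed.

# Constructed: roughly what `iptables -S` prints after firewall_start above.
# `--syn` is shown as `--tcp-flags FIN,SYN,RST,ACK SYN` in such a listing.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N VALID_CHECK
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p udp -m udp --dport 33435:33525 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 1:1024 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A VALID_CHECK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A VALID_CHECK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'

# Constructed: a hypothetical default-deny rewrite. Policies are DROP,
# VALID_CHECK is actually jumped to, and SSH is limited to the LAN.
FIXED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N VALID_CHECK
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -j VALID_CHECK
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 2222 -j ACCEPT
-A VALID_CHECK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'

# User-defined chains (-N) that no rule targets with -j or -g: dead code.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '
        $1 == "-N" { declared[$2] = 1 }
        $1 == "-A" { for (i = 3; i <= NF; i++) if ($i == "-j" || $i == "-g") referenced[$(i + 1)] = 1 }
        END { for (c in declared) if (!(c in referenced)) print c }' | sort
}

# Built-in chains that decide incoming/forwarded traffic by default-allow.
# OUTPUT is deliberately not checked; personal machines usually leave it ACCEPT.
open_policies() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 != "DROP" { print $2 }'
}

# INPUT rules that ACCEPT a destination port without restricting the source
# address (-s) or the interface (-i): reachable from the whole internet.
world_open_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && $(NF - 1) == "-j" && $NF == "ACCEPT" {
            proto = "any"; port = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--destination-port") port = $(i + 1)
                if ($i == "-s" || $i == "-i") scoped = 1
            }
            if (port != "" && !scoped) print proto "/" port
        }'
}

# Run all three checks; print the findings and return 1 if there were any.
lint_rules() {
    found=0
    for c in $(unreferenced_chains "$1"); do
        echo "dead chain, never jumped to: $c"; found=1
    done
    for c in $(open_policies "$1"); do
        echo "default-allow policy on: $c"; found=1
    done
    for p in $(world_open_ports "$1"); do
        echo "accepted from any source: $p"; found=1
    done
    return $found
}

# On a live machine run it as: lint_rules "$(iptables -S)"
echo "== constructed listing of the script above =="
if lint_rules "$SAMPLE_RULES"; then echo "no findings"; else echo "review the findings above"; fi
echo "== constructed default-deny variant =="
if lint_rules "$FIXED_RULES"; then echo "no findings"; else echo "review the findings above"; fi
```

The "accepted from any source" check is informational: a port you mean to expose to the internet (an SSH server you reach from outside, a BitTorrent listener) will be listed, and that is the point, since the listing makes the exposure explicit rather than implied by a missing policy.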