iptables (firewall)

Firewall script using iptables

Category: Security

Software: iptables

[ Hits: 12,300 ]

By: Profile removed


This file serves me as a template for writing simple firewall scripts. The script touches on several aspects, but it aims only at good protection for personal-use machines.

This template was generated with the help of the Kurumin firewall configurator created by Carlos Morimoto.

To use it, run the script at boot.


#!/bin/bash

# --------------------------------------------------------------------
# The commands below were taken from the firewall configuration
# script (configurar-firewall) by Carlos Morimoto that ships
# with Kurumin
# --------------------------------------------------------------------
# iptables configuration script
# This script can be used on other Linux distributions
# running kernel 2.4 or later
# --------------------------------------------------------------------
# All commands of the firewall configuration script were run, and a
# few points such as the layout were changed.
# The file was commented more thoroughly so that it can serve as a
# template for configuring other firewalls
# --------------------------------------------------------------------
# Written on 01/07/2005 by J. F. Mitre
# --------------------------------------------------------------------

firewall_start(){

#############################################################
#     Open the firewall to the local network addresses (TCP/UDP)
#############################################################
# The IP range is 192.168.0.0, it could be 10.1.0.0
# netmask 255.255.255.0
# i.e. the IPs are of the form 192.168.X.Y (or 10.1.X.Y)
# (with a 255.255.255.0 mask only 192.168.0.Y actually matches;
# use 255.255.0.0 if the whole 192.168.X.Y range is wanted)
#############################################################
# iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.0/255.255.255.0 -j ACCEPT
#############################################################


#############################################################
#                 Open the firewall to the internet
#############################################################

# Port 22   : default SSH port
# Port 6666 : SSH server on Galileu
# (note: the comment says 6666, but the rule below opens 2222)
iptables -A INPUT -p tcp --destination-port 2222 -j ACCEPT
#
# Port 4662 : aMule (and related) - INPUT tcp
# Port 4665 : aMule (and related) - OUTPUT udp
# Port 4672 : aMule (and related) - auxiliary port
iptables -A INPUT -p tcp --destination-port 4662 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 4665 -j ACCEPT
#iptables -A OUTPUT -p udp --destination-port 4672 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 4672 -j ACCEPT
#
# Port 6881 : BitTorrent
iptables -A INPUT -p tcp --destination-port 6881 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 6881 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 6881 -j ACCEPT
#iptables -A OUTPUT -p tcp --destination-port 6881 -j ACCEPT

#############################################################
#           Protect the computer against attacks from the internet
#############################################################

# Ignore pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Protect against SYN flood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#
# Protection against ICMP broadcasts (smurf)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Block traceroute
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
#
# Assorted protections against port scanners, ping of death, DoS attacks, etc.
# (the FORWARD rules only take effect if this host routes traffic for others)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
#iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
#
# Drop TCP packets with flag combinations that never occur in normal
# traffic (typical of stealth scans)
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# Send incoming TCP through VALID_CHECK; without this jump the chain
# exists but is never consulted
iptables -A INPUT -p tcp -j VALID_CHECK

#############################################################
#                 Open the loopback interface
#############################################################
# This rule is essential for KDE, GNOME and other graphical programs
# to work properly.
#############################################################

iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#############################################################
# Close UDP ports 1 to 1024, leaving them open for localhost
#############################################################
iptables -A INPUT -p udp -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp --dport 1:1024 -j DROP
iptables -A INPUT -p udp --dport 59229 -j DROP
#############################################################

#############################################################
# Redirect a range of ports to a machine on the local network
#############################################################
# The port range is 7000:7110
# The destination machine's IP is 192.168.0.2
# The interface is ppp0
#############################################################
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7000:7110 -j DNAT --to-dest 192.168.0.2
# iptables -A FORWARD -p tcp -i ppp0 --dport 7000:7110 -d 192.168.0.2 -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 7000:7110 -j DNAT --to-dest 192.168.0.2
# iptables -A FORWARD -p udp -i ppp0 --dport 7000:7110 -d 192.168.0.2 -j ACCEPT
#############################################################

#############################################################
# Block P2P programs
# (several of these share ports 6346 and 1214, so some rules repeat)
#############################################################

# iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
# BearShare
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
# Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
# Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
# KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
#iptables -A INPUT -m string --string "X-Kazaa" -j DROP
# Limewire
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
# Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
# Napster
iptables -A OUTPUT -p TCP --dport 6699 -j DROP
iptables -A FORWARD -p TCP --dport 6699 -j DROP
iptables -A OUTPUT -p UDP --dport 6699 -j DROP
iptables -A FORWARD -p UDP --dport 6699 -j DROP
# # GNUtella
# iptables -A OUTPUT -p TCP --dport 6346 -j DROP
# iptables -A FORWARD -p TCP --dport 6346 -j DROP
# iptables -A OUTPUT -p UDP --dport 6346 -j DROP
# iptables -A FORWARD -p UDP --dport 6346 -j DROP
# AIM
iptables -A OUTPUT -p TCP --dport 4009 -j DROP
iptables -A FORWARD -p TCP --dport 4009 -j DROP
iptables -A OUTPUT -p UDP --dport 4009 -j DROP
iptables -A FORWARD -p UDP --dport 4009 -j DROP
# # MSN
# iptables -A OUTPUT -p TCP --dport 1863 -j DROP
# iptables -A FORWARD -p TCP --dport 1863 -j DROP
# iptables -A OUTPUT -p UDP --dport 1863 -j DROP
# iptables -A FORWARD -p UDP --dport 1863 -j DROP
# # ICQ
# iptables -A OUTPUT -p TCP --dport 4000 -j DROP
# iptables -A FORWARD -p TCP --dport 4000 -j DROP
# iptables -A OUTPUT -p UDP --dport 4000 -j DROP
# iptables -A FORWARD -p UDP --dport 4000 -j DROP
# iptables -A OUTPUT -p TCP --dport 5190 -j DROP
# iptables -A FORWARD -p TCP --dport 5190 -j DROP
# iptables -A OUTPUT -p UDP --dport 5190 -j DROP
# iptables -A FORWARD -p UDP --dport 5190 -j DROP

#############################################################
#                EXCLUSION RULE
#############################################################
# Drop any incoming TCP connection attempt not accepted above
iptables -A INPUT -p tcp --syn -j DROP


}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT   ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT  ACCEPT
}

case "$1" in
  "start")
        echo -n "O kurumin-firewall está sendo ativado ..."
        firewall_start
        echo " Ok!"
        ;;
  "stop")
        echo -n "O kurumin-firewall está sendo desativado ..."
        firewall_stop
        echo " Ok!"
        ;;
  "restart")
        echo -n "O kurumin-firewall está sendo desativado ..."
        firewall_stop
        echo " Ok!"
        echo -n "O kurumin-firewall está sendo ativado ..."
        firewall_start
        echo " Ok!"
        ;;
  *)
        echo "Essa é a sua configuração de Firewall"
        echo
        iptables -L -n
        ;;
esac
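Scripts like this one are easy to get subtly wrong: a chain created with -N that nothing jumps to is silently dead, a mistyped -j target only fails at load time, and copy-pasted rules repeat. The following static checker is an added example (not part of the original script); it runs over a constructed excerpt modelled on the rules above, from which the `-j VALID_CHECK` jump is deliberately left out so there is something to find.

```python
"""Static checks for an iptables shell script: user chains created with -N
but never jumped to, jumps to targets nothing defines, duplicate rules."""
import shlex
from collections import Counter

# Constructed excerpt modelled on the page's script (a real run would read
# the script file instead). The -j VALID_CHECK jump is deliberately absent.
SAMPLE_SCRIPT = """
iptables -A INPUT -p tcp --destination-port 2222 -j ACCEPT
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
#iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -p tcp --syn -j DROP
"""

# Standard targets that need no -N definition
STANDARD_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                    "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

def parse_rules(script):
    """Yield the argv (after 'iptables') of every active rule line."""
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        argv = shlex.split(line)
        if argv and argv[0] == "iptables":
            yield argv[1:]

def audit(script):
    """Return the findings as sorted lists so they are easy to assert on."""
    defined, targets, rules = set(), set(), Counter()
    for argv in parse_rules(script):
        if "-N" in argv:
            defined.add(argv[argv.index("-N") + 1])
        if "-j" in argv:
            targets.add(argv[argv.index("-j") + 1])
        if "-A" in argv:
            rules[" ".join(argv)] += 1
    return {
        "unreferenced_chains": sorted(defined - targets),
        "undefined_targets": sorted(targets - defined - STANDARD_TARGETS),
        "duplicate_rules": sorted(r for r, n in rules.items() if n > 1),
    }

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SCRIPT).items():
        print(f"{finding}: {items}")
```

Run it against the real script file before loading the rules; an empty report for all three findings is the expected result once the jump to VALID_CHECK is in place.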
