iptables (rc.firewall)


Categoria: Segurança

Software: iptables


Por: Jorge Luiz Taioque


Firewall bem completo e poderoso (coleção de regras iptables comentadas para um gateway NAT — todas as linhas vêm comentadas; descomente apenas as que precisar).


#!/bin/bash
# rc.firewall -- collection of iptables rules for a NAT gateway: policy DROP on
# INPUT/OUTPUT/FORWARD, masquerading, port forwards, transparent proxy,
# IM/P2P blocking, IPsec pass-through.
#
# NOTE(review): every line below is commented out, so running this file as
# published executes nothing. Treat it as a menu: uncomment only the rules you
# need, and mind the order -- iptables evaluates a chain top to bottom and the
# first matching rule decides, so an ACCEPT appended early shadows every
# DROP/REJECT appended after it (see the notes at the FORWARD/OUTPUT state
# rules and at the "--syn -j DROP" rule).
# NOTE(review): $IF_EXTERNA, $IF_INTERNA, $IPT and $i are referenced below but
# never assigned anywhere in this file; with an unset variable the option
# loses its argument and iptables rejects the command. Define them once at the
# top (e.g. IF_EXTERNA=eth0; IF_INTERNA=eth1; IPT=/sbin/iptables) and use them
# instead of the literal eth0/eth1/ppp0 the other rules hard-code -- the
# listing is not consistent about which interface is external (eth1 in the
# MASQUERADE rule, eth0 in the SNAT/DNAT rules, ppp0 in the UDP block).
########################################
# Load modules
########################################
# NOTE(review): these are 2.4/early-2.6 module names (ip_conntrack, ipt_state,
# ...). Current kernels use nf_conntrack/xt_* names and autoload them on first
# use; check the target kernel before relying on this list.
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_nat
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ipt_REDIRECT
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ipt_state
#/sbin/modprobe ipt_TOS
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_MARK
#/sbin/modprobe ipt_mark
# NOTE(review): ipp2p is an out-of-tree match (not in mainline); the .o suffix
# suggests a 2.4-era build. It must be compiled for the running kernel.
#/sbin/insmod /etc/rc.d/ipt_ipp2p.o


########################################
# Enable IP forwarding in the kernel
########################################
# NOTE(review): turning forwarding on before the FORWARD policy is set to DROP
# (further down) leaves a window at boot where the box routes with whatever
# policy/rules were in place. Move this echo after the policies and rules.
#echo "1" > /proc/sys/net/ipv4/ip_forward


########################################
# Anti IP-spoofing (reverse-path filter)
########################################
# NOTE(review): the all/per-interface semantics of rp_filter differ between
# kernel versions (older ones also require the per-interface flag); setting
# conf/default/rp_filter=1 as well is the portable choice and covers
# interfaces created later (ppp0, tunnels).
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

########################################
# Honeypot
########################################
# NOTE(review): the fake services below are started with this script's
# privileges (root, if it runs from rc) and with relative paths, which resolve
# against the cwd at boot. Use absolute paths and run them under an
# unprivileged account. The meaning of the "G" argument is not shown here.
#start the fake squid
#perl pakesquid.pl G
#---
#start the fake httpd
#perl httpd-fake.pl G
#---
#start the fake telnet
#perl faketelnet.pl G


########################################
# Flush rules
########################################
# NOTE(review): -X and -F without -t act on the filter table only, so
# `-t filter -F` repeats `-F` while user chains in nat/mangle are never
# deleted (add `-t nat -X` / `-t mangle -X`).
#iptables -F
#iptables -X
#iptables -t nat -F
#iptables -t filter -F
#iptables -t mangle -F
# NOTE(review): setting ACCEPT here and DROP a few lines later leaves the host
# open between the two if the script is interrupted. Set the DROP policies
# first, then flush.
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT



########################################
# Default policy
########################################
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP 
# NOTE(review): with all three policies DROP, loopback must be allowed
# explicitly (`iptables -A INPUT -i lo -j ACCEPT` and
# `iptables -A OUTPUT -o lo -j ACCEPT`); the localhost rule below only
# matches TCP SYNs by source address, so local UDP/ICMP (e.g. a resolver on
# 127.0.0.1) would be dropped.

########################################
# FORWARD / NAT - Internet sharing
########################################
# NOTE(review): eth1 here vs eth0 in the SNAT rule -- pick the external
# interface once ($IF_EXTERNA). MASQUERADE is for a dynamic external address,
# SNAT with a fixed --to for a static one; use one or the other.
# 200.200.200.200 is a placeholder.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to 200.200.200.200


#Internet for a few hosts only
# NOTE(review): selecting who gets NAT is not access control: packets from the
# other hosts are still forwarded (untranslated) unless FORWARD restricts them,
# and the FORWARD state rule below accepts NEW from everyone.
#iptables -t nat -A POSTROUTING -s 10.0.0.10 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.0.0.20 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.5.2.41 -o eth0 -j MASQUERADE


########################################
# Allowing services
########################################
#Allow localhost:
# NOTE(review): match the interface, not the source address -- a 127.0.0.1
# source can be forged in a packet arriving on any interface; `-i lo` cannot.
#iptables -A INPUT -p tcp --syn -s 127.0.0.1 -j ACCEPT


#Allow connections coming from the local network (this address range / netmask).
# NOTE(review): add `-i $IF_INTERNA`; as written a packet with a forged
# 192.168.0.x source arriving on the external interface also matches (the
# rp_filter line above is commented out too).
#iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT 


#Allow other connections on the following port:
# NOTE(review): four identical rules; three are redundant. Presumably each was
# meant to be a different port -- fill them in or delete them.
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT


#UDP ports
# NOTE(review): DNAT plus the matching FORWARD ACCEPT is the right pair under a
# FORWARD DROP policy, and both are limited to the inbound interface -- keep
# this pattern for the other port forwards further down.
#iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7777:7779 -j DNAT --to-dest 192.168.0.2
#iptables -A FORWARD -p udp -i eth0 --dport 7777:7779 -d 192.168.0.2 -j ACCEPT


########################################
# FILTER table
########################################
#Anti DoS
# NOTE(review): broken syntax -- long options take two dashes and target names
# are case-sensitive: `-p tcp --syn -m limit --limit 1/s -j ACCEPT`. Even
# fixed, a rate-limited ACCEPT limits nothing unless it is followed by a DROP
# for the same match; packets over the limit simply fall through to the next
# rule (here, eventually, the FORWARD state rule that accepts NEW). The same
# applies to the port-scanner, ping, syn-flood and ping-of-death rules below.
#iptables -A FORWARD -p tcp -syn -m limit -limit 1/s -j accept
# NOTE(review): the `unclean` match was an experimental patch-o-matic module
# and is not shipped with mainline iptables; `-m conntrack --ctstate INVALID
# -j DROP` is the supported equivalent.
#iptables -A FORWARD -m unclean -j DROP 


#Anti port-scanner
# NOTE(review): `-o tcp` should be `-p tcp`, `--tcp-flags` and `--limit` need
# two dashes, `zlimit` is not a match (use `limit`), and the target is ACCEPT.
# Also a rate-limited ACCEPT with no DROP behind it (see above).
# iptables -A FORWARD -o tcp -tcp-flags SYN,ACK,FIN,RST RST -m zlimit -limit 1/s -j accept


#Anti ping
# NOTE(review): `--icmp-type` and `--limit` need two dashes; target ACCEPT.
# Duplicates the "ping of death" rule below.
#iptables -A FORWARD -p icmp -icmp-type echo-request -m limit -limit 1/s -j accept


# Block Back Orifice 
# NOTE(review): with INPUT policy DROP, port-specific DROPs like this pair and
# the NetBus pair add nothing; they only make sense with a LOG in front.
#/sbin/iptables -A INPUT -p tcp --dport 31337 -j DROP
#/sbin/iptables -A INPUT -p udp --dport 31337 -j DROP 


# Block NetBus
#/sbin/iptables -A INPUT -p tcp --dport 12345:12346 -j DROP 
#/sbin/iptables -A INPUT -p udp --dport 12345:12346 -j DROP


# Drop unwanted TCP packets (NEW connection without SYN)
# NOTE(review): good rule; add the same pair on INPUT -- as written only
# forwarded traffic is checked.
#iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
#iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


# Drop malformed packets
# NOTE(review): same `unclean` issue as above ($IF_EXTERNA is also unset);
# use `-m conntrack --ctstate INVALID`.
#iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pacote mal formado: "
#iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP 


# Accept the packets that really should come in
# NOTE(review): `-i ! IFACE` is the intrapositioned negation, deprecated since
# iptables 1.4.3 and rejected by later versions; write `! -i $IF_EXTERNA`.
# The rule also fully trusts every non-external interface (including any
# brought up later); listing the trusted interfaces explicitly is safer.
#iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NOTE(review): these two rules accept NEW from anywhere in OUTPUT and FORWARD.
# For FORWARD that makes the box an open relay between its interfaces, and
# because every later rule is appended after it, all FORWARD REJECT/DROP rules
# below (worms, syn-flood, SMTP, blocked sites/networks, IM, P2P) are
# unreachable. Keep ESTABLISHED,RELATED here, accept NEW only for the intended
# direction, e.g. `-A FORWARD -i $IF_INTERNA -o $IF_EXTERNA -m conntrack
# --ctstate NEW -j ACCEPT`, and place it after the REJECT/DROP rules.
# (`-m conntrack --ctstate` is the current form of `-m state --state`.)
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


# Anti trinoo
# NOTE(review): log-and-drop chain with a rate-limited LOG -- this is the
# pattern the plain LOG rules further down should copy. Under INPUT DROP the
# DROP itself is redundant; the value is the log line.
#iptables -N TRINOO
#iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
#iptables -A TRINOO -j DROP
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


# Anti trojans
# NOTE(review): port 666 is listed twice.
#iptables -N TROJAN
#iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
#iptables -A TROJAN -j DROP 
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
#iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


# Anti worms (block outbound RPC/135 from the LAN)
# NOTE(review): shadowed by the FORWARD state rule above; move it before that
# rule to take effect.
#iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


# Anti syn-flood
# NOTE(review): rate-limited ACCEPT with no DROP behind it, and shadowed by
# the FORWARD state rule (see the notes above).
#iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


# Anti ping of death
# NOTE(review): same two problems as the syn-flood rule; also duplicates the
# "anti ping" rule above.
#iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Anti port-scanner (invalid TCP flag combinations on the external interface)
# NOTE(review): sound log-and-drop chain; the LOG is rate-limited, as it should
# be.
#iptables -N SCANNER
#iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
#iptables -A SCANNER -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


#Block NetBIOS/SMB (135 RPC endpoint mapper, 137-139 NetBIOS, 445 SMB)
# NOTE(review): filtering in the nat table is unreliable -- nat PREROUTING sees
# only the first packet of each connection and is meant for address rewriting.
# Put these in filter INPUT/FORWARD and qualify them with `-i $IF_EXTERNA`
# unless SMB between LAN segments through this router is meant to be blocked
# as well.
#iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP
#iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 135 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP
#iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP


# Log access attempts to certain ports
# NOTE(review): LOG without `-m limit` -- a port scan writes one line per
# packet; add `-m limit --limit 15/m` as the TRINOO/TROJAN/SCANNER chains do.
# SNMP (161/162) is UDP in practice, and the rule matches TCP only. The same
# twelve lines are repeated verbatim under "block long attempts" below.
#iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
#iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
#iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
#iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
#iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
#iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
#iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
#iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
#iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
#iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "

# Allow external access to certain ports
# NOTE(review): four identical SSH rules. They also contradict the SSH DROP in
# the "blocking services" section -- whichever is appended first wins, so with
# both uncommented SSH on eth0 stays open. Restrict the source range and/or
# rate-limit new SSH connections rather than exposing 22 to the world.
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT


# Allow outgoing SMTP only to the host 192.0.0.0
# NOTE(review): `-d ! ADDR` is the old negation form; write `! -d 192.0.0.0`.
# 192.0.0.0 is a single placeholder host here. Both rules are shadowed by the
# FORWARD state rule above unless moved before it. The LOG is unlimited.
#iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j LOG --log-level 6 --log-prefix "FIREWALL: SMTP proibido: "
#iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j REJECT


########################################
#Block repeated attempts on certain ports
########################################
# NOTE(review): this block is a verbatim copy of the log block above and only
# logs; nothing here blocks repeated attempts. To do that, track sources with
# `-m recent` (`--set` on first sight, then `--update --seconds 60 --hitcount 4
# -j DROP`).
#iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
#iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
#iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
#iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
#iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
#iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
#iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
#iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
#iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
#iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
#iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "




# Transparent proxy
# -------------------------------------------------------
# NOTE(review): $IF_INTERNA is unset. This assumes squid on this host listens
# on 3128 in intercept mode; port 443 is not redirected, so HTTPS bypasses the
# proxy.
#iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128


# Forward ports to other servers
# -------------------------------------------------------
# NOTE(review): a DNAT port range is written with a dash,
# `--to-destination 192.168.0.4:1200-1400`; `:1200:1400` is a syntax error.
# Under the FORWARD DROP policy each DNAT also needs a matching FORWARD ACCEPT
# for the internal destination (see the UDP example above). The three
# `iptables ...` lines are an elided template repeated three times, not
# runnable commands.
#iptables -t nat -A PREROUTING -d 200.212.247.194 -p tcp --dport 1200:1400 -j DNAT --to 192.168.0.4:1200:1400
#iptables -t nat -A PREROUTING -d 192.168.200.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80
#iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80


# Redirect ports on the machine itself
# -------------------------------------------------------
# NOTE(review): the redirect happens in PREROUTING, before INPUT, so the INPUT
# chain must accept port 22 (not 5922) for this alias to work. Moving SSH to
# another port hides nothing from a scanner; it is a convenience, not a control.
#iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22



########################################
#Blocking services
########################################
#Block incoming connections on every TCP port of your machine:
# NOTE(review): this is the rule asked about in the comments, and the answer is
# yes -- a chain is evaluated top to bottom and the first match wins, so once
# this rule is in INPUT every TCP SYN that reaches it is dropped and any TCP
# ACCEPT appended after it never sees a new connection. Only rules placed
# before it (and the ESTABLISHED,RELATED rule) still matter. With INPUT policy
# DROP it is redundant anyway.
#iptables -A INPUT -p tcp --syn -j DROP

#Do not answer pings
# NOTE(review): ignores echo requests only (path-MTU ICMP is unaffected); it
# also hides the host from legitimate monitoring.
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all


#Block part of the UDP ports:
# NOTE(review): hard-coded ppp0 while the rest of the file uses eth0/$IF_EXTERNA;
# 0:30000 is an arbitrary cutoff, and with INPUT policy DROP the rule is
# redundant.
#iptables -A INPUT -i ppp0 -p udp --dport 0:30000 -j DROP

#Do not accept packets from certain sites
# NOTE(review): a hostname in -s/-d is resolved once, when the rule is loaded
# (one rule per address returned), so it needs working DNS at that moment and
# goes stale when the address changes; it blocks an address, not a name. Use
# fixed addresses (or an ipset refreshed separately). Also shadowed by the
# FORWARD state rule above.
#iptables -A FORWARD -s www.chat.com.br -j DROP


#Do not accept packets from a given network
# NOTE(review): shadowed by the FORWARD state rule; 200.221.20.0/24 is a
# placeholder.
#iptables -A FORWARD -s 200.221.20.0/24 -j DROP


#Block SSH connections:
# NOTE(review): contradicts the eth0 SSH ACCEPT above -- first appended wins.
#iptables -A INPUT -p tcp --destination-port 22 -j DROP

#Avoid "source port = destination port" scans:
# NOTE(review): $IPT and $i are unset -- this is the body of a loop
# (`for i in ...`) that the file does not include.
#$IPT -A INPUT -p tcp --sport $i --dport $i -j DROP


# NOTE(review): the IM rules below share three problems: $IPT is unset,
# hostname matches are resolved once at load time (see the note on blocked
# sites), and all of them are shadowed by the FORWARD state rule. The address
# blocks date from these services' 2000s infrastructure -- verify before use.
#Block AIM:
#$IPT -A FORWARD -d login.oscar.aol.com -j REJECT


#Block ICQ:
#$IPT -A FORWARD -p TCP --dport 5190 -j REJECT
#$IPT -A FORWARD -d login.icq.com -j REJECT 


#Block MSN:
#$IPT -A FORWARD -p TCP --dport 1863 -j REJECT
#$IPT -A FORWARD -d 64.4.13.0/24 -j REJECT


#Block Yahoo Messenger:
#$IPT -A FORWARD -d cs.yahoo.com -j REJECT
#$IPT -A FORWARD -d scsa.yahoo.com -j REJECT 



########################################
#Blocking P2P
########################################
# NOTE(review): port- and address-based P2P blocking is bypassed by a client
# configured for another port; the rules below are best-effort. All FORWARD
# rules in this section are shadowed by the FORWARD state rule above.
#Close P2P
# NOTE(review): needs the out-of-tree ipp2p match loaded at the top; `--ipp2p`
# alone matches every protocol the module knows.
#iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP

#Bittorrent:
# NOTE(review): contradictory pair -- the DNAT forwards inbound 6881-6889 to
# 192.168.0.2 and the next line rejects exactly that traffic. To block, drop
# the DNAT line; to allow, change REJECT to ACCEPT. Outbound torrent traffic
# from the LAN is untouched either way.
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.0.2
#iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT

#iMesh:
#iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

#BearShare:
# NOTE(review): TCP 6346 (Gnutella) is rejected three times in this section
# (BearShare, ToadNode, Limewire); one rule suffices.
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT 

#ToadNode:
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT

#WinMX:
#iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
#iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

#Napigator:
#iptables -A FORWARD -d 209.25.178.0/24 -j REJECT 

#Morpheus:
# NOTE(review): TCP 1214 is rejected twice (Morpheus and KaZaA).
#iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
#iptables -A FORWARD -p TCP --dport 1214 -j REJECT 

#KaZaA:
#iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
#iptables -A FORWARD -p TCP --dport 1214 -j REJECT

#KaZaA Lite
# NOTE(review): not valid as written -- no chain (`-A FORWARD`), no protocol,
# the string match on 2.6+ kernels requires `--algo bm` (or kmp), and the
# first line has no space before `-j`. A string match runs on every forwarded
# packet and only sees plaintext.
# iptables -m string --string "X-Kazaa-Username:"-j DROP
# iptables -m string --string "X-Kazaa-Network:" -j DROP
# iptables -m string --string "X-Kazaa-IP:" -j DROP
# iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP


#Limewire:
#iptables -A FORWARD -p TCP --dport 6346 -j REJECT

#Audiogalaxy:
#iptables -A FORWARD -d 64.245.58.0/23 -j REJECT 

########################################
# VPN rules (IPsec: UDP 500 = IKE, protocol 50 = ESP, 51 = AH)
########################################
# NOTE(review): the last line is truncated -- `-j ACCEPT`. Peers behind NAT
# (NAT-T) also need UDP 4500, and an initiator behind NAT may not use source
# port 500, so `--sport 500` can be too strict. No `-i` is given, so IKE is
# accepted from every interface.
#iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT  -p 50 -j ACCEPT
#iptables -A OUTPUT -p 50 -j ACCEPT
#iptables -A INPUT  -p 51 -j ACCEPT
#iptables -A OUTPUT -p 51 -j ACC

  


Comentários
[1] Comentário enviado por wbh16 em 14/10/2007 - 20:24h

por favor amigo tenho a seguinte dúvida após os comandos
#Bloqueando conexões vindas em qualquer porta tcp do seu micro:
#iptables -A INPUT -p tcp --syn -j DROP
Eu entendo que qualquer requisição de conexão tcp que não se encaixe nas regras anteriores serão bloqueadas.

Então, as regras relacionadas ao protocolo tcp que vem depois não fariam nada!
Estou certo? gostaria de entender isto melhor, grato....

[2] Comentário enviado por comfaa em 28/10/2008 - 10:44h

muito bom !!

[3] Comentário enviado por estevanir em 24/04/2012 - 10:30h

Meus parabéns pelo post.
Profissionais de alto conhecimento compartilham informação.


