ESSE FIREWALL É MUITO BOM, EU UTILIZAVA NA ANTIGA EMPRESA QUAL TRABALHAVA, ESPERO QUE POSSA SER UTIL A TODOS, OS COMENTÁRIOS DO FIREWALL ESTÃO EM INGLÊS, MAIS É BEM DECSRITIVO E FÁCIL DE USAR.


ATÉ A PRÓXIMA PESSOAL.

ABRAÇOS.

• Download rc.fw.1
• Enviar nova versão

Esconder código-fonte

#!/bin/sh
############################################################################
############################################################################
#####################   FIREWALL PARA INTRANETS ############################
############################################################################
############################################################################
############################################################################

#Script de firewall muito facil para ser aplicado, apenas esta em ingles####
       

IPTABLES="/sbin/iptables"   # set to your iptables location, must be set
DNS="192.168.0.1"   #set to your DNS server(s), that you get zone transfers from
TCP_ALLOW="21 22 25 80 8000 8001" #TCP ports to ALLOW
UDP_ALLOW="500"            # UDP ports to ALLOW (53 not needed, covered by DNS above)
INET_IFACE="ppp0"         # the interface your internet's on (one only), must be set
LAN_IFACE="eth0"         # the interface(s) your LAN's on (currently used only as a sanity check)
USE_SSH1="TRUE"            # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="TRUE"         # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
INTERNAL_LAN="192.168.0.0/24"   #the internal network(s), must be set
AUTH_ALLOW=""   #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all)
DENY_ALL=""            # Internet hosts to explicitly deny from accessing your system at all
DROP="REJECT"            # What to do with packets we don't want: DROP, REJECT, LDROP (log and drop), or LREJECT (log and reject)

# Below here is experimental
MAC_LAN=""            # MAC addresses permitted to use masquerading, leave blank to not use
USE_MASQ="TRUE"         # Set to TRUE to use masquerading (anything else is interpreted as FALSE)
USE_SNAT=""            # If you have a static internet IP, put it here and set "USE_MASQ" above to FALSE
TCP_FW=""            # TCP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP"
UDP_FW=""            # Same as above but on UDP

# ----------------------------------------------------------------------|
# Do not modify configuration below here            |
# ----------------------------------------------------------------------|
DROP="REJECT" #Apparently some ISPs (@home comes to mind) have problems with denying them, so send back ICMP messages to fool them
FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT"
# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here         |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."
if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then
   echo
   echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!"
   exit 1
fi
if  [ "$INET_IFACE" = "$LAN_IFACE" ] ; then
        if  [  "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then
      # This can't happen because the whole point of my masquerading code is that we don't need to know the IP.
      # While we know the IP with SNAT, I'm too lazy do change my code other than to use SNAT :)
      echo
      echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!"
      exit 1
   fi
fi
if ! [ -x $IPTABLES ] ; then
   echo
   echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!"
   exit 1
fi
echo "passed"

# Turn on IP forwarding (your kernel still needs it)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled..."

# Enable TCP Syncookies (always a 'good thing') (thanks steff)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "IP SynCookies enabled..."
# Loading kernel modules...
echo "Loading kernel modules..."
insmod ip_tables
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ip_conntrack_irc
insmod iptable_nat
insmod ip_nat_ftp
echo "Kernel modules loaded." 

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
# 
# You'll notice I give status now :)
echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
   ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
   ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
   ${IPTABLES} -t filter -N ${chain}
   echo -n "${chain} "
done
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
# Policy can't be reject becuase of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# Local traffic to internet or crossing subnets 
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
#   obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
   ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
   ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT
   echo -n "${subnet}:ACCEPT "
done
echo

# Set up basic NAT if the user wants it
if [ $USE_MASQ = TRUE ] ; then
   echo -n "Setting up NAT: "
   if [ "$MAC_LAN" = "" ] ; then
      for subnet in ${INTERNAL_LAN} ; do
         ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
         echo -n "${subnet}:MASQUERADE "
      done
   else   
      for address in ${MAC_LAN} ; do
         ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
         echo -n "${address}:MASQUERADE "
      done
   fi
   echo
elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined 
   #(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup)
   echo -n "Setting up NAT: "
        if [ "$MAC_LAN" = "" ] ; then
                for subnet in ${INTERNAL_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${subnet}:SNAT "
                done
        else
                for address in ${MAC_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT}
                        echo -n "${address}:SNAT "
                done
        fi  
        echo
fi

#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
   echo -n "TCP Port Forwards: "
   if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
      for rule in ${TCP_FW} ; do
         ports=`echo $rule | sed 's/>.*//g'`
         srcport=`echo $ports | sed 's/:.*//g'`
         destport=`echo $ports | sed 's/.*://g'`
         host=`echo $rule | sed 's/.*>//g'`
         ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
         echo -n "${rule} "
      done
   else
      for rule in ${TCP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
         ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
         echo -n "${rule} "
      done
   fi
   echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
        echo -n "UDP Port Forwards: "
        if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        else
                for rule in ${UDP_FW} ; do
                        ports=`echo $rule | sed 's/>.*//g'`
                        srcport=`echo $ports | sed 's/:.*//g'`
                        destport=`echo $ports | sed 's/.*://g'`
                        host=`echo $rule | sed 's/.*>//g'`
                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport}
                        echo -n "${rule} "
                done
        fi
        echo
fi

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================


# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
echo -n "INETIN "
${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
echo -n "INETOUT "
echo

#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up logging chains: "
${IPTABLES} -t filter -A LDROP -p tcp -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " 
${IPTABLES} -t filter -A LDROP -f -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "
        
#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -j LOG --log-level info --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -j LOG --log-level info --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LREJECT -f -j LOG --log-level warning --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood Protection
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since we don't know what it is
${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo

# -------------------------------------------------
# =================================================
# -------------------------------------------------


#Explicit denies
if [ "$DENY_ALL" != "" ] ; then
   echo -n "Denying hosts: "
   for host in ${DENY_ALL} ; do
      ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
      echo -n "${host}:${DROP}"
   done
   echo
fi

#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"



# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================

#Start allowing stuff

# Flood "security"
# You'll still respond to these if they comply with the limits
# Default limits are 1/sec for ICMP pings
# SYN Flood is on a per-port basis because it's a security hole to put it here!
# This is just a packet limit, you still get the packets on the interface and 
#    still may experience lag if the flood is heavy enough
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo -n "ICMP-PING "
echo

echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"

if [ "$TCP_ALLOW" != "" ] ; then
   echo -n "TCP Input Allow: "
   for port in ${TCP_ALLOW} ; do
           if [ "0$port" == "021" ]; then #Active FTP (thanks steff)
              ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT
      fi
       ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT
      echo -n "${port} "
   done
   echo
fi

if [ "$UDP_ALLOW" != "" ] ; then
   echo -n "UDP Input Allow: "
   for port in ${UDP_ALLOW} ; do
      ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT
      echo -n "${port} "
   done
   echo
fi

if [ "$DNS" != "" ] ; then
   echo -n "DNS Zone Transfers: "
   for server in ${DNS} ; do
      ${IPTABLES} -t filter -A INETIN   -p udp -s ${server} --sport 53 -j UDPACCEPT
      echo -n "${server} "
   done
   echo
fi

#SSH Rulesets
if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then
    echo -n "Accounting for SSH..."
   if [ $USE_SSH1 = TRUE ]; then #SSH1
      ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j TCPACCEPT
      echo -n "SSH1 "
   fi
   if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
      ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j TCPACCEPT
      echo -n "OpenSSH "
   fi
   echo
fi

#AUTH(identd) host-based allows
if [ "$AUTH_ALLOW" != "" ] ; then
   echo -n "AUTH accepts: "
   for host in ${AUTH_ALLOW} ; do
      ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j TCPACCEPT
      echo -n "${host} "
   done
   echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

#What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
#Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

#All done!
echo "Done loading the firewall!"
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.2:8000

FTS

configurar a rede wireless passando por roteador (melhorado e comentado)

Salvaguardando configurações.

Monitoração do CBQ

Controlando Fan Nagios no dialog