IPTABLES - Looking for the Perfect Script

1. IPTABLES - Looking for the Perfect Script

Abel Luiz Francia
abelfrancia

(uses Debian)

Posted on 15/01/2013 - 11:27h

Good morning everyone,

I'm looking for an IPTABLES script for "home" users...

Some time ago I had a script (which, by the way, I lost) that for me was perfect: it blocked INPUT and FORWARD, only accepted INPUT if it had been requested by OUTPUT, and had the standard protections such as ping of death, among others...

I have a script that I found here on the site itself, but I don't think it's working as it should. The script follows, and then the result of "#iptables -NVL"...

#!/bin/sh
#
# /etc/rc.d/firewall
#
# Start/stop/restart the Firewall.
#
# To make Firewall start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.firewall
# Author: Daniel - d4n1h4ck3r@gmail.com
# Created: 04/04/2009
# Updated: 13/06/2009

# Modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp

# Firewall Start
firewall_start() {
# Clean: delete user chains, zero counters, flush filter and nat rules
iptables -X
iptables -Z
iptables -F
iptables -t nat -F

# Default policies: deny inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback access
iptables -A INPUT -i lo -j ACCEPT

# Established connections: only accept INPUT that answers something this host sent
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Security (kernel knobs and rate limits on the FORWARD chain)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

echo "Firewall Start."
}

# Firewall Stop
firewall_stop() {
# Clean
iptables -X
iptables -Z
iptables -F
iptables -t nat -F

# Default policies: everything open
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Loopback access
iptables -A INPUT -i lo -j ACCEPT

# Established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Firewall Stop (without security)."
}

# Firewall Restart
firewall_restart() {
firewall_stop
sleep 3
firewall_start
}

# Options: the script does nothing unless one of these is passed as $1
case "$1" in
'start')
firewall_start
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "rc.firewall start"
echo "rc.firewall stop"
echo "rc.firewall restart"
esac




Commands in sequence:


/etc/init.d$ sudo ./firewall.sh
rc.firewall start
rc.firewall stop
rc.firewall restart


$sudo iptables -NVL
iptables: Chain already exists.



$sudo iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VL (0 references)
target prot opt source destination





Could someone help me? From what I understand the script didn't work, since everything is ACCEPT... could you suggest improvements...

The script file was given +x permission...

I use a Pavilion dv4 2160us notebook...


  


2. Re: IPTABLES - Looking for the Perfect Script

Abel Luiz Francia
abelfrancia

(uses Debian)

Posted on 15/01/2013 - 15:49h

Forget the script above, I found another one and trimmed it down, since it was for a server, but it's giving some problems and I wanted to check with you what it might be...


#!/bin/sh
#
#
#
#
internet="wlan0" "eth0"


First observation: can this be done? I want the filters to be applied to both devices.....???

 

echo "####################ATIVANDO IPTABLES#######################"
### Step 1: Flushing the rules ###
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -F -t nat
echo "Limpando as regras ..................................[ OK ]"

# Setting the default policy of the chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Politica Default das Cadeias ........................[ OK ]"


# Configuring anti-spoofing protection (reverse path filter)
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $spoofing
#done
echo "Protecao anti-spoofing ..............................[ OK ]"


# Prevent an attacker from maliciously changing a route (ignore ICMP redirects)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Impedimos alterar alguma rota .......................[ OK ]"


# Used in several attacks: it lets the attacker choose the "path" (routers) that
# their packet takes to its destination. Combined with spoofing this becomes very dangerous.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Impossibilita que o atacante determine o "caminho" ....[ OK ]"


# Protection against bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Protecao contra responses bogus .....................[ OK ]"


# Protection against syn flood attacks (start of the TCP connection). Tries to contain DoS attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Protecao contra ataques de syn ......................[ OK ]"


### Step 3: Loading the iptables modules ###
# Enable modules
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
echo "Carregando os modulos ...............................[ OK ]"

#################################################
# END OF THE FILTER table
#################################################

# Protection against port scanners
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $internet -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $internet -j SCANNER
echo "Scaner de Portas ....................................[ OK ]"

# Allow external access to certain ports

## Some ports must be denied.
iptables -A INPUT -p tcp --dport 1433 -j DROP
iptables -A INPUT -p tcp --dport 6670 -j DROP
iptables -A INPUT -p tcp --dport 6711 -j DROP
iptables -A INPUT -p tcp --dport 6712 -j DROP
iptables -A INPUT -p tcp --dport 6713 -j DROP
iptables -A INPUT -p tcp --dport 12345 -j DROP
iptables -A INPUT -p tcp --dport 12346 -j DROP
iptables -A INPUT -p tcp --dport 20034 -j DROP
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 6000 -j DROP
echo "Negando portas invalidas ............................[ OK ]"

# Dropping traceroutes

iptables -A INPUT -p udp --dport 33434:33523 -j DROP
iptables -A INPUT -p tcp --dport 113 -j REJECT
iptables -A INPUT -p igmp -j REJECT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j REJECT
echo "Rejeitando lixo :....................................[ OK ]"


# Block any attempt at a new connection from outside to this machine
#iptables -A INPUT -i $internet -m state --state ! ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "FIREWALL entrada "
iptables -A INPUT -i $internet -m state --state ! ESTABLISHED,RELATED -j DROP

# In iptables we have to say which sockets are valid in a connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Cadeia de Entrada ...................................[ OK ]"

################################
# Forwarding chain (FORWARD).
# First, enable masquerading (nat).
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $internet -j MASQUERADE
echo "Ativando o mascaramento .............................[ OK ]"

# Now we say who and what may be accessed externally
# Access control for the external network is done in the "FORWARD" chain
iptables -A FORWARD -i $internet -j ACCEPT
iptables -A FORWARD -o $internet -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Ativando o acesso ftp.. .............................[ OK ]"

###################
### BLOCKING ALL OUTBOUND TRAFFIC AND PORTS

iptables -A INPUT -p all -j DROP
iptables -A FORWARD -p all -j DROP

echo "Rejeitando saida e entrada ..........................[ OK ]"
########################

# In iptables we have to say which sockets are valid in a connection

iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Quais sockets sao validos ...........................[ OK ]"

#################################################
# FILTER table
#################################################

# Protection against trojans
# -------------------------------------------------------
iptables -A INPUT -p TCP -i $internet --dport 666 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 4000 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 6000 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 6006 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 16660 -j DROP

# Protection against trinoo
# -------------------------------------------------------
iptables -A INPUT -p TCP -i $internet --dport 27444 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 27665 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 31335 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 34555 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 35555 -j DROP
echo "Proteção contra trinoo ............................. [ OK ]"

# Protection against external access to squid
iptables -A INPUT -p TCP -i $internet --dport 3128 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 8080 -j DROP
echo "Proteção contra squid externo....................... [ OK ]"

# Protection against telnet
iptables -A INPUT -p TCP -i $internet --dport telnet -j DROP
echo "Proteção contra telnet ....................... [ OK ]"

# Drop unwanted TCP packets (new connections that do not start with SYN)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Drop malformed packets
iptables -A INPUT -i $internet -m unclean -j DROP

# Protection against worms
iptables -A FORWARD -p tcp --dport 135 -i $internet -j REJECT

# Protection against syn-flood
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

# Protection against ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Allow ALL other forwarding going out (the posted line had "-o -i $internet",
# which gives -o no interface; -o takes the outbound interface)
iptables -A FORWARD -o $internet -j ACCEPT
echo "Carregado tabela filter ............................ [ OK ]"


echo "##################FIM DE REGRAS IPTABLES####################"
exit 0




I get an error when running the script,

$sudo ./firewall2.sh

./firewall2.sh: 6: ./firewall2.sh: eth0: not found
####################ATIVANDO IPTABLES#######################
Limpando as regras ..................................[ OK ]
Politica Default das Cadeias ........................[ OK ]
Protecao anti-spoofing ..............................[ OK ]
Impedimos alterar alguma rota .......................[ OK ]
Impossibilita que o atacante determine o caminho ....[ OK ]
Protecao contra responses bogus .....................[ OK ]
Protecao contra ataques de syn ......................[ OK ]
Carregando os modulos ...............................[ OK ]

iptables: Chain already exists.

Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SCANNER'
Try `iptables -h' or 'iptables --help' for more information.

Scaner de Portas ....................................[ OK ]
Negando portas invalidas ............................[ OK ]
Rejeitando lixo :....................................[ OK ]

Bad argument `state'
Try `iptables -h' or 'iptables --help' for more information.
Cadeia de Entrada ...................................[ OK ]
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
Ativando o mascaramento .............................[ OK ]
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `state'
Try `iptables -h' or 'iptables --help' for more information.

Ativando o acesso ftp.. .............................[ OK ]
Rejeitando saida e entrada ..........................[ OK ]
Quais sockets sao validos ...........................[ OK ]

Bad argument `666'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `4000'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `6000'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `6006'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `16660'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `27444'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `27665'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `31335'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `34555'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `35555'
Try `iptables -h' or 'iptables --help' for more information.

Proteção contra trinoo ............................. [ OK ]

Bad argument `3128'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `8080'
Try `iptables -h' or 'iptables --help' for more information.

Proteção contra squid externo....................... [ OK ]

Bad argument `telnet'
Try `iptables -h' or 'iptables --help' for more information.

Proteção contra telnet ....................... [ OK ]

Bad argument `unclean'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `REJECT'
Try `iptables -h' or 'iptables --help' for more information.

Carregado tabela filter ............................ [ OK ]
##################FIM DE REGRAS IPTABLES####################
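
As an added example (not code from either post in this thread), the same INPUT filters applied to a list of interfaces. In sh, `internet="wlan0" "eth0"` is parsed as the command `eth0` run with `internet=wlan0` in its environment, which is the `eth0: not found` line in the output above and leaves `$internet` empty for every rule that follows; a space-separated list walked with `for` covers both devices. The interface names are constructed for the example, and DRY_RUN (on by default) prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example: apply the same INPUT filters to each interface in a list.
# Interface names are constructed for the example; on a real host use the
# names shown by "ip link".
INTERFACES="wlan0 eth0"

# DRY_RUN=1 (the default here) prints each iptables command instead of
# running it, so the rule set can be reviewed or tested without root.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Per-interface rules: replies to connections this host opened, rate-limited
# echo requests, and nothing else new from that interface.
rules_for_iface() {
    iface="$1"
    ipt -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$iface" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s -j ACCEPT
    ipt -A INPUT -i "$iface" -m state --state NEW -j DROP
}

firewall_start() {
    # Flush, then default-deny INPUT and FORWARD, allow OUTPUT
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Same rules for every listed device; $INTERFACES is left unquoted on
    # purpose so the shell splits it into one word per interface.
    for i in $INTERFACES; do
        rules_for_iface "$i"
    done
}

# Number of rules firewall_start installs for one interface (dry run only).
rule_count_for() {
    firewall_start | grep -c -- "-i $1 "
}

case "${1:-}" in
    start) firewall_start ;;
esac
```

Run `./fw.sh start` to review the generated commands, and `DRY_RUN=0 ./fw.sh start` as root to apply them.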


3. Re: IPTABLES - Looking for the Perfect Script

Reginaldo de Matias
saitam

(uses Slackware)

Posted on 15/01/2013 - 16:37h

The first script works, you just forgot to pass the option (start/stop).

chmod +x fw-desktop.sh
#./fw-desktop.sh start

#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

http://mundodacomputacaointegral.blogspot.com.br/2012/05/entendendo-o-funcionamento-de-um.html





