Duvida Firewall

1. Duvida Firewall

Julio Jose Jordão
Julio_Jose

(usa Debian)

Enviado em 26/08/2007 - 20:50h

minha internet e speedy home, ip dinâmico

Pessoal estou com uma dúvida, estou compartilhando minha internet com a rede interna através desse comando:

iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -o eth1 -j MASQUERADE

meu firewall eh do tipo que bloqueia tudo e libera só http, https, 53..

porém através desse comando, a internet esta liberando todas as portas.


o que tenho que fazer para concertar isso?


  


2. FORWARD

Elgio Schlemer
elgio

(usa OpenSuSE)

Enviado em 26/08/2007 - 21:55h

Se tu colocar regras do que pode (portas permitidas) na tabela FORWARD, bloqueando (na FORWARD) tudo, deve funcionar!

Algo assim:

iptables -P DROP FORWARD
iptables -A FORWAWD ... (regras do que pode com ACCEPT)




3. Configure seu Firewall

Fernando Ribeiro
fernandofat

(usa Ubuntu)

Enviado em 26/08/2007 - 22:13h

Amigo Julio,

Com a regra que você está usando, sem nenhuma outra configuração no Iptables realmente todo acesso será permitido.

Para configurar seu Iptables para que todo acesso seja bloqueado e apenas alguns acessos sejam permitidos é preciso adicionar regras na tabela "filter".

Por exemplo:

# Libera portas 80 (HTTP),443 (HTTPS) e 53 (DNS)
iptables -t filter -A FORWARD -s 192.168.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.0/16 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
# Bloqueia qualquer acesso
iptables -t filter -A FORWARD -s 192.168.0.0/16 -o eth0 -j DROP

A regra que bloqueia o acesso pode e deve ser dispensada caso você utilize o DROP como ação padrão para o "FORWARD" da tabela filter, por exemplo:

iptables -t filter -P FORWARD DROP

É Importante que as regras fiquem nesta ordem caso contrário não irá funcionar.

De uma olhada nesta documentação talvez te ajude a resolver futuros problemas.
http://focalinux.cipsga.org.br/guia/avancado/ch-fw-iptables.htm

[]'s

Fernando


4. Re: Duvida Firewall

Julio Jose Jordão
Julio_Jose

(usa Debian)

Enviado em 27/08/2007 - 12:15h

humm entendi kara...olha soh meu firewall aqui na empresa que eu uso ele bloqueia tudo...

mais ai eu peguei esse mesmo firewall e implantei em casa, porém em casa eh speedy ip dinâmico...aqui no serviço e ip fixo...aqui no serviço ele funciona certinho, bloqueia tudo.


mais o engraçado é que em casa usandando o mesmo firewall ele esta liberando tudo...

a unica coisa que mudei no firewall foi para compartilhar internet, que em casa como eh ip fixo eu tive que compartilhar usando o comando
DESSA FORMA NÃO BLOQUEIA NADA LIBERA TUDO
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE

NO TRAMPO O COMPARTILHAMENTO PARA REDE INTERAN TA

ASSIM:



$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.0.0/24 -o eth0

AI DESSA FORMA BLOQUEIA TUDO CERTIN..



5. Re: Duvida Firewall

Julio Jose Jordão
Julio_Jose

(usa Debian)

Enviado em 27/08/2007 - 12:16h

veja como é meu firewall

#!/bin/bash
#
# cftk Bring up/down the packet filtering rules
#
# chkconfig: 345 15 92
# description: Bring up/down the packet filtering rules
# description(pt_BR): Bring up/down the packet filtering rules
# probe: true
#
# This script is part of Conectiva Firewall Tool Kit package.
#
# It was originally created by
# Jefferson Luiz Brindarolli <[email protected]> and
# Fabio R. Schmidlin <[email protected]> for kernels 2.2 (ipchains)
# Modified to kernel 2.4 by André Ruiz <[email protected]> based
# on previous work from Harald Welte <[email protected]>,
# Leonardo Marques de Souza <[email protected]> and
# Andreas Hasenack <[email protected]>
#
# This piece of software is distributed under GPL. See
# http://www.gpl.org for further information on this license.
#

. /etc/rc.d/init.d/functions

#
# Observações:
#
# O conntrack aplica o conceito de "ESTABLISHED" e "NEW" inclusive
# para conexões UDP e ICMP, além de TCP.
#

#
# FIXME: retirar as regras daqui, colocar em /etc/sysconfig/iptables
#


#################################################################
# DEFINIÇÃO DE VARIÁVEIS
#################################################################

IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"

# Alterar os dados abaixo de acordo com a rede do cliente
IF_LOC="lo" # Interface Loopback
IF_INT="eth1" # Interface da intranet (interna)
IP_INT="192.168.0.18" # IP da interface IF_INT
NET_LOC="127.0.0.0/24" # Rede da interface IF_LOC
NET_INT="192.168.0.0/16" # Rede da interface IF_INT
BRO_INT="192.168.255.255" # Broadcast da IF_INT

# Servidores
IP_WWW1="192.168.0.18" # Máquina da DMZ que serve WWW para o mundo
IP_SMTP="192.168.0.18" # Máquina da DMZ que serve SMTP para o mundo
IP_POP="192.168.0.18" # Máquina da DMZ que serve POP para o mundo
IP_FTP="192.168.0.18" # Máquina da DMZ que serve ftp para o mundo
IP_DNS="192.168.0.18" # Máquina da DMZ que serve auth domain para o mundo
IP_DNS1="192.168.0.18" # Máquina da INT que serve dns na a rede interna
IP_DB="192.168.0.18" # Máquina da DMZ que serve ftp para o mundo
IP_SSH="192.168.0.18" # Máquina da DMZ que serve ftp para o mundo


#################################################################
# CARGA DE MÓDULOS
#################################################################

carrega_modulos() {

$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE ip_nat_ftp
$MODPROBE ip_nat_irc
$MODPROBE ipt_REJECT

}

#################################################################
# CARGA DE REGRAS
#################################################################

cria_regras() {

cria_regras_auxiliares
cria_regras_PREROUTING
cria_regras_INPUTOUTPUT
cria_regras_INT2EXT
cria_regras_EXT2INT
cria_regras_FORWARD
cria_regras_POSTROUTING
cria_regras_LOADBALANCING
cria_regras_PROXY
# cria_regras_orkut
}


#################################################################
# FLUSH E POLÍTICAS DEFAULT
#################################################################

destroi_regras() {

# Define política default para chains defaults
$IPTABLES -P INPUT DROP # política default para filter
$IPTABLES -P FORWARD DROP # política default para filter
$IPTABLES -P OUTPUT DROP # política default para filter
$IPTABLES -F -t filter # flush nas regras de filter
$IPTABLES -F -t nat # flush nas regras de nat
$IPTABLES -F -t mangle # flush nas regras de mangle
$IPTABLES -X -t filter # deleta chains de filter
$IPTABLES -X -t nat # deleta chains de nat
$IPTABLES -X -t mangle # deleta chains de mangle
$IPTABLES -Z -t filter # zera contadores de filter
$IPTABLES -Z -t nat # zera contadores de nat
$IPTABLES -Z -t mangle # zera contadores de mangle

}

abre_regras() {

# Define política default para chains defaults
$IPTABLES -P INPUT ACCEPT # política default para filter
$IPTABLES -P FORWARD ACCEPT # política default para filter
$IPTABLES -P OUTPUT ACCEPT # política default para filter
$IPTABLES -F -t filter # flush nas regras de filter
$IPTABLES -F -t nat # flush nas regras de nat
$IPTABLES -F -t mangle # flush nas regras de mangle
$IPTABLES -X -t filter # deleta chains de filter
$IPTABLES -X -t nat # deleta chains de nat
$IPTABLES -X -t mangle # deleta chains de mangle
$IPTABLES -Z -t filter # zera contadores de filter
$IPTABLES -Z -t nat # zera contadores de nat
$IPTABLES -Z -t mangle # zera contadores de mangle

#cria_regras_POSTROUTING
cria_regras_LOADBALANCING
cria_regras_PROXY
}


#################################################################
# CHAIN DE PREROUTING
#################################################################

cria_regras_PREROUTING() {

# Melhora latência de ssh pra fora
$IPTABLES -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay

# Não deixa smtp sair com prioridade pra não matar o link
$IPTABLES -A PREROUTING -t mangle -p tcp --dport smtp -j TOS --set-tos Normal-Service

# Melhora Thoughput de http que sai
# $IPTABLES -A PREROUTING -t mangle -p tcp -s $NET_DMZ --sport http -j TOS --set-tos Maximize-Throughput

# Piora Thoughput de http que entra
# FIXME: Normal-Service?
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport http -j TOS --set-tos Normal-Service

}

#################################################################
# CHAINS DE INPUT, OUTPUT
#################################################################

cria_regras_INPUTOUTPUT() {

# Recusa pacotes inválidos em primeiro lugar
$IPTABLES -A INPUT -j END_INVALID -m state --state INVALID

# Deixa loopback livre
$IPTABLES -A INPUT -j ACCEPT -i $IF_LOC
$IPTABLES -A OUTPUT -j ACCEPT -o $IF_LOC

# Deixa interna livre
$IPTABLES -A INPUT -j ACCEPT -i $IF_INT
$IPTABLES -A OUTPUT -j ACCEPT -o $IF_INT

# Deixa interna livre
$IPTABLES -A INPUT -j ACCEPT -i eth0
$IPTABLES -A OUTPUT -j ACCEPT -o eth0

# Verifica se o pacote sofreu spoof de IP
$IPTABLES -A INPUT -j SPOOF_CHECK

## Serviços que rodam na máquina

# Aceita ssh da rede interna (manutenção)
$IPTABLES -A INPUT -j ACCEPT -p tcp -s $NET_INT --dport ssh
$IPTABLES -A OUTPUT -j ACCEPT -p tcp -d $NET_INT --sport ssh

# Aceita forward obrigatório de servidores DNS internos
# O DNS da DMZ deve ser recursivo apenas para a própria DMZ (controle por ACLs)
$IPTABLES -A INPUT -j ACCEPT -p udp -s $IP_DNS --dport domain
$IPTABLES -A OUTPUT -j ACCEPT -p udp -d $IP_DNS --sport domain
$IPTABLES -A INPUT -j ACCEPT -p udp -s $IP_DNS1 --dport domain
$IPTABLES -A OUTPUT -j ACCEPT -p udp -d $IP_DNS1 --sport domain

# Aceita consultas a DNSs externos (existe maneira mais restritiva?)
$IPTABLES -A INPUT -j ACCEPT -p udp --sport domain --dport 1024:
$IPTABLES -A OUTPUT -j ACCEPT -p udp --sport 1024: --dport domain

# Aceita ICMP (todos) da rede interna apenas
$IPTABLES -A INPUT -j ACCEPT -p icmp -s $NET_INT
$IPTABLES -A OUTPUT -j ACCEPT -p icmp -d $NET_INT

# Aceita ICMP (todos) da rede interna apenas
$IPTABLES -A INPUT -j ACCEPT -p icmp -i $IF_INT
$IPTABLES -A OUTPUT -j ACCEPT -p icmp -o $IF_INT

# Dropa o resto dos ICMP sem logar (muita coisa)
#$IPTABLES -A INPUT -j DROP -p icmp
#$IPTABLES -A OUTPUT -j DROP -p icmp

# VPN entre este firewall e outro
#$IPTABLES -A INPUT -j ACCEPT -p 50 -s $IP_VPN
#$IPTABLES -A INPUT -j ACCEPT -p udp -s $IP_VPN --sport 500 --dport 500
#$IPTABLES -A OUTPUT -j ACCEPT -p 50 -d $IP_VPN
#$IPTABLES -A OUTPUT -j ACCEPT -p udp -d $IP_VPN --sport 500 --dport 500

# Checa por trojans, para logar diferenciado
$IPTABLES -A INPUT -j TROJAN_CHECK -m state --state NEW

# Testa por broadcasts e descarta (sem logar)
$IPTABLES -A INPUT -j DROP -d $BRO_INT
$IPTABLES -A INPUT -j DROP -d 255.255.255.255
$IPTABLES -A OUTPUT -j DROP -d $BRO_INT
$IPTABLES -A OUTPUT -j DROP -d 255.255.255.255

# Recusa e loga todo o resto
$IPTABLES -A INPUT -j END_INPUT
$IPTABLES -A OUTPUT -j END_OUTPUT

}


#################################################################
# CHAINS DE FORWARD
#################################################################

cria_regras_FORWARD() {

# Se for inválido, jogamos fora
$IPTABLES -A FORWARD -j END_INVALID -m state --state INVALID

# Verifica se o pacote é spoof de IP
$IPTABLES -A FORWARD -j SPOOF_CHECK

# Se já está estabelecida, pode passar
$IPTABLES -A FORWARD -j ACCEPT -m state --state ESTABLISHED

# Se relacionada, pode passar (inclusive ftp & cia caem aqui)
$IPTABLES -A FORWARD -j ACCEPT -m state --state RELATED

## Apenas conexões NEW daqui pra frente

# Checa por trojans (para registrar no log se encontrar)
$IPTABLES -A FORWARD -j TROJAN_CHECK

# Pula para chain específica
$IPTABLES -A FORWARD -j INT2EXT -s $NET_INT
$IPTABLES -A FORWARD -j EXT2INT -d $NET_INT

# Se sobreviver, dropa e loga
$IPTABLES -A FORWARD -j END_FORWARD

}


#################################################################
# CHAINS DIRECIONAIS
#################################################################

### INT2EXT

cria_regras_INT2EXT() {

$IPTABLES -N INT2EXT

# Restringe o que a rede interna pode acessar fora
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport smtp -d 200.234.205.142
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport pop3 -d 200.234.205.142
# $IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport smtp
# $IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport pop3
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 465
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport pop3s
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport telnet
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport ssh
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport ftp
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport ftp
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport http
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport https
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 53
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport 53
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 5432 # PostgreSQL
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 194 # IRC (ñ sei se é necess.)
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 4662 # P2P Donkey
$IPTABLES -A INT2EXT -j REJECT -p udp --dport 4672 # P2P Donkey
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 4661 # P2P Donkey
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 4242 # P2P Donkey
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 500 # teste
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 1214 # KaZaA
$IPTABLES -A INT2EXT -j REJECT -p udp --dport 1215 # KaZaA
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 5800 #VNC
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 2628 #KDICT
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 9898 #AIM
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 1863 #MSN
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 6891 #MSN voz
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 6900 #MSN dados
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 5000:5010 #YAHOO
$IPTABLES -A INT2EXT -j REJECT -p tcp --dport 5190 #ICQ
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 3389 #Terminal Server
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 1755 # MMS streaming
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport 1755 # MMS streaming
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 554 # radiouol
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport 554 # radiouol
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport 5005 # RTSP streaming
$IPTABLES -A INT2EXT -j ACCEPT -p tcp --dport 8000 # Radio Stream
$IPTABLES -A INT2EXT -j ACCEPT -p udp --dport 8000 # Radio Stream
# fixme: escolher os tipos realmente queremos e limitar flood
$IPTABLES -A INT2EXT -j ACCEPT -p icmp

# Bloqueia o que sobrou
$IPTABLES -A INT2EXT -j END_INT2EXT

}


### EXT2INT

cria_regras_EXT2INT() {

$IPTABLES -N EXT2INT

# Restringe o que a rede externa pode acessar na interna
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport smtp -d 200.234.205.142
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport pop3 -d 200.234.205.142
# $IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport smtp
# $IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport pop3
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport pop3s
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport telnet
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport ssh
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport ftp
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport ftp
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport http
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport https
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 53
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport 53
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 5432 # PostgreSQL
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 194 # IRC (ñ sei se é necess.)
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 4662 # P2P Donkey
$IPTABLES -A EXT2INT -j REJECT -p udp --dport 4672 # P2P Donkey
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 4661 # P2P Donkey
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 4242 # P2P Donkey
$IPTABLES -A EXT2INT -j REJECT -p udp --dport 4665 # ñ sei
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 500 # teste
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 1214 # KaZaA
$IPTABLES -A EXT2INT -j REJECT -p udp --dport 1215 # KaZaA
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 5800 #VNC
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 2628 #KDICT
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 9898 #AIM
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 1863 #MSN
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 6891 #MSN voz
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 6900 #MSN dados
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 5000:5010 #YAHOO
$IPTABLES -A EXT2INT -j REJECT -p tcp --dport 5190 #ICQ
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 3390 #ICQ
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 1755 # MMS streaming
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport 1755 # MMS streaming
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 554 # RTSP streaming
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport 554 # radiouol
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport 5005 # RTSP streaming
$IPTABLES -A EXT2INT -j ACCEPT -p tcp --dport 8000 # Radio Stream
$IPTABLES -A EXT2INT -j ACCEPT -p udp --dport 8000 # Radio Stream
# Nenhum accept, simplesmente nega tudo
$IPTABLES -A EXT2INT -j END_EXT2INT

}


#################################################################
# CHAINS AUXILIARES
#################################################################

cria_regras_auxiliares() {

### END_INPUT
$IPTABLES -N END_INPUT
#$IPTABLES -A END_INPUT -j LOG --log-prefix "FIREWALL: End_Input! "
$IPTABLES -A END_INPUT -j DROP

### END_OUTPUT
$IPTABLES -N END_OUTPUT
#$IPTABLES -A END_OUTPUT -j LOG --log-prefix "FIREWALL: End_Output! "
$IPTABLES -A END_OUTPUT -j DROP

### END_FORWARD
$IPTABLES -N END_FORWARD
#$IPTABLES -A END_FORWARD -j LOG --log-prefix "FIREWALL: End_Forward! "
$IPTABLES -A END_FORWARD -j DROP

### END_SPOOF
$IPTABLES -N END_SPOOF
#$IPTABLES -A END_SPOOF -j LOG --log-prefix "FIREWALL: Spoof! "
$IPTABLES -A END_SPOOF -j DROP

### END_INVALID
$IPTABLES -N END_INVALID
#$IPTABLES -A END_INVALID -j LOG --log-prefix "FIREWALL: Invalid! "
$IPTABLES -A END_INVALID -j DROP

### END_TROJAN
$IPTABLES -N END_TROJAN
#$IPTABLES -A END_TROJAN -j LOG --log-prefix "FIREWALL: Trojan! "
$IPTABLES -A END_TROJAN -j DROP

### END_INT2EXT
$IPTABLES -N END_INT2EXT
#$IPTABLES -A END_INT2EXT -j LOG --log-prefix "FIREWALL: End_Int2Ext! "
$IPTABLES -A END_INT2EXT -j DROP

### END_EXT2INT
$IPTABLES -N END_EXT2INT
#$IPTABLES -A END_EXT2INT -j LOG --log-prefix "FIREWALL: End_Ext2Int! "
$IPTABLES -A END_EXT2INT -j DROP

### SPOOFCHECK
# As redes internas são consideradas confiáveis, só é checado o
# path de roteamento. Para se proteger de spoof interno também
# seria necessário monitorar os MAC:IP na rede interna.
$IPTABLES -N SPOOF_CHECK
$IPTABLES -A SPOOF_CHECK -j END_SPOOF -s $NET_INT -i ! $IF_INT
$IPTABLES -A SPOOF_CHECK -j END_SPOOF -s ! $NET_INT -i $IF_INT

### TROJANS
# Alguns trojans, os mais comuns
# Nào é necessário checar por trojans se você adota a política de
# tudo fechado, abrem-se as excessões. Mas, você pode querer verificar
# mesmo assim, para poder registrar um log mais específico (nosso caso).
$IPTABLES -N TROJAN_CHECK
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 555 # phAse zero
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 555 # phAse zero
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 1243 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 1243 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 3129 # Masters Paradise
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 3129 # Masters Paradise
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 6670 # DeepThroat
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 6670 # DeepThroat
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 6711 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 6711 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 6969 # GateCrasher
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 6969 # GateCrasher
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 12345 # NetBus
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 12345 # NetBus
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 21544 # GirlFriend
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 21544 # GirlFriend
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 23456 # EvilFtp
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 23456 # EvilFtp
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 27374 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 27374 # Sub-7, SubSeven
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 30100 # NetSphere
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 30100 # NetSphere
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 31789 # Hack'a'Tack
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 31789 # Hack'a'Tack
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 31337 # BackOrifice, and many others
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 31337 # BackOrifice, and many others
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p tcp --dport 50505 # Sockets de Troie
$IPTABLES -A TROJAN_CHECK -j END_TROJAN -p udp --dport 50505 # Sockets de Troie

}

#################################################################
# CHAIN DE POSTROUTING
#################################################################

cria_regras_POSTROUTING() {

# Faz o mascaramento da rede interna.
$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.0.0/24 -o eth0
$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.1.0/24 -o eth0
$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.2.0/24 -o eth0
$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.3.0/24 -o eth0
$IPTABLES -A POSTROUTING -t nat -j SNAT --to-source 201.46.241.26 -s 192.168.4.0/24 -o eth0
}

#################################################################
# CHAIN DE LOAD BALANCING
#################################################################

cria_regras_LOADBALANCING() {
NET_INT="192.168.0.0/16";

NET_0="192.168.0.0/24";
NET_1="192.168.1.0/24";
NET_2="192.168.2.0/24";
NET_3="192.168.3.0/24";
NET_4="192.168.4.0/24";

# NET_SPDY1="200.204.180.0/24";

IF0="eth1"
IF1="eth0"
# IF1="eth0"

GW1="200.228.149.65"
# GW1="192.168.0.40"

IP1="201.46.241.26"

# LIP1="200.204.180.1"

#apagar os route padrao das placas
#route del -net $NET_INT dev $IF0
#route del -net $NET_INT dev $IF1
#route del -net $NET_INT dev $IF2
#route del -net $NET_INT dev $IF3
#route del -net $NET_INT dev $IF4

#inserir os routes para as redes internas
#route add -net $NET_0 dev $IF0
#route add -net $NET_1 dev $IF0
#route add -net $NET_2 dev $IF0
#route add -net $NET_3 dev $IF0

#inserir os routes para as redes gateway dos roteadores speedy
#route add -net $NET_SPDY1 dev $IF1
#route add -net $NET_SPDY2 dev $IF2
#route add -net $NET_SPDY3 dev $IF3
#route add -net $NET_SPDY4 dev $IF4

#inserir os routes para a internet, equalizando por speedy
#ip route add default equalize \
# nexthop via $GW2 dev $IF2 \
# nexthop via $GW3 dev $IF3 \
# nexthop via $GW4 dev $IF4

#ip route add default scope global equalize \
# nexthop via $GW1 dev $IF1 \
# nexthop via $GW2 dev $IF2 \
# nexthop via $GW3 dev $IF3 \
# nexthop via $GW4 dev $IF4

#ip route add default scope global via $GW2 dev $IF2
ip route add default via $GW1 dev $IF1

#ip rule add prio 201 from $IP1/24 table 201
#ip route add default via $GW1 dev $IF1 src $LIP1 proto static table 201
#ip route append prohibit default table 201 metric 1 proto static

#ip rule add prio 202 from $IP2/24 table 202
#ip route add default via $GW2 dev $IF2 src $LIP2 proto static table 202
#ip route append prohibit default table 202 metric 1 proto static

#ip rule add prio 203 from $IP3/24 table 203
#ip route add default via $GW3 dev $IF3 src $LIP3 proto static table 203
#ip route append prohibit default table 203 metric 1 proto static

#ip rule add prio 204 from $IP4/24 table 204
#ip route add default via $GW4 dev $IF4 src $LIP4 proto static table 204
#ip route append prohibit default table 204 metric 1 proto static

#ip rule add prio 222 table 222
#ip route add default table 222 proto static \
# nexthop via $GW2 dev $IF2 \
# nexthop via $GW3 dev $IF3 \
# nexthop via $GW4 dev $IF4
}


#################################################################
# CHAIN DE POSTROUTING
#################################################################

cria_regras_PROXY() {

# proxy transparente, via redirecionamento da rede
$IPTABLES -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 -j REDIRECT --to-port 3128

#for local squid/adsl
#iptables -A INPUT -i eth0 -p tcp -d 192.168.200.0/24 --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#for local adsl/ remote squid
#iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
#iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
#iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

}


#########
# ORKUT #
#########
#cria_regras_orkut() {
#
#$IPTABLES -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
#$IPTABLES -A INPUT -d www.orkut.com -p tcp --dport 443 -j DROP
#$IPTABLES -A FORWARD -d orkut.com -p tcp --dport 443 -j DROP
#$IPTABLES -A INPUT -d orkut.com -p tcp --dport 443 -j DROP
#
#}


#################################################################
# SCRIPT INIT DO SYSV
#################################################################

#################################################################
# SCRIPT INIT DO SYSV
#################################################################

# checa se o pacote iptables foi instalado
if [ ! -x "$IPTABLES" ]; then
echo "O executável $IPTABLES não existe!"
exit 1
fi

# checa se o kernel é 2.3 ou 2.4
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ ! "$KERNELMAJ" -eq 2 -o ! "$KERNELMIN" -eq 4 ] ; then
echo "Você não está usando um kernel versão 2.4"
exit 1
fi

# Não insere regras se o modo ipchains estiver carregado
if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
echo "Descarregue o módulo ipchains para o netfilter!"
exit 1
fi

if ! carrega_modulos; then
echo "Não consegui carregar os módulos do iptables"
exit 1
fi

case "$1" in
start)
echo -n "Configurando regras do firewall: "
destroi_regras && cria_regras && \
echo_success || echo_failure
echo ""
touch /var/lock/subsys/iptables
;;

stop)
echo -n "Removendo regras do firewall: "
destroi_regras && \
echo_success || echo_failure
echo ""
rm -f /var/lock/subsys/iptables
;;

stopopen)
echo -n "Removendo regras e abrindo firewall: "
abre_regras && \
echo_success || echo_failure
echo ""
rm -f /var/lock/subsys/iptables
;;

restart)
# isso não é um daemon, então não é necessário dar "stop"
# foi deixado aqui para os que esperam que ele exista
$0 start
;;

status)
$IPTABLES --list -n
;;

*)
echo "Uso: $0 {start|stop|stopopen|restart|status}"
esac


6. Script Iptables

Leonardo Marques de Souza
leo_pr

(usa Ubuntu)

Enviado em 14/04/2011 - 23:59h

Caraca! onde acharam esse script! Massa!
O Leonardo Marques ,descrito pelo meu amigo André , sou eu!
bons tempos... :)
Obrigado por divulgar esse script!






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts