FIREWALL ESTA OK ?

1. FIREWALL ESTA OK ?

Fabio
fabio_vieira

(usa Debian)

Enviado em 21/02/2016 - 11:48h

GALERA SERA QUE TEM COMO MELHORAR ALGUMA COISA ?


#!/bin/bash
iniciar(){

###################################

# LIMPAR TABELAS
iptables -F
iptables -F -t nat
iptables -F -t filter
iptables -F -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#####################################

# ATIVA MODULOS BASICOS
modprobe iptable_nat
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE

######################################

# ATIVA O ROTEAMENTO
echo 1 > /proc/sys/net/ipv4/ip_forward

######################################################################

# COMPARTILHA A CONEXAO PARA AS REDES 10.0 - 20.0
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE

########################################################################

# REGRAS DNAT PARA SERVIDOR WEB
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.10.254:80

######################################################################################

# BLOQUEIO DE SITES
iptables -A FORWARD -d 141.0.174.0/25 -j REJECT

#####################################################################################

# REGRAS FORWARD
# PERMITE PING PRA REDE EXTERNA
iptables -A FORWARD -s 192.168.10.0/24 -o eth0 -p icmp -j ACCEPT
iptables -A FORWARD -s 192.168.20.0/24 -o eth0 -p icmp -j ACCEPT

#######################################################################################################################################

# PERMITE CONEXOES DA REDE INTERNA PARA REDE EXTERNA
# 80HTTP 443SSL 3128PROXY 110POP 995POP3 20/21FTP 587SMTPS 143IMAP 22SSH 3389WTS 25SMTP 5900VNC
iptables -A FORWARD -s 192.168.10.0/24 -o eth0 -p tcp -m multiport --dports 80,443,3128,110,20,21,587,995,143,22,3389,25,5900 -j ACCEPT
iptables -A FORWARD -s 192.168.20.0/24 -o eth0 -p tcp -m multiport --dports 80,443,3128,110,20,21,587,995,143,22,3389,25,5900 -j ACCEPT

# LIBERA NOVAS CONEXOES RELATADAS E ESTABELECIDAS
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

########################################################################################################################################

# REGRAS CLIENTE
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# CHECA AS CONEXOES ESTABELECIDA OU RELACIONADA ELE PERMITE
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

################################################################

# REGRAS SERVIDOR
iptables -A INPUT -p tcp -s 192.168.20.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.20.0/24 -m multiport --dports 3128,443,80,587,25,110 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.20.0/24 -m multiport --dports 53,67,68 -j ACCEPT

# LIBERANDO O PING(ICMP)
iptables -A INPUT -p icmp -j ACCEPT

# PERMITE CONEXOES NA LOOPBACK
# iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
iptables -A INPUT -s 192.168.20.0/24 -i lo -j ACCEPT
iptables -A INPUT -s 192.168.10.0/24 -i lo -j ACCEPT

# LIBERA NOVAS CONEXOES RELATADAS E ESTABELECIDAS
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

######################################################################
######################## SEGURANCA ####################################

# SEGURANCA CONTRA IP SPOOFING
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP

# PROTEGE CONTRA SYNFLOOD
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# PROTECAO CONTRA ICMP BROADCASTING
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# PROTECAO CONTRA SYN-FLOODS
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# PROTECAO CONTRA PORT SCANNERS OCULTOS
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# PROTECAO CONTRA PING DA MORTE
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# PROTECAO CONTRA IP SPOOFING
iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 192.168.1.0/16 -i eth0 -j DROP

# BLOQUEANDO PACOTES FRAGMENTADOS
iptables -A INPUT -i eth0 -f -j LOG --log-prefix "Pacote Fragmentado: "
iptables -A INPUT -i eth0 -f -j DROP
iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote Fragmentado: "
iptables -A INPUT -i eth1 -f -j DROP

#####################################################################

}
parar(){
iptables -F
iptables -F -t nat
iptables -F -t filter
iptables -F -t mangle
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar;;
*) echo "USE OS PARAMETROS START OU STOP"
esac




  


2. Re: FIREWALL ESTA OK ?

Reginaldo de Matias
saitam

(usa Slackware)

Enviado em 21/02/2016 - 18:40h

Algumas sugestões...

Na função de parar firewall, além de desabilitar as regras, precisa colocar o compartilhamento, assim desabilita as regras, mas o compartilhamento continua ativo com regras livres.

No caso, na função de parar.

# COMPARTILHA A CONEXAO PARA AS REDES 10.0 - 20.0
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE


Outra, é jamais liberar o ICMP no INPUT e FORWARD nos servidores, principalmente no servidor web.
Servidor web NÃO deve está com ICMP ativo, deve bloquear, assim impede o DOS/DDOS.

http://mundodacomputacaointegral.blogspot.com.br/
Twitter: http://twitter.com/@blogcomputacao
Facebook: http://www.facebook.com/BlogComputacao
Grupo Linux no Telegram: https://goo.gl/KQYqhN


3. Re: FIREWALL ESTA OK ?

Perfil removido
removido

(usa Nenhuma)

Enviado em 21/02/2016 - 20:26h

Atualmente o iptables faz o load do módulo do firewall automaticamente sem precisar usar esses comandos modprobe todos, salvo algum engano.

----------------------------------------------------------------------------------------------------------------
http://24.media.tumblr.com/tumblr_m62bwpSi291qdlh1io1_250.gif

# apt-get purge systemd (não é prá digitar isso!)

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it. — Edward Snowden



4. Re: FIREWALL ESTA OK ?

Buckminster
Buckminster

(usa Debian)

Enviado em 22/02/2016 - 01:20h

Leia esta página deste artigo, depois leia o artigo inteiro:

https://www.vivaolinux.com.br/artigo/Iptables-protege-contra-SYN-FLOOD?pagina=6


5. Re: FIREWALL ESTA OK ?

Fabio
fabio_vieira

(usa Debian)

Enviado em 22/02/2016 - 15:46h

Brigado se alguém tiver mais sugestões me ajuda a e :)


6. Re: FIREWALL ESTA OK ?

Fabio
fabio_vieira

(usa Debian)

Enviado em 22/02/2016 - 15:49h

saitam ; mais no caso de ser um servidor web interno sem nenhuma regra de redirecionamento de porta para internet preciso bloquear mesmo assim, esse servidor web iria funcionar só localmente






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts