dragon002
(usa Outra)
Enviado em 12/08/2009 - 11:15h
#!/bin/sh
# Variáveis
# -------------------------------------------------------
iptables=/sbin/iptables
IF_EXTERNA=eth1
IF_INTERNA=eth0
# Ativa módulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Proteção contra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo"1"> /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ignora pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Proteção contra ICMP Broadcasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Bloqueia traceroute
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
# Zera regras
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle
# Determina a política padrão
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
#############################################################
# Fecha as portas udp de 1 a 1024, abre para o localhost
#############################################################
$iptables -A INPUT -p udp -s 127.0.0.1/255.0.0.0 -j ACCEPT
$iptables -A INPUT -p udp --dport 1:1024 -j DROP
$iptables -A INPUT -p udp --dport 59229 -j DROP
$iptables -A FORWARD -p tcp --dport 2048 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -j DROP
$iptables -A OUTPUT -p tcp --dport 22 -j DROP
$iptables -A FORWARD -p tcp --dport 22 -j DROP
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp -i eth0 --dport ssh -j DROP
$iptables -A OUTPUT -p tcp -i eth0 --dport ssh -j DROP
$iptables -A FORWARD -p tcp -i eth0 --dport ssh -j DROP
#############################################################
# Bloqueia programas P2P
#############################################################
# iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j DROP
# BearShare
iptables -A FORWARD -p TCP --dport 6346 -j DROP
# ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j DROP
# WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j DROP
iptables -A FORWARD -d 64.49.201.0/24 -j DROP
# Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j DROP
# Morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j DROP
iptables -A FORWARD -p TCP --dport 1214 -j DROP
# KaZaA
iptables -A FORWARD -d 213.248.112.0/24 -j DROP
iptables -A FORWARD -p TCP --dport 1214 -j DROP
#iptables -A INPUT -m string --string "X-Kazaa" -j DROP
# Limewire
iptables -A FORWARD -p TCP --dport 6346 -j DROP
# Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j DROP
# Napster
iptables -A OUTPUT -p TCP --dport 6699 -j DROP
iptables -A FORWARD -p TCP --dport 6699 -j DROP
iptables -A OUTPUT -p UDP --dport 6699 -j DROP
iptables -A FORWARD -p UDP --dport 6699 -j DROP
# # GNUtella
# iptables -A OUTPUT -p TCP --dport 6346 -j DROP
# iptables -A FORWARD -p TCP --dport 6346 -j DROP
# iptables -A OUTPUT -p UDP --dport 6346 -j DROP
# iptables -A FORWARD -p UDP --dport 6346 -j DROP
# AIM
iptables -A OUTPUT -p TCP --dport 4009 -j DROP
iptables -A FORWARD -p TCP --dport 4009 -j DROP
iptables -A OUTPUT -p UDP --dport 4009 -j DROP
iptables -A FORWARD -p UDP --dport 4009 -j DROP
# # MSN
# iptables -A OUTPUT -p TCP --dport 1863 -j DROP
# iptables -A FORWARD -p TCP --dport 1863 -j DROP
# iptables -A OUTPUT -p UDP --dport 1863 -j DROP
# iptables -A FORWARD -p UDP --dport 1863 -j DROP
# # ICQ
# iptables -A OUTPUT -p TCP --dport 4000 -j DROP
# iptables -A FORWARD -p TCP --dport 4000 -j DROP
# iptables -A OUTPUT -p UDP --dport 4000 -j DROP
# iptables -A FORWARD -p UDP --dport 4000 -j DROP
# iptables -A OUTPUT -p TCP --dport 5190 -j DROP
# iptables -A FORWARD -p TCP --dport 5190 -j DROP
# iptables -A OUTPUT -p UDP --dport 5190 -j DROP
# iptables -A FORWARD -p UDP --dport 5190 -j DROP
#################################################
# Tabela FILTER
#################################################
$iptables -t filter -P FORWARD DROP
$iptables -t filter -P OUTPUT ACCEPT
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P FORWARD ACCEPT
# Dropa pacotes TCP indesejáveis
# -------------------------------------------------------
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Dropa pacotes mal formados
# -------------------------------------------------------
$iptables -A INPUT -i $IF_INTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pacote mal formado: "
$iptables -A INPUT -i $IF_INTERNA -m unclean -j DROP
$iptables -A FORWARD -m unclean - j DROP
# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
$iptables -A INPUT -i ! $IF_INTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Proteção contra trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 35555 -j TRINOO
# Proteção contra tronjans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_INTERNA --dport 16660 -j TROJAN
# Proteção contra worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT
# Proteção contra syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Proteção contra ping da morte
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Proteção contra port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_INTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_INTERNA-j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_INTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_INTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_INTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_INTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_INTERNA -j SCANNER
# Loga tentativa de acesso a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 23 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
$iptables -A INPUT -p tcp --dport 3128 -i $IF_INTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
# Cria chain com regras de segurança
$iptables -N BLOCK
$iptables -A BLOCK -p icmp --icmp-type echo-request -j DROP
$iptables -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$iptables -A BLOCK -p tcp -m limit --limit 1/s -j ACCEPT
$iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
$iptables -A BLOCK -m unclean -j DROP
$IPT -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A BLOCK -j LOG --log-prefix "FW_ALERT: "
$iptables -A BLOCK -j DROP # Regras para evitar packet flood
$iptables -A INPUT -j BLOCK
$iptables -A FORWARD -j BLOCK
$iptables -t filter -P INPUT ACCEPT
$iptables -t filter -P FORWARD ACCEPT
$iptables -t filter -P OUTPUT ACCEPT
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P FORWARD ACCEPT
