iptables (rc.firewall)
sh
Categoria: Segurança
Software: iptables
[ Hits: 12.704 ]
Por: Jorge Luiz Taioque
Firewall Bem Completo e poderosooo..
#!/bin/bash ######################################## # Ativa módulos ######################################## #/sbin/modprobe ip_tables #/sbin/modprobe iptable_nat #/sbin/modprobe iptable_filter #/sbin/modprobe iptable_mangle #/sbin/modprobe ipt_REDIRECT #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ipt_state #/sbin/modprobe ipt_TOS #/sbin/modprobe ipt_LOG #/sbin/modprobe ipt_limit #/sbin/modprobe ip_conntrack #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc #/sbin/modprobe ip_nat_ftp #/sbin/modprobe ip_nat_irc #/sbin/modprobe ipt_MARK #/sbin/modprobe ipt_mark #/sbin/insmod /etc/rc.d/ipt_ipp2p.o ######################################## # Ativa roteamento no kernel ######################################## #echo "1" > /proc/sys/net/ipv4/ip_forward ######################################## # Proteção contra IP spoofing ######################################## #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter ######################################## #Honeypot ######################################## #inicializara o fake squid #perl pakesquid.pl G #--- #inicializara o fake httpd #perl httpd-fake.pl G #--- #inicializara o fake telnet #perl faketelnet.pl G ######################################## # Zera regras ######################################## #iptables -F #iptables -X #iptables -t nat -F #iptables -t filter -F #iptables -t mangle -F #iptables -P INPUT ACCEPT #iptables -P OUTPUT ACCEPT #iptables -P FORWARD ACCEPT ######################################## #Determina Politica Padrao ######################################## #iptables -P INPUT DROP #iptables -P OUTPUT DROP #iptables -P FORWARD DROP ######################################## # Tabela - Forward - Compartilhamento de Internet ######################################## #iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE #iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to 200.200.200.200 #Net Para Apenas Alguns Usuarios #iptables -t nat -A POSTROUTING -s 10.0.0.10 -o eth0 -j MASQUERADE #iptables -t nat -A POSTROUTING -s 10.0.0.20 -o eth0 -j MASQUERADE #iptables -t nat -A POSTROUTING -s 10.5.2.41 -o eth0 -j MASQUERADE ######################################## #Abilitando Serviços ######################################## #Habilitando LocalHost: #iptables -A INPUT -p tcp --syn -s 127.0.0.1 -j ACCEPT #Habilitando conexões vindas da rede local (usando a seguinte faixa de IP e máscara de rede). #iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT #Habilitando outras conexões nas seguinte porta: #iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT #iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT #iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT #iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT #Portas UDP #iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7777:7779 -j DNAT --to-dest 192.168.0.2 #iptables -A FORWARD -p udp -i eth0 --dport 7777:7779 -d 192.168.0.2 -j ACCEPT ######################################## # Tabela FILTER ######################################## #Contra DoS #iptables -A FORWARD -p tcp -syn -m limit -limit 1/s -j accept #iptables -A FORWARD -m unclean -j DROP #Contra Port Scanners # iptables -A FORWARD -o tcp -tcp-flags SYN,ACK,FIN,RST RST -m zlimit -limit 1/s -j accept #Contra Pings #iptables -A FORWARD -p icmp -icmp-type echo-request -m limit -limit 1/s -j accept # Block Back Orifice #/sbin/iptables -A INPUT -p tcp --dport 31337 -j DROP #/sbin/iptables -A INPUT -p udp --dport 31337 -j DROP # Block NetBus #/sbin/iptables -A INPUT -p tcp --dport 12345:12346 -j DROP #/sbin/iptables -A INPUT -p udp --dport 12345:12346 -j DROP # Dropa pacotes TCP indesejáveis #iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: " #iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP # Dropa pacotes mal formados #iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pacote mal formado: " #iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP # Aceita os pacotes que realmente devem entrar #iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT #iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT # Proteção contra trinoo #iptables -N TRINOO #iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: " #iptables -A TRINOO -j DROP #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO # Proteção contra tronjans #iptables -N TROJAN #iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: " #iptables -A TROJAN -j DROP #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN #iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN # Proteção contra worms #iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT # Proteção contra syn-flood #iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT # Proteção contra ping da morte #iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # Proteção contra port scanners #iptables -N SCANNER #iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: " #iptables -A SCANNER -j DROP #iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER #iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER #Bloqueio de NetBios #iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP #iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP #iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP #iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP #iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP #iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP #iptables -t nat -A PREROUTING -p udp --dport 135 -j DROP #iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP #iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP #iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP # Loga tentativa de acesso a determinadas portas #iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: " #iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: " #iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: " #iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: " #iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: " #iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: " #iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: " #iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " #iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " #iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: " #iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: " #iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: " # Libera acesso externo a determinadas portas #iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT #iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT #iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT #iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT # Libera acesso de smtp para fora apenas para o IP 192.0.0.0 #iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j LOG --log-level 6 --log-prefix "FIREWALL: SMTP proibido: " #iptables -A FORWARD -p tcp -d ! 192.0.0.0 --dport 25 -j REJECT ######################################## #Bloquear Longas temtativas em determinadas portas ######################################## #iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: " #iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: " #iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: " #iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: " #iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: " #iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: " #iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: " #iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " #iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " #iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: " #iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: " #iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: " # Proxy transparente # ------------------------------------------------------- #iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128 #iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128 # Redireciona portas para outros servidores # ------------------------------------------------------- #iptables -t nat -A PREROUTING -d 200.212.247.194 -p tcp --dport 1200:1400 -j DNAT --to 192.168.0.4:1200:1400 #iptables -t nat -A PREROUTING -d 192.168.200.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1 #iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80 #iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80 #iptables ... -d 200.200.200.200 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80 # Redireciona portas na própria máquina # ------------------------------------------------------- #iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22 ######################################## #Bloqueando Serviços ######################################## #Bloqueando conexões vindas em qualquer porta tcp do seu micro: #iptables -A INPUT -p tcp --syn -j DROP #Não Responder a Pings #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all #Bloqueando parte das portas udp: #iptables -A INPUT -i ppp0 -p udp --dport 0:30000 -j DROP #Não Receber Pacotes de determinadas Paginas #iptables -A FORWARD -s www.chat.com.br -j DROP #Não receber Pacotes de um determinado IP #iptables -A FORWARD -s 200.221.20.0/24 -j DROP #Bloqueando conexão via SSh: #iptables -A INPUT -p tcp --destination-port 22 -j DROP #Evitando scans do tipo "porta origem=porta destino": #$IPT -A INPUT -p tcp --sport $i --dport $i -j DROP #Bloqueando AIM: #$IPT -A FORWARD -d login.oscar.aol.com -j REJECT #Bloqueando ICQ: #$IPT -A FORWARD -p TCP --dport 5190 -j REJECT #$IPT -A FORWARD -d login.icq.com -j REJECT #Bloqueando MSN: #$IPT -A FORWARD -p TCP --dport 1863 -j REJECT #$IPT -A FORWARD -d 64.4.13.0/24 -j REJECT #Bloqueando Yahoo Messenger: #$IPT -A FORWARD -d cs.yahoo.com -j REJECT #$IPT -A FORWARD -d scsa.yahoo.com -j REJECT ######################################## #Bloqueando os -:P2P ######################################## #Fecha P2P #iptables -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP #Bittorrent: #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.0.2 #iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT #iMesh: #iptables -A FORWARD -d 216.35.208.0/24 -j REJECT #BearShare: #iptables -A FORWARD -p TCP --dport 6346 -j REJECT #ToadNode: #iptables -A FORWARD -p TCP --dport 6346 -j REJECT #WinMX: #iptables -A FORWARD -d 209.61.186.0/24 -j REJECT #iptables -A FORWARD -d 64.49.201.0/24 -j REJECT #Napigator: #iptables -A FORWARD -d 209.25.178.0/24 -j REJECT #Morpheus: #iptables -A FORWARD -d 206.142.53.0/24 -j REJECT #iptables -A FORWARD -p TCP --dport 1214 -j REJECT #KaZaA: #iptables -A FORWARD -d 213.248.112.0/24 -j REJECT #iptables -A FORWARD -p TCP --dport 1214 -j REJECT #KaZaA Lite # iptables -m string --string "X-Kazaa-Username:"-j DROP # iptables -m string --string "X-Kazaa-Network:" -j DROP # iptables -m string --string "X-Kazaa-IP:" -j DROP # iptables -m string --string "X-Kazaa-SupernodeIP:" -j DROP #Limewire: #iptables -A FORWARD -p TCP --dport 6346 -j REJECT #Audiogalaxy: #iptables -A FORWARD -d 64.245.58.0/23 -j REJECT ######################################## # Regras para VPN ######################################## #iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT #iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT #iptables -A INPUT -p 50 -j ACCEPT #iptables -A OUTPUT -p 50 -j ACCEPT #iptables -A INPUT -p 51 -j ACCEPT #iptables -A OUTPUT -p 51 -j ACC
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Tem como instalar o gerenciador AMD Adrenalin no Ubuntu 24.04? (15)
Tenho dois Link's ( IP VÁLIDOS ), estou tentando fazer o failover... (0)
Pendrive não formata de jeito nenhum (4)