iptables (rc.firewall)

Regras de firewall (iptables) para estações.

Categoria: Networking

Software: iptables

[ Hits: 10.134 ]

Por: Perfil removido


Regras de firewall simples para workstations.  Simples configuração, para liberar as portas basta mudar as variáveis TCP_IN,  TCP_OUT, UDP_IN, UDP_OUT.


#! /bin/bash
#
## make vars
#
ETH0="eth0"
IP="192.68.0.69"

TCP_IN="ssh http ftp"
TCP_OUT="domain ssh http https imap smtp 1024:65535"

UDP_IN=""
UDP_OUT="domain ntp"

ICMP_IN="destination-unreachable source-quench echo-request time-exceeded parameter-problem"
ICMP_OUT="destination-unreachable source-quench echo-request time-exceeded parameter-problem"

FW="`type -p iptables`"
NEW="$FW --append"

#
## reset the rules
#
$FW -F 
$FW -F -t nat
$FW -X discard
#
## set policies 
#
for ch in INPUT OUTPUT FORWARD; do
    $FW -P $ch DROP
done



#
## Establish Logging Rules
#

# (create new rule)
$FW -N discard 
$NEW discard -p udp -d 100.100.100.255 -j DROP
$NEW discard -p udp -d 255.255.255.255 -j DROP
$NEW discard -m limit --limit 10/minute --limit-burst 20 -j LOG
$NEW discard -p  tcp --syn -d $IP --dport ident -j REJECT --reject-with tcp-reset
$NEW discard -j DROP


#
## anti-spoofing 
#
$NEW INPUT -i ! $ETH0 -j ACCEPT
$NEW OUTPUT -o ! $ETH0 -j ACCEPT
$NEW INPUT -s $IP -j discard
$NEW INPUT -d ! $IP -j discard
$NEW INPUT -s 127.0.0.0/8 -j discard

#
## anti-traceroute (disable)
#
#$NEW INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP

#
## anti-port scanners (disable)
#
#$NEW INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#
## dinamic rules
#
$NEW INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$NEW OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
## inbound sessions
#
for port in ${TCP_IN}; do
 case "${port}" in
 ftp) $NEW INPUT -p tcp --dport ${port} --syn -m state --state NEW -j ACCEPT
    ;;
 *)  $NEW INPUT -p tcp --dport ${port} -j ACCEPT
    $NEW OUTPUT -p tcp '!' --syn --sport ${port} -j ACCEPT
    ;;
 esac
done


for port in ${UDP_IN}; do
 $NEW INPUT -p udp --dport ${port} -j ACCEPT
 $NEW OUTPUT -p udp --sport ${port} -j ACCEPT
done


#
## outbound sessions
#
for port in ${TCP_OUT}; do
 $NEW OUTPUT -p tcp --dport ${port} --syn -m state --state NEW -j ACCEPT
done

for port in ${UDP_OUT}; do
 $NEW OUTPUT -p udp --dport ${port} -m state --state NEW -j ACCEPT
done

#
## manage ICMP
#

for t in ${ICMP_IN}; do
 case "${t}" in
 echo-request)
  $NEW INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $NEW OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  ;;
 *)
  $NEW INPUT -p icmp --icmp-type ${t} -j ACCEPT
  ;;
 esac
done


for t in ${ICMP_OUT}; do
 case "${t}" in
 echo-request)
  $NEW OUTPUT -p icmp --icmp-type ${t} -m state --state NEW -j ACCEPT
  ;;
 *)
  $NEW OUTPUT -p icmp --icmp-type ${t} -j ACCEPT
  ;;
 esac
done

#
## discard other traffic
#

$NEW INPUT -j discard

$NEW OUTPUT -m limit --limit 10/minute --limit-burst 20 -j LOG
$NEW OUTPUT -p tcp -j REJECT --reject-with tcp-reset
$NEW OUTPUT -j REJECT
  


Comentários

Nenhum comentário foi encontrado.


Contribuir com comentário

  



Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts