Configuração do Iptables em modo texto.
Publicado por Marcos Vettorazzo 08/06/2005
[ Hits: 7.064 ]
Esse é o meu pimeiro script. Nasceu a parti de uma necessidade.
Ele foi quase q 100% baseado no do Morimoto que acompanha o kurumin, inclusive várias partes do código foram apenas copiadas.
Dicas e sugestões seram SEMPRE muito bem recebidas. Se em alguma parte dele deixei de mencionar algo, por favor me avisem.
Ele cria um arquivo chamado firewaal.conf no diretório onde foi executado contendo as regras e depois copia para a pasta /usr/local/bin renomeando como firewall.
Aguardo sua avaliação.
#!/bin/bash # Testa se o usuário corrente é o ROOT echo -e "{FONTE}33[01;34m##########################################################" echo -e "{FONTE}33[01;34m## {FONTE}33[01;37mScript de configuração do firewall do linux {FONTE}33[01;34m##" echo -e "{FONTE}33[01;34m## {FONTE}33[01;37mEscrito por: {FONTE}33[01;34m##" echo -e "{FONTE}33[01;34m## {FONTE}33[01;32mMarcos Vettorazzo - {FONTE}33[01;31mkarioka_pr@brasnet.org {FONTE}33[01;34m##" echo -e "{FONTE}33[01;34m##########################################################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa clear if [ $USER != root ] then echo -e "{FONTE}33[01;31m#######################################################################{FONTE}33[01;31m" echo -e "{FONTE}33[01;31m## Voce precisa estar logado como root para executar este script ##\n## Se você não tem a senha entre em contato com o administrador. ##{FONTE}33[01;37m" echo -e "{FONTE}33[01;31m#######################################################################{FONTE}33[01;37m" else if [ $USER = root ] then echo -e "{FONTE}33[01;34m#######################{FONTE}33[01;34m" echo -e "{FONTE}33[01;34m## Ok, você é o root ##{FONTE}33[01;34m" echo -e "{FONTE}33[01;34m#######################{FONTE}33[01;37m" echo -e " " echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa clear rm -f /usr/local/bin/firewall rm -f firewall.conf echo -e '#!/bin/bash' >> firewall.conf echo ' ' >> firewall.conf echo -e '# Script de configuração do iptables' >> firewall.conf echo -e '# Este script pode ser usado em qualquer distribuiçõa Linux que utilize o Kernel 2.4 em diante' >> firewall.conf echo -e '# Por Marcos Vettorazzo - karioka_pr@brasnet.org' >> firewall.conf echo -e '# Este script foi feito com base no script do Carlos Morimoto, criador do Kurumin Linux' >> firewall.conf echo -e ' ' >> firewall.conf echo ' ' >> firewall.conf # Limpa as regras do iptables e desativa o firewall antes de começar a configuração: iptables -F echo -e "{FONTE}33[01;32m#####################################################################{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Você quer que o firewall permita conexões vindas da rede local? ##{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Isso permite a utilização de serviços como compartilhamento ##{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## de arquivos/impressoras e também de internet. ##{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Responda com sim ou nao(sem acento mesmo) ##{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m#####################################################################{FONTE}33[01;37m" echo -e " " read resp case "$resp" in 'sim' ) echo -e "" echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Qual a faixa de IP utilizada em sua rede?? ##\n## Ex.: 192.168.1.0 ##{FONTE}33[01;32m"; echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;37m" echo -e " " read faixaip echo -e '# Abre para uma faixa de endereços da rede local' >> firewall.conf echo -e "iptables -A INPUT -p tcp --syn -s $faixaip/255.255.255.0 -j ACCEPT" >> firewall.conf echo -e ' ' >> firewall.conf ;; 'nao' ) echo " " echo -e "{FONTE}33[01;34mOk...{FONTE}33[01;37m" ;; * ) echo -e "{FONTE}33[01;31m######################{FONTE}33[01;31m" echo -e "{FONTE}33[01;31m## Opção inválida ##{FONTE}33[01;31m" echo -e "{FONTE}33[01;31m######################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Responda com sim ou nao(sem acento mesmo) ##{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;37m" echo " " read resp if [ $resp = sim ] then echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;32m" echo -e "{FONTE}33[01;32m## Qual a faixa de IP utilizada em sua rede?? ##\n## Ex.: 192.168.1.0 ##{FONTE}33[01;32m"; echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;37m" echo -e " " read faixaip echo -e '# Abre para uma faixa de endereços da rede local' >> firewall.conf echo -e "iptables -A INPUT -p tcp --syn -s $faixaip/255.255.255.0 -j ACCEPT" >> firewall.conf echo -e ' ' >> firewall.conf else if [ $resp = nao ] then echo " " echo -e "{FONTE}33[01;34mOk...{FONTE}33[01;37m" fi fi ;; esac echo -e " " echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;32m" echo -e "## Você quer abrir alguma porta específica? ##\n## No caso de algum servidor como FTP, SSh ou WEB. ##" echo -e "## Não esqueça que as respostas são sim ou nao(sem acento) ##" echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;37m" echo -e " " read resp porta="1" case "$resp" in 'sim' ) echo -e " " echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;32m" echo -e "## Qual porta você deseja deixar aberta? ##\n## Elas serão adicionadas uma a uma, para parar indique 0(zero) ##" echo -e "{FONTE}33[01;32m###################################################################{FONTE}33[01;37m" echo -e " " while [ $porta -ne 0 ] do echo -e "{FONTE}33[01;32m#######################################{FONTE}33[01;32m" echo -e "## Qual a porta? Varia de 1 à 65550 ##" echo -e "{FONTE}33[01;32m#######################################{FONTE}33[01;37m" echo -e " " read porta if [ $porta -gt 0 ] then echo '# Abre a porta' $porta '(inclusive para a Internet)' >> firewall.conf echo "iptables -A INPUT -p tcp --destination-port $porta -j ACCEPT" >> firewall.conf echo -e ' ' >> firewall.conf else break fi done; ;; 'nao' ) echo " " echo -e "{FONTE}33[01;34mOk...{FONTE}33[01;37m" ;; * ) echo -e "Opção inválida. Responda sim ou nao(sem acento)" ;; esac #Proteções diversas echo " " >> firewall.conf echo '# Ignora pings' >> firewall.conf echo 'echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all' >> firewall.conf echo " " >> firewall.conf echo '# Protege contra synflood' >> firewall.conf echo 'echo "1" > /proc/sys/net/ipv4/tcp_syncookies' >> firewall.conf echo " " >> firewall.conf echo "# Proteção contra ICMP Broadcasting " >> firewall.conf echo 'echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts' >> firewall.conf echo " " >> firewall.conf echo '# Bloqueia traceroute' >> firewall.conf echo 'iptables -A INPUT -p udp --dport 33435:33525 -j DROP' >> firewall.conf echo " " >> firewall.conf echo " " >> firewall.conf echo '# Proteções diversas contra portscanners, ping of death, ataques DoS, etc.' >> firewall.conf echo 'iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT' >> firewall.conf echo 'iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT' >> firewall.conf echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' >> firewall.conf echo 'iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT' >> firewall.conf echo 'iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP' >> firewall.conf echo 'iptables -A FORWARD -m unclean -j DROP' >> firewall.conf echo 'iptables -A INPUT -m state --state INVALID -j DROP' >> firewall.conf echo 'iptables -N VALID_CHECK' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP' >> firewall.conf echo 'iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP' >> firewall.conf echo " " >> firewall.conf # Abre para a interface de loopback echo " " >> firewall.conf echo '# Abre para a interface de loopback.' >> firewall.conf echo '# Esta regra é essencial para o KDE e outros programas gráficos funcionarem adequadamente.' >> firewall.conf echo 'iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT' >> firewall.conf echo 'iptables -A INPUT -i lo -j ACCEPT' >> firewall.conf echo " " >> firewall.conf # Fecha as portas udp de 1 a 1024, abre para o localhost echo " " >> firewall.conf echo '# Fecha as portas udp de 1 a 1024, abre para o localhost' >> firewall.conf echo 'iptables -A INPUT -p udp -s 127.0.0.1/255.0.0.0 -j ACCEPT' >> firewall.conf echo 'iptables -A INPUT -p udp --dport 1:1024 -j DROP' >> firewall.conf echo 'iptables -A INPUT -p udp --dport 59229 -j DROP' >> firewall.conf echo " " >> firewall.conf echo -e " " echo -e "{FONTE}33[01;32m#####################################################{FONTE}33[01;32m" echo -e "## Gostaria de acessar as configurações avançadas? ##" echo -e "{FONTE}33[01;32m#####################################################{FONTE}33[01;37m" echo -e " " read resp if [ $resp = sim ] ; then # Sim, Comandos clear echo -e "{FONTE}33[01;32m######################################################################{FONTE}33[01;32m" echo "## Qual é a sua interface de rede que está conectada na rede local? ##" echo -e "{FONTE}33[01;32m######################################################################{FONTE}33[01;37m" echo -e " " echo -e "{FONTE}33[01;32m##############" echo "## ex: eth1 ##" echo -e "{FONTE}33[01;32m##############{FONTE}33[01;37m" echo -e " " read iflocal echo -e " " echo -e "{FONTE}33[01;32m######################################################################{FONTE}33[01;32m" echo "## Qual é a interface conectada na internet? Se você acessa via ##" echo "## ADSL PPPOE ou modem ela é a ppp0. Em caso de dúvida rode o ##" echo "## comando ifconfig ##" echo -e "{FONTE}33[01;32m######################################################################{FONTE}33[01;37m" echo -e " " echo -e "{FONTE}33[01;32m##############{FONTE}33[01;32m" echo "## ex: ppp0 ##" echo -e "{FONTE}33[01;32m##############{FONTE}33[01;37m" echo -e " " read ifinternet continuar=0 parar=1 while [ "$continuar" -lt "$parar" ] do clear echo -e echo -e "{FONTE}33[01;32m##############################{FONTE}33[01;32m" echo -e "## O que você deseja fazer? ##" echo -e "{FONTE}33[01;32###############################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;32ma) {FONTE}33[01;34mAdicionar uma faixa de endereços para a rede local" echo -e "{FONTE}33[01;32mb) {FONTE}33[01;34mAbrir uma porta do firewall" echo -e "{FONTE}33[01;32mc) {FONTE}33[01;34mRedirecionar uma faixa de portas para um micro da rede local?" echo -e " {FONTE}33[01;34m(port forward)" echo -e "{FONTE}33[01;32md) {FONTE}33[01;34mBloquear uma determinada porta de saída (permite bloquear o " echo -e " {FONTE}33[01;34muso de programas como o ICQ, MSN, etc.)" echo -e "{FONTE}33[01;32me) {FONTE}33[01;34mBloquear o uso de programas P2P, (iMesh, BearShare, ToadNotde," echo -e " {FONTE}33[01;34mWinMX, Napigatorm Morpheus, Limewire e Audiogalaxy)" echo -e "{FONTE}33[01;32mf) {FONTE}33[01;34mTerminei! Continuar com a configuração" echo " " echo -e "{FONTE}33[01;32mEscolha sua opção: ({FONTE}33[01;34ma, b, c, d, e ou f{FONTE}33[01;32m){FONTE}33[01;37m" echo " " read voufazer if [ "$voufazer" = "a" ]; then clear echo " " echo -e "{FONTE}33[01;32m##############################################################################" echo "## Digite a faixa de endereços da rede local seguida da máscara de sub-rede ##" echo -e "{FONTE}33[01;32m##############################################################################" echo -e "{FONTE}33[01;32m###################################" echo -e "## ex: 192.168.2.0/255.255.255.0 ##" echo -e "{FONTE}33[01;32m###################################{FONTE}33[01;37m" echo " " read faixalocal echo " " echo '# Abre para uma faixa de endereços da rede local' >> firewall.conf echo "iptables -A INPUT -p tcp --syn -s $faixalocal -j ACCEPT" >> firewall.conf echo " " >> firewall.conf echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa fi if [ "$voufazer" = "b" ]; then clear echo -e "{FONTE}33[01;32m####################################" echo -e "## Digite a porta que será aberta ##" echo -e "{FONTE}33[01;32m####################################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;32m#############{FONTE}33[01;37" echo -e "## ex: 1080 ##" echo -e "{FONTE}33[01;32m#############{FONTE}33[01;37" echo " " read portaip echo '# Abre uma porta (inclusive para a Internet)' >> firewall.conf echo "iptables -A INPUT -p tcp --destination-port $portaip -j ACCEPT" >> firewall.conf echo " " >> firewall.conf echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa fi if [ "$voufazer" = "c" ]; then clear echo -e "{FONTE}33[01;32m#################################################{FONTE}33[01;32m" echo -e "## Digite a faixa de portas que será fowardada ##" echo -e "{FONTE}33[01;32m#################################################{FONTE}33[01;37m" echo -e "{FONTE}33[01;32m###################" echo -e "## ex: 7000:7110 ##" echo -e "{FONTE}33[01;32m###################{FONTE}33[01;37m" echo -e " " echo -e "{FONTE}33[01;32m#######################################################" echo -e "## Para direcionar apenas uma porta apenas repita-a: ##" echo -e "#######################################################{FONTE}33[01;37m" echo -e "{FONTE}33[01;32m###################" echo -e "## ex: 7000:7000 ##" echo -e "###################{FONTE}33[01;37m" echo -e " " read rangeportas echo -e "{FONTE}33[01;32m#####################################################################" echo -e "## Digite o endereço do micro da rede local que receberá as portas ##" echo -e "{FONTE}33[01;32m#####################################################################{FONTE}33[01;37m" echo -e "{FONTE}33[01;32m#####################" echo -e "## ex: 192.168.0.2 ##" echo -e "{FONTE}33[01;32m#####################{FONTE}33[01;37m" echo " " read destinatario echo '# Redireciona uma faixa de portas para um micro da rede local' >> firewall.conf echo "iptables -t nat -A PREROUTING -i $ifinternet -p tcp --dport $rangeportas -j DNAT --to-dest $destinatario" >> firewall.conf echo "iptables -A FORWARD -p tcp -i $ifinternet --dport $rangeportas -d $destinatario -j ACCEPT" >> firewall.conf echo "iptables -t nat -A PREROUTING -i $ifinternet -p udp --dport $rangeportas -j DNAT --to-dest $destinatario" >> firewall.conf echo "iptables -A FORWARD -p udp -i $ifinternet --dport $rangeportas -d $destinatario -j ACCEPT" >> firewall.conf echo " " >> firewall.conf echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa fi if [ "$voufazer" = "d" ]; then clear echo -e "{FONTE}33[01;32m########################################################################" echo -e "## Esta opção permite bloquear o uso de uma determinada porta TCP ou, ##" echo -e "## UDP, tanto a partir deste micro, quanto a partir de micros da rede ##" echo -e "## local, caso você esteja compartilhando a conexão. ##" echo -e "## Usando esta opção você pode bloquear o uso de programas como o ##" echo -e "## ICQ (portas 4000 e 5190), Napster (6699), GNUtella (6346), ##" echo -e "## AIM (4099), MSN (1863) e assim por diante. Basta saber a ##" echo -e "## porta de saída usada pelo programa ##" echo -e "########################################################################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;32m########################################################################" echo -e "## Você pode também fechar uma faixa de portas, basta digitar a faixa ##" echo -e "## desejada, como em: 6000:6100 ##" echo -e "########################################################################{FONTE}33[01;37m" echo " " echo -e "{FONTE}33[01;32m###################################################################" echo -e "## Digite a porta de saída ou a faixa de portas que será fechada ##" echo -e "## ex: 1214 (uma porta) ou 6000:6100 (a faixa inteira) ##" echo -e "###################################################################{FONTE}33[01;37m" echo " " read portaout echo '# Bloqueia uma porta de saída, tanto local quanto forward' >> firewall.conf echo "iptables -A OUTPUT -p TCP --dport $portaout -j DROP" >> firewall.conf echo "iptables -A FORWARD -p TCP --dport $portaout -j DROP" >> firewall.conf echo "iptables -A OUTPUT -p UDP --dport $portaout -j DROP" >> firewall.conf echo "iptables -A FORWARD -p UDP --dport $portaout -j DROP" >> firewall.conf echo " " >> firewall.conf echo -e "{FONTE}33[01;34mAcesse esta opção várias vezes para fechar mais portas." echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa fi if [ "$voufazer" = "e" ]; then echo " " echo -e "{FONTE}33[01;32m############################################################################" echo -e "## Esta opção bloqueia as portas usadas pelos programas iMesh, BearShare, ##" echo -e "## Esta opção bloqueia as portas usadas pelos programas iMesh, BearShare, ##" echo -e "## ToadNotde, WinMX, Napigatorm Morpheus, Kazaa, Limewire e Audiogalaxy, ##" echo -e "## impedindo que eles sejam usados a partir deste micro ou de outros ##" echo -e "## micros da rede local, que acessem através deste. (pressione Enter) ##" echo -e "############################################################################{FONTE}33[01;37m" echo " " >> firewall.conf echo '# Bloqueia programas P2P' >> firewall.conf echo '#iMesh' >> firewall.conf echo 'iptables -A FORWARD -d 216.35.208.0/24 -j REJECT' >> firewall.conf echo '#BearShare' >> firewall.conf echo 'iptables -A FORWARD -p TCP --dport 6346 -j REJECT' >> firewall.conf echo '#ToadNode' >> firewall.conf echo 'iptables -A FORWARD -p TCP --dport 6346 -j REJECT' >> firewall.conf echo '#WinMX' >> firewall.conf echo 'iptables -A FORWARD -d 209.61.186.0/24 -j REJECT' >> firewall.conf echo 'iptables -A FORWARD -d 64.49.201.0/24 -j REJECT' >> firewall.conf echo '#Napigator' >> firewall.conf echo 'iptables -A FORWARD -d 209.25.178.0/24 -j REJECT' >> firewall.conf echo '#Morpheus' >> firewall.conf echo 'iptables -A FORWARD -d 206.142.53.0/24 -j REJECT' >> firewall.conf echo 'iptables -A FORWARD -p TCP --dport 1214 -j REJECT' >> firewall.conf echo '#KaZaA' >> firewall.conf echo 'iptables -A FORWARD -d 213.248.112.0/24 -j REJECT' >> firewall.conf echo 'iptables -A FORWARD -p TCP --dport 1214 -j REJECT' >> firewall.conf echo '#Limewire' >> firewall.conf echo 'iptables -A FORWARD -p TCP --dport 6346 -j REJECT' >> firewall.conf echo '#Audiogalaxy' >> firewall.conf echo 'iptables -A FORWARD -d 64.245.58.0/23 -j REJECT' >> firewall.conf echo " " >> firewall.conf echo -e "{FONTE}33[01;34m(Enter para continuar){FONTE}33[01;37m" read pausa fi if [ "$voufazer" = "f" ]; then clear # Ignora qualquer pacote de entrada, vindo de qualquer endereço, a menos que especificado o contrário acima. Bloqueia tudo. echo ' ' >> firewall.conf echo '# Esta regra é o coração do firewall,' >> firewall.conf echo '# ela bloqueia qualquer conexão que não tenha sido permitida acima, justamente por isso ela é a última da cadeia.' >> firewall.conf echo 'iptables -A INPUT -p tcp --syn -j DROP' >> firewall.conf echo ' ' >> firewall.conf echo ' ' >> firewall.conf echo ' ' >> firewall.conf chmod +x firewall.conf cp firewall.conf /usr/local/bin/firewall iptables -F echo -e "{FONTE}33[01;34mOk... Configuração terminada.{FONTE}33[01;37m" echo " " break fi done fi fi fi
Migrar de MySQL 3.x e 4.x para 5.0 no Debian
Ping para servidores tendo um arquivo TXT com a lista dos IPs/Hostnames
Dependências de Emuladores e DosBox
Nenhum comentário foi encontrado.
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
Não to conseguindo resolver este problemas ao instalar o playonelinux (1)
Excluir banco de dados no xampp (1)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta