FIREWALL COM IPTABLES - PARA EMPRESAS E INTRANETS
Publicado por Joabes Carlos de Carvalho 16/09/2003
[ Hits: 33.614 ]
Homepage: http://www.fwsnet.com.br / http://www.bookmail.com.br
ESSE FIREWALL É MUITO BOM, EU UTILIZAVA NA ANTIGA EMPRESA QUAL TRABALHAVA, ESPERO QUE POSSA SER UTIL A TODOS, OS COMENTÁRIOS DO FIREWALL ESTÃO EM INGLÊS, MAIS É BEM DECSRITIVO E FÁCIL DE USAR.
ATÉ A PRÓXIMA PESSOAL.
ABRAÇOS.
#!/bin/sh ############################################################################ ############################################################################ ##################### FIREWALL PARA INTRANETS ############################ ############################################################################ ############################################################################ ############################################################################ #Script de firewall muito facil para ser aplicado, apenas esta em ingles#### IPTABLES="/sbin/iptables" # set to your iptables location, must be set DNS="192.168.0.1" #set to your DNS server(s), that you get zone transfers from TCP_ALLOW="21 22 25 80 8000 8001" #TCP ports to ALLOW UDP_ALLOW="500" # UDP ports to ALLOW (53 not needed, covered by DNS above) INET_IFACE="ppp0" # the interface your internet's on (one only), must be set LAN_IFACE="eth0" # the interface(s) your LAN's on (currently used only as a sanity check) USE_SSH1="TRUE" # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE) USE_OPENSSH="TRUE" # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE) INTERNAL_LAN="192.168.0.0/24" #the internal network(s), must be set AUTH_ALLOW="" #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all) DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all DROP="REJECT" # What to do with packets we don't want: DROP, REJECT, LDROP (log and drop), or LREJECT (log and reject) # Below here is experimental MAC_LAN="" # MAC addresses permitted to use masquerading, leave blank to not use USE_MASQ="TRUE" # Set to TRUE to use masquerading (anything else is interpreted as FALSE) USE_SNAT="" # If you have a static internet IP, put it here and set "USE_MASQ" above to FALSE TCP_FW="" # TCP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP" UDP_FW="" # Same as above but on UDP # ----------------------------------------------------------------------| # Do not modify configuration below here | # ----------------------------------------------------------------------| DROP="REJECT" #Apparently some ISPs (@home comes to mind) have problems with denying them, so send back ICMP messages to fool them FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT" # ----------------------------------------------------------------------| # You shouldn't need to modify anything below here | # ----------------------------------------------------------------------| # Let's load it! echo "Loading iptables firewall:" # Configuration Sanity Checks echo -n "Checking configuration..." if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then echo echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!" exit 1 fi if [ "$INET_IFACE" = "$LAN_IFACE" ] ; then if [ "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then # This can't happen because the whole point of my masquerading code is that we don't need to know the IP. # While we know the IP with SNAT, I'm too lazy do change my code other than to use SNAT :) echo echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!" exit 1 fi fi if ! [ -x $IPTABLES ] ; then echo echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!" exit 1 fi echo "passed" # Turn on IP forwarding (your kernel still needs it) echo 1 > /proc/sys/net/ipv4/ip_forward echo "IP Forwarding enabled..." # Enable TCP Syncookies (always a 'good thing') (thanks steff) echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo "IP SynCookies enabled..." # Loading kernel modules... echo "Loading kernel modules..." insmod ip_tables insmod ip_conntrack insmod ip_conntrack_ftp insmod ip_conntrack_irc insmod iptable_nat insmod ip_nat_ftp echo "Kernel modules loaded." # Flush everything # If you need compatability, you can comment some or all of these out, # but remember, if you re-run it, it'll just add the new rules in, it # won't remove the old ones for you then, this is how it removes them. # # You'll notice I give status now :) echo -n "Flush: " ${IPTABLES} -t filter -F INPUT echo -n "INPUT " ${IPTABLES} -t filter -F OUTPUT echo -n "OUTPUT1 " ${IPTABLES} -t filter -F FORWARD echo -n "FORWARD " ${IPTABLES} -t nat -F PREROUTING echo -n "PREROUTING1 " ${IPTABLES} -t nat -F OUTPUT echo -n "OUTPUT2 " ${IPTABLES} -t nat -F POSTROUTING echo -n "POSTROUTING " ${IPTABLES} -t mangle -F PREROUTING echo -n "PREROUTING2 " ${IPTABLES} -t mangle -F OUTPUT echo -n "OUTPUT3" echo # Create new chains # Output to /dev/null in case they don't exist from a previous invocation echo -n "Creating chains: " for chain in ${FILTER_CHAINS} ; do ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -N ${chain} echo -n "${chain} " done echo # Default Policies # INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later) # is given a policy of DROP at the end # Policy can't be reject becuase of kernel limitations echo -n "Default Policies: " ${IPTABLES} -t filter -P INPUT ACCEPT echo -n "INPUT:ACCEPT " ${IPTABLES} -t filter -P OUTPUT ACCEPT echo -n "OUTPUT:ACCEPT " ${IPTABLES} -t filter -P FORWARD DROP echo -n "FORWARD:DROP " echo # Local traffic to internet or crossing subnets # This should cover what we need if we don't use masquerading # Unfortunately, MAC address matching isn't bidirectional (for # obvious reasons), so IP based matching is done here echo -n "Local Traffic Rules: " for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT echo -n "${subnet}:ACCEPT " done echo # Set up basic NAT if the user wants it if [ $USE_MASQ = TRUE ] ; then echo -n "Setting up NAT: " if [ "$MAC_LAN" = "" ] ; then for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE echo -n "${subnet}:MASQUERADE " done else for address in ${MAC_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE echo -n "${address}:MASQUERADE " done fi echo elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined #(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup) echo -n "Setting up NAT: " if [ "$MAC_LAN" = "" ] ; then for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT} echo -n "${subnet}:SNAT " done else for address in ${MAC_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT} echo -n "${address}:SNAT " done fi echo fi #TCP Port-Forwards if [ "$TCP_FW" != "" ] ; then echo -n "TCP Port Forwards: " if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then for rule in ${TCP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport} echo -n "${rule} " done else for rule in ${TCP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport} echo -n "${rule} " done fi echo fi #UDP Port Forwards if [ "$UDP_FW" != "" ] ; then echo -n "UDP Port Forwards: " if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then for rule in ${UDP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport} echo -n "${rule} " done else for rule in ${UDP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport} echo -n "${rule} " done fi echo fi # =============================================== # -------Chain setup before jumping to them------ # =============================================== # Set up INET chains echo -n "Setting up INET chains: " ${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN echo -n "INETIN " ${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT echo -n "INETOUT " echo #These logging chains are valid to specify in DROP= above #Set up LDROP echo -n "Setting up logging chains: " ${IPTABLES} -t filter -A LDROP -p tcp -j LOG --log-level info --log-prefix "TCP Dropped " ${IPTABLES} -t filter -A LDROP -p udp -j LOG --log-level info --log-prefix "UDP Dropped " ${IPTABLES} -t filter -A LDROP -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " ${IPTABLES} -t filter -A LDROP -f -j LOG --log-level warning --log-prefix "FRAGMENT Dropped " ${IPTABLES} -t filter -A LDROP -j DROP echo -n "LDROP " #And LREJECT too ${IPTABLES} -t filter -A LREJECT -p tcp -j LOG --log-level info --log-prefix "TCP Rejected " ${IPTABLES} -t filter -A LREJECT -p udp -j LOG --log-level info --log-prefix "UDP Rejected " ${IPTABLES} -t filter -A LREJECT -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " ${IPTABLES} -t filter -A LREJECT -f -j LOG --log-level warning --log-prefix "FRAGMENT Rejected " ${IPTABLES} -t filter -A LREJECT -j REJECT echo -n "LREJECT " #newline echo # Set up the per-proto ACCEPT chains echo -n "Setting up per-proto ACCEPT: " # TCPACCEPT # SYN Flood Protection ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT ${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT # Log anything that hasn't matched yet and ${DROP} it since we don't know what it is ${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT " ${IPTABLES} -t filter -A TCPACCEPT -j ${DROP} echo -n "TCPACCEPT " #UDPACCEPT ${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT # Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here ${IPTABLES} -t filter -A UDPACCEPT -j LOG --log-prefix "Mismatch on UDPACCEPT " ${IPTABLES} -t filter -A UDPACCEPT -j ${DROP} echo -n "UDPACCEPT " #Done echo # ------------------------------------------------- # ================================================= # ------------------------------------------------- #Explicit denies if [ "$DENY_ALL" != "" ] ; then echo -n "Denying hosts: " for host in ${DENY_ALL} ; do ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP} echo -n "${host}:${DROP}" done echo fi #Invalid packets are always annoying echo -n "${DROP}ing invalid packets..." ${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP} echo "done" # ================================================================ # ------------Allow stuff we have chosen to allow in-------------- # ================================================================ #Start allowing stuff # Flood "security" # You'll still respond to these if they comply with the limits # Default limits are 1/sec for ICMP pings # SYN Flood is on a per-port basis because it's a security hole to put it here! # This is just a packet limit, you still get the packets on the interface and # still may experience lag if the flood is heavy enough echo -n "Flood limiting: " # Ping Floods (ICMP echo-request) ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT echo -n "ICMP-PING " echo echo -n "Allowing the rest of the ICMP messages in..." ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT echo "done" if [ "$TCP_ALLOW" != "" ] ; then echo -n "TCP Input Allow: " for port in ${TCP_ALLOW} ; do if [ "0$port" == "021" ]; then #Active FTP (thanks steff) ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT fi ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT echo -n "${port} " done echo fi if [ "$UDP_ALLOW" != "" ] ; then echo -n "UDP Input Allow: " for port in ${UDP_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT echo -n "${port} " done echo fi if [ "$DNS" != "" ] ; then echo -n "DNS Zone Transfers: " for server in ${DNS} ; do ${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j UDPACCEPT echo -n "${server} " done echo fi #SSH Rulesets if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then echo -n "Accounting for SSH..." if [ $USE_SSH1 = TRUE ]; then #SSH1 ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j TCPACCEPT echo -n "SSH1 " fi if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j TCPACCEPT echo -n "OpenSSH " fi echo fi #AUTH(identd) host-based allows if [ "$AUTH_ALLOW" != "" ] ; then echo -n "AUTH accepts: " for host in ${AUTH_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j TCPACCEPT echo -n "${host} " done echo fi echo -n "Allowing established outbound connections back in..." ${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT echo "done" #What to do on those INET chains when we hit the end echo -n "Setting up INET policies: " #Drop if we cant find a valid inbound rule. ${IPTABLES} -t filter -A INETIN -j ${DROP} echo -n "INETIN:${DROP} " #We can send what we want to the internet ${IPTABLES} -t filter -A INETOUT -j ACCEPT echo -n "INETOUT:ACCEPT " echo #All done! echo "Done loading the firewall!" iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.2:8000
transformar maiúsculas em minuscula e vice-versa
PKG Sync v3.0 - Utilitário para backup de pacotes deb baixados - Versão final
Inserção de máquinas no banco de dados para controle interno
Baixar pdf do "slide share" sem login usando shell script
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Tem como instalar o gerenciador AMD Adrenalin no Ubuntu 24.04? (15)
Tenho dois Link's ( IP VÁLIDOS ), estou tentando fazer o failover... (0)
Pendrive não formata de jeito nenhum (4)