FIREWALL COM IPTABLES - PARA EMPRESAS E INTRANETS
Publicado por Joabes Carlos de Carvalho 16/09/2003
[ Hits: 33.578 ]
Homepage: http://www.fwsnet.com.br / http://www.bookmail.com.br
ESSE FIREWALL É MUITO BOM, EU UTILIZAVA NA ANTIGA EMPRESA QUAL TRABALHAVA, ESPERO QUE POSSA SER UTIL A TODOS, OS COMENTÁRIOS DO FIREWALL ESTÃO EM INGLÊS, MAIS É BEM DECSRITIVO E FÁCIL DE USAR.
ATÉ A PRÓXIMA PESSOAL.
ABRAÇOS.
#!/bin/sh ############################################################################ ############################################################################ ##################### FIREWALL PARA INTRANETS ############################ ############################################################################ ############################################################################ ############################################################################ #Script de firewall muito facil para ser aplicado, apenas esta em ingles#### IPTABLES="/sbin/iptables" # set to your iptables location, must be set DNS="192.168.0.1" #set to your DNS server(s), that you get zone transfers from TCP_ALLOW="21 22 25 80 8000 8001" #TCP ports to ALLOW UDP_ALLOW="500" # UDP ports to ALLOW (53 not needed, covered by DNS above) INET_IFACE="ppp0" # the interface your internet's on (one only), must be set LAN_IFACE="eth0" # the interface(s) your LAN's on (currently used only as a sanity check) USE_SSH1="TRUE" # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE) USE_OPENSSH="TRUE" # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE) INTERNAL_LAN="192.168.0.0/24" #the internal network(s), must be set AUTH_ALLOW="" #IPs allowed to use the AUTH service (leave blank and put 113 in TCP_ALLOW for all) DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all DROP="REJECT" # What to do with packets we don't want: DROP, REJECT, LDROP (log and drop), or LREJECT (log and reject) # Below here is experimental MAC_LAN="" # MAC addresses permitted to use masquerading, leave blank to not use USE_MASQ="TRUE" # Set to TRUE to use masquerading (anything else is interpreted as FALSE) USE_SNAT="" # If you have a static internet IP, put it here and set "USE_MASQ" above to FALSE TCP_FW="" # TCP port forwards (will pick reverse masquerading if you use masquerading or snat), form is "SPORT:DPORT>IP" UDP_FW="" # Same as above but on UDP # ----------------------------------------------------------------------| # Do not modify configuration below here | # ----------------------------------------------------------------------| DROP="REJECT" #Apparently some ISPs (@home comes to mind) have problems with denying them, so send back ICMP messages to fool them FILTER_CHAINS="INETIN INETOUT LDROP LREJECT TCPACCEPT UDPACCEPT" # ----------------------------------------------------------------------| # You shouldn't need to modify anything below here | # ----------------------------------------------------------------------| # Let's load it! echo "Loading iptables firewall:" # Configuration Sanity Checks echo -n "Checking configuration..." if [ "$USE_MASQ" = "TRUE" ] && ! [ "$USE_SNAT" = "" ] ; then echo echo "ERROR IN CONFIGURATION: Masquerading and Static NAT cannot both be used!" exit 1 fi if [ "$INET_IFACE" = "$LAN_IFACE" ] ; then if [ "$USE_MASQ" = "TRUE" ] || [ "$USE_SNAT" != "" ] ; then # This can't happen because the whole point of my masquerading code is that we don't need to know the IP. # While we know the IP with SNAT, I'm too lazy do change my code other than to use SNAT :) echo echo "ERROR IN CONFIGURATION: INET interface and LAN interface cannot be the same when using masquerading or SNAT!" exit 1 fi fi if ! [ -x $IPTABLES ] ; then echo echo "ERROR IN CONFIGURATION: IPTABLES doesn't exist or isn't executable!" exit 1 fi echo "passed" # Turn on IP forwarding (your kernel still needs it) echo 1 > /proc/sys/net/ipv4/ip_forward echo "IP Forwarding enabled..." # Enable TCP Syncookies (always a 'good thing') (thanks steff) echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo "IP SynCookies enabled..." # Loading kernel modules... echo "Loading kernel modules..." insmod ip_tables insmod ip_conntrack insmod ip_conntrack_ftp insmod ip_conntrack_irc insmod iptable_nat insmod ip_nat_ftp echo "Kernel modules loaded." # Flush everything # If you need compatability, you can comment some or all of these out, # but remember, if you re-run it, it'll just add the new rules in, it # won't remove the old ones for you then, this is how it removes them. # # You'll notice I give status now :) echo -n "Flush: " ${IPTABLES} -t filter -F INPUT echo -n "INPUT " ${IPTABLES} -t filter -F OUTPUT echo -n "OUTPUT1 " ${IPTABLES} -t filter -F FORWARD echo -n "FORWARD " ${IPTABLES} -t nat -F PREROUTING echo -n "PREROUTING1 " ${IPTABLES} -t nat -F OUTPUT echo -n "OUTPUT2 " ${IPTABLES} -t nat -F POSTROUTING echo -n "POSTROUTING " ${IPTABLES} -t mangle -F PREROUTING echo -n "PREROUTING2 " ${IPTABLES} -t mangle -F OUTPUT echo -n "OUTPUT3" echo # Create new chains # Output to /dev/null in case they don't exist from a previous invocation echo -n "Creating chains: " for chain in ${FILTER_CHAINS} ; do ${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1 ${IPTABLES} -t filter -N ${chain} echo -n "${chain} " done echo # Default Policies # INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later) # is given a policy of DROP at the end # Policy can't be reject becuase of kernel limitations echo -n "Default Policies: " ${IPTABLES} -t filter -P INPUT ACCEPT echo -n "INPUT:ACCEPT " ${IPTABLES} -t filter -P OUTPUT ACCEPT echo -n "OUTPUT:ACCEPT " ${IPTABLES} -t filter -P FORWARD DROP echo -n "FORWARD:DROP " echo # Local traffic to internet or crossing subnets # This should cover what we need if we don't use masquerading # Unfortunately, MAC address matching isn't bidirectional (for # obvious reasons), so IP based matching is done here echo -n "Local Traffic Rules: " for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT ${IPTABLES} -t filter -A FORWARD -d ${subnet} -j ACCEPT echo -n "${subnet}:ACCEPT " done echo # Set up basic NAT if the user wants it if [ $USE_MASQ = TRUE ] ; then echo -n "Setting up NAT: " if [ "$MAC_LAN" = "" ] ; then for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE echo -n "${subnet}:MASQUERADE " done else for address in ${MAC_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE echo -n "${address}:MASQUERADE " done fi echo elif [ "$USE_SNAT" != "" ] ; then #Static IP Defined #(I've heard this loop doesn't work, someone look at it since I can't test it on my dialup) echo -n "Setting up NAT: " if [ "$MAC_LAN" = "" ] ; then for subnet in ${INTERNAL_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT} echo -n "${subnet}:SNAT " done else for address in ${MAC_LAN} ; do ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${USE_SNAT} echo -n "${address}:SNAT " done fi echo fi #TCP Port-Forwards if [ "$TCP_FW" != "" ] ; then echo -n "TCP Port Forwards: " if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then for rule in ${TCP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -p tcp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport} echo -n "${rule} " done else for rule in ${TCP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j REDIRECT --to ${host}:${destport} echo -n "${rule} " done fi echo fi #UDP Port Forwards if [ "$UDP_FW" != "" ] ; then echo -n "UDP Port Forwards: " if [ "$USE_SNAT" != "" ] || [ $USE_MASQ = TRUE ] ; then for rule in ${UDP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -p udp -i ${INET_IFACE} --dport ${srcport} -j DNAT --to ${host}:${destport} echo -n "${rule} " done else for rule in ${UDP_FW} ; do ports=`echo $rule | sed 's/>.*//g'` srcport=`echo $ports | sed 's/:.*//g'` destport=`echo $ports | sed 's/.*://g'` host=`echo $rule | sed 's/.*>//g'` ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j REDIRECT --to ${host}:${destport} echo -n "${rule} " done fi echo fi # =============================================== # -------Chain setup before jumping to them------ # =============================================== # Set up INET chains echo -n "Setting up INET chains: " ${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN echo -n "INETIN " ${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT echo -n "INETOUT " echo #These logging chains are valid to specify in DROP= above #Set up LDROP echo -n "Setting up logging chains: " ${IPTABLES} -t filter -A LDROP -p tcp -j LOG --log-level info --log-prefix "TCP Dropped " ${IPTABLES} -t filter -A LDROP -p udp -j LOG --log-level info --log-prefix "UDP Dropped " ${IPTABLES} -t filter -A LDROP -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " ${IPTABLES} -t filter -A LDROP -f -j LOG --log-level warning --log-prefix "FRAGMENT Dropped " ${IPTABLES} -t filter -A LDROP -j DROP echo -n "LDROP " #And LREJECT too ${IPTABLES} -t filter -A LREJECT -p tcp -j LOG --log-level info --log-prefix "TCP Rejected " ${IPTABLES} -t filter -A LREJECT -p udp -j LOG --log-level info --log-prefix "UDP Rejected " ${IPTABLES} -t filter -A LREJECT -p icmp -j LOG --log-level info --log-prefix "ICMP Dropped " ${IPTABLES} -t filter -A LREJECT -f -j LOG --log-level warning --log-prefix "FRAGMENT Rejected " ${IPTABLES} -t filter -A LREJECT -j REJECT echo -n "LREJECT " #newline echo # Set up the per-proto ACCEPT chains echo -n "Setting up per-proto ACCEPT: " # TCPACCEPT # SYN Flood Protection ${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit 2/s -j ACCEPT ${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT # Log anything that hasn't matched yet and ${DROP} it since we don't know what it is ${IPTABLES} -t filter -A TCPACCEPT -j LOG --log-prefix "Mismatch in TCPACCEPT " ${IPTABLES} -t filter -A TCPACCEPT -j ${DROP} echo -n "TCPACCEPT " #UDPACCEPT ${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT # Log anything not on UDP (it shouldn't be here), and ${DROP} it since it's not supposed to be here ${IPTABLES} -t filter -A UDPACCEPT -j LOG --log-prefix "Mismatch on UDPACCEPT " ${IPTABLES} -t filter -A UDPACCEPT -j ${DROP} echo -n "UDPACCEPT " #Done echo # ------------------------------------------------- # ================================================= # ------------------------------------------------- #Explicit denies if [ "$DENY_ALL" != "" ] ; then echo -n "Denying hosts: " for host in ${DENY_ALL} ; do ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP} echo -n "${host}:${DROP}" done echo fi #Invalid packets are always annoying echo -n "${DROP}ing invalid packets..." ${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP} echo "done" # ================================================================ # ------------Allow stuff we have chosen to allow in-------------- # ================================================================ #Start allowing stuff # Flood "security" # You'll still respond to these if they comply with the limits # Default limits are 1/sec for ICMP pings # SYN Flood is on a per-port basis because it's a security hole to put it here! # This is just a packet limit, you still get the packets on the interface and # still may experience lag if the flood is heavy enough echo -n "Flood limiting: " # Ping Floods (ICMP echo-request) ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT echo -n "ICMP-PING " echo echo -n "Allowing the rest of the ICMP messages in..." ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT echo "done" if [ "$TCP_ALLOW" != "" ] ; then echo -n "TCP Input Allow: " for port in ${TCP_ALLOW} ; do if [ "0$port" == "021" ]; then #Active FTP (thanks steff) ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j TCPACCEPT fi ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} -j TCPACCEPT echo -n "${port} " done echo fi if [ "$UDP_ALLOW" != "" ] ; then echo -n "UDP Input Allow: " for port in ${UDP_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j UDPACCEPT echo -n "${port} " done echo fi if [ "$DNS" != "" ] ; then echo -n "DNS Zone Transfers: " for server in ${DNS} ; do ${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j UDPACCEPT echo -n "${server} " done echo fi #SSH Rulesets if [ $USE_SSH1 = TRUE ] || [ $USE_OPENSSH = TRUE ]; then echo -n "Accounting for SSH..." if [ $USE_SSH1 = TRUE ]; then #SSH1 ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j TCPACCEPT echo -n "SSH1 " fi if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j TCPACCEPT echo -n "OpenSSH " fi echo fi #AUTH(identd) host-based allows if [ "$AUTH_ALLOW" != "" ] ; then echo -n "AUTH accepts: " for host in ${AUTH_ALLOW} ; do ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j TCPACCEPT echo -n "${host} " done echo fi echo -n "Allowing established outbound connections back in..." ${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT echo "done" #What to do on those INET chains when we hit the end echo -n "Setting up INET policies: " #Drop if we cant find a valid inbound rule. ${IPTABLES} -t filter -A INETIN -j ${DROP} echo -n "INETIN:${DROP} " #We can send what we want to the internet ${IPTABLES} -t filter -A INETOUT -j ACCEPT echo -n "INETOUT:ACCEPT " echo #All done! echo "Done loading the firewall!" iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.2:8000
Criação de ports para slackware
Migração de Aplicações para Ambiente Web - Uma Abordagem Prática
Script - Realizando relatório do servidor
Relatório minuto a minuto de todas as conexões do servidor
Agora temos uma assistente virtual no fórum!!! (246)
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
Flatpak: remover runtimes não usados e pacotes
Mudar o gerenciador de login (GDM para SDDM e vice-versa) - parte 2
Como eu faço para ativar o sistema de gestos do mousepad? (4)
NGNIX - Aplicar SNAT para evitar roteamento assimetrico (13)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta