Firewall

Publicado por Charles Silva 21/09/2006

[ Hits: 9.163 ]

Homepage: www.charlessilva.com.br

Download rc.firewall




Esse firewall é super seguro. Algumas coisas coisas estão comentadas e as interfaces têm que ser modificadas para aquelas que você usa.

  



Esconder código-fonte

#!/bin/sh
#
############################################
#
# Script Firewall - Versao 1.0
# Atualizado 20/06/2006 - Charles Silva
#
#############################################

echo "Starting Firewall..."

#################################
# DEFINICAO DE VARIAVEIS:
#################################

IPTABLES="/usr/local/sbin/iptables"

# Interfaces:
#IFACE_EXTERNA="Whan0"
#IFACE_INTERNA="eth1"
LO_IFACE="lo"

# Redes:
REDE_INTERNA="192.168.0.0/24"
#IP_PROVEDOR="192.168.0.1"

#################################################
# LIMPANDO AS CHAINS E SETANDO A POLITICA PADRAO
#################################################

# Seta a politica padrao da tabela filter:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Seta a politica padrao na tabela NAT:
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Limpa as regras nas tabelas filter e nat:
$IPTABLES -F
$IPTABLES -t nat -F

# Apaga qualquer chain fora do padrao nas tabelas filter e NAT:
$IPTABLES -X
$IPTABLES -t nat -X

###################################################
# Permitindo trafego no loopback e nas interfaces:
###################################################
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_INTERNA -s $REDE_INTERNA -j ACCEPT

###########################################
# Logdrop - loga todos pacotes dropados:
###########################################
$IPTABLES -N logdrop
$IPTABLES -A logdrop -j LOG --log-level WARN --log-prefix "[logdrop] "
$IPTABLES -A logdrop -j DROP

#####################################################
# Regras para dropar e logar scanners do tipo xmas:
#####################################################
$IPTABLES -N logxmas
$IPTABLES -A logxmas -j LOG --log-level WARN --log-prefix "[xmas_scanners] "
$IPTABLES -A logxmas -j DROP

########################################################
# Regras para dropar e logar scanners do tipo SYN,FIN
########################################################
$IPTABLES -N logsynfin
$IPTABLES -A logsynfin -j LOG --log-level WARN --log-prefix "[SYN FIN scanners] "
$IPTABLES -A logsynfin -j DROP

########################################################
# Regras para dropar e logar scanners do tipo SYN,RST
########################################################
$IPTABLES -N logsynrst
$IPTABLES -A logsynrst -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A logsynrst -j DROP

########################################################################################
# Regras para dropar e logar scanners que ativam o bit FIN sem estabelecer uma conexao:
########################################################################################
$IPTABLES -N logfin
$IPTABLES -A logfin -j LOG --log-level WARN --log-prefix "[FIN scanners] "
$IPTABLES -A logfin -j DROP

#############################################################################
# Regras para dropar e logar scanners do tipo que ativam todas as flags TCP:
#############################################################################
$IPTABLES -N logalltcp
$IPTABLES -A logalltcp -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A logalltcp -j DROP

#############################################################################
# Regras para dropar e logar scanners do tipo nao ativam nenhuma flag TCP:
#############################################################################
$IPTABLES -N lognonetcp
$IPTABLES -A lognonetcp -j LOG --log-level WARN --log-prefix "[SYN RST scanners] "
$IPTABLES -A lognonetcp -j DROP

#########################################################################
# Rule allowed - for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.

$IPTABLES -N allowed
#$IPTABLES -A allowed -p TCP --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j logdrop

#########################################################################
# Watch - loga pacotes suspeitos

$IPTABLES -N watch
#$IPTABLES -A watch -s 192.168.0.2 -j ACCEPT
$IPTABLES -A watch -j LOG --log-level WARN --log-prefix "[watch] "
$IPTABLES -A watch -j ACCEPT

#########################################################################
# Scanners - loga tentativas de scanners na rede

# Loga e bloqueia scanners do tipo Xmas Portscanner:
$IPTABLES -N xmas_scanner
$IPTABLES -A xmas_scanner -p TCP --tcp-flags ALL FIN,URG,PSH -m limit --limit 7/s --limit-burst 3 -j logxmas

# Loga e bloqueia scanners do tipo que ativa os bits SYN e FIN:
$IPTABLES -N synfin_scanner
$IPTABLES -A synfin_scanner -p TCP --tcp-flags ALL SYN,FIN -m limit --limit 7/s --limit-burst 3 -j logsynfin

# Loga e bloqueia scanners do tipo que ativa os bits SYN e RST:
$IPTABLES -N synrst_scanner
$IPTABLES -A synrst_scanner -p TCP --tcp-flags SYN,RST SYN,RST -m limit --limit 7/s --limit-burst 3 -j logsynrst

# Loga e bloqueia scanners do tipo que ativa o bit FIN sem estabelecer uma conexao:
$IPTABLES -N fin_scanner
$IPTABLES -A fin_scanner -p TCP --tcp-flags ALL FIN -m limit --limit 7/s --limit-burst 3 -m state --state ! ESTABLISHED -j logfin

# Loga e bloqueia scanners do tipo que ativa todas flags TCP:
$IPTABLES -N alltcp_scanner
$IPTABLES -A alltcp_scanner -p TCP --tcp-flags ALL ALL -m limit --limit 7/s --limit-burst 3 -j logalltcp

# Loga e bloqueia scanners do tipo que nao ativa nenhuma flag TCP:
$IPTABLES -N nonetcp_scanner
$IPTABLES -A nonetcp_scanner -p TCP --tcp-flags ALL NONE -m limit --limit 7/s --limit-burst 3 -j lognonetcp

#########################################################################
# icmptrap - para pacotes ICMP:

$IPTABLES -N icmptrap
$IPTABLES -A icmptrap -p icmp --icmp-type echo-reply                   -j ACCEPT
$IPTABLES -A icmptrap -p icmp --icmp-type destination-unreachable      -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-unreachable        -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-unreachable           -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   protocol-unreachable       -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   port-unreachable           -j DROP
$IPTABLES -A icmptrap -p icmp --icmp-type   fragmentation-needed       -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   source-route-failed        -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-unknown            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-unknown               -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   network-prohibited         -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-prohibited            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-network-unreachable    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-host-unreachable       -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   communication-prohibited   -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   host-precedence-violation  -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   precedence-cutoff          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type source-quench                -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type redirect                     -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   network-redirect           -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   host-redirect              -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-network-redirect       -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type   TOS-host-redirect          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type echo-request                 -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type router-advertisement         -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type router-solicitation          -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type time-exceeded                -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ttl-zero-during-transit    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ttl-zero-during-reassembly -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type parameter-problem            -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   ip-header-bad              -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type   required-option-missing    -j watch
$IPTABLES -A icmptrap -p icmp --icmp-type timestamp-request            -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type timestamp-reply              -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type address-mask-request         -j logdrop
$IPTABLES -A icmptrap -p icmp --icmp-type address-mask-reply           -j logdrop

#########################################################################
# dropiana - dropa IP's nao liberados pela IANA(RFC1918,RFC3330) e redes reservadas

$IPTABLES -N dropiana
$IPTABLES -A dropiana -s 0.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 1.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 2.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 5.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 10.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 23.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 27.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 31.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 36.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 37.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 39.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 41.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 42.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 58.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 59.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 60.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 71.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 88.0.0.0/5 -j logdrop
$IPTABLES -A dropiana -s 96.0.0.0/3 -j logdrop
$IPTABLES -A dropiana -s 128.0.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 172.16.0.0/12 -j logdrop
$IPTABLES -A dropiana -s 191.255.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 192.31.196.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.52.193.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.67.23.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.68.185.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.70.192.0/21 -j logdrop
$IPTABLES -A dropiana -s 192.70.201.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.94.77.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.94.78.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.97.38.0/24 -j logdrop
$IPTABLES -A dropiana -s 192.168.0.0/16 -j logdrop
$IPTABLES -A dropiana -s 197.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 221.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 222.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 223.0.0.0/8 -j logdrop
$IPTABLES -A dropiana -s 224.0.0.0/4 -j logdrop
$IPTABLES -A dropiana -s 240.0.0.0/4 -j logdrop

#########################################################################
# Rule safe - apenas para chamar a dropiana e a icmptrap

# Create safe rule
$IPTABLES -N safe

# Call todas regras de scanners
$IPTABLES -A safe -j xmas_scanner
$IPTABLES -A safe -j synfin_scanner
$IPTABLES -A safe -j synrst_scanner
$IPTABLES -A safe -j fin_scanner
$IPTABLES -A safe -j alltcp_scanner
$IPTABLES -A safe -j nonetcp_scanner

# ICMP packets
$IPTABLES -A safe -p ICMP -j icmptrap

# Call dropiana
$IPTABLES -A safe -j dropiana

# Call INPUT Safe
$IPTABLES -A INPUT -j safe

#########################################################################
# Regras especificas para Rede Interna

# Pacotes que entram na rede
$IPTABLES -N main-in

# Pacotes que saem da rede
$IPTABLES -N main-out

################################
# REGRAS GERAIS P/ REDE INTERNA
################################

#############################
# Libera DNS p/ rede interna
#############################
$IPTABLES -A main-in -p UDP -i $IFACE_EXTERNA -s 0/0--sport 53 -j ACCEPT
$IPTABLES -A main-out -p UDP -o $IFACE_EXTERNA -d 0/0 --dport 53 -j ACCEPT


################################
# Regra p/ Bloqueio da internet
################################
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --dport 80 -j logdrop 
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --sport 80 -j logdrop
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --dport 110 -j logdrop 
$IPTABLES -A main-in -p TCP -i $IFACE_INTERNA $REDE_INTERNA --sport 110 -j logdrop

########################
# SSH P/ outro usuario
########################
$IPTABLES -A main-in -p TCP -s 000.00.00.000 --dport 22 -j allowed
$IPTABLES -A main-out -p TCP -d 000.00.000.000 --sport 22 -j allowed
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 22 -j logdrop


##########################
# Libera NTP p/ servidor
##########################
$IPTABLES -A INPUT -p UDP -i $IFACE_EXTERNA -s 200.144.121.33 --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $IFACE_EXTERNA -d 200.144.121.33 --sport 123 -j ACCEPT


################################################################
# Bloqueia qualquer servico conhecido para IPs da Rede Interna
################################################################
#1025/tcp   listen
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1025 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1025 -j logdrop
#1026
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1026 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1026 -j logdrop
#1027
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1027 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1027 -j logdrop
#1028
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1028 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1028 -j logdrop
# KDEinit
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1029 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1029 -j logdrop
#1030
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1030 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1030 -j logdrop
#1031/udp   iad1
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1031 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1031 -j logdrop
#1032/udp   iad1
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1032 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1032 -j logdrop
#1033/tcp   netinfo
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1033 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1033 -j logdrop
#1050/tcp   java-or-OTGfileshare
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1050 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1050 -j logdrop
#1059/tcp   nimreg
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1059 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1059 -j logdrop
# instl_boots
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1067 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1067 -j logdrop
# SOCKS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1080 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1080 -j logdrop
# MSSQL
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1433 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1433 -j logdrop
# MSSQL-Monitor
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1434 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1434 -j logdrop
# VPN
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1723 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1723 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --sport 1723 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --sport 1723 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1083 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1083 -j logdrop
#1812/RADIUS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1812 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1812 -j logdrop
#1813/RADIUS
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1813 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1813 -j logdrop
#2105/eklogin
$IPTABLES -A main-in -p TCP -s 0/0 --dport 2105 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 2105 -j logdrop
# Squid
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3128 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3128 -j logdrop
# 3268 globalcatLDAP
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3268 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3268 -j logdrop
# 3269 globalcatLDAPssl
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3269 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3269 -j logdrop
# MySQL
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3306 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3306 -j logdrop
# Msdtc
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3372 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3372 -j logdrop
# IISrpc-or-vat
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3456 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3456 -j logdrop
# Terminal Server
$IPTABLES -A main-in -p TCP -s 0/0 --dport 3389 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 3389 -j logdrop
# RPC
$IPTABLES -A main-in -p TCP -s 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p TCP -d 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 4444 -j logdrop
$IPTABLES -A main-in -p UDP -d 0/0 --dport 4444 -j logdrop
# Sae-Urn
$IPTABLES -A main-in -p TCP -s 0/0 --dport 4500 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 4500 -j logdrop
# VNC
$IPTABLES -A main-in -p TCP -s 0/0 --dport 5900 -j logdrop
# X
$IPTABLES -A main-in -p TCP -s 0/0 --dport 6000 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 6000 -j logdrop
# BACULA
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9101 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9101 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9102 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9102 -j logdrop
$IPTABLES -A main-in -p TCP -s 0/0 --dport 9103 -j logdrop
$IPTABLES -A main-in -p UDP -s 0/0 --dport 9103 -j logdrop

##############################################################
# REGRAS PARA REDIRECIONAMENTO DE PACOTES - FORWARD
##############################################################

# Libera acesso da Rede Interna para as outras redes:
$IPTABLES -A FORWARD -i $IFACE_INTERNA -s $REDE_INTERNA -d 0/0 -j ACCEPT

# Permite trafego de entrada de forma segura
$IPTABLES -A FORWARD -i $IFACE_EXTERNA -o $IFACE_INTERNA -j safe
$IPTABLES -A FORWARD -i $IFACE_EXTERNA -o $IFACE_INTERNA -j main-in


# Permite trafego de saida de forma segura
$IPTABLES -A FORWARD -i $IFACE_INTERNA -o $IFACE_EXTERNA -j safe
$IPTABLES -A FORWARD -i $IFACE_INTERNA -o $IFACE_EXTERNA -j main-out


#################
# Portas >= 1024
#################
$IPTABLES -A main-in -p TCP -s 0/0 --dport 1024: -j allowed
$IPTABLES -A main-in -p UDP -s 0/0 --dport 1024: -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 1024: -j allowed
$IPTABLES -A INPUT -p UDP -s 0/0 --dport 1024: -j ACCEPT



#############################################################
# Redireciona o trafego internet da rede interna p/ o squid
#############################################################
$IPTABLES -t nat -A PREROUTING -p TCP -i $IFACE_INTERNA -d ! 192.168.0.1 -s $REDE_INTERNA --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A POSTROUTING -o $IFACE_EXTERNA -j MASQUERADE

###################################
# Libera pacotes ICMP p/ o Gateway
###################################
$IPTABLES -A INPUT -i $IFACE_EXTERNA -s 0/0 -p ICMP -m limit --limit 1/s -j icmptrap

#########################
# CONFIGURACOES FINAIS:
#########################

# Habilita o IP Forward:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable IP spoofing protection, turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

#####################################
# Dropa e loga todos outros pacotes
#####################################
$IPTABLES -A INPUT -j logdrop
$IPTABLES -A FORWARD -j logdrop

echo "Firewall Started!"

Scripts recomendados

Debian - inicializando VMs (VirtualBox) no boot

LINUX+SAMBA+QUOTAS

Script de compilação automática do GCC-5.3.0 para Debian/Ubuntu de 32 bits

Instalando o SIESTA no Linux automaticamente

Script de Firewall


  

Comentários
[1] Comentário enviado por y2h4ck em 18/10/2006 - 13:12h

O arquivo do codigo fonte e o arquivo do download são diferentes.
Baixem e olhem o fonte verão a diferença.

Obrigado.

[2] Comentário enviado por sequelinha em 18/10/2006 - 18:15h

Respondendo a resposta acima
Obrigado por ter verificado isso (o script verdadeiro que eu publiquei e o que esta no codigo fonte )o outro eu fiz o dowloand e dei uma olha naum foi eu que fiz
Obrigado
sequelinha


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts