Firewall - FECHADO

Publicado por Luciano Gomes 02/04/2007

[ Hits: 7.091 ]

Download firewall-fechado.sh




Firewall bem fechado

  



Esconder código-fonte

echo "Ativando Firewall"

echo "Ativando Dispositivos"
#-------------------------------------------------
EXTERNA=eth1
INTERNA=eth0
REDELOCAL=192.168.1.0/24


echo "Ativando Módulos"
#--------------------------------------------------
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe iptable_mangle
modprobe iptable_filter
modprobe ipt_TOS


echo "Limpando Regras"
#--------------------------------------------------
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat


echo "Aplicando Regras"
#--------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


echo "Aceitando retorno da internet"
#--------------------------------------------------
iptables -A INPUT -i ! $EXTERNA -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -o $INTERNA -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


echo "Ativando roteamento"
#-------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward


echo "Ativando Squid Local"
#-------------------------------------------------
iptables -A INPUT -p tcp --dport 3128 -i $INTERNA -j ACCEPT


echo "Mascarando Roteador"
#---------------------------------------------------
iptables -t nat -A POSTROUTING -s $REDELOCAL -o $EXTERNA -j MASQUERADE


echo "Ativando Proxy Transparente"
#---------------------------------------------------
iptables -t nat -A PREROUTING -i $INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128


echo "Acelerando Conexão"
#--------------------------------------------------
iptables -t mangle -A OUTPUT -p tcp -j TOS --sport 80 --set-tos 0x08
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS  --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp -j TOS --sport 80 --set-tos 0x10


echo "Abrindo portas externa"
#--------------------------------------------------
iptables -A FORWARD -i $EXTERNA -p tcp --dport https -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport www -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport domain -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport domain -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport ftp -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport ftp-data -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport ntp -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport ntp -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 3389 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 143 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 465 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 446 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 446 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 5800:5900 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 5800:5900 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p tcp --dport 5801:5901 -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 5801:5901 -j ACCEPT


echo "Abrindo portas internas"
#--------------------------------------------------
iptables -A FORWARD -i $INTERNA -p tcp --dport https -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport domain -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport domain -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport ftp -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport ftp-data -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport ntp -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport ntp -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 3389 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 143 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 465 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 446 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 446 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 5800:5900 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 5800:5900 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 5801:5901 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 5801:5901 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p tcp --dport 10000 -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 10000 -j ACCEPT


echo "Liberando Conectividade Social"
#--------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT


echo "Redirecionando VNC"
#--------------------------------------------------
iptables -A FORWARD -i $EXTERNA -p tcp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTERNA --dport 5800:5900 -j DNAT --to 192.168.1.4:5800-5900
iptables -t nat -A PREROUTING -p udp -i $EXTERNA --dport 5800:5900 -j DNAT --to 192.168.1.4:5800-5900

iptables -A FORWARD -i $INTERNA -p tcp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNA -p udp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $INTERNA --dport 5800:5900 -j DNAT --to 192.168.1.4:5800-5900
iptables -t nat -A PREROUTING -p udp -i $INTERNA --dport 5900:5900 -j DNAT --to 192.168.1.4:5800-5900


echo "Aplicando Proteção contra Spoofing"
#--------------------------------------------------
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $i
done


echo "Aplicando Proteção contra Syn-flood e ataque DoS"
#--------------------------------------------------
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT


echo "Aplicando Proteção contra ping da morte"
#--------------------------------------------------
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all


echo "Aplicando Proteção contra ataques"
#--------------------------------------------------
iptables -A INPUT -m state --state INVALID -j DROP


echo "Aplicando Proteção contra pacotes danificados"
#--------------------------------------------------
iptables -A INPUT -p icmp -s 192.168.1.1/24 -j DROP


echo "Aplicando proteção nos pacotes TCP indesejaveis"
#---------------------------------------------------
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


echo "Bloqueando Point-to-Point"
#--------------------------------------------------
#--> AIM
iptables -A FORWARD -d login.oscar.aol.com -j DROP

#--> ICQ
iptables -A FORWARD -p TCP --dport 5190 -j DROP
iptables -A FORWARD -d login.icq.com -j DROP

#--> MSN
iptables -A FORWARD -p tcp --dport 1863 -j DROP
iptables -A FORWARD -d 64.4.13.0/24 -j DROP
iptables -A FORWARD -p tcp -d 65.54.239.0/24 -j DROP

#--> Bittorrent
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.1.1
iptables -A FORWARD -p TCP -i eth1 --dport 6881:6889 -d 192.168.1.1 -j DROP

#--> iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j DROP

#--> BearShare ToadNode
iptables -A FORWARD -p TCP --dport 6346 -j DROP

#--> WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j DROP
iptables -A FORWARD -d 64.49.201.0/24 -j DROP

#--> Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j DROP

#--> Morpheus
iptables -A FORWARD -s 0/0 -d 206.142.53.0/24 -j DROP
iptables -A FORWARD -s 0/0 -p TCP --dport 1214 -j DROP
iptables -A INPUT -s 0/0 -d 206.142.53.0/24 -j DROP
iptables -A INPUT -s 0/0 -p TCP --dport 1214 -j DROP
iptables -A OUTPUT -s 0/0 -d 206.142.53.0/24 -j DROP
iptables -A OUTPUT -s 0/0 -p TCP --dport 1214 -j DROP

#--> Kazaa
iptables -A FORWARD -s 192.168.1.0/24 -d 213.248.112.0/24 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -p TCP --dport 1214 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -d 213.248.112.0/24 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p TCP --dport 1214 -j DROP
iptables -A OUTPUT -s 192.168.1.0/24 -d 213.248.112.0/24 -j DROP
iptables -A OUTPUT -s 192.168.1.0/24 -p TCP --dport 1214 -j DROP

#--> Limewire
iptables -A FORWARD -p TCP --dport 6346 -j DROP

#--> Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j DROP

#--> Shareaza
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 6346 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 6346 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 6346 -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 6346 -j DROP
iptables -A OUTPUT -s 192.168.1.0/24 -p tcp --dport 6346 -j DROP
iptables -A OUTPUT -s 192.168.1.0/24 -p udp --dport 6346 -j DROP


echo "Trocando Portas"
#--------------------------------------------------
PORT_INI=61000
PORT_FIM=65095
echo $PORT_INI $PORT_FIM > /proc/sys/net/ipv4/ip_local_port_range


echo "Bloqueando pocotes não liberados"
#---------------------------------------------------
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP

echo
echo "Firewall Ativo!"

Scripts recomendados

Script para Newsletters

Inventário e Análise de hardware

Script para atualizar o sistema

Distribuindo arquivos para máquinas em rede

Script para adicionar usuarios ftp


  

Comentários

Nenhum comentário foi encontrado.


Contribuir com comentário




Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts