Firewall - FECHADO
Publicado por Luciano Gomes 02/04/2007
Firewall bem fechado
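#!/usr/bin/env bash
#
# Firewall - FECHADO: NAT gateway for a small LAN with a local Squid proxy.
# Default policy is DROP on INPUT and FORWARD; only the ports listed in the
# liberar_portas calls, the VNC range and the "Conectividade Social" range are
# forwarded. Must run as root; writes /proc/sys/net/ipv4 tunables directly.
#
# Review notes against the original listing. Behaviour changes are marked
# CHANGED; everything else keeps the original rules, relative ordering and
# status messages:
#   CHANGED  the "syn-flood" rule used -j ACCEPT after all the whitelists, so it
#            admitted NEW TCP connections to ANY port at 1/s and short-circuited
#            every DROP below it (including the whole P2P block). It now only logs.
#   CHANGED  the "return traffic" FORWARD rule also accepted NEW, which made the
#            explicit port lists dead code; NEW was removed from it.
#   CHANGED  the "Conectividade Social" nat ACCEPT was appended after the Squid
#            REDIRECT and could never match; it now precedes the REDIRECT.
#   CHANGED  one VNC DNAT rule read --dport 5900:5900 (typo for 5800:5900).
#   Hard-coded eth1 / 192.168.1.0/24 / 192.168.1.4 now go through the variables.

set -u

[[ $EUID -eq 0 ]] || { printf 'Este script precisa ser executado como root.\n' >&2; exit 1; }

echo "Ativando Firewall"

echo "Ativando Dispositivos"
#-------------------------------------------------
readonly EXTERNA=eth1             # interface facing the internet
readonly INTERNA=eth0             # interface facing the LAN
readonly REDELOCAL=192.168.1.0/24
readonly VNC_HOST=192.168.1.4     # LAN host that receives the VNC DNAT
readonly VNC_PORTAS=5800:5900
readonly SQUID_PORTA=3128

#######################################
# Append one FORWARD ACCEPT rule per entry for traffic entering on an interface.
# Arguments: $1 - input interface
#            $@ - entries of the form proto:port or proto:first:last
#                 (e.g. tcp:https, udp:5800:5900)
#######################################
liberar_portas() {
  local iface=$1 entrada proto porta
  shift
  for entrada in "$@"; do
    proto=${entrada%%:*}
    porta=${entrada#*:}
    iptables -A FORWARD -i "$iface" -p "$proto" --dport "$porta" -j ACCEPT
  done
}

#######################################
# Accept and DNAT the VNC port range (tcp and udp) arriving on an interface
# to VNC_HOST. Rule order within each chain (tcp, then udp) matches the original.
# Arguments: $1 - input interface
#######################################
redirecionar_vnc() {
  local iface=$1 proto
  for proto in tcp udp; do
    iptables -A FORWARD -i "$iface" -p "$proto" --dport "$VNC_PORTAS" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -p "$proto" -i "$iface" --dport "$VNC_PORTAS" \
      -j DNAT --to "${VNC_HOST}:5800-5900"
  done
}

echo "Ativando Módulos"
#--------------------------------------------------
# Module names are from the 2.6-era netfilter tree; on current kernels several
# are built in or renamed, so a failed modprobe is reported rather than fatal.
for modulo in iptable_nat ip_nat_ftp ip_conntrack_ftp ipt_LOG ipt_REJECT \
              ipt_MASQUERADE iptable_mangle iptable_filter ipt_TOS; do
  modprobe "$modulo" 2>/dev/null || printf 'aviso: modulo %s nao carregado\n' "$modulo" >&2
done

echo "Limpando Regras"
#--------------------------------------------------
# -F / -X on a table flush and delete every chain in it, so the extra per-chain
# PREROUTING/POSTROUTING flushes of the original are not needed.
for tabela in filter nat mangle; do
  iptables -t "$tabela" -F
  iptables -t "$tabela" -X
done

echo "Aplicando Regras"
#--------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo "Aceitando retorno da internet"
#--------------------------------------------------
# Anything not arriving on the external interface (LAN, loopback) may talk to
# the firewall itself. "! -i" replaces the deprecated intrapositioned "-i !".
iptables -A INPUT ! -i "$EXTERNA" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# CHANGED: the original also listed NEW here, i.e. every new connection towards
# the LAN was accepted before the port lists further down were consulted.
iptables -A FORWARD -o "$INTERNA" -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Ativando roteamento"
#-------------------------------------------------
printf '1\n' > /proc/sys/net/ipv4/ip_forward

echo "Ativando Squid Local"
#-------------------------------------------------
# Already covered by the "! -i EXTERNA" rule above; kept so the intent stays
# explicit if that rule is ever tightened.
iptables -A INPUT -p tcp --dport "$SQUID_PORTA" -i "$INTERNA" -j ACCEPT

echo "Mascarando Roteador"
#---------------------------------------------------
iptables -t nat -A POSTROUTING -s "$REDELOCAL" -o "$EXTERNA" -j MASQUERADE

echo "Liberando Conectividade Social"
#--------------------------------------------------
# CHANGED: this must precede the REDIRECT below. nat PREROUTING stops at the
# first terminating target, so in the original (appended after the REDIRECT)
# this ACCEPT never matched and port-80 traffic to this range still went
# through Squid.
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

echo "Ativando Proxy Transparente"
#---------------------------------------------------
iptables -t nat -A PREROUTING -i "$INTERNA" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORTA"

echo "Acelerando Conexão"
#--------------------------------------------------
# TOS is a non-terminating target: the original set responses from port 80 to
# 0x08 and then to 0x10 in two OUTPUT rules, so only 0x10 took effect; the
# dead first rule is dropped.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j TOS --set-tos 0x10

echo "Abrindo portas externa"
#--------------------------------------------------
# NOTE(review): FORWARD rules on "-i EXTERNA" only see traffic that the nat
# table has already DNATed to a LAN host (here: the VNC range and the
# Bittorrent sinkhole below), so most of this list is inert unless more DNAT
# rules are added. Kept as the author wrote it.
liberar_portas "$EXTERNA" \
  tcp:https tcp:www tcp:domain udp:domain tcp:ftp tcp:ftp-data tcp:ssh \
  tcp:25 udp:25 tcp:110 udp:110 tcp:ntp udp:ntp tcp:3389 udp:3389 \
  tcp:143 udp:143 tcp:465 tcp:446 udp:446 tcp:995 \
  tcp:5800:5900 udp:5800:5900 tcp:5801:5901 udp:5801:5901

echo "Abrindo portas internas"
#--------------------------------------------------
# Port 80 is not listed: LAN web traffic is redirected to Squid above.
liberar_portas "$INTERNA" \
  tcp:https tcp:domain udp:domain tcp:ftp tcp:ftp-data tcp:ssh \
  tcp:25 udp:25 tcp:110 udp:110 tcp:ntp udp:ntp tcp:3389 udp:3389 \
  tcp:143 udp:143 tcp:465 tcp:446 udp:446 tcp:995 \
  tcp:5800:5900 udp:5800:5900 tcp:5801:5901 udp:5801:5901 \
  tcp:10000 udp:10000

echo "Redirecionando VNC"
#--------------------------------------------------
# As in the original, both inbound internet traffic and any LAN connection to
# 5800-5900 (whatever its destination) are DNATed to VNC_HOST.
# CHANGED: the LAN/udp DNAT rule read --dport 5900:5900 (typo).
redirecionar_vnc "$EXTERNA"
redirecionar_vnc "$INTERNA"

echo "Aplicando Proteção contra Spoofing"
#--------------------------------------------------
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  printf '1\n' > "$i"
done

echo "Aplicando Proteção contra Syn-flood e ataque DoS"
#--------------------------------------------------
# CHANGED: the original rule was
#   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# At this point in the chain every legitimately allowed SYN has already been
# accepted, so that rule admitted NEW TCP connections to ANY port (1/s, burst 5)
# and bypassed the P2P DROPs and the final DROP. SYNs that reach here are now
# only logged (rate-limited so the log cannot be flooded) and fall through to
# the DROP at the end. Real SYN rate-limiting would need a dedicated chain
# placed BEFORE the ACCEPT rules, with a limit tuned for this LAN.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j LOG --log-level 6 --log-prefix "FIREWALL: SYN nao liberado: "

echo "Aplicando Proteção contra ping da morte"
#--------------------------------------------------
# Forwarded echo-requests pass at 1/s and are dropped above that. The kernel is
# told not to ignore echo requests addressed to the firewall itself
# (icmp_echo_ignore_all=0); whether they arrive is still decided by INPUT.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
printf '0\n' > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo "Aplicando Proteção contra ataques"
#--------------------------------------------------
iptables -A INPUT -m state --state INVALID -j DROP

echo "Aplicando Proteção contra pacotes danificados"
#--------------------------------------------------
# LAN-sourced ICMP arriving on INTERNA was already accepted by the first INPUT
# rule, so this effectively only drops ICMP with a spoofed LAN source arriving
# on EXTERNA. (The original's 192.168.1.1/24 is the same network.)
iptables -A INPUT -p icmp -s "$REDELOCAL" -j DROP

echo "Aplicando proteção nos pacotes TCP indesejaveis"
#---------------------------------------------------
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

echo "Bloqueando Point-to-Point"
#--------------------------------------------------
# NOTE(review): the hostname-based rules are resolved once, when this script
# runs; if DNS is unavailable (e.g. at boot) iptables fails and that rule is
# simply missing. The address lists date from the original (2007) and are kept.
#--> AIM
iptables -A FORWARD -d login.oscar.aol.com -j DROP
#--> ICQ
iptables -A FORWARD -p tcp --dport 5190 -j DROP
iptables -A FORWARD -d login.icq.com -j DROP
#--> MSN
iptables -A FORWARD -p tcp --dport 1863 -j DROP
iptables -A FORWARD -d 64.4.13.0/24 -j DROP
iptables -A FORWARD -p tcp -d 65.54.239.0/24 -j DROP
#--> Bittorrent (the original hard-coded eth1, which is EXTERNA)
iptables -t nat -A PREROUTING -i "$EXTERNA" -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.1.1
iptables -A FORWARD -p tcp -i "$EXTERNA" --dport 6881:6889 -d 192.168.1.1 -j DROP
#--> iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j DROP
#--> BearShare ToadNode
iptables -A FORWARD -p tcp --dport 6346 -j DROP
#--> WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j DROP
iptables -A FORWARD -d 64.49.201.0/24 -j DROP
#--> Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j DROP
#--> Morpheus ("-s 0/0" in the original matches everything and was dropped)
for cadeia in FORWARD INPUT OUTPUT; do
  iptables -A "$cadeia" -d 206.142.53.0/24 -j DROP
  iptables -A "$cadeia" -p tcp --dport 1214 -j DROP
done
#--> Kazaa
for cadeia in FORWARD INPUT OUTPUT; do
  iptables -A "$cadeia" -s "$REDELOCAL" -d 213.248.112.0/24 -j DROP
  iptables -A "$cadeia" -s "$REDELOCAL" -p tcp --dport 1214 -j DROP
done
#--> Limewire
iptables -A FORWARD -p tcp --dport 6346 -j DROP
#--> Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j DROP
#--> Shareaza
for cadeia in FORWARD INPUT OUTPUT; do
  iptables -A "$cadeia" -s "$REDELOCAL" -p tcp --dport 6346 -j DROP
  iptables -A "$cadeia" -s "$REDELOCAL" -p udp --dport 6346 -j DROP
done

echo "Trocando Portas"
#--------------------------------------------------
readonly PORT_INI=61000
readonly PORT_FIM=65095
printf '%s %s\n' "$PORT_INI" "$PORT_FIM" > /proc/sys/net/ipv4/ip_local_port_range

echo "Bloqueando pocotes não liberados"
#---------------------------------------------------
# Redundant with the DROP policies set above; kept from the original.
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP

echo
echo "Firewall Ativo!"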