Scritp de Firewall com Iptables
Publicado por Silvio Soares da Silva Junior 01/10/2005
[ Hits: 7.581 ]
Script de firewall usando iptables. Bloqueia e loga tentativas de conexão de trojans e worms mais conhecidos na sua rede interna. Muito eficiente.
#!/bin/bash echo "Carregando o firewall..." # Definindo as variaveis IPTABLES="/usr/sbin/iptables" REDEINT="192.168.0.0/24" IPDNSPROVEDOR="192.168.0.250" INT="eth0" EXT="eth0" TROJAN_PORTS_TCP="12345,12346,1524,27665,31337" TROJAN_PORTS_UDP="12345,12346,27444,31335,31337" WORM_PORTS="33270,1234,6711,16660,60001,6000,6001,6002,10999" ###################################################################### # SYN Cookie Protection #echo "1" > /proc/sys/net/ipv4/tcp_syncookies # Disable response to ping echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all # Disable response to broadcasts echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Don't accept source routed packets echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects # Disable ICMP redirect acceptance echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects # Enable bad error message protection echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Log spoofed packets, source routed packets, redirect packets echo "1" > /proc/sys/net/ipv4/conf/all/log_martians # Turn on reverse path filtering for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "1" > ${interface} done ###################################################################### # limpando as tabelas $IPTABLES -F $IPTABLES -t nat -F ###################################################################### # Protege contra os "Ping of Death" $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # Protege contra os ataques do tipo "Syn-flood, DoS, etc" $IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT # Permitir repassamento (NAT,DNAT,SNAT) de pacotes etabilizados e os relatados ... $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Logar os pacotes mortos por inatividade ... $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG # Protege contra port scanners avançados (Ex.: nmap) $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # Performance - Setando acesso a web com delay minimo $IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 53 -j TOS --set-tos Minimize-Delay $IPTABLES -t mangle -A OUTPUT -o $EXT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay # Deixa passar as portas UDP do servidores DNS, e Rejeitar o restante $IPTABLES -A INPUT -i $EXT -p udp -s $IPDNSPROVEDOR -j ACCEPT $IPTABLES -A INPUT -i $EXT -p udp -s $IPDNSPROVEDOR -j ACCEPT # Responde pacotes icmp especificados e rejeita o restante #$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type host-unreachable -j ACCEPT #$IPTABLES -A INPUT -i $EXT -p icmp --icmp-type source-quench -j ACCEPT #$IPTABLES -A INPUT -i $EXT -p icmp -j REJECT --reject-with icmp-host-unreachable # libera acesso interno da rede $IPTABLES -A INPUT -p tcp --syn -s $REDEINT -j ACCEPT $IPTABLES -A OUTPUT -p tcp --syn -s $REDEINT -j ACCEPT $IPTABLES -A FORWARD -p tcp --syn -s $REDEINT -j ACCEPT # libera o loopback #$IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT # libera conexoes de fora pra dentro $IPTABLES -A INPUT -p tcp --destination-port 80 -j ACCEPT #$IPTABLES -A INPUT -p tcp --destination-port 443 -j ACCEPT #$IPTABLES -A INPUT -p tcp --destination-port 20 -j ACCEPT #$IPTABLES -A INPUT -p tcp --destination-port 21 -j ACCEPT #$IPTABLES -A INPUT -p tcp --destination-port 22 -j LOG --log-prefix "SSH: " #$IPTABLES -A INPUT -p tcp --destination-port 22 -j ACCEPT #libera conexoes de dentro pra fora: $IPTABLES -A OUTPUT -p tcp --destination-port 80 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 3306 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 22 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 20 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 21 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 86 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 5190 -j ACCEPT $IPTABLES -A OUTPUT -p tcp --destination-port 443 -j ACCEPT # Liberando NTP (ntpd) porta 123 para envio e recepção protoclo UDP #$IPTABLES -A INPUT -i $EXT -p udp --dport 123 -j ACCEPT #$IPTABLES -A OUTPUT -o $INT -p udp --sport 123 -j ACCEPT ###################################################################### # Protecao contra trojans $IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: " $IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: " $IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP $IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP $IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT: " $IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT: " $IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP $IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP ###################################################################### #Protecao contra worms $IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: " $IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM INT_IF: " $IPTABLES -A INPUT -i $INT -p tcp -m multiport --dport $WORM_PORTS -j DROP $IPTABLES -A INPUT -i $INT -p udp -m multiport --dport $WORM_PORTS -j DROP $IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: " $IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j LOG --log-prefix "IPTABLES WORM EXT: " $IPTABLES -A INPUT -i $EXT -p tcp -m multiport --dport $WORM_PORTS -j DROP $IPTABLES -A INPUT -i $EXT -p udp -m multiport --dport $WORM_PORTS -j DROP # compartilha a web na rede interna #$IPTABLES -t nat -A POSTROUTING -s $REDEINT -o ppp0 -j MASQUERADE echo "1" > /proc/sys/net/ipv4/ip_forward # Bloqueia todas as portas udp #$IPTABLES -A INPUT -i $EXT -p udp -j REJECT # Bloqueia qualquer tentativa de conexao de fora para dentro por TCP $IPTABLES -A INPUT -i $EXT -p tcp --syn -j DROP # Mesmo assim fechar todas as portas abaixo de 32000 $IPTABLES -A INPUT -i $EXT -p tcp --dport :32000 -j DROP # Protege contra pacotes que podem procurar e obter informações da rede interna ... $IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP # Bloqueando tracertroute $IPTABLES -A INPUT -p udp -s 0/0 -i $EXT --dport 33435:33525 -j DROP # Protecoes contra ataques $IPTABLES -A INPUT -m state --state INVALID -j DROP # Nada de pacotes fragmentados $IPTABLES -A INPUT -f -j DROP # bloqueia o resto $IPTABLES -A INPUT -p tcp --syn -j DROP $IPTABLES -A OUTPUT -p tcp --syn -j DROP $IPTABLES -A FORWARD -p tcp --syn -j DROP # ---------------------------------------------------------------- echo "Firewall carregado..." # Mais regras # libera ssh de casa #$IPTABLES -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT # bloqueia acesso ssh, ftp de fora e grava no log #$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IN: SSH " #$IPTABLES -A INPUT -p tcp --dport 22 -j REJECT #$IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "IN: Telnet " #$IPTABLES -A INPUT -p tcp --dport 23 -j REJECT # bloqueia acesso netbios de fora e da rede interna para fora #$IPTABLES -A INPUT -p tcp --sport 137:139 -i ppp+ -j DROP #$IPTABLES -A INPUT -p udp --sport 137:139 -i ppp+ -j DROP #$IPTABLES -A FORWARD -p tcp --sport 137:139 -o ppp+ -j DROP #$IPTABLES -A FORWARD -p udp --sport 137:139 -o ppp+ -j DROP #$IPTABLES -A OUTPUT -p tcp --sport 137:139 -o ppp+ -j DROP #$IPTABLES -A OUTPUT -p udp --sport 137:139 -o ppp+ -j DROP # libera o bittorrent - (não testado) # troque o X.X.X.X pelo IP da máquina correspondente #$IPTABLES -A INPUT -p tcp --destination-port 1214 -j ACCEPT #$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 1214 -j DNAT --to-dest X.X.X.X #$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT #$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 1214 -j DNAT --to-dest X.X.X.X #$IPTABLES -A FORWARD -p udp -i ppp0 --dport 1214 -d X.X.X.X -j ACCEPT # faz o icq receber arquivos - (não testado) # troque o X.X.X.X pelo IP da máquina correspondente #$IPTABLES -A INPUT -p tcp --destination-port 2000:3000 -j ACCEPT #$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000:3000 -j DNAT --to-dest X.X.X.X #$IPTABLES -A FORWARD -p tcp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT #$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --dport 2000:3000 -j DNAT --to-dest X.X.X.X #$IPTABLES -A FORWARD -p udp -i ppp0 --dport 2000:3000 -d X.X.X.X -j ACCEPT # EOF
Firewall do mikrotik, limitando icmp (ping)
Script de Backup que compacta Segmentado.
Criação de unidades criptografadas
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Tem como instalar o gerenciador AMD Adrenalin no Ubuntu 24.04? (15)
Tenho dois Link's ( IP VÁLIDOS ), estou tentando fazer o failover... (0)
Pendrive não formata de jeito nenhum (4)