IPTABLES configuration

1. IPTABLES configuration

alex oliveira
liromaster

(uses Ubuntu)

Posted on 16/10/2013 - 12:21h

Can anyone help me improve my iptables?
I use an authenticated proxy and I'm having big problems with sites that manage to get around the proxy.

#!/bin/bash
###############################################################################
## Start of firewall ##
###############################################################################

## Variables

rede_mask=192.168.0.0/24
iface_int=eth1
iface_ext=eth0

echo Loading modules
/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string

echo Flushing existing rules
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -F
/sbin/iptables -X
/sbin/iptables -Z

## Default policy (deny input, allow output and forwarding)
/sbin/iptables -P INPUT DROP #drop
/sbin/iptables -P OUTPUT ACCEPT #accept
/sbin/iptables -P FORWARD ACCEPT #accept



###############################################################################
## Protection against assorted attacks ##
###############################################################################
echo Enabling attack protection
###### SYN flood protection
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### ICMP broadcast protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### IP spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Assorted protection against port scanners, ping of death, DoS, malformed packets, etc.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -i $iface_ext -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Chain for invalid TCP flag combinations. Note: nothing below jumps to it;
# it only takes effect with a "-j VALID_CHECK" rule in INPUT and/or FORWARD.
/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

###############################################################################
## End of the attack protection rules ##
###############################################################################

## Prevents browsing without a proxy configured in the browser ########
#/sbin/iptables -t nat -A PREROUTING -i $iface_int -p tcp --dport 80 -j REDIRECT --to-port 3128
#/sbin/iptables -t nat -A PREROUTING -i $iface_int -p tcp --dport 443 -j REDIRECT --to-port 3129

## Prevents the use of another, external proxy on port 8080
/sbin/iptables -t nat -A PREROUTING -i $iface_int -p tcp --dport 8080 -j REDIRECT --to-port 3128

## Trust relationship between machines on the local network $iface_int (LAN)
/sbin/iptables -A INPUT -i $iface_int -s $rede_mask -j ACCEPT
/sbin/iptables -A INPUT -i $iface_int -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Opening external INPUT to the firewall ##

## Ports ##

# SSH - HTTP - SSL - RDP (only 22 and 3389 are actually opened here)
/sbin/iptables -A INPUT -i $iface_ext -p tcp -m multiport --dport 22,3389 -j ACCEPT

# Windows Server VPN (PPTP: TCP 1723 plus GRE, protocol 47)
/sbin/iptables -A FORWARD -p tcp -i $iface_ext --dport 1723 -j ACCEPT
/sbin/iptables -A FORWARD -p 47 -i $iface_ext -j ACCEPT



###############################################################################
## Port forwarding to machines on the internal network ##
###############################################################################

## VPN

/sbin/iptables -A PREROUTING -t nat -p tcp -i $iface_ext --dport 1723 -j DNAT --to 192.168.0.1:1723
/sbin/iptables -A PREROUTING -t nat -p 47 -i $iface_ext -j DNAT --to 192.168.0.1

## SSH to another machine

## RDP
/sbin/iptables -t nat -A PREROUTING -i $iface_ext -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.1:3389

################################################################################
## HTTPS blocking ##
################################################################################

#/sbin/iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "facebook.com" -j DROP
#/sbin/iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "youtube.com" -j DROP
#/sbin/iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP
#/sbin/iptables -I FORWARD -m string --algo bm --string "youtube.com" -j DROP
# Block Facebook from 07:30 to 11:45 and from 13:30 to 17:45
# (one rule per window; note that -m time compares against UTC unless --kerneltz is given)
/sbin/iptables -t filter -I FORWARD -p tcp --dport 443 -m string --algo bm --string "facebook.com" -m time --timestart 07:30 --timestop 11:45 -j DROP
/sbin/iptables -t filter -I FORWARD -p tcp --dport 443 -m string --algo bm --string "facebook.com" -m time --timestart 13:30 --timestop 17:45 -j DROP
/sbin/iptables -t filter -I FORWARD -p tcp --sport 443 -m string --algo bm --string "youtube.com" -m time --timestart 07:30 --timestop 11:45 -j DROP
/sbin/iptables -t filter -I FORWARD -p tcp --sport 443 -m string --algo bm --string "youtube.com" -m time --timestart 13:30 --timestop 17:45 -j DROP
#/sbin/iptables -t filter -I FORWARD -p tcp --sport 443 -m string --algo bm --string "bancopan.com" -m time --timestart 07:30 --timestop 07:28 -j ACCEPT

################################################################################
## Inbound blocking ##
################################################################################

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $iface_int -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -i $iface_ext -j REJECT

## Allow ping ## 0=on 1=off (this overrides the icmp_echo_ignore_* settings made above)
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

################################################################################
## Allowing a site ##
################################################################################

#/sbin/iptables -t nat -I PREROUTING -i eth1 -p tcp -d www.bancopan.com.br --dport 80 -j ACCEPT

################################################################################
## Allowing ports ##
################################################################################

# Note: -I inserts at the top of the chain, so this generic DROP ends up
# BELOW all of the ACCEPT rules inserted after it.
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -j DROP
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 587 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 465 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 143 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 993 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 2684 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 1179 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 1138 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 2548 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 2631 -j ACCEPT
#webadmin
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 10000 -j ACCEPT
#TeamViewer
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5938 -j ACCEPT
#deggy web
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 49163 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 55427 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 59714 -j ACCEPT
#VNC
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5900 -j ACCEPT

#cat dp
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5017 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5022 -j ACCEPT

#drogaria nazare
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 1313 -j ACCEPT

#receitanet
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3456 -j ACCEPT

#spark
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5222 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 9090 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 9091 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 7777 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 7070 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 7443 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 5229 -j ACCEPT

#dvr
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3706 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3007 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3001 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 3364 -j ACCEPT

#comodo
#/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 407 -j ACCEPT

################################################################################
## ALLOWED IPS ##
################################################################################

# Last -I in the script, so this becomes the FIRST rule of the FORWARD chain.
/sbin/iptables -I FORWARD -s 192.168.0.254 -j ACCEPT

################################################################################
## Outlook configuration ##
################################################################################

#OPEN PORTS
#[ SMTP ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
#[ SMTP-587 ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
#[ SMTPS ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 465 -j ACCEPT
#[ POP ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
#[ SPOP-3 ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
#[ IMAP ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
#[ IMAPS ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 993 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
#[ DNS ]
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp --dport 53 -j ACCEPT

#outlook test

################################################################################
## Internet sharing ##
################################################################################

/sbin/iptables -t nat -A POSTROUTING -o $iface_ext -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

echo Firewall enabled....

################################################################################
## End ##
################################################################################



  


2. Re: IPTABLES configuration

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 16/10/2013 - 13:45h

Change the FORWARD ACCEPT policy to FORWARD DROP and allow only what is needed.


3. Re: IPTABLES configuration

alex oliveira
liromaster

(uses Ubuntu)

Posted on 17/10/2013 - 09:26h

OK. I changed it and it's working normally... I just need to block sites that get around the proxy and block Skype, which is where I'm having great difficulty.


4. Re: IPTABLES configuration

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 17/10/2013 - 10:00h

This FORWARD rule here:


/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT


You can't open it like that, since any site can be reached by this network. The right thing is to make a restricted list for access to port 443 (bank IPs, e-mail, etc.). I don't like transparent proxies for this reason: managing them is complicated. If you go that route, good luck.


5. Re: IPTABLES configuration

Buckminster
Buckminster

(uses Debian)

Posted on 17/10/2013 - 10:24h

Do what Renato said.

And to block Skype, do the following:

iptables -I FORWARD -m string --algo bm --string "skype.com" -j DROP

To block the sites you want, just replace the domain in "skype.com".

But note: a rule with -I inserts the rule at the top of the chain, and a rule with -A appends the rule at the end of the chain.
For example, a rule with -I in the OUTPUT chain does not directly interfere with a rule with -I in the FORWARD chain.

You have several rules with -I FORWARD; since iptables reads the rules from top to bottom, the LAST rule with -I FORWARD that you put in will actually be the first one executed in the FORWARD chain:
/sbin/iptables -I FORWARD -s 192.168.0.254 -j ACCEPT

The rules with -A are read and executed in the sequence in which they appear in the script.

For more control, if you want, number the rules with -I, but only -I accepts numbering, for example:

/sbin/iptables -I FORWARD 1 -s 192.168.0.0/24 -j DROP

/sbin/iptables -I FORWARD 2 -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT

/sbin/iptables -I FORWARD 3 -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT

/sbin/iptables -I FORWARD 4 -s 192.168.0.0/24 -p tcp --dport 587 -j ACCEPT

and so on.
The numbering is also per chain, for example:

/sbin/iptables -I FORWARD 1 -s 192.168.0.0/24 -j DROP

/sbin/iptables -I FORWARD 2 -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT

/sbin/iptables -I INPUT 1 -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT

/sbin/iptables -I INPUT 2 -s 192.168.0.0/24 -p tcp --dport 587 -j ACCEPT

You can skip the numbering sequence if you want, that is, put number 1 on a rule that comes after number 4, for example. That way you define which rule you want to be executed first.
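
Replies 2, 4 and 5 all come down to rule order in the FORWARD chain: what the policy is, what -I and -A do to the order, and what a first-match walk then decides. The Python below is an added example, not code from the thread or from any of its participants: it replays a subset of the -I FORWARD lines from the script in the first post, reconstructs the order iptables would end up with, and evaluates a few constructed packets against it; a second, hypothetical rule list shows the DROP-policy-plus-allowlist shape Renato describes (198.51.100.10 stands in for a bank address and is made up). Only -P, -A, -I [N], -s, -d, -p, --dport and -j are modelled, which is all these rules use.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: only the fields the modelled matches look at."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0  # 0 when the protocol has no port


def _parse_rule(args, text):
    """Options after '-A/-I CHAIN [N]' -> rule dict. Unknown options raise
    instead of being silently ignored, so the toy never over-approximates."""
    rule = {"src": None, "dst": None, "proto": None, "dport": None,
            "target": None, "text": text}
    for i in range(0, len(args), 2):
        opt, val = args[i], args[i + 1]
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"option {opt} is not modelled (in {text!r})")
    return rule


def build_chains(commands):
    """Replay iptables command lines in script order; return
    {chain: {"policy": ..., "rules": [...]}} holding the final rule order."""
    chains = {}
    for text in commands:
        argv = shlex.split(text)
        if argv[0].endswith("iptables"):       # strip "/sbin/iptables"
            argv = argv[1:]
        entry = chains.setdefault(argv[1], {"policy": "ACCEPT", "rules": []})
        if argv[0] == "-P":                     # -P CHAIN POLICY
            entry["policy"] = argv[2]
            continue
        action, rest = argv[0], argv[2:]
        position = 1                            # plain -I means "at the top"
        if action == "-I" and rest and rest[0].isdigit():
            position = int(rest.pop(0))         # -I CHAIN N: slot N
        rule = _parse_rule(rest, text)
        if action == "-A":
            entry["rules"].append(rule)         # -A: end of the chain
        elif action == "-I":
            entry["rules"].insert(position - 1, rule)
        else:
            raise ValueError(f"action {action} is not modelled")
    return chains


def _matches(rule, pkt):
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def evaluate(chains, chain, pkt):
    """Walk the chain top-down; the first matching rule decides.
    Returns (verdict, rule_index); rule_index is None when the policy decided."""
    entry = chains[chain]
    for idx, rule in enumerate(entry["rules"]):
        if _matches(rule, pkt):
            return rule["target"], idx
    return entry["policy"], None


# Subset of the posted script, in the order the script runs the commands.
OP_RULES = [
    "/sbin/iptables -P FORWARD ACCEPT",
    "/sbin/iptables -I FORWARD -s 192.168.0.0/24 -j DROP",
    "/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT",
    "/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT",
    "/sbin/iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT",
    "/sbin/iptables -I FORWARD -s 192.168.0.254 -j ACCEPT",
]

# Hypothetical rewrite in the spirit of replies 2 and 4: DROP policy and HTTPS
# only to an allowlisted destination (198.51.100.10 is a made-up bank address).
ALLOWLIST_RULES = [
    "/sbin/iptables -P FORWARD DROP",
    "/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 198.51.100.10 -p tcp --dport 443 -j ACCEPT",
    "/sbin/iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT",
    "/sbin/iptables -I FORWARD 1 -s 192.168.0.254 -j ACCEPT",
]

if __name__ == "__main__":
    for name, cmds in (("as posted", OP_RULES), ("allowlist variant", ALLOWLIST_RULES)):
        chains = build_chains(cmds)
        print(f"== {name}: FORWARD policy {chains['FORWARD']['policy']}")
        for idx, rule in enumerate(chains["FORWARD"]["rules"]):
            print(f"  [{idx}] {rule['text']}")
        for pkt in (Packet("192.168.0.10", "203.0.113.5", "tcp", 443),
                    Packet("192.168.0.10", "198.51.100.10", "tcp", 443),
                    Packet("192.168.0.254", "203.0.113.5", "tcp", 8080)):
            print(f"  {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: "
                  f"{evaluate(chains, 'FORWARD', pkt)}")
```

Running it shows the two points of the replies side by side: in the posted order, the generic DROP that was inserted first ends up last, 192.168.0.254 is matched before anything else because it was inserted last, and a LAN host reaches port 443 on any address; in the allowlist variant, the same HTTPS packet falls through to the DROP policy unless the destination is listed, and `-I FORWARD 1` still puts the trusted host on top regardless of where it appears in the script.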





6. Re: IPTABLES configuration

alex oliveira
liromaster

(uses Ubuntu)

Posted on 18/10/2013 - 16:18h

Thanks for the help, Buckminster and renato_pacheco.
I'll make the changes and test.


7. Re: IPTABLES configuration

Buckminster
Buckminster

(uses Debian)

Posted on 18/10/2013 - 20:08h

This rule here

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

change it to this:

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


8. Re: IPTABLES configuration

alex oliveira
liromaster

(uses Ubuntu)

Posted on 18/10/2013 - 21:40h

Buckminster wrote:

This rule here

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

change it to this:

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT




Can you explain this rule to me?


9. Re: IPTABLES configuration

Buckminster
Buckminster

(uses Debian)

Posted on 18/10/2013 - 22:11h

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

iptables, append (-A) a rule to the FORWARD chain with the state(s) ESTABLISHED,RELATED,NEW and accept.

state :: This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
[!] --state state :: Where state is a comma-separated list of the connection states. Possible states are INVALID, meaning that the packet could not be identified for some reason, which includes running out of memory and ICMP errors which don't correspond to any known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

In short, only new connections, established connections and/or connections related to existing ones will be accepted.
This kind of rule increases security and should be placed at the beginning, before the block and allow rules.

See the manual:
http://www.vivaolinux.com.br/artigo/Manual-do-IPtables-Comentarios-e-sugestoes-de-regras
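
To make the four states in the explanation above concrete, here is an added example, not part of the thread or of any participant's post: a toy connection tracker in Python that assigns a conntrack state to each packet of a constructed trace, then checks every packet against the two --state lists from replies 7 and 9. The trace, the addresses and the simplifications (a TCP connection can only be opened by a SYN; an ICMP error is RELATED only if the tuple it quotes belongs to a tracked connection) are assumptions of this example; the real nf_conntrack has more states, timeouts and, with tcp_loose on, mid-stream pickup.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet with just the fields a state decision needs."""
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags, e.g. frozenset({"SYN"})
    icmp_inner: Optional[tuple] = None  # ICMP errors: tuple of the quoted packet


class ToyConntrack:
    """Minimal model of the table -m state consults. Keys are 5-tuples in the
    ORIGINAL direction; the value records whether a reply has been seen."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _tuple(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(t):
        proto, src, sport, dst, dport = t
        return (proto, dst, dport, src, sport)

    def classify(self, p):
        """Return NEW / ESTABLISHED / RELATED / INVALID for p and update the table."""
        if p.proto == "icmp" and p.icmp_inner is not None:
            # ICMP error (e.g. destination unreachable) quoting an inner packet:
            # RELATED if that packet belongs to a tracked connection, else INVALID.
            inner = p.icmp_inner
            if inner in self.table or self._reverse(inner) in self.table:
                return "RELATED"
            return "INVALID"
        t = self._tuple(p)
        if t in self.table:                      # original direction, known conn
            return "ESTABLISHED" if self.table[t]["replied"] else "NEW"
        rev = self._reverse(t)
        if rev in self.table:                    # reply direction: both ways seen
            self.table[rev]["replied"] = True
            return "ESTABLISHED"
        # Unknown connection. A TCP packet may only open one with a bare SYN
        # (real conntrack is looser by default; this toy is strict on purpose).
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return "INVALID"
        self.table[t] = {"replied": False}
        return "NEW"


def trace_states(trace):
    """States -m state would see for each packet of trace, in order."""
    ct = ToyConntrack()
    return [ct.classify(p) for p in trace]


def accepted_by(trace, rule_states):
    """Which packets a '-m state --state <rule_states> -j ACCEPT' rule accepts."""
    return [s in rule_states for s in trace_states(trace)]


# Constructed trace: a LAN host opens HTTPS, an ICMP error refers to that
# connection, a stray ACK arrives for nothing tracked, then a DNS query.
_HTTPS = ("tcp", "192.168.0.10", 40000, "203.0.113.5", 443)
TRACE = [
    Packet("tcp", "192.168.0.10", "203.0.113.5", 40000, 443, frozenset({"SYN"})),
    Packet("tcp", "203.0.113.5", "192.168.0.10", 443, 40000, frozenset({"SYN", "ACK"})),
    Packet("tcp", "192.168.0.10", "203.0.113.5", 40000, 443, frozenset({"ACK"})),
    Packet("icmp", "198.51.100.1", "192.168.0.10", icmp_inner=_HTTPS),
    Packet("tcp", "203.0.113.9", "192.168.0.10", 443, 40001, frozenset({"ACK"})),
    Packet("udp", "192.168.0.10", "192.168.0.1", 5353, 53),
]

ORIGINAL_RULE = {"ESTABLISHED", "RELATED"}        # the rule as posted
WITH_NEW = {"ESTABLISHED", "RELATED", "NEW"}      # the change proposed in reply 7

if __name__ == "__main__":
    for p, st, a, b in zip(TRACE, trace_states(TRACE),
                           accepted_by(TRACE, ORIGINAL_RULE), accepted_by(TRACE, WITH_NEW)):
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {st:11}"
              f"  ESTABLISHED,RELATED={a}  +NEW={b}")
```

The run makes the difference between the two lists visible: with ESTABLISHED,RELATED the first packet of each connection (state NEW) is not matched and falls through to the rules after it, which in the posted script is where the per-port allow rules do their work; with NEW added, that first packet is accepted here and the later rules never see it, so the position of this rule in FORWARD decides whether the port list still has any effect. INVALID packets are the only ones neither list accepts.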


11. Re: IPTABLES configuration

alex oliveira
liromaster

(uses Ubuntu)

Posted on 23/10/2013 - 12:49h

OK, thanks everyone for the help...

For now it's working... but Skype still works ;-/

Sorry for the delay...


12. Re: IPTABLES configuration

Buckminster
Buckminster

(uses Debian)

Posted on 23/10/2013 - 12:57h

liromaster wrote:

OK, thanks everyone for the help...

For now it's working... but Skype still works ;-/

Sorry for the delay...


Did you add this rule?

/sbin/iptables -I FORWARD -m string --algo bm --string "skype.com" -j DROP






