andriopj
(usa Fedora)
Enviado em 08/03/2009 - 13:52h
aqui eu uso fedora 10, rodando:
squid (Version 3.0.stable13) como proxy/webcache
dhcp (MACxIP)
tenho o seguinte cenario, uma rede onde nao posso barrar nada (skype, msn, hotmail, acesso a web, etc).
mas tenho que encontrar um meio de aumentar a seguranca do servidor ou/e ate mesmo dos usuarios (ataques).
esse eh o firewall atual que estou usando:
##############################################################################
#Rede Interna= eth0
#Internet= eth1
ifup eth0
ifup eth1
service dhcpd restart
service squid start
echo "Iniciando Interfaces de Rede...............................[ OK ]"
# # carregando modulos
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_MARK
modprobe ipt_mark
modprobe ipt_mac
modprobe ipt_tos
modprobe iptable_mangle
echo "Carregando modulos.........................................[ OK ]"
# # limpando regras
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
echo "Limpando Regras............................................[ OK ]"
# # Determina a politica
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
echo "politica padrao............................................[ OK ]"
# # Aceita os pacotes que realmente devem entrar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# # Aceita todo o trafego vndo do loopback e indo para o loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
# # Protecoes # # # #
# 1> Protecao contra IP spoofing
# 2> Protege contra synflood
# 3> Protecao contra icmp Broadcasting
# 4> Bloqueia tracerout
# 5> Protecao contra Dos
# 6> Protecao diversa contra portscanners, ping of death, ataque DOS, etc.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# Outras protecoes
# Impedimos que um atacante possa maliciosamente alterar alguma rota, e
# Impossibilita que o atacante determine o "caminho" que o pacote vai percorrer (roteadores) ate seu destino
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# # Fim Protecoes # # # #
echo "Carregando Protecoes de Seguranca..........................[ OK ]"
# # Proxy Transpatent
iptables -t nat -A PREROUTING -s 172.167.0.0/24 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i 172.167.0.0/24 -p udp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
# # Ativa roteamento no kernel
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo "Ativando Roteamento........................................[ OK ]"
# #SSH
iptables -A INPUT -p tcp --dport 2210 --syn -j ACCEPT
# # Bandlimit
bandlimit restart
# # Fecha o resto
#iptables -A INPUT -p tcp --syn -j DROP
#iptables -A INPUT -j DROP
#iptables -A FORWARD -j DROP
###############################################################################
se eu altero as politicas padrao, e adiciono algum drop, minha rede nao navega
se no final eu fecho a resto, minha rede tbm nao navega.
mas afinal, o que posso fazer para incrementar esse firewall, de modo que nao barre nada na navegacao da rede interna, mas tenha um pouco de seguranca referente a ataques ou acesso nao autorizado externo?
Segue meu squid
###############################################################################
http_port 192.168.70.1:3128 transparent
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 80
cache_swap_high 85
maximum_object_size 64 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 128 KB
ipcache_size 3072
ipcache_low 90
ipcache_high 93
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid/cache1 2048 16 64
cache_dir ufs /var/spool/squid/cache2 2048 16 64
cache_dir ufs /var/spool/squid/cache3 2048 16 64
cache_dir ufs /var/spool/squid/cache4 2048 16 64
cache_dir ufs /var/spool/squid/cache5 2048 16 64
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
dns_nameservers 201.10.128.2
dns_nameservers 201.10.120.3
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
negative_ttl 3 minutes
positive_dns_ttl 5 minutes
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl BADPORTS port 7 9 11 19 22 23 25 53 110 119 513 514 3128 8080
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ---- Cache do Windows Update ----
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern
www.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
acl rede src 192.168.70.0/255.255.255.0
http_access allow localhost
http_access allow rede
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny BADPORTS
http_access deny CONNECT !SSL_ports
http_access deny all
#icp_access allow rede
cache_effective_user squid
cache_effective_group squid
visible_hostname andrio.jasper
memory_pools off
forwarded_for off
error_directory /usr/share/squid/errors/Portuguese
strip_query_terms off
coredump_dir none
detect_broken_pconn on
pipeline_prefetch on
################################################################################
nesse script, teria algo que poderia mudar?
outra coisa que pensei em implementar na rede, seria vlan para cada usuario, mas nao sei como faco isso, alguem ai poderia me ajudar?