ton.work
(usa Debian)
Enviado em 25/08/2010 - 18:54h
Fui fazer um scan de portas para testar meu firewall: entrei no site 'shields up' e todas as portas estavam 'stealth'; depois entrei no site 'PC Flank' e ele retornou a mensagem 'Too many connections', ou seja, 'Excesso de conexões'. Antes eu conseguia fazer este teste normalmente; será que é por causa do meu firewall ou do squid?
#!/bin/bash
## VARIABLES ##
# Interface names and addresses are read from fixed line/field positions in the
# output of 'ifconfig', so the script needs no per-host editing.
# NOTE(review): those positions depend on the net-tools version, the locale and
# the order in which interfaces are listed; confirm on the target host that
# IFWAN and IPLAN resolve to the intended interface/address, because the
# WAN-facing rules (anti-spoofing, rate limits, SNAT) key on them.
IFWAN=$(ifconfig | sed -n '1p' | awk '{ print $1 }')    # name on the 1st line
IPWAN=$(ifconfig | sed -n '2p' | awk '{ print $3 }')    # 3rd field of the 2nd line
IFLAN=$(ifconfig | sed -n '11p' | awk '{ print $1 }')   # name on the 11th line
IPLAN=$(ifconfig | sed -n '12p' | awk '{ print $3 }')   # 3rd field of the 12th line
LAN=192.168.1.10/24   # LAN network; iptables applies the /24 mask (192.168.1.0/24)
## PROGRAMS ##
IPT=$(which iptables)
EC=$(which echo)
MODUP=$(which modprobe)
## FIREWALL START ##
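#######################################
# Load the netfilter modules and install the complete rule set.
# Globals (read): IPT, MODUP, IFWAN, IPLAN, LAN
# Reads, one entry per whitespace-separated word:
#   /server/firewall/portasabertas.conf     proto@port                       (INPUT accept)
#   /server/firewall/sitesdesativados.conf  host or network                  (FORWARD drop)
#   /server/firewall/portasfoward.conf      stat@proto@port_in@target@port_out (DNAT)
#   /server/firewall/portasmascaradas.conf  proto@port                       (MASQUERADE)
# Side effects: modprobe, iptables rules, /proc/sys/net/ipv4 toggles.
# Returns: status of the last command run (no set -e in this script).
#######################################
START_FW(){
  local mod entry proto port site stat port_in target port_out dest
  echo " [ Firewall Starting ... ]"
  # LOAD MODULES (same order as before)
  for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
             ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT \
             ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp; do
    $MODUP "$mod"
  done
  ######
  # Allow new TCP connections from the LAN.
  # These rules used to be chained with a trailing '&&' that ran on through the
  # comment lines into the policy block: one failing rule silently skipped the
  # DROP policies below and left the host open. Each rule now stands alone.
  # NOTE(review): the rules are not bound to an interface and are appended
  # before the anti-spoofing rules, so a packet carrying a LAN source address
  # that arrives on $IFWAN is accepted here; add '-i <lan interface>' once the
  # LAN interface is confirmed.
  $IPT -A INPUT   -p tcp --syn -s "$LAN" -j ACCEPT
  $IPT -A OUTPUT  -p tcp --syn -s "$LAN" -j ACCEPT
  $IPT -A FORWARD -p tcp --syn -s "$LAN" -j ACCEPT
  # Share the Internet connection with the LAN.
  # NOTE(review): the outgoing interface is hard-coded to eth1 while every other
  # WAN-facing rule uses "$IFWAN"; confirm that both name the same interface.
  $IPT -t nat -A POSTROUTING -s "$LAN" -o eth1 -j MASQUERADE
  echo 1 > /proc/sys/net/ipv4/ip_forward
  ######
  # DEFAULT POLICIES
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT ACCEPT
  # ENABLE LOOPBACK
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  $IPT -t filter -A OUTPUT -o lo -j ACCEPT
  # Replies to connections this host opened, plus related traffic (ftp data).
  $IPT -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
  $IPT -t filter -A INPUT -m state --state RELATED -j ACCEPT
  # ENABLE IMPORTANT PORTS: "proto@port" entries, word-split on purpose.
  for entry in $(<"/server/firewall/portasabertas.conf"); do
    IFS='@' read -r proto port _ <<<"$entry"
    if [[ -z "$port" ]]; then
      printf ' [ portasabertas.conf: ignoring malformed entry %s ]\n' "$entry" >&2
      continue
    fi
    case "$proto" in
      tcp|udp) $IPT -t filter -A INPUT -p "$proto" --dport "$port" -j ACCEPT ;;
    esac
  done
  # BLOCK SITES FROM INTRANET
  $IPT -t filter -A FORWARD -m state --state ESTABLISHED -j ACCEPT
  $IPT -t filter -A FORWARD -m state --state RELATED -j ACCEPT
  # A hostname is resolved once, when the rule is loaded; only new connections
  # are affected because established traffic was accepted just above.
  for site in $(<"/server/firewall/sitesdesativados.conf"); do
    $IPT -t filter -A FORWARD -s "$LAN" -d "$site" -j DROP
    $IPT -t filter -A FORWARD -s "$site" -d "$LAN" -j DROP
  done
  # PING: answer echo requests, but rate-limit them (0 = do not ignore pings).
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  $IPT -N PING
  $IPT -A INPUT -p icmp --icmp-type echo-request -j PING
  $IPT -A PING -m limit --limit 1/s --limit-burst 4 -j RETURN
  $IPT -A PING -j DROP
  # SYN-FLOOD
  # The original wrote 0 here, which switches the kernel's SYN cookies OFF and
  # removes its own flood protection; 1 enables them when the backlog fills.
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  $IPT -N syn-flood
  # NOTE: this limits every new inbound TCP connection on $IFWAN to 1/s
  # (burst 4), not only floods; external port scanners will see most probes dropped.
  $IPT -A INPUT -i "$IFWAN" -p tcp --syn -j syn-flood
  $IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  $IPT -A syn-flood -j DROP
  # BRUTE-SSH: established sessions were already accepted above, so only new
  # connection attempts to port 22 reach this chain.
  $IPT -N BRUTE-SSH
  $IPT -A INPUT -i "$IFWAN" -p tcp --dport 22 -j BRUTE-SSH
  $IPT -A BRUTE-SSH -m limit --limit 1/s --limit-burst 4 -j RETURN
  $IPT -A BRUTE-SSH -j DROP
  # ANTI-SPOOFING: private and loopback sources must not arrive on the WAN side.
  # iptables normalises 192.168.1.0/16 to 192.168.0.0/16, i.e. all of 192.168/16.
  $IPT -A INPUT -s 10.0.0.0/8 -i "$IFWAN" -j DROP
  $IPT -A INPUT -s 127.0.0.0/8 -i "$IFWAN" -j DROP
  $IPT -A INPUT -s 172.16.0.0/12 -i "$IFWAN" -j DROP
  $IPT -A INPUT -s 192.168.1.0/16 -i "$IFWAN" -j DROP
  # STEALTH SCAN
  # NOTE(review): kept as written. '--tcp-flags' takes a mask and a comparison
  # list; with the trailing commas this appears to parse as mask 'SYN,ACK' and
  # comparison 'FIN', which no packet can satisfy, so the rule is inert.
  # Confirm the intended flag set before relying on it.
  $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
  # ENABLE FORWARDING: "stat@proto@port_in@target@port_out" entries.
  # stat 0 -> DNAT to target on the same port; stat 1 -> DNAT to target:port_out.
  for entry in $(<"/server/firewall/portasfoward.conf"); do
    IFS='@' read -r stat proto port_in target port_out _ <<<"$entry"
    if [[ -z "$proto" || -z "$port_in" || -z "$target" ]]; then
      printf ' [ portasfoward.conf: ignoring malformed entry %s ]\n' "$entry" >&2
      continue
    fi
    case "$stat" in
      0) dest=$target ;;
      1) dest=$target:$port_out ;;
      *) continue ;;   # unknown stat values were ignored before as well
    esac
    $IPT -t filter -A FORWARD -p "$proto" --dport "$port_in" -j ACCEPT
    # NOTE(review): this accepts any forwarded packet whose *source* port is
    # port_in, in either direction; the ESTABLISHED/RELATED rules above already
    # cover the return traffic, so it is wider than the forward needs.
    $IPT -t filter -A FORWARD -p "$proto" --sport "$port_in" -j ACCEPT
    $IPT -t nat -A PREROUTING -p "$proto" --dport "$port_in" -j DNAT --to "$dest"
    # SNAT the forwarded flow to the LAN address so the target answers via this host.
    $IPT -t nat -A POSTROUTING -d "$target" -j SNAT --to "$IPLAN"
  done
  # ENABLE PROXY: transparent redirect of LAN web traffic to squid on 3128.
  #$IPT -t nat -A PREROUTING -i $IFLAN -p tcp --dport 80 -j REDIRECT --to-port 3128
  #$IPT -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
  # NOTE(review): redirecting 443 into a plain http_port cannot work for TLS;
  # HTTPS clients on the LAN will fail unless squid is set up to intercept it.
  $IPT -t nat -A PREROUTING -p tcp -m multiport -s "$LAN" --dports 80,443 -j REDIRECT --to-ports 3128
  # ENABLE MASQUERADE: "proto@port" entries forwarded out of the WAN interface.
  for entry in $(<"/server/firewall/portasmascaradas.conf"); do
    IFS='@' read -r proto port _ <<<"$entry"
    if [[ -z "$port" ]]; then
      printf ' [ portasmascaradas.conf: ignoring malformed entry %s ]\n' "$entry" >&2
      continue
    fi
    case "$proto" in
      tcp|udp)
        $IPT -t filter -A FORWARD -p "$proto" --dport "$port" -j ACCEPT
        $IPT -t filter -A FORWARD -p "$proto" --sport "$port" -j ACCEPT
        $IPT -t nat -A POSTROUTING -o "$IFWAN" -p "$proto" --dport "$port" -j MASQUERADE
        ;;
    esac
  done
  echo " [ OK ]"
}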
#######################################
# Flush every table, delete user-defined chains, zero the counters and
# stop routing between interfaces.
# Globals (read): IPT, EC
# Side effects: iptables state, /proc/sys/net/ipv4/ip_forward
# Returns: status of the last command run.
#######################################
STOP_FW(){
  local op table
  echo " [ Firewall Stopping ... ]"
  ## CLEAN RULES NETFILTER ##
  # -F flush rules, -X delete user chains, -Z zero counters. Each operation
  # is applied to all three tables before moving on to the next one, which
  # is the same order the rules were cleared in before.
  for op in -F -X -Z; do
    for table in filter nat mangle; do
      $IPT -t "$table" "$op"
    done
  done
  ## DISABLE ROUTING ##
  $EC "0" > /proc/sys/net/ipv4/ip_forward
  echo " [ OK ]"
}
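#######################################
# Entry point: dispatch on the first argument.
# Arguments: $1 - start | stop | restart
# Any other value (including none) prints the usage banner and, as before,
# restarts the firewall after 3 seconds.
#######################################
case "$1" in
  start)   START_FW ;;
  stop)    STOP_FW ;;
  restart) STOP_FW; START_FW ;;
  *)
    # Usage text goes to stderr so it does not mix with the status lines.
    {
      echo
      $EC " [ FIREWALL: start, stop ou restart. ]"
      $EC " [ Uso incorreto do firewall, restart em ]"
      $EC " [ 3 segundos. ]"
      echo
    } >&2
    sleep 3
    # Re-invoke this script instead of a hard-coded install path, so the
    # fallback keeps working if the file is moved or renamed.
    "$0" restart
    ;;
esac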
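################squid#######################
############################################
############################################
http_port 3128
visible_hostname SW
error_directory /usr/share/squid/errors/Portuguese/
cache_mem 285 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 700 MB
minimum_object_size 5 KB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 40000 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
# NOTE(review): port 59 is unusual here; the stock squid.conf lists 591 (filemaker).
# Confirm it is intended and not a typo.
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Hosts allowed to reach orkut at any time, and the lunch window for everyone else.
acl especial src 192.168.1.197 192.168.1.196 192.168.1.205
acl almoco time 12:00-13:30
# Both names belong on the one acl line: the bare "www.orkut.com" line that
# used to follow was not a directive and broke configuration parsing.
# (dstdomain matches these names exactly; ".orkut.com" would also match subdomains.)
acl orkut dstdomain orkut.com www.orkut.com
http_access allow orkut especial
http_access allow orkut almoco
http_access deny orkut
# URL patterns listed in the file are denied for everyone.
# (This acl and deny were defined a second time further down; once is enough.)
acl bloqueados url_regex -i "/etc/squid/bloqueados"
http_access deny bloqueados
# Deny requests from outside the local network before authentication is attempted:
acl redelocal src 192.168.1.0/24
http_access deny !redelocal
# Other restriction rules go here, so that access is denied
# before authentication is even attempted:
# Authenticate the user:
# NOTE(review): basic auth sends credentials base64-encoded, i.e. readable on the
# LAN; and requests that reach squid through the firewall's REDIRECT rule carry no
# Proxy-Authorization header, so intercepted traffic cannot satisfy proxy_auth.
auth_param basic realm Squid
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl autenticados proxy_auth REQUIRED
# NOTE(review): evaluated before the localhost/redelocal allows below, so every
# remaining request, localhost included, is challenged for credentials first;
# the two allows are only reached by requests that already authenticated.
http_access allow autenticados
# Allow the local network and localhost for authenticated users,
# deny everyone else:
http_access allow localhost
http_access allow redelocal
http_access deny all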