weltonpba
(uses Debian)
Posted on 31/05/2013 - 15:28h
I deployed Layer 7 normally, recompiled the kernel without problems, and the protocols come up fine, but when it comes to blocking it doesn't block anything, generates no error message, and I can still see the rules..
root@debian:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 LOG flags 0 level 6 prefix `WORMS >'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 LOG flags 0 level 6 prefix `WORMS REDE>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto skypeout
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto skypetoskype
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto msnmessenger
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ssh
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
Here is my firewall script:
echo Limpando as tabelas e Chains
iptables -F
iptables -F -t nat
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t mangle -F
iptables -t nat -F
iptables -X
echo Limpeza das Tabelas ..... [ok]
### Enabling the modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
modprobe xt_layer7
modprobe ipt_layer7
echo Modulos Carregados ..... [ok]
### Internet sharing
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo Internet Compartilhada ..... [ok]
#Security
#layer7
iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP
iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto ssh -j DROP
#Blocking inbound port 80 so sarg cannot be reached. Connections from outside
iptables -A INPUT -i eth1 -p tcp --destination-port 80 -j DROP
#Does not answer pings
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#Protection against IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP
#Allow packets coming from the loopback interface lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
#Preventing Ping of Death attacks on the network
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Preventing Denial of Service (DoS) attacks on the network and server
iptables -I FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT
#Protection against synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#Protection against worms
iptables -I FORWARD -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS REDE>'
iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS >'
iptables -A INPUT -p tcp --dport 135 -j DROP
#blocker for connection attempts from the internet
iptables -A INPUT -p tcp --syn -j DROP
echo Seguranca Carregada ..... [ok]
#CONECTIVIDADE SOCIAL
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
echo Conectividade Social Carregada ..... [ok]
#TRANSPARENT PROXY
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo Proxy Transparente Carregado ..... [ok]
#Redirections
#EMULE PORT WELTON
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 54 -i eth1 -j DNAT --to 10.1.1.10
iptables -t nat -A PREROUTING -p udp -s 0/0 --dport 55 -i eth1 -j DNAT --to 10.1.1.10
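A rule-ordering check for the FORWARD chain shown in the post, added here as an example (not the poster's code): iptables evaluates rules in order and an ACCEPT verdict ends traversal, so a packet admitted by an earlier ACCEPT is never evaluated against the layer7 rules that follow it. The listing fed in is a constructed sample copied from the `iptables -n -L` output above; `sample_listing` and `shadowed_l7` are names chosen for this example.

```shell
#!/bin/sh
# Added example: for each LAYER7 rule in an `iptables -n -L` listing, report the
# ACCEPT rules that sit before it in the same chain. Packets those ACCEPTs match
# are never evaluated against the layer7 match, so it sees none of their payload.

# Constructed sample, modelled on the FORWARD chain listing in the post.
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 LOG flags 0 level 6 prefix `WORMS REDE>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto skypeout
DROP all -- 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ssh
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
EOF
}

# shadowed_l7: reads a listing on stdin and prints one line per LAYER7 rule:
#   <chain> <l7proto> <rule number> <earlier ACCEPT rule numbers, or "none">
shadowed_l7() {
    awk '
        /^Chain /       { chain = $2; n = 0; accepts = ""; next }  # new chain: reset
        /^target +prot/ { next }                                    # column header
        NF == 0         { next }
        {
            n++                                                     # 1-based rule number
            if ($1 == "ACCEPT")
                accepts = (accepts == "" ? "" : accepts ",") n      # terminating verdicts seen so far
            if ($0 ~ /LAYER7 l7proto /)
                printf "%s %s %d %s\n", chain, $NF, n, (accepts == "" ? "none" : accepts)
        }'
}

# Run against the sample; on a live box use: iptables -n -L FORWARD | shadowed_l7
sample_listing | shadowed_l7
```

On the sample this flags ACCEPT rule 2 (`-p tcp -m limit`) ahead of both layer7 rules; because that rule is rate limited it admits only part of the TCP traffic, so the output marks it as something to verify with `iptables -vnL` packet counters rather than as proof of the cause.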