Help me configure iptables [SOLVED]

1. Help me configure iptables [SOLVED]

Ghoost User
ghoostuser

(uses Arch Linux)

Posted on 08/12/2011 - 01:48h

Folks, here's the thing... Debian already comes with iptables, but I don't know how to configure it.

What I want is indeed a firewall, one that blocks every connection that could access my machine or modify something on it (that is, nobody getting into my network), but one that still lets me access the internet normally and download normally. A home firewall, really, a simple one.

The internet connection I use is wlan0.

Can you tell me what the commands are?


Thanks.




2. Re: Help me configure iptables [SOLVED]

Reginaldo de Matias
saitam

(uses Slackware)

Posted on 08/12/2011 - 08:00h

If it is a firewall for home use, then the rules are simple:

#!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow packets sent over the loopback interface (localhost)
iptables -A INPUT -i lo -j ACCEPT
# Protect against SYN flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Protect against ping to the machine
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Protection against ICMP broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Protection against DoS attacks
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp ! --tcp-flags SYN,RST,ACK,SYN -m state --state NEW -j DROP
# Protection against IP spoofing
iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j DROP
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
# Block everything not specified above:
iptables -A INPUT -p tcp --syn -j DROP


INPUT: what comes into the machine
OUTPUT: what leaves the machine
FORWARD: what passes through the machine (acting as a bridge) on the network

iptables reading material
http://www.guiafoca.org/cgs/guia/avancado/ch-fw-iptables.html


3. Re: Help me configure iptables [SOLVED]

Ghoost User
ghoostuser

(uses Arch Linux)

Posted on 08/12/2011 - 18:21h

saitam wrote:

If it is a firewall for home use, then the rules are simple:

#!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow packets sent over the loopback interface (localhost)
iptables -A INPUT -i lo -j ACCEPT
# Protect against SYN flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Protect against ping to the machine
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Protection against ICMP broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Protection against DoS attacks
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp ! --tcp-flags SYN,RST,ACK,SYN -m state --state NEW -j DROP
# Protection against IP spoofing
iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j DROP
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
# Block everything not specified above:
iptables -A INPUT -p tcp --syn -j DROP


INPUT: what comes into the machine
OUTPUT: what leaves the machine
FORWARD: what passes through the machine (acting as a bridge) on the network

iptables reading material
http://www.guiafoca.org/cgs/guia/avancado/ch-fw-iptables.html



Saitam, I created the script and ran it; it gives an error on this line:

iptables -A OUTPUT -p tcp ! --tcp-flags SYN,RST,ACK,SYN -m state --state NEW -j DROP

It is not recognizing the --tcp-flags syntax.



The error in the terminal:

root@debian:/home/gabriel/Documentos# ./firewall
iptables v1.4.8: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information.
root@debian:/home/gabriel/Documentos#


And it is also blocking my internet.


Thanks



4. Working on Debian 6

André Canhadas
andrecanhadas

(uses Debian)

Posted on 08/12/2011 - 19:04h

#!/bin/bash
################################################################################
#################### Firewall start ############################################
################################################################################

## Flush the existing rules #######
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -Z

## Set the default policy (deny inbound, allow outbound)
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

################################################################################
################# LOG of external access to the internal network ###############
################################################################################


################################################################################
######################## Protection against assorted attacks ###################
################################################################################

###### Protect against SYN flood
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### Protection against ICMP broadcasts (and ignore all echo requests)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

###### Protection against IP spoofing (reverse-path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Assorted protection against port scanners, ping of death, DoS attacks, malformed packets, etc.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Chain that drops impossible TCP flag combinations (scanner fingerprints)
/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

################################################################################
######################### End of the anti-attack rules #########################
################################################################################

## Accept new connections arriving on eth0, and replies to connections initiated by you
/sbin/iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


################################################################################
################################# Inbound blocking #############################
################################################################################

/sbin/iptables -A INPUT -i eth1 -j REJECT
## Allow ping ##
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

################################################################################
############################ Internet sharing ##################################
################################################################################

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

################################################################################
######################################## End ###################################
################################################################################
Save this file as /usr/local/bin/firewall.sh and set the execute permission: chmod +x /usr/local/bin/firewall.sh
To enable it automatically (Debian and derivatives), edit /etc/rc.local and add the line: /usr/local/bin/firewall.sh



5. Re: Help me configure iptables [SOLVED]

Ghoost User
ghoostuser

(uses Arch Linux)

Posted on 09/12/2011 - 00:24h

andrecanhadas, I set up the firewall you sent me; it is blocking my oracle-xe. How do I keep it from blocking that?


7. External access

André Canhadas
andrecanhadas

(uses Debian)

Posted on 09/12/2011 - 10:46h

gabrielscorpion wrote:

andrecanhadas, I set up the firewall you sent me; it is blocking my oracle-xe. How do I keep it from blocking that?


Is the blocking you refer to external access to Oracle?


8. Re: Help me configure iptables [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Posted on 09/12/2011 - 10:57h

andrecanhadas wrote:

gabrielscorpion wrote:

andrecanhadas, I set up the firewall you sent me; it is blocking my oracle-xe. How do I keep it from blocking that?


Is the blocking you refer to external access to Oracle?


If it is external access that is blocked, use:

/sbin/iptables -A INPUT -i ethX -p tcp -m tcp --dport 8080 -j ACCEPT

If it is internal, use:
/sbin/iptables -A INPUT -i ethx -s 127.0.0.1/8 -j ACCEPT

Put the rule in the section that allows connections initiated by you.
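An added example, not a script posted in this thread: a minimal desktop firewall that resolves the two problems raised in reply 3 (the "--tcp-flags requires two args" error and the blocked internet) and the local-service question in reply 8. It is written for a single host whose only link is wlan0, the interface the original poster named (the scripts above all assume eth0/eth1, so the interface name has to be changed either way). The exposed port 8080 comes from reply 8; the variable names, the DRY_RUN switch and the helper functions are this example's own. A connection to 127.0.0.1 arrives on the loopback interface, so the rule that keeps a local Oracle XE listener reachable matches -i lo, whereas a source match on an Ethernet interface never sees that traffic.

```shell
#!/bin/sh
# Added example (not a script from this thread): a minimal desktop firewall
# for a single host on a wireless link.
# Assumptions: the uplink is wlan0 (the OP's interface) and the only service
# exposed to the LAN is TCP 8080 (the port given in reply 8). Both can be
# overridden from the environment.

IFACE="${IFACE:-wlan0}"
LAN_TCP_PORTS="${LAN_TCP_PORTS:-8080}"   # space-separated list of ports
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = apply them (needs root)

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Write a kernel knob under /proc/sys, or print the intent when DRY_RUN=1.
knob() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo %s > %s\n' "$2" "$1"
    else
        echo "$2" > "$1"
    fi
}

build_rules() {
    # Start from a clean filter table so re-running the script does not
    # append a second copy of every rule.
    ipt -F
    ipt -X
    ipt -Z

    # Default deny inbound and forwarded traffic; allow outbound.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback first. A client connecting to 127.0.0.1 (for example a local
    # Oracle XE listener) arrives on lo, so this rule is what keeps local
    # services working under a DROP policy.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. Without this rule a DROP policy
    # on INPUT discards every reply, which is what "blocks the internet" even
    # though outbound requests still leave the machine.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # A new TCP connection must begin with a bare SYN. --tcp-flags takes two
    # arguments: the mask to examine (SYN,RST,ACK) and the flags that must be
    # set within it (SYN). Writing them as one comma-separated word is what
    # produces "--tcp-flags requires two args".
    ipt -A INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

    # Services deliberately reachable from the LAN, one rule per port.
    for port in $LAN_TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Kernel side: SYN cookies, reverse-path filtering, ignore broadcast pings.
    knob /proc/sys/net/ipv4/tcp_syncookies 1
    knob /proc/sys/net/ipv4/conf/all/rp_filter 1
    knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
}

# Number of -A rules the script would install; a quick sanity check that the
# rule set has the expected shape before applying it.
rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c '^iptables -A '
}

# Preview by default; run as root with DRY_RUN=0 to install the rules.
build_rules
```

Running the script without arguments prints the commands it would execute, which is the place to check rule order: the lo rule and the ESTABLISHED,RELATED rule must appear before any DROP in INPUT, and a port you expose has to be listed in LAN_TCP_PORTS rather than opened with a blanket accept on the interface.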


9. Re: Help me configure iptables [SOLVED]

Ghoost User
ghoostuser

(uses Arch Linux)

Posted on 12/12/2011 - 04:46h

I liked it, Cesar, your firewall worked just fine here; I had already seen other tutorials of yours too, very good! :D

Thanks.


Merry Christmas to all!







