clovesjr
(usa Slackware)
Enviado em 17/08/2007 - 18:31h
Ola galera...
To com um problema...
Segue abaixo o script do meu firewall que garimpei aki do VOL... O problema eh que as maquinas da minha rede interna naum navegam na internet, mas a partir do meu firewall consigo navegar sem problemas...
Alguem pode me ajudar a descobrir o que ta errado?
##############################################
#!/bin/sh
# Variáveis
# -------------------------------------------------------
iptables="/usr/sbin/iptables" ## location to iptables binary file
IF_EXTERNA="eth1"
IF_INTERNA="eth0"
REDEINT="172.16.0.0/24"
EXTIP=`ifconfig $IF_EXTERNA | grep inet | cut -f2 -d: | cut -f1 -d" "` ## external ip address
INTIP=`ifconfig $IF_INTERNA | grep inet | cut -f2 -d: | cut -f1 -d" "` ## internal ip address
case "$1" in
start)
clear
echo " "
echo "############### ATIVANDO FIREWALL ###############"
echo " "
# Carregando os modulos do iptables
# -------------------------------------------------------
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE
# Ativa roteamento no kernel
# -------------------------------------------------------
modprobe iptable_nat
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Roteamento de pacotes ativo"
# Zera regras
# -------------------------------------------------------
$iptables -F INPUT
$iptables -F FORWARD
$iptables -F OUTPUT
echo "Efetuada a limpeza das regras"
# Determina a política padrão
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP
echo "Padrao de roteamento configurado"
echo " "
echo "**** REGRAS DE BLOQUEIOS ****"
echo " "
# Proteção contra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "IP Spoofing"
# Proteção contra responses bogus
# -------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Response Bogus"
# Impedindo que um atacante possa maliciosamente alterar alguma rota
# -------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Alterar porta"
# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) até seu destino. Junto com spoof, isso se torna muito perigoso.
# -------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Source Route"
# Proteção contra ataques de syn flood (inicio da conexão TCP). Tenta conter ataques de DoS.
# -------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Syn-Flood"
# Dropa pacotes mal formados
# -------------------------------------------------------
$iptables -A INPUT -i $EXTIP -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pac mal formado: "
$iptables -A INPUT -i $EXTIP -m unclean -j DROP
echo "Dropa mal formados"
# Proteção contra ping da morte
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Ping of Death"
#Bloqueio de broadcast
iptables -t mangle -A PREROUTING -m pkttype --pkt-type broadcast -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport 10080 -m limit --limit 1/s -j ACCEPT
echo "Broadcast"
# Dropa pacotes TCP indesejáveis
# -------------------------------------------------------
$iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
$iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
echo "Dropa indesejaveis"
# Proteção contra trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $EXTIP --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $EXTIP --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $EXTIP --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $EXTIP --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $EXTIP --dport 35555 -j TRINOO
echo "Trinoo"
# Proteção contra tronjans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $EXTIP --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $EXTIP --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $EXTIP --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $EXTIP --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $EXTIP --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $EXTIP --dport 16660 -j TROJAN
echo "Trojans"
# Proteção contra worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $INTIP -j REJECT
echo "Worms"
# Proteção contra syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
echo "Syn-Flood"
# Proteção contra port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $EXTIP -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $EXTIP -j SCANNER
echo "Port Scan"
# Loga tentativa de acesso a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 21 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
$iptables -A INPUT -p tcp --dport 23 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
$iptables -A INPUT -p tcp --dport 80 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
$iptables -A INPUT -p tcp --dport 110 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
$iptables -A INPUT -p tcp --dport 3128 -i $EXTIP -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
echo "Habilita Logs"
echo " "
echo "**** FIM DOS BLOQUEIOS ****"
# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
$iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Libera acesso a interface local
# -------------------------------------------------------
$iptables -A INPUT -i lo -j ACCEPT
# Libera acesso externo a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $EXTIP -j ACCEPT
# Libera acesso da rede interna
# -------------------------------------------------------
$iptables -A INPUT -p tcp --syn -s $REDEINT -j ACCEPT
# PORTA 80 - ACEITA PARA A REDE LOCAL
# -------------------------------------------------------
$iptables -A INPUT -i $IF_INTERNA -p tcp --dport 80 -j ACCEPT
#Ativa mascaramento de saída com o IP EXTERNO
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $EXTIP -j MASQUERADE
#Proxy Transparente
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
$iptables -t nat -A PREROUTING -i $INTIP -p tcp --dport 80 -j REDIRECT --to-port 3128
# Redireciona as conexões vindas da rede externa na porta 3389 para o ip 172.16.0.2
# -------------------------------------------------------
$iptables -t nat -A PREROUTING -i $EXTIP -p tcp --dport 3389 -j DNAT --to 172.16.0.2
# Permite o acesso externo aos servicos de e-mail
# -------------------------------------------------------
$iptables -A FORWARD -i $INTIP -o $EXTIP -p tcp --dport 25 -j ACCEPT
$iptables -A FORWARD -i $INTIP -o $EXTIP -p tcp --dport 110 -j ACCEPT
echo " "
echo "############### FIREWALL ATIVO ###############"
echo " "
;;
stop)
echo " "
echo "lIMPANDO TODAS AS REGRAS ... "
echo " "
$iptables -F INPUT
$iptables -F FORWARD
$iptables -F OUTPUT
echo "REGRAS LIMPAS"
echo " "
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L
;;
*)
echo "usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
#############################################