Exemplo de um Firewall
-
A seguir eu disponibilizo um firewall que eu considero bom. Fiz em conjunto com o pessoal da lista debian-firewall, que me deram muitas dicas e conselhos.
-
Ele trabalha com duas interfaces de rede (eth0 e eth1), apenas compartilha a internet e disponibiliza o serviço de ssh em todas as direções. Tentei deixá-lo o mais limpo possível, para facilitar alterações. Deixei-o inteiramente em inglês para que o pessoal da lista pudesse ter mais facilidade em me ajudar.
-
Trabalha com cores e usa DROP como política padrão das CHAINS.
-
Em especial gostaria de agradecer a: Andreas Kuglgruber, Ansgar Wiechers, Stefan Weilhartner, Paolo e Paulo Bruck.
-
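#!/bin/sh
# Firewall System
# Author – Yuri Rodrigues
# Mail – yurirbraz@gmail.com
#
# Two-interface gateway script: masquerades the LAN behind the internet
# interface, forwards Remote Administrator (tcp/4899) to one LAN host and
# allows SSH between LAN, firewall and internet.  INPUT, OUTPUT and FORWARD
# default to DROP, so anything not listed below is dropped.
#
# It is recognized that:
# Eth0 = Intranet
# Eth1 = Internet
#
# Must run as root.  LOG targets write to the kernel log (/var/log/kern.log).
# Any failing iptables command aborts the script (set -e) while forwarding is
# still disabled and the DROP policies are already set, i.e. it fails closed.
# POSIX sh only: the original used "echo -e", which /bin/sh (dash) does not
# understand, and its quotes/dashes had been turned into typographic ones.
set -e

intranet="eth0"
internet="eth1"
rede="192.168.121.0/24"      # LAN address block behind $intranet
ra_host="192.168.121.4"      # LAN host that receives Remote Administrator (tcp/4899)
iptables="/sbin/iptables"

#######################################
# Print "LABEL ........ [ OK ]" in the script's colour scheme.
# Arguments: $1 - section label
#######################################
ok() {
  pad="$1 "
  while [ ${#pad} -lt 52 ]; do pad="${pad}."; done
  printf '\033[01;36m%s\033[01;37m%s\033[01;32m [ OK ]\033[01;37m\n' "$1" "${pad#"$1"}"
}

[ "$(id -u)" -eq 0 ] || { printf '%s: must run as root\n' "$0" >&2; exit 1; }
[ -x "$iptables" ] || { printf '%s: %s not found or not executable\n' "$0" "$iptables" >&2; exit 1; }

[ -t 1 ] && clear
printf '\033[01;33m-----------------=======\033[01;32m Firewall\033[01;33m =======------------------\n'
printf ' By: Yuri Rodrigues \n'
printf '\033[01;37mLOGS: [ /var/log/kern.log ]\n\n'
printf 'Starting the script\n\n'

# Keep forwarding off until the complete rule set is loaded.
echo 0 > /proc/sys/net/ipv4/ip_forward

#### Loading Modules ####
# Newer kernels load these on demand and some may not exist under these
# names; -q silences "module not found" and "|| true" keeps a missing one
# from aborting the run under set -e.
for mod in ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_queue ip_tables \
    ipt_LOG ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_TCPMSS ipt_TOS \
    ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state ipt_tcpmss ipt_tos \
    iptable_filter iptable_mangle iptable_nat; do
  modprobe -q "$mod" || true
done
ok "Loading Modules"

#### Policing ####
# Filter Table
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
# Nat Table
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
# Mangle Table
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
ok "Policing"

#### Flush Rules ####
# -X removes user-defined chains (syn_flood below) left by a previous run.
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X
ok "Flush Rules"

#### Allowing already established connections ####
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot attach to any connection are dropped early.
$iptables -A INPUT -m state --state INVALID -j DROP
$iptables -A FORWARD -m state --state INVALID -j DROP
ok "Allowing already established connections"

#### LoopBack Traffic Accepted ####
# Both directions: with OUTPUT at DROP, the original INPUT-only rule let no
# local process open a new connection to 127.0.0.1.
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

#### Anti-spoofing ####
# A packet entering on the internet interface with a LAN source address cannot
# be legitimate.  $rede was defined in the original but never used.
$iptables -A INPUT -i "$internet" -s "$rede" -j LOG --log-prefix "[IPTABLES] Spoof : " --log-level 6
$iptables -A INPUT -i "$internet" -s "$rede" -j DROP
$iptables -A FORWARD -i "$internet" -s "$rede" -j DROP
ok "Anti-spoofing"

#### Locking fragmented packets ####
$iptables -A INPUT -f -i "$internet" -j LOG --log-prefix "[IPTABLES] Fragmentos: "
# DROP instead of the original REJECT: the firewall does not answer
# unsolicited packets arriving from the internet side.
$iptables -A INPUT -f -i "$internet" -j DROP
ok "Locking fragmented packets"

#### SynFloods Protection ####
# Forwarded TCP SYNs pass through syn_flood, which returns up to 3/s to the
# FORWARD chain and drops the rest.  It sits before every per-service ACCEPT so
# that it applies; the original "--syn -m limit -j ACCEPT" rule was appended
# after them and, being an ACCEPT with no port or interface match, admitted new
# connections to any port in either direction at 3/s.
$iptables -N syn_flood
$iptables -A syn_flood -m limit --limit 3/s -j RETURN
$iptables -A syn_flood -m limit --limit 1/minute -j LOG --log-prefix "[IPTABLES] SynFlood : " --log-level 6
$iptables -A syn_flood -j DROP
$iptables -A FORWARD -p tcp --syn -j syn_flood
ok "SynFloods Protection"

printf '\n\033[01;33m>>>>>>>>>>>>>>>>>>\033[01;32m Regras para usuarios\033[01;33m <<<<<<<<<<<<<<<<<<\n\n'

#### Debugging ####
#$iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
#$iptables -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] OUTPUT : "
#$iptables -A FORWARD -j LOG --log-prefix "[IPTABLES] FORWARD : "

#### Remote Administrator ####
# Every tcp/4899 packet arriving on $internet is rewritten in PREROUTING to
# $ra_host, so it reaches FORWARD, never INPUT: the original INPUT ACCEPT for
# 4899 was unreachable and is gone.  The original "--sport 4899 ... NEW"
# FORWARD rule is gone too: replies are covered by ESTABLISHED, and a NEW rule
# keyed on the source port alone matches any destination port.
$iptables -t nat -A PREROUTING -i "$internet" -p tcp --dport 4899 -j DNAT --to-destination "$ra_host:4899"
$iptables -A FORWARD -i "$internet" -o "$intranet" -p tcp -d "$ra_host" --dport 4899 -m state --state NEW \
  -j LOG --log-prefix "[IPTABLES] RA : " --log-level 6 --log-tcp-options --log-ip-options
$iptables -A FORWARD -i "$internet" -o "$intranet" -p tcp -d "$ra_host" --dport 4899 -m state --state NEW -j ACCEPT
ok "Remote Administrator"

#### Transparent Proxy ####
# Disabled.  Redirected LAN traffic arrives on $intranet for port 3128, so that
# is the INPUT rule it needs (the original accepted 80/443 from $internet
# instead).  Redirecting tcp/443 to a plain HTTP proxy port does not work for
# TLS, so only tcp/80 is listed.
#$iptables -t nat -A PREROUTING -i "$intranet" -s "$rede" -p tcp --dport 80 -j REDIRECT --to-port 3128
#$iptables -A INPUT -i "$intranet" -s "$rede" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
#ok "Transparent Proxy"

#### SSH Access ####
# One LOG rule for every new SSH connection to the firewall, then one ACCEPT
# per interface.  Replies use the ESTABLISHED rules, so the original
# "--sport 22 ... NEW" rules are gone: a NEW packet matched only by its source
# port would have reached any port on the firewall or the LAN.
$iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
  -j LOG --log-prefix "[IPTABLES] SSH : " --log-level 6 --log-tcp-options --log-ip-options
## LAN 2 FIREWALL
$iptables -A INPUT -i "$intranet" -s "$rede" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## INTERNET 2 FIREWALL
# NOTE(review): open to any internet source, as in the original; add
# -s <admin address> or a limit match here if that is too wide.
$iptables -A INPUT -i "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 INTERNET
$iptables -A OUTPUT -o "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 LAN
$iptables -A OUTPUT -o "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## LAN 2 INTERNET
# The original FORWARD rule had no interface match.  Internet-to-LAN SSH would
# also need a DNAT rule, and this script defines none.
$iptables -A FORWARD -i "$intranet" -o "$internet" -s "$rede" -p tcp --dport 22 -m state --state NEW -j ACCEPT
ok "SSH Access"

#### Internet Sharing ####
# LAN hosts may open HTTP, HTTPS and DNS connections to the internet; replies
# come back on the ESTABLISHED rules.  443 and 53 are additions: the original
# forwarded only tcp/80, and with FORWARD at DROP and no DNS rule LAN hosts
# could not resolve names.  The original "--sport 80 ... NEW" FORWARD rule and
# the NEW tcp/80 INPUT rule into the firewall itself are gone; neither is
# needed to share the connection.
$iptables -A FORWARD -i "$intranet" -o "$internet" -s "$rede" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i "$intranet" -o "$internet" -s "$rede" -p udp --dport 53 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i "$intranet" -o "$internet" -s "$rede" -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Masquerade only LAN traffic leaving on the internet interface; the original
# masqueraded every source on every interface.
$iptables -t nat -A POSTROUTING -s "$rede" -o "$internet" -j MASQUERADE
ok "Internet Sharing"

printf '\n\033[01;33m<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n\n'

#### ICMP Limit ####
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
ok "ICMP Limit"

#### QOS Remote Admin ####
# 0x10 = Minimize-Delay; the original's "0×10" was a garbled copy of this.
$iptables -t mangle -A OUTPUT -o "$internet" -p tcp --sport 4899 -j TOS --set-tos 0x10
$iptables -t mangle -A INPUT -i "$internet" -p tcp --dport 4899 -j TOS --set-tos 0x10
$iptables -t mangle -A FORWARD -o "$internet" -p tcp --sport 4899 -j TOS --set-tos 0x10
ok "QoS Remote Admin"

# Forwarding goes on only now that every rule is in place (the original
# enabled it right after the flush, before any rule existed).
echo 1 > /proc/sys/net/ipv4/ip_forward
printf '\n\033[01;33m-------======\033[01;32m Firewall Enabled\033[01;33m ======-------\n'
printf '\033[01;37m\n'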
