firewall
debopen
debopen gmail.com
Terça-Feira, 14 de Março de 2006 - 16:43:56 GMT
Gostaria que voces dessem uma sugestao como melhorari-a
isso
Obrigado
#!/bin/sh
# Variaveis
IPTABLES="/sbin/iptables"
MOD="/sbin/modprobe"
WAN="ppp+"
LAN="eth+"
REDE="192.168.0.0/24"
DNS="200.204.0.10, 200.204.0.138"
case "$1" in
start)
echo -e "Iniciando Firewall TCL ... "
depmod -a
$MOD ip_tables
$MOD iptable_filter
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD iptable_nat
$MOD ip_nat_ftp
$MOD ipt_LOG
$MOD ipt_state
$MOD ipt_MASQUERADE
#Limpando as Chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z
#Politica Padrão
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#Setando o Kernel para IP_Dinamico Mascarado
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#Habilitando IP_Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#Ativando Protecao no Kernel
for tcl in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $tcl
done
#Ativando SynCookies para Protecao no Kernel
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
##################TABELA INPUT########################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Porta FTP Data $IPTABLES -A INPUT -i $WAN -p tcp --dport 20 -j ACCEPT
#Porta FTP $IPTABLES -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
#Porta Telnet $IPTABLES -A INPUT -i $WAN -p tcp --dport 23 -j ACCEPT
#Porta Ssh $IPTABLES -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 1863 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 4444 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport $DNS -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p udp --dport $DNS -j ACCEPT
#Opcao dois -> Libera conexoes de retorno dos servicos ativos na
rede interna
#$IPTABLES -A INPUT -i $WAN -p tcp -m --multiport --dport 20, 21,
23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT
#Como eu vou ter que acessar esta Maquina Remotamente, para
Manutenção ou
#configuracoes que se mostrarem necessarias. Vou permitir o acesso
ao SSH.
$IPTABLES -A INPUT -i $WAN -p tcp --dport 2222 -j ACCEPT
#A interface que está para a internet é a PPP0, é bom sempre logar
o pacote
#para saber o que ele é. Regras para ping, isso varia muito de
Admin para Admin
#eu tenho o costume de só permitir ping da rede interna para fora,
para ver se
#tem problemas na conexão com a internet, para poder verificar se o
server está on-line.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
#Protecao contra enderecos spoofados da internet
$IPTABLES -A INPUT -i $INTER -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $INTER -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $INTER -s 192.168.0.0/16 -j DROP
#Ja temos tudo o que eu precisamos,vamos mandar todo o resto embora.
$IPTABLES -A INPUT -p tcp -i $WAN -j LOG --log-level DEBUG
--log-prefix "TCP Descartado:"
$IPTABLES -A INPUT -p icmp -i $WAN -j LOG --log-level DEBUG
--log-prefix "ICMP Descartado:"
$IPTABLES -A INPUT -j DROP
##################TABELA FORWARD######################
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Porta FTP Data $IPTABLES -A FORWARD -i $LAN -p tcp --sport 20 -j
ACCEPT
#Porta FTP $IPTABLES -A FORWARD -i $LAN -p tcp --sport 21 -j
ACCEPT
#Porta Telnet $IPTABLES -A FORWARD -i $LAN -p tcp --sport 23 -j
ACCEPT
#Porta Ssh $IPTABLES -A FORWARD -i $LAN -p tcp --sport 22 -j
ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 1863 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport 4444 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp --sport $DNS -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p udp --sport $DNS -j ACCEPT
#Opcao dois -->Libera as Conexoes da Rede Interna para Internet
#$IPTABLES -A FORWARD -i $LAN -p tcp -m --multiport --sport 20, 21,
23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT
#Protecoes diversas contra PortScanners, Ping of Death, ataques
DoS, etc...
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit
--limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP
#Em muitas distribuições com o Kernel 2.6 é necessário usar um quarto
#comando ao compartilhar uma conexão ADSL. Este comando ajusta os
#tamanhos dos pacotes recebidos do modem ao MTU usado na rede local.
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m \
tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
##################TABELA NAT####################
#Acesso de Fora para Rede Local tendo Classe de IP 192.168.0.0
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.2:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.3:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.4:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.5:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.6:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.7:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.8:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.9:2222
#$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
-j DNAT --to-destination 192.168.0.10:2222
#Aqui vai a simples linha que vai compartilhar o acesso a Internet.
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
;;
stop)
echo "Parando Firewall TCL ... "
$IPTABLES -X
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L -n
$IPTABLES -t nat -L -n
;;
*)
echo "Use: $0 {start|stop|restart|status}"
exit 1
;;
esac
exit 0
More information about the ubuntu-pt
mailing list