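De:  fbertasso
Para:  Antonio F. Zago
Assunto:  Re: (linux-br) ajuda c/ firewall (script)
Data:  Sun, 08 Jun 2003 12:25:17 GMT

Então, eu atualizei o script sim...tem uma nova versão...

Fernando

Antonio F. Zago escreveu:
> Em Dom, 2003-06-01 às 16:04, fbertasso escreveu:
>> Foi mal, pessoal! Esqueci de anexar o tal script.
>>
>> Aí vai!
>>
>> Fernando
>
> Olá Fernando
>
> Estou atualizando o FAQ, o teu script vai para:
>
> http://www.zago.eti.br/iptables-modelos-2.txt
>
> qualquer alteração pode mandar outro no lugar que faço a substituição.
>
> Abraços
>
> Zago
>
#!/bin/sh
#
# iptables firewall for a two-interface gateway (LAN <-> Internet) that also
# lets selected services on LAN servers be reached from the Internet.
#
# Usage: $0 {start|stop|restart|status}
#
# Required settings (start aborts with a message if any of them is empty):
#   IFINT, IFEXT          internal / external interface names
#   NET                   LAN network (CIDR)
#   IP_GW_INT, IP_GW_EXT  the gateway's own address on each interface
# Optional: WEB MAIL DNS WIN FTP hold the last octet of each LAN server
# (space-separated); LANPREFIX is the first three octets they share.
# WIN is declared but no rule uses it.
#
# Traffic is dispatched to one chain per direction:
#   int-me  LAN -> gateway        ext-me  Internet -> gateway
#   int-ext LAN -> Internet       ext-int Internet -> LAN
#   PROTECAO is created but every rule that would use it is commented out,
#   so nothing jumps to it.
#
# Changes from the previous version of this script:
#   - the echo-request limit rule of the ext-int section was appended to
#     int-me, after that chain's final DROP, so it never matched; it now
#     goes to ext-int
#   - the anti-spoofing ranges were 172.16.0.0/16 and 192.168.0.0/24;
#     RFC 1918 defines 172.16.0.0/12 and 192.168.0.0/16
#   - start removes the custom chains before creating them, so a second
#     start does not fail with "chain already exists" nor duplicate rules
#   - the hard-coded 192.168.12 prefix became LANPREFIX
#   - an unknown action exits with status 1
#   - expansions are quoted

### Settings
IFINT=""
IFEXT=""
NET=""
IP_GW_INT=""
IP_GW_EXT=""
# Last octet of each server only, space-separated
WEB=""
MAIL=""
DNS=""
WIN=""
FTP=""
# First three octets of the LAN servers' addresses
LANPREFIX="192.168.12"
VALIDICMP="destination-unreachable source-quench time-exceeded parameter-problem echo-reply"
# Custom chains created by start and removed by stop
CHAINS="int-me ext-me int-ext ext-int PROTECAO"

# Write value $1 to /proc/sys/net/ipv4/conf/*/$2 (every interface)
set_conf_all() {
  for f in /proc/sys/net/ipv4/conf/*/"$2"; do
    echo "$1" > "$f"
  done
}

# Append to chain $1 the DROP rules for loopback and RFC 1918 sources;
# those addresses can never legitimately arrive from the external side
drop_private_sources() {
  iptables -A "$1" -s 10.0.0.0/8 -j DROP
  iptables -A "$1" -s 127.0.0.0/8 -j DROP
  iptables -A "$1" -s 172.16.0.0/12 -j DROP
  iptables -A "$1" -s 192.168.0.0/16 -j DROP
}

# Append to chain $1 the ACCEPT rules for harmless ICMP types plus
# rate-limited echo-request
accept_icmp() {
  # shellcheck disable=SC2086 -- VALIDICMP is a space-separated list
  for icmp_type in $VALIDICMP; do
    iptables -A "$1" -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A "$1" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
}

case "$1" in
  start)
    # Fail early with a readable message instead of a cascade of iptables
    # errors caused by empty arguments
    : "${IFINT:?IFINT must be set}"
    : "${IFEXT:?IFEXT must be set}"
    : "${NET:?NET must be set}"
    : "${IP_GW_INT:?IP_GW_INT must be set}"
    : "${IP_GW_EXT:?IP_GW_EXT must be set}"

    printf '%s' "Ativando Firewall: "

    ### Kernel-level protections, applied to every interface
    set_conf_all 1 rp_filter
    set_conf_all 1 log_martians
    set_conf_all 0 accept_source_route
    set_conf_all 0 accept_redirects
    set_conf_all 0 send_redirects
    set_conf_all 1 secure_redirects
    printf '.'

    ### IPv4 stack tuning
    IPV4="/proc/sys/net/ipv4"
    echo 1 > "$IPV4/icmp_echo_ignore_broadcasts"
    echo 1 > "$IPV4/icmp_ignore_bogus_error_responses"
    echo 60 > "$IPV4/tcp_fin_timeout"
    echo 60 > "$IPV4/tcp_keepalive_intvl"
    echo 5 > "$IPV4/tcp_keepalive_probes"
    echo 1800 > "$IPV4/tcp_keepalive_time"
    echo 5 > "$IPV4/tcp_retries1"
    echo 5 > "$IPV4/tcp_retries2"
    echo 5 > "$IPV4/tcp_syn_retries"
    echo 5 > "$IPV4/tcp_synack_retries"
    echo 1024 > "$IPV4/tcp_max_syn_backlog"
    echo 1024 > /proc/sys/net/core/netdev_max_backlog
    echo 1 > "$IPV4/tcp_syncookies"
    printf '.'

    ###START
    # Flush the built-in chains first: their jumps to the custom chains
    # must be gone before those chains can be deleted
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F -t nat
    iptables -F -t mangle
    # Remove leftovers of a previous start so that -N below cannot fail;
    # the errors are expected when the chains do not exist yet
    for chain in $CHAINS; do
      iptables -F "$chain" 2>/dev/null
      iptables -X "$chain" 2>/dev/null
    done

    # Enable forwarding between the interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Deny inbound and forwarded traffic by default, allow outbound
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # One chain per traffic direction
    for chain in $CHAINS; do
      iptables -N "$chain"
    done
    printf '.'

    ### Extra protections (kept disabled as in the original; enabling them
    ### requires the two jumps to PROTECAO as well)
    #iptables -A INPUT -j PROTECAO
    #iptables -A FORWARD -j PROTECAO
    #iptables -A PROTECAO -m state --state INVALID -j DROP
    #iptables -A PROTECAO -p tcp -m state --state NEW ! --syn -j DROP
    #iptables -A PROTECAO -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    #iptables -A PROTECAO -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    #iptables -A PROTECAO -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #iptables -A PROTECAO -p tcp --tcp-option 64 -j DROP
    #iptables -A PROTECAO -p tcp --tcp-option 128 -j DROP
    printf '.'

    # Dispatch each flow to its chain; anything not matched is dropped
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s "$NET" -d "$IP_GW_INT" -i "$IFINT" -j int-me
    iptables -A INPUT -s "$NET" -d "$IP_GW_EXT" -i "$IFINT" -j int-me
    iptables -A INPUT -i "$IFEXT" -d "$IP_GW_INT" -j ext-me
    iptables -A INPUT -i "$IFEXT" -d "$IP_GW_EXT" -j ext-me
    iptables -A INPUT -j DROP
    iptables -A FORWARD -i "$IFINT" -o "$IFEXT" -j int-ext
    iptables -A FORWARD -i "$IFEXT" -o "$IFINT" -j ext-int
    iptables -A FORWARD -j DROP
    printf '.'

    ### Prioritise the replies of the main services (ftp, ssh, smtp, http, pop3)
    for port in 21 22 25 80 110; do
      iptables -t mangle -A POSTROUTING -p tcp --sport "$port" -j TOS --set-tos Minimize-Delay
    done
    printf '.'

    ### Rules for each traffic group

    ### int-me: LAN -> gateway
    iptables -A int-me -i "$IFINT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # xxx.xxx.xxx.xxx is a placeholder for the administrative host allowed to ssh in
    iptables -A int-me -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
    accept_icmp int-me
    iptables -A int-me -j DROP
    printf '.'

    ### ext-me: Internet -> gateway
    drop_private_sources ext-me
    iptables -A ext-me -i "$IFEXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # xxx.xxx.xxx.xxx is a placeholder for the administrative host allowed to ssh in
    iptables -A ext-me -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
    iptables -A ext-me -j DROP
    printf '.'

    ### int-ext: LAN -> Internet, unrestricted
    iptables -A int-ext -j ACCEPT
    printf '.'

    ### ext-int: Internet -> LAN servers
    # xxx.xxx.xxx.xxx is a placeholder for a trusted host given full access
    # to the LAN; it is checked before the anti-spoofing drops on purpose
    iptables -A ext-int -p ip -s xxx.xxx.xxx.xxx -j ACCEPT
    drop_private_sources ext-int
    accept_icmp ext-int
    iptables -A ext-int -i "$IFEXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for server in $WEB; do
      addr="$LANPREFIX.$server"
      iptables -A ext-int -p tcp -d "$addr" --dport 80 -j ACCEPT
      iptables -A ext-int -p tcp -d "$addr" --dport 443 -j ACCEPT
      # 3306 (MySQL) is exposed to the Internet here, as in the original
      iptables -A ext-int -p tcp -d "$addr" --dport 3306 -j ACCEPT
    done
    for server in $FTP; do
      addr="$LANPREFIX.$server"
      iptables -A ext-int -p tcp -d "$addr" --dport 20:21 -j ACCEPT
      # Passive-mode data ports
      iptables -A ext-int -p tcp -d "$addr" --dport 60000:61000 -j ACCEPT
    done
    for server in $MAIL; do
      addr="$LANPREFIX.$server"
      iptables -A ext-int -p tcp -d "$addr" --dport 25 -j ACCEPT
      iptables -A ext-int -p tcp -d "$addr" --dport 80 -j ACCEPT
      iptables -A ext-int -p tcp -d "$addr" --dport 110 -j ACCEPT
      iptables -A ext-int -p tcp -d "$addr" --dport 443 -j ACCEPT
    done
    for server in $DNS; do
      addr="$LANPREFIX.$server"
      iptables -A ext-int -p tcp -d "$addr" --dport 53 -j ACCEPT
      iptables -A ext-int -p udp -d "$addr" --dport 53 -j ACCEPT
      # NOTE(review): replies to the server's own queries already match
      # ESTABLISHED above; this rule additionally admits any UDP with source
      # port 53 to the server's high ports - consider removing it
      iptables -A ext-int -p udp -d "$addr" --sport 53 --dport 1024: -j ACCEPT
    done
    printf '.'

    ### End of the start rules
    iptables -A ext-int -j DROP
    echo done
    exit 0
    ;;
  stop)
    echo "Parando Firewall: "
    # Flush every table and chain
    for chain in $CHAINS; do
      iptables -F "$chain"
    done
    iptables -F -t mangle
    iptables -F -t nat
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    # Delete the custom chains and open the built-in ones
    for chain in $CHAINS; do
      iptables -X "$chain"
    done
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # Disable forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward
    exit 0
    ;;
  restart)
    "$0" stop
    "$0" start
    exit 0
    ;;
  status)
    iptables -L -n -v
    exit 0
    ;;
  *)
    echo
    echo "Utilize somente: $0 {start|stop|restart|status}"
    echo
    exit 1
    ;;
esac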