
Re: Default Policy = DROP. Help-me



Gentlemen,
I noticed that there is disagreement with regard to something not so important. What really matters is that the rules are efficient. In any case I will try many ways to validate the rules.
I thank all those who took an interest and helped.
I tested the ssh rules with `-m state --state NEW`, and they really worked. Thank you.
What do you think of the firewall now?

Sincerely,

Yuri Rodrigues

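#!/bin/sh
#
# Firewall System
# Author - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# It is recognized that:
# Eth0 = Intranet
# Eth1 = Internet
#
# Layout: default policy DROP on the filter INPUT/OUTPUT/FORWARD chains, then
# one explicit ACCEPT per permitted flow.  Reply traffic is admitted once, by
# the RELATED,ESTABLISHED rules near the top, so no "--sport NN ... NEW" rules
# are needed for replies (such rules let any connection whose *source* port
# happens to be NN through, to any destination port).
#
# Deliberately not run under "set -e": the policies are set to DROP first, so
# aborting half-way would leave the box unreachable.  Failures are reported on
# stderr instead and the script keeps going.
#
# POSIX sh only: "echo -e" is not portable (dash prints the "-e"), so colored
# output goes through printf, which interprets \033 itself.

clear

intranet="eth0"
internet="eth1"
iptables="/sbin/iptables"
rede="192.168.121.0/24"     # LAN prefix behind $intranet; used to scope MASQUERADE
ra_host="192.168.121.4"     # LAN host that receives the DNATed Remote Administrator port
ra_port="4899"              # Remote Administrator (radmin) TCP port
log_limit="3/minute"        # rate limit applied to every LOG rule (keeps kern.log sane)
syn_limit="3/s"             # forwarded SYN rate; author's original value — tune for the LAN size

# ok LABEL DOTS — print one green "[ OK ]" status line.
ok() {
  printf '\033[01;36m%s\033[01;37m %s\033[01;32m [ OK ]\n' "$1" "$2"
}

# warn MSG... — diagnostics go to stderr, never mixed into the banner.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# die MSG... — print to stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ -x "$iptables" ] || die "iptables binary not found at $iptables"

# Stop routing while the rule set is being rebuilt; re-enabled at the end.
echo "0" > /proc/sys/net/ipv4/ip_forward

printf '\033[01;33m-----------------=======\033[01;32m Firewall\033[01;33m =======------------------\n'
echo "                    By: Yuri Rodrigues      "
printf '\033[01;37mLOGS: [ /var/log/kern.log ]                 \n'
echo ""
echo "Starting the script                                         "
echo ""

#### Loading Modules ####
# A module that is built into the kernel, or that no longer exists on a newer
# kernel, makes modprobe fail; that is reported but does not stop the script.
# (The original chained "ipt_tos && iptable_filter" by accident; every module
# is loaded independently here.)
for mod in ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_queue ip_tables \
    ipt_LOG ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_TCPMSS \
    ipt_TOS ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state \
    ipt_tcpmss ipt_tos iptable_filter iptable_mangle iptable_nat; do
  modprobe "$mod" || warn "could not load module $mod"
done
ok "Loading Modules" "..................................."

#### Policing ####
# Filter Table
"$iptables" -t filter -P INPUT DROP
"$iptables" -t filter -P OUTPUT DROP
"$iptables" -t filter -P FORWARD DROP
# Nat Table
"$iptables" -t nat -P PREROUTING ACCEPT
"$iptables" -t nat -P OUTPUT ACCEPT
"$iptables" -t nat -P POSTROUTING ACCEPT
# Mangle Table
"$iptables" -t mangle -P PREROUTING ACCEPT
"$iptables" -t mangle -P OUTPUT ACCEPT
"$iptables" -t mangle -P INPUT ACCEPT
"$iptables" -t mangle -P POSTROUTING ACCEPT
ok "Policing" ".........................................."

#### Flush Rules ####
"$iptables" -F
"$iptables" -t nat -F
"$iptables" -t mangle -F
# Also delete user-defined chains left over from a previous run, otherwise the
# "-N syn_flood" below fails on the second run.
"$iptables" -X
ok "Flush Rules" "......................................."

#### Allowing already established connections ####
"$iptables" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$iptables" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$iptables" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ok "Allowing already established connections" ".........."

#### LoopBack Traffic Accepted ####
"$iptables" -A INPUT -i lo -j ACCEPT
# OUTPUT policy is DROP as well, so a *new* connection to 127.0.0.1 from a
# local service needs this rule; the original only opened the INPUT side.
"$iptables" -A OUTPUT -o lo -j ACCEPT

#### SynFloods Protection ####
# Excess SYNs are dropped in a dedicated chain that sits before every service
# rule.  The original appended "--syn -m limit -j ACCEPT" after the service
# rules, which limited nothing and instead opened FORWARD to any port at
# 3 SYN/s.  NOTE(review): $syn_limit now applies to all new forwarded TCP
# connections; raise it if users see stalls.
"$iptables" -N syn_flood
"$iptables" -A syn_flood -m limit --limit "$syn_limit" -j RETURN
"$iptables" -A syn_flood -j DROP
"$iptables" -A FORWARD -p tcp --syn -j syn_flood
ok "SynFloods Protection" ".............................."

echo ""
printf '\033[01;33m>>>>>>>>>>>>>>>>>>\033[01;32m Regras para usuarios\033[01;33m <<<<<<<<<<<<<<<<<<\n'
echo ""

#### Debugging ####
#"$iptables" -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
#"$iptables" -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] OUTPUT : "
#"$iptables" -A FORWARD -j LOG --log-prefix "[IPTABLES] FORWARD : "

#### Remote Administrator ####
# DNAT happens in nat/PREROUTING, before the routing decision, so packets
# redirected to $ra_host traverse FORWARD, not INPUT.  The LOG rule therefore
# lives in FORWARD (the original logged in INPUT and never saw them), and the
# original "INPUT --dport 4899 ACCEPT", which only opened that port on the
# firewall host itself, is gone.  Reply packets are handled by conntrack.
"$iptables" -t nat -A PREROUTING -i "$internet" -p tcp --dport "$ra_port" \
  -j DNAT --to-destination "$ra_host:$ra_port"
"$iptables" -A FORWARD -i "$internet" -o "$intranet" -d "$ra_host" -p tcp --dport "$ra_port" \
  -m state --state NEW -m limit --limit "$log_limit" \
  -j LOG --log-prefix "[IPTABLES] RA : " --log-level 6 --log-tcp-options --log-ip-options
"$iptables" -A FORWARD -i "$internet" -o "$intranet" -d "$ra_host" -p tcp --dport "$ra_port" \
  -m state --state NEW -j ACCEPT
ok "Remote Administrator" ".............................."

#### Transparent Proxy ####
#"$iptables" -A INPUT -i "$internet" -p tcp --dport 80 -m state --state new -j ACCEPT
#"$iptables" -A INPUT -i "$internet" -p tcp --dport 443 -m state --state new -j ACCEPT
#"$iptables" -t nat -A PREROUTING -i "$intranet" -p tcp --dport 80 -j REDIRECT --to-port 3128
#"$iptables" -t nat -A PREROUTING -i "$intranet" -p tcp --dport 443 -j REDIRECT --to-port 3128
#ok "Transparent Proxy" "................................"

#### SSH Access ####
# One rate-limited LOG for every new ssh attempt at the firewall, then one
# ACCEPT per direction.  Replies ride on RELATED,ESTABLISHED.
"$iptables" -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit "$log_limit" \
  -j LOG --log-prefix "[IPTABLES] SSH : " --log-level 6 --log-tcp-options --log-ip-options
## LAN 2 FIREWALL
"$iptables" -A INPUT -i "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 INTERNET
"$iptables" -A OUTPUT -o "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## INTERNET 2 FIREWALL
"$iptables" -A INPUT -i "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 LAN
"$iptables" -A OUTPUT -o "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## THROUGH THE FIREWALL
# Kept as in the original: not restricted to a direction.
# TODO(review): confirm Internet -> LAN ssh forwarding is wanted; if not, add
# -i "$intranet" -o "$internet".
"$iptables" -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
ok "SSH Access" "........................................"

#### Internet Sharing ####
# LAN -> Internet web traffic; the original "-i $internet --sport 80 ACCEPT"
# reply rule forwarded anything with source port 80 to any LAN port and is
# not needed (ESTABLISHED covers replies).
"$iptables" -A FORWARD -i "$intranet" -o "$internet" -p tcp --dport 80 -m state --state NEW -j ACCEPT
# This opens port 80 on the firewall host itself, from the Internet side; it
# plays no part in sharing.  TODO(review): remove unless a web server runs here.
"$iptables" -A INPUT -i "$internet" -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Masquerade only LAN sources leaving on the Internet interface; the original
# rewrote every source address on every interface.
"$iptables" -t nat -A POSTROUTING -s "$rede" -o "$internet" -j MASQUERADE
ok "Internet Sharing" ".................................."

echo ""
printf '\033[01;33m<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n'
echo ""

#### Locking fragmented packets ####
# "-f" matches second and further fragments.  The LOG is rate-limited so a
# fragment stream cannot fill the log.
"$iptables" -A INPUT -f -i "$internet" -m limit --limit "$log_limit" -j LOG --log-prefix "[IPTABLES] Fragmentos: "
"$iptables" -A INPUT -f -i "$internet" -j REJECT
ok "Locking fragmented packets" "........................"

#### ICMP Limit ####
# Excess ICMP falls through to the INPUT DROP policy.
"$iptables" -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
ok "ICMP Limit" "........................................"

#### QOS Remote Admin ####
# TOS 0x10 = minimize delay on the Remote Administrator flows.
"$iptables" -t mangle -A OUTPUT -o "$internet" -p tcp --sport "$ra_port" -j TOS --set-tos 0x10
"$iptables" -t mangle -A INPUT -i "$internet" -p tcp --dport "$ra_port" -j TOS --set-tos 0x10
"$iptables" -t mangle -A FORWARD -o "$internet" -p tcp --sport "$ra_port" -j TOS --set-tos 0x10
ok "QoS Remote Admin" ".................................."

# Rule set is complete: turn routing back on (the original enabled it right
# after the flush, before any rule existed).
echo "1" > /proc/sys/net/ipv4/ip_forward

echo ""
printf '\033[01;33m-------------======\033[01;32m Firewall Enabled\033[01;33m ======--------------\n'
printf '\033[01;37m\n'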


