Iptables
Olá caros amigos da lista, eu gostaria de pedir a ajuda de vocês
para melhorar um pouco algumas regras que coloquei no meu iptables,
pois não sou grande conhecedor do assunto, criticas, sugestões ou
escárneos são muito bem vindos.
Muito obrigado a todos.
#>LIMPEZA<##################################################################
echo Limpando regras de firewall
iptables -F
iptables -t nat -F
#>REPASSE<##################################################################
echo Permitindo o trafego de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward
#>NAT<######################################################################
echo Mascaramento de enderecos
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
#>SQUID<####################################################################
echo Squid
iptables -t nat -A PREROUTING -i eth1 -p TCP --dport 80 -j REDIRECT
--to-port 3128
#>PORTAS PERMITIDAS<########################################################
echo Determinando permissoes de trafego
iptables -A FORWARD -p TCP --destination-port 21 -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 21 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 21 -j ACCEPT
iptables -A FORWARD -p TCP --destination-port 22 -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 22 -j ACCEPT
iptables -A FORWARD -p TCP --destination-port 25 -j ACCEPT
iptables -A OUTPUT -p TCP --destination-port 53 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 53 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 80 -j ACCEPT
iptables -A FORWARD -p TCP --destination-port 110 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 3128 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 3550 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 4550 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 5550 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 8080 -j ACCEPT
#>CIRCUITO INTERNO DE TV<###################################################
echo Circuito interno de TV
iptables -t nat -A PREROUTING -p TCP -d 200.168.142.132 --dport 8080 -j DNAT
--to 192.168.0.4:8080
iptables -t nat -A PREROUTING -p TCP -d 200.168.142.132 --dport 3550 -j DNAT
--to 192.168.0.4:3550
iptables -t nat -A PREROUTING -p TCP -d 200.168.142.132 --dport 4550 -j DNAT
--to 192.168.0.4:4550
iptables -t nat -A PREROUTING -p TCP -d 200.168.142.132 --dport 5550 -j DNAT
--to 192.168.0.4:5550
#>BLOQUEANDO OS OPCIONAIS<##################################################
#echo Impedindo o acesso ao KaAza
#iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
#iptables -A FORWARD -p TCP --dport 1214 -j REJECT
#echo Impedindo o acesso ao MSN Messenger
#iptables -A FORWARD -p TCP --dport 1863 -j REJECT
#iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
#echo Impedindo o acesso ao ICQ Instant Messenger
#iptables -A FORWARD -p TCP --dport 5190 -j REJECT
#iptables -A FORWARD -d login.icq.com -j REJECT
#>SEGURANCA<################################################################
echo Ignorando pings
iptables -A FORWARD -p ICMP --icmp-type echo-request -j DROP
echo Protecao contra Ping of Death
iptables -A FORWARD -p ICMP --icmp-type echo-request -m limit --limit 1/s -j
ACCEPT
echo Protecao contra ataques Syn-Flood
iptables -A FORWARD -p TCP -m limit --limit 1/s -j ACCEPT
echo Protecao contra port scanners avancados
iptables -A FORWARD -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
1/s -j ACCEPT
echo Protecao contra pacontes danificados
iptables -A FORWARD -m unclean -j DROP
echo Protecao contra ICMP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo Protecao contra acessos externos
iptables -A INPUT -p TCP --syn -j DROP
echo Protecao contra acessos a enderecos nao permitidos na interface 1
iptables -A INPUT -s 192.168.0.0/24 -i ! eth1 -j DROP
echo Protecao contra acessos a enderecos nao permitidos na interface 0
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 127.16.0.0/16 -i eth0 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A FORWARD -p TCP --destination-port 9 -j DROP
iptables -A FORWARD -p UDP --destination-port 9 -j DROP
iptables -A FORWARD -p TCP --destination-port 13 -j DROP
iptables -A FORWARD -p UDP --destination-port 13 -j DROP
iptables -A FORWARD -p TCP --destination-port 25 -j DROP
iptables -A FORWARD -p UDP --destination-port 25 -j DROP
iptables -A FORWARD -p TCP --destination-port 37 -j DROP
iptables -A FORWARD -p UDP --destination-port 37 -j DROP
iptables -A FORWARD -p TCP --destination-port 67 -j DROP
iptables -A FORWARD -p UDP --destination-port 67 -j DROP
iptables -A FORWARD -p TCP --destination-port 110 -j DROP
iptables -A FORWARD -p UDP --destination-port 110 -j DROP
iptables -A FORWARD -p TCP --destination-port 111 -j DROP
iptables -A FORWARD -p UDP --destination-port 111 -j DROP
iptables -A FORWARD -p TCP --destination-port 113 -j DROP
iptables -A FORWARD -p UDP --destination-port 113 -j DROP
iptables -A FORWARD -p TCP --destination-port 445 -j DROP
iptables -A FORWARD -p UDP --destination-port 445 -j DROP
iptables -A FORWARD -p TCP --destination-port 515 -j DROP
iptables -A FORWARD -p UDP --destination-port 515 -j DROP
iptables -A FORWARD -p TCP --destination-port 538 -j DROP
iptables -A FORWARD -p UDP --destination-port 538 -j DROP
iptables -A FORWARD -p TCP --destination-port 963 -j DROP
iptables -A FORWARD -p UDP --destination-port 963 -j DROP
############################################################################
Reply to: