[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

firewall

galera configuramos o firewall aqui na empresa... so que e o seuginte
ta com ums erros cabulos.. se alguem puder ajudar

##Erros
Setting default chain policies... Done!
Flushing chains... Done!
Adding custom chains... Done!
Setting rules for INPUT chain... Done!
Setting rules for FORWARD chain... Done!
Activating masquerade.../etc/init.d/firewall.sh: 3288IPTABLES: command not found 
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
usage: cal [-jy] [[month] year]
       ncal [-Jjpwy] [-s country_code] [[month] year]
       ncal [-Jeo] [year]
/etc/init.d/firewall.sh: Local: command not found
/etc/init.d/firewall.sh: Local: command not found
/etc/init.d/firewall.sh: External: command not found
Setting rules for OUTPUT chain... Done!
Setting rules for internet device incoming chain:
  Setup port blocking on vulnerable ports... Done!
  Allowing ssh, dns, and icmp (ping/traceroute) traffic... Done!
  Setting default INPUT to DROP... Done!
Setando regras para FLAGSiptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 Done!
Setting rules for internet device outgoing chain:Setting TOS flags for www, telnet, ssh, and ftp done 


## Firewall
#!/bin/sh
#
# Firewall
#

# Change IPTABLES to the correct path for your system
IPTABLES=/sbin/iptables
#Modprobe
#MODPROBE=/sbin/modprobe
#LOGLEVEL - Log do kernel default
LOG_LEVEL="notice"

# Interface com a internet
INETDEV="eth0"

LAN="10.1.86.0/24"

# Interface com a rede
LANDEV="eth1"

# There should be no need to change this
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \  -f 1`

echo ""
echo "FireMasq version 0.7 by Dr. Teeth (2000)"
echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""

#Set default chain policy
echo -n "Setting default chain policies..."
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo " Done!"

#Flush all chains
echo -n "Flushing chains..."
$IPTABLES -F -t nat
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -X -t mangle
$IPTABLES -X
echo " Done!"

#Add custom chains
echo -n "Adding custom chains..."
$IPTABLES -N inet-in
$IPTABLES -t mangle -N mangle_output
$IPTABLES -N CHECK_FLAGS
echo " Done!"

#Set INPUT rules
echo -n "Setting rules for INPUT chain..."
$IPTABLES -A INPUT -s $LAN -d $LAN -j ACCEPT
$IPTABLES -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPTABLES -A INPUT -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.10.0/24 -d $LAN -j ACCEPT
$IPTABLES -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-in
echo " Done!"

#Set FORWARD rules
echo -n "Setting rules for FORWARD chain..."
$IPTABLES -A FORWARD -s $LAN -d $LAN -j ACCEPT
$IPTABLES -A FORWARD -s $LAN -j ACCEPT
echo " Done!"

#Activate masquerade
echo -n "Activating masquerade..."
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 110 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 25 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 21 -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport  -j MASQUERADE

#Liberado Maquina Eder
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.95/32 -j MASQUERADE
#Maquina Cescon
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.130 -j MASQUERADE
#Servidor NBS
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.231 -j MASQUERADE
#Maquina Lucrecia (pedido dia 20/02/2004)
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.124 -j MASQUERADE
#Liberndo maq. p/ navegar sem proxy (Pedido do Eder 11/02/2004)
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.113 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.104 -j MASQUERADE


#Liberando Maquinas para acesso externo ao pcAnywhere
$IPTABLES -t nat -A POSTROUTING -s 10.86.1.104 -d 200.103.91.159 -p tcp --dport 5637 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -s 10.86.1.104 -d 200.103.91.159 -p tcp --dport 5638 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -s 10.86.1.104 -d 200.103.91.159 -p udp --dport 5637 -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -s 10.86.1.104 -d 200.103.91.159 -p udp --dport 5638 -j MASQUERADE 
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.104 -j MASQUERADE
#Liberado Software Indiana
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.0/24 -p tcp --dport 1707 -j MASQUERADE 
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.111 -p tcp --dport 444 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 10.1.86.104 -p tcp --dport 25  -j MASQUERADE


#Set OUTPUT rules
echo -n "Setting rules for OUTPUT chain..."
$IPTABLES -A OUTPUT -s $LAN -d $LAN -j ACCEPT
$IPTABLES -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -o lo -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o $INETDEV -j mangle_output
echo " Done!"

#Set inet-in rules
echo "Setting rules for internet device incoming chain:"
echo -n "  Setup port blocking on vulnerable ports..."
#Block NFS
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 2049 -j DROP
$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 2049 -j DROP
#Block postgres
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport postgres -j DROP
$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport postgres -j DROP
#Block X
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 5999:6003 -j DROP
$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 5999:6003 -j DROP
#Block XFS
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 7100 -j DROP
$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 7100 -j DROP
#Block Back Orifice
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 31337 -j DROP
$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 31337 -j DROP
#Block netbus
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 12345:12346 -j DROP $IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 12345:12346 -j DROP 
echo " Done!"
echo -n "  Allowing ssh, dns, and icmp (ping/traceroute) traffic..."
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 --dport 21 -d 0.0.0.0/0 -j ACCEPT
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 80 -j ACCEPT
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 22 -j ACCEPT
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 53 -j ACCEPT
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 3389 -j ACCEPT
#$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 5631 -j ACCEPT
#$IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 5632 -j ACCEPT
$IPTABLES -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1023:65535 -j ACCEPT $IPTABLES -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1023:65535 -j ACCEPT 
$IPTABLES -A inet-in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
echo -n "  Setting default INPUT to DROP..."
$IPTABLES -A inet-in -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
echo " Done!"

#Set CHECK_FLAGS rules
echo -n "Setando regras para FLAGS"
## NMAP FIN/URG/PSH
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## SYN/RST
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN -- Scan(probably)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
echo " Done!"

#Set mangle_output rules
echo -n "Setting rules for internet device outgoing chain:"
echo -n "Setting TOS flags for www, telnet, ssh, and ftp..."
$IPTABLES -t mangle -A mangle_output -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport www -j TOS --set-tos 16 $IPTABLES -t mangle -A mangle_output -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport telnet -j TOS --set-tos 16 #$IPTABLES -t mangle -A mangle_output -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport ssh -j TOS --set-tos 16 $IPTABLES -t mangle -A mangle_output -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport ftp -j TOS --set-tos 16 $IPTABLES -t mangle -A mangle_output -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport ftp-data -j TOS --set-tos 8 
echo " Done!"

#Redirecionamento das Portas para SMI
$IPTABLES -t nat -A PREROUTING -s 200.138.21.178 -d 192.168.200.3 -p tcp --dport 3389 -j DNAT --to 10.1.86.231 $IPTABLES -t nat -A PREROUTING -s 200.181.251.78 -d 192.168.200.3 -p tcp --dport 3389 -j DNAT --to 10.1.86.231 $IPTABLES -t nat -A PREROUTING -s 200.181.251.186 -d 192.168.200.3 -p tcp --dport 3389 -j DNAT --to 10.1.86.231 #$IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p tcp --dport 5631 -j DNAT --to 10.1.86.95 #$IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p udp --dport 5632 -j DNAT --to 10.1.86.95 



##########################################################################
#proteções diversas contra portscanners, ping of death, ataques DoS, etc.#
##########################################################################
 $IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN, ACK -j DROP
 $IPTABLES -A INPUT -p icmp -i eth0 --icmp-type echo-request -j DROP

#########################
#TEste VPN DO MAIKAOOOO #
#########################
$IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p tcp --dport 1723 -j DNAT --to 10.1.86.231 $IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p udp --dport 1723 -j DNAT --to 10.1.86.231 $IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p tcp --dport 1723 -j DNAT --to 10.1.86.231 
$IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p 47 -j DNAT --to 10.1.86.231


#############
#teste snort#
#############
$IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p tcp --dport 80 -j DNAT --to 10.1.86.225 $IPTABLES -t nat -A PREROUTING -d 192.168.200.3 -p udp --dport 80 -j DNAT --to 10.1.86.225 

$IPTABLES -t nat -A PREROUTING   -p tcp --dport 5633 -j DNAT --to 10.1.86.223
$IPTABLES -t nat -A PREROUTING   -p udp --dport 5633 -j DNAT --to 10.1.86.223

$IPTABLES -t nat -A PREROUTING   -p tcp --dport 5634  -j DNAT --to 10.1.86.223
$IPTABLES -t nat -A PREROUTING   -p udp --dport 5634  -j DNAT --to 10.1.86.223

$IPTABLES -t nat -A PREROUTING   -p tcp --dport 2021  -j DNAT --to 10.1.86.155
$IPTABLES -t nat -A PREROUTING   -p udp --dport 2021  -j DNAT --to 10.1.86.155
Reply to: