Re: firewall
Achei um erro, mas como ninguém perguntou nada ...
Fabiano
Em 14/03/06, debopen<debopen@gmail.com> escreveu:
> #!/bin/sh
>
> # Variaveis
> IPTABLES="/sbin/iptables"
> MOD="/sbin/modprobe"
> WAN="ppp+"
> LAN="eth+"
> REDE="192.168.0.0/24"
> DNS="200.204.0.10, 200.204.0.138"
>
>
> case "$1" in
> start)
> echo -e "Iniciando Firewall TCL ... "
>
> depmod -a
> $MOD ip_tables
> $MOD iptable_filter
> $MOD ip_conntrack
> $MOD ip_conntrack_ftp
> $MOD iptable_nat
> $MOD ip_nat_ftp
> $MOD ipt_LOG
> $MOD ipt_state
> $MOD ipt_MASQUERADE
>
>
> #Limpando as Chains
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -X
> $IPTABLES -Z
>
>
> #Politica Padrão
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
>
>
> #Setando o Kernel para IP_Dinamico Mascarado
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> #Habilitando IP_Forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #Ativando Protecao no Kernel
> for tcl in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $tcl
> done
>
> #Ativando SynCookies para Protecao no Kernel
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> ##################TABELA INPUT########################
>
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #Porta FTP Data $IPTABLES -A INPUT -i $WAN -p tcp --dport 20 -j ACCEPT
> #Porta FTP $IPTABLES -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
> #Porta Telnet $IPTABLES -A INPUT -i $WAN -p tcp --dport 23 -j ACCEPT
> #Porta Ssh $IPTABLES -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 110 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 1863 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 4444 -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp --dport $DNS -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p udp --dport $DNS -j ACCEPT
>
>
> #Opcao dois -> Libera conexoes de retorno dos servicos ativos na
> rede interna
> #$IPTABLES -A INPUT -i $WAN -p tcp -m --multiport --dport 20, 21,
> 23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT
>
>
> #Como eu vou ter que acessar esta Maquina Remotamente, para
> Manutenção ou
> #configuracoes que se mostrarem necessarias. Vou permitir o acesso
> ao SSH.
> $IPTABLES -A INPUT -i $WAN -p tcp --dport 2222 -j ACCEPT
>
>
> #A interface que está para a internet é a PPP0, é bom sempre logar
> o pacote
> #para saber o que ele é. Regras para ping, isso varia muito de
> Admin para Admin
> #eu tenho o costume de só permitir ping da rede interna para fora,
> para ver se
> #tem problemas na conexão com a internet, para poder verificar se o
> server está on-line.
> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
>
>
> #Protecao contra enderecos spoofados da internet
> $IPTABLES -A INPUT -i $INTER -s 10.0.0.0/8 -j DROP
> $IPTABLES -A INPUT -i $INTER -s 172.16.0.0/12 -j DROP
> $IPTABLES -A INPUT -i $INTER -s 192.168.0.0/16 -j DROP
>
>
> #Ja temos tudo o que eu precisamos,vamos mandar todo o resto embora.
> $IPTABLES -A INPUT -p tcp -i $WAN -j LOG --log-level DEBUG
> --log-prefix "TCP Descartado:"
> $IPTABLES -A INPUT -p icmp -i $WAN -j LOG --log-level DEBUG
> --log-prefix "ICMP Descartado:"
> $IPTABLES -A INPUT -j DROP
>
> ##################TABELA FORWARD######################
>
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> #Porta FTP Data $IPTABLES -A FORWARD -i $LAN -p tcp --sport 20 -j
> ACCEPT
> #Porta FTP $IPTABLES -A FORWARD -i $LAN -p tcp --sport 21 -j
> ACCEPT
> #Porta Telnet $IPTABLES -A FORWARD -i $LAN -p tcp --sport 23 -j
> ACCEPT
> #Porta Ssh $IPTABLES -A FORWARD -i $LAN -p tcp --sport 22 -j
> ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 25 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 110 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 443 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 1863 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport 4444 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p tcp --sport $DNS -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -p udp --sport $DNS -j ACCEPT
>
>
> #Opcao dois -->Libera as Conexoes da Rede Interna para Internet
> #$IPTABLES -A FORWARD -i $LAN -p tcp -m --multiport --sport 20, 21,
> 23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT
>
>
> #Protecoes diversas contra PortScanners, Ping of Death, ataques
> DoS, etc...
> $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
> limit --limit 1/s -j ACCEPT
> $IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
> $IPTABLES -A FORWARD -m unclean -j DROP
>
>
> #Em muitas distribuições com o Kernel 2.6 é necessário usar um quarto
> #comando ao compartilhar uma conexão ADSL. Este comando ajusta os
> #tamanhos dos pacotes recebidos do modem ao MTU usado na rede local.
> $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m \
> tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
>
> ##################TABELA NAT####################
>
> #Acesso de Fora para Rede Local tendo Classe de IP 192.168.0.0
>
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.2:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.3:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.4:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.5:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.6:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.7:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.8:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.9:2222
> #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222
> -j DNAT --to-destination 192.168.0.10:2222
>
>
> #Aqui vai a simples linha que vai compartilhar o acesso a Internet.
> $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
>
> ;;
> stop)
> echo "Parando Firewall TCL ... "
> $IPTABLES -X
> $IPTABLES -F
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
>
> $IPTABLES -t nat -F
> $IPTABLES -t nat -X
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> ;;
> restart)
> $0 stop
> $0 start
> ;;
> status)
> $IPTABLES -L -n
> $IPTABLES -t nat -L -n
> ;;
> *)
> echo "Use: $0 {start|stop|restart|status}"
> exit 1
> ;;
> esac
> exit 0
>
>
> --
> To UNSUBSCRIBE, email to debian-user-portuguese-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
--
Abraços,
Fabiano
Reply to:
- References:
- firewall
- From: debopen <debopen@gmail.com>