Re: aceitando conexão SSH
desculpe a demora, eu tentei aqui não deu muito certo...
vou colocar o script junto para vc dar uma olhada para mim, fazendo
favor...
#!/bin/bash
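#######################################
# "start": load the netfilter modules, flush whatever rules are loaded and
# build the complete rule set: DROP policies on INPUT/FORWARD/OUTPUT,
# anti-scan / anti-flood chains (TRINOO, SCANNER), NAT masquerading, the
# transparent Squid redirect, the VNC DNAT and the port-probe logging.
# The script treats eth0 as the external (Internet) interface and eth1 as
# the internal LAN interface.
# Every iptables invocation must stay on ONE line: when a command is wrapped
# (as the mailing-list copy did), the trailing arguments are parsed as a
# separate command and the rule is silently not installed.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout; iptables/modprobe errors on stderr
# Returns:   status of the last command (failures are not checked)
#######################################
iniciar(){
  echo ""
  echo "Ativando modulos........................................................ [ OK ]"
  modprobe iptable_filter
  modprobe iptable_nat
  modprobe ipt_conntrack
  modprobe ipt_MASQUERADE
  modprobe ipt_LOG
  modprobe ipt_REJECT
  modprobe ip_nat_ftp
  modprobe ip_tables
  modprobe iptable_mangle
  modprobe ip_conntrack_ftp
  modprobe ipt_REDIRECT
  modprobe ip_queue
  modprobe ipt_MARK
  modprobe ipt_TCPMSS
  modprobe ipt_TOS
  modprobe ipt_limit
  modprobe ipt_mac
  modprobe ipt_mark
  modprobe ipt_multiport
  modprobe ipt_owner
  modprobe ipt_state
  modprobe ipt_tcpmss
  modprobe ipt_tos
  echo "Limpando as regras antigas.............................................. [ OK ]"
  iptables -F
  iptables -F -t nat
  iptables -F -t mangle
  # The user chains are empty after -F; delete them so that the -N TRINOO /
  # -N SCANNER below do not fail with "Chain already exists" when start is
  # run twice in a row.
  iptables -X
  echo "Bloqueios..."
  echo "--bloqueando tudo....................................................... [ OK ]"
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  echo "--bloqueando tracertroute............................................... [ OK ]"
  iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
  echo "--bloqueando ping....................................................... [ OK ]"
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # Loopback is accepted further down ("Configurar interface loopback").
  #echo "Configurar interface loopback........................................... [ OK ]"
  #iptables -t filter -A INPUT -i lo -j ACCEPT
  echo "Montando protecoes..."
  echo "--protecao contra ICMP Broadcasting..................................... [ OK ]"
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "--protecao contra synflood.............................................. [ OK ]"
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "--protecao contra IP spoofing........................................... [ OK ]"
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  echo "--protecao contra worms................................................. [ OK ]"
  iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT
  echo "--protecao contra portscanners, ping of death, ataques DoS, etc......... [ OK ]"
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # NOTE(review): this accepts up to 1 forwarded TCP packet/s (plus the
  # default burst) before any later FORWARD rule is consulted, including the
  # "NEW sem syn" drop below -- confirm that is intended.
  iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
  #iptables -A FORWARD -m unclean -j DROP
  echo "--protecao contra trinoo................................................ [ OK ]"
  # TRINOO: rate-limited log, then drop.
  iptables -N TRINOO
  iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
  iptables -A TRINOO -j DROP
  iptables -A INPUT -p TCP -i eth0 --dport 27444 -j TRINOO
  iptables -A INPUT -p TCP -i eth0 --dport 27665 -j TRINOO
  iptables -A INPUT -p TCP -i eth0 --dport 31335 -j TRINOO
  iptables -A INPUT -p TCP -i eth0 --dport 34555 -j TRINOO
  iptables -A INPUT -p TCP -i eth0 --dport 35555 -j TRINOO
  echo "--protecao contra port scanners......................................... [ OK ]"
  # SCANNER: invalid TCP flag combinations arriving on eth0; log then drop.
  iptables -N SCANNER
  iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
  iptables -A SCANNER -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER
  echo "--protecao contra ataques............................................... [ OK ]"
  iptables -A INPUT -m state --state INVALID -j DROP
  echo "Filtros - DROP nos pacotes TCP indesejaveis............................. [ OK ]"
  iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
  iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  echo "Fazendo o sistema operacional entender que eh um roteador............... [ OK ]"
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Compartilhando conexao.................................................. [ OK ]"
  iptables -t nat -A POSTROUTING -j MASQUERADE
  echo "Configurar interface loopback........................................... [ OK ]"
  iptables -t filter -A INPUT -i lo -j ACCEPT
  echo "Liberando PREROUTING e POSTROUTING...................................... [ OK ]"
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  echo "Libera pacotes de retorno da internet................................... [ OK ]"
  # Everything arriving on an interface other than eth0 (the LAN side) is
  # accepted here, so the per-port INPUT rules below only matter for eth0.
  iptables -A INPUT ! -i eth0 -j ACCEPT
  #iptables -A INPUT -i eth0 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NEW is included in the next two rules, so after this point essentially
  # only packets conntrack classes as INVALID are left for the OUTPUT and
  # FORWARD DROP policies.
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  echo "Liberando porta 53 para DNS............................................. [ OK ]"
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp --dport 53 -j ACCEPT
  echo "Liberando portas SSH ................................................... [ OK ]"
  # Only TCP/22225 is opened for SSH; sshd must listen on that port (or this
  # rule must use the port sshd really listens on) for external SSH to get
  # through the INPUT DROP policy.
  iptables -A INPUT -p tcp --dport 22225 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 22225 -j ACCEPT
  echo "Abrindo as portas do samba rede interna................................. [ OK ]"
  iptables -A INPUT -p tcp -i eth1 --syn --dport 139 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --syn --dport 138 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --syn --dport 137 -j ACCEPT
  echo "Rejeitando as portas do samba externamente.............................. [ OK ]"
  # The original also had -j DROP rules for the same three ports right after
  # these; they could never match (the REJECT already consumed the packet),
  # so they were removed.
  iptables -A INPUT -p tcp -i eth0 --syn --dport 139 -j REJECT
  iptables -A INPUT -p tcp -i eth0 --syn --dport 138 -j REJECT
  iptables -A INPUT -p tcp -i eth0 --syn --dport 137 -j REJECT
  echo "Montando redirecionamento VNC........................................... [ OK ]"
  # -I puts this rule at the head of PREROUTING, ahead of the Squid REDIRECT.
  # It is not restricted to eth0, so it matches port 5900 on any inbound
  # interface.
  iptables -t nat -I PREROUTING -p tcp --dport 5900 -j DNAT --to-destination 10.0.0.7:5900
  echo "Liberando porta 80 e 443................................................ [ OK ]"
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  echo "Liberando e montando trafego da porta 80 para o squid transparent....... [ OK ]"
  # NOTE(review): accepting 3128 on eth0 exposes the proxy port to the
  # external side; unless Squid's own ACLs restrict clients, this makes it
  # reachable as an open proxy -- review whether the eth0 rules are needed.
  iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
  iptables -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  ########################################################################################################
  echo "Logs..."
  #echo "--monitorando conexoes feitas na tabela nat............................. [ OK ]"
  echo "--loga tentativa de acesso a determinadas portas........................ [ OK ]"
  # These LOG rules only see packets that reached this point unmatched, i.e.
  # ones about to hit the INPUT DROP policy. The http (80), squid (3128) and
  # samba entries are effectively unreachable because those ports were
  # already accepted or rejected above.
  iptables -A INPUT -p tcp --dport 21 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
  iptables -A INPUT -p tcp --dport 23 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
  iptables -A INPUT -p tcp --dport 25 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
  iptables -A INPUT -p tcp --dport 80 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
  iptables -A INPUT -p tcp --dport 110 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
  iptables -A INPUT -p udp --dport 111 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
  iptables -A INPUT -p tcp --dport 113 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
  iptables -A INPUT -p tcp --dport 137:139 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
  iptables -A INPUT -p udp --dport 137:139 -i eth1 -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
  iptables -A INPUT -p tcp --dport 161:162 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
  iptables -A INPUT -p tcp --dport 6667:6668 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
  iptables -A INPUT -p tcp --dport 3128 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
  ########################################################################################################
}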
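#######################################
# "stop": flush the filter and nat tables, reset the built-in policies to
# ACCEPT and delete the TRINOO/SCANNER chains, then re-enable routing,
# masquerading and the transparent Squid redirect.
# NOTE: after this the host keeps forwarding and NATing traffic with no
# filtering at all (ACCEPT policies, no rules). That is the stated intent
# ("continua um roteador"), but it means "stop" leaves the gateway open.
# Each iptables command must stay on one line (see iniciar).
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command (failures are not checked)
#######################################
parar(){
  echo ""
  echo "Parando firewall........................................................ [ OK ]"
  iptables -F
  iptables -t nat -F
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  # -F above emptied the user chains, so -X can delete them.
  iptables -X TRINOO
  iptables -X SCANNER
  echo "Fazendo o sistema operacional entender que ele continua um roteador..... [ OK ]"
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Compartilhando apenas a conexao......................................... [ OK ]"
  iptables -t nat -A POSTROUTING -j MASQUERADE
  echo "Montando trafego da porta 80 para o squid transparent................... [ OK ]"
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  echo ""
}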
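#######################################
# "restart", first half: tear the rule set down exactly like parar does
# (flush, ACCEPT policies, delete user chains) but without re-adding the
# NAT rules; the case statement below calls iniciar right after it.
# Between this function and iniciar's "-P ... DROP" the policies are ACCEPT
# with no rules, i.e. a brief fail-open window.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command (failures are not checked)
#######################################
restart(){
  echo ""
  echo "Parando firewall........................................................ [ OK ]"
  iptables -F
  iptables -t nat -F
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  # -F above emptied the user chains, so -X can delete them.
  iptables -X TRINOO
  iptables -X SCANNER
  echo "Iniciando firewall...................................................... [ OK ]"
}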
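# Dispatch on the first argument; anything else prints the usage line to
# stderr and exits 1. "restart" is the teardown in restart() followed by a
# full iniciar().
case "$1" in
  "start") iniciar ;;
  "stop") parar ;;
  "restart") restart; iniciar ;;
  *)
    # "$0" is quoted so a script path containing spaces still prints correctly;
    # the usage text must be one line or the message is split in two.
    printf "paramentro do uso do script %s\n" "$(basename "$0") {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0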
--------------------------------------------------
From: "Alexandre Pereira Bühler" <buhler@infobrindes.com.br>
Sent: Thursday, May 20, 2010 11:42 AM
To: <debian-user-portuguese@lists.debian.org>
Cc: "Jeferson Nataniel Slywitch" <jeferson.slywitch@gmail.com>
Subject: Re: aceitando conexão SSH
Amigo se você bloqueou o input, forward e o output deve lembrar que além
de liberar o input deve liberar também o output para o ssh.
Uma regra básica que deve existir também neste caso é:
liberar o localhost ou todos os serviços na sua máquina podem travar
iptables -t filter -A INPUT -i lo -j ACCEPT
também pense em colocar estas linhas abaixo:
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
Obrigado
--
Alexandre Pereira Bühler
Técnico Eletroeletrônica - Senai - MG
Linux User: 397.546
Colunista: www.delphisophp.com
Owner: http://br.groups.yahoo.com/group/freepascal/
Liberdade é essencial. Use GNU/Linux.
Legalize os softwares de sua empresa
Simão& Bühler Ltda (Infobrindes)
Instalação, manutenção e venda de servidores GNU/Linux.
http://www.simaoebuhler.com.br
Hardware acesse, veja e tenha produtos com qualidade, garantia e nota
fiscal.
http://www.simaoebuhler.com.br/loja
alexandre@simaoebuhler.com.br
Telefone: (41) 3538-5428
Infobrindes (Simão& Bühler Ltda)
Brindes e material promocional.
http://www.infobrindes.com.br
alexandre@infobrindes.com.br
Telefone: (41) 3532-5428