
Re: iptables script with the firewall default policy set to DROP



Julián Esteban Perconti wrote:
Miguel Da Silva - Centro de Matemática wrote:
adriancito wrote:
Hi list.

Does anyone have an example of an iptables script that has DROP as the default policy and handles several interfaces (or segments)?

Thanks a lot.

Regards.



But... is that all you want?!

Honestly, the contents of the script can vary (a lot) depending on what you want.

Give us a bit more information.

Regards.
Oh nice, a bit of iptables on the list... I can pass you this (the one I use)

#!/bin/bash

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -m state --state INVALID -j DROP
iptables -t nat -A POSTROUTING -m state --state INVALID -j DROP
iptables -t nat -A OUTPUT -m state --state INVALID -j DROP

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

iptables -N icmp_packets
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT


iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# INPUT HP #

iptables -A INPUT -p tcp -j bad_tcp_packets
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT #DNS
iptables -t filter -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT #DNS
iptables -t filter -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT #DHCP
iptables -t filter -A INPUT -i eth1 -p udp --dport 445 -j ACCEPT #Microsoft-DS SMB file sharing
iptables -t filter -A INPUT -i eth1 -p tcp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A INPUT -i eth1 -p udp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT -s 192.168.0.2 #SSH
iptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# OUTPUT HP #

iptables -A OUTPUT -p tcp -j bad_tcp_packets
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
iptables -t filter -A OUTPUT -p udp --sport 67 -j ACCEPT #DHCP
iptables -t filter -A OUTPUT -p udp --dport 445 -j ACCEPT #Microsoft-DS SMB file sharing
iptables -t filter -A OUTPUT -p tcp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A OUTPUT -p udp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# FORWARD LAN #

iptables -t filter -A FORWARD -i eth1 -p tcp --dport 20 -j ACCEPT #ftp-data
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT #ftp-control
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 25 -j ACCEPT #smtp
iptables -t filter -A FORWARD -i eth1 -p udp --dport 25 -j ACCEPT #smtp
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT #www
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 110 -j ACCEPT #pop
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A FORWARD -i eth1 -p udp --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 143 -j ACCEPT #imap
iptables -t filter -A FORWARD -i eth1 -p udp --dport 143 -j ACCEPT #imap
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT #https
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 445 -j ACCEPT #Microsoft-DS SMB file sharing
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 465 -j ACCEPT #SMTP over SSL
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 989 -j ACCEPT #FTP Protocol (data) over TLS/SSL
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 990 -j ACCEPT #FTP Protocol (control) over TLS/SSL

iptables -t filter -A FORWARD -i eth1 -p tcp --dport 993 -j ACCEPT #IMAPS
iptables -t filter -A FORWARD -i eth1 -p tcp --dport 995 -j ACCEPT #POP3S

# NAT #

# TEGNet
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5479 -j DNAT --to 192.168.0.2:5479

# BitTorrent
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ? -j DNAT --to 192.168.0.2:?

# eMule's
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000 -j DNAT --to 192.168.0.2:2000
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2010 -j DNAT --to 192.168.0.2:2010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3000 -j DNAT --to 192.168.0.3:3000
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 3010 -j DNAT --to 192.168.0.3:3010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4000 -j DNAT --to 192.168.0.4:4000
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4010 -j DNAT --to 192.168.0.4:4010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5000 -j DNAT --to 192.168.0.5:5000
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 5010 -j DNAT --to 192.168.0.5:5010

iptables -t filter -A FORWARD -p tcp --dport 0:1024 -j DROP
iptables -t filter -A FORWARD -p udp --dport 0:1024 -j DROP

note that FORWARD isn't set to DROP because I had problems with p2p programs..
hope it helps...
Good luck.

sorry mdasilva.
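The original question asked for DROP as the default policy across several segments, and the script above leaves FORWARD on ACCEPT and loads rules one by one. The following is an added example, not code from the thread, that keeps DROP on INPUT, OUTPUT and FORWARD for a WAN/LAN/DMZ box and emits the ruleset in iptables-restore format so it loads atomically; the port forward still works under a DROP FORWARD policy because the matching FORWARD rule accepts connections the nat table has already DNATed (--ctstate DNAT). Interface names, networks and the admin host are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): three-segment firewall with
# DROP as default policy on INPUT, OUTPUT and FORWARD, in iptables-restore
# format. Interfaces/networks below are constructed assumptions.
WAN=${WAN:-ppp0}; LAN=${LAN:-eth1}; DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-192.168.0.0/24}; DMZ_NET=${DMZ_NET:-192.168.1.0/24}
LAN_ADMIN=${LAN_ADMIN:-192.168.0.2}   # only host allowed to SSH to the firewall

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 5479 -j DNAT --to-destination $LAN_ADMIN:5479
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN_TO_WAN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -s $LAN_ADMIN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT drop: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# New inbound connections are only forwarded if PREROUTING DNATed them above
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j LAN_TO_WAN
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $DMZ_NET -p tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "IPT FORWARD drop: "
-A LAN_TO_WAN -p tcp -m multiport --dports 25,80,110,143,443,465,587,993,995 -j ACCEPT
-A LAN_TO_WAN -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = apply ]; then
  gen_rules | iptables-restore
fi
```

Run with `apply` as root to load the ruleset; without arguments it only defines gen_rules, so you can review the output with `gen_rules` or `iptables-restore --test` first.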

