
Re: Script iptables con Firewall por defecto a DROP



On Fri, Jun 13, 2008 at 3:19 AM, Abraham Pérez <jockah@gmail.com> wrote:
>
>
> 2008/6/13 Julián Esteban Perconti <vh1988@yahoo.com.ar>:
>>
>> Julián Esteban Perconti escribió:
>>>
>>> Miguel Da Silva - Centro de Matemática escribió:
>>>>
>>>> adriancito wrote:
>>>>>
>>>>> Buenas lista.
>>>>>
>>>>> Alguien tendrá algún ejemplo de un script de iptables donde tenga como
>>>>> política por defecto DROP y el mismo tenga varias interfaces (o segmentos)?
>>>>>
>>>>> Muchas Gracias.
>>>>>
>>>>> Saludos.
>>>>>
>>>>>
>>>>
>>>> Pero... solo querés eso?!

Te paso uno de reglas simples, pero funcional.
No es avanzado, pero creo que la forma es ordenada y además es fácil
de modificar.
Para poder agregarle segmentos solo tendrías que agregar algunas cosas y
podés reutilizar las funciones.

#!/bin/bash
#    NetSecure team
#    info@netsecure.com.ar

# Location of the iptables binary and the two interfaces this box sits
# between (E_dev is presumably the upstream side, I_dev the LAN side).
iptables="/sbin/iptables"
E_dev="eth0"
I_dev="eth1"

# Space-separated port lists consumed by start(); the word-splitting of
# these strings in its for-loops is intentional.
open_tcp_ports="53 22 21 20"
open_udp_ports="53"

# Loopback is accepted on every invocation of this script, whatever the
# command.  NOTE(review): rules added here at load time do not survive
# flusher()'s "-F"; anything that must persist after "start" belongs in
# start() after the flush.
"$iptables" -A INPUT  -i lo -j ACCEPT
"$iptables" -A OUTPUT -o lo -j ACCEPT


#######################################
# Wipe every rule and user-defined chain in the filter, nat and mangle
# tables, then set the three filter policies to DROP.
# Globals:  iptables (read)
# Outputs:  progress messages on stdout
#######################################
flusher () {
  local table chain
  echo "[Borrando reglas]"
  # filter table (the default table when no -t is given)
  "$iptables" -F
  "$iptables" -X
  for table in nat mangle; do
    echo "  [$table]"
    "$iptables" -t "$table" -F
    "$iptables" -t "$table" -X
  done

  echo ""
  echo "{ - Restaurando reglas de acceso y egreso - }"
  # Closed by default: nothing passes until a function below opens it.
  for chain in INPUT OUTPUT FORWARD; do
    "$iptables" -P "$chain" DROP
  done
}
#######################################
# Set the default policy of INPUT, OUTPUT and FORWARD to DROP.
# Globals:  iptables (read)
# Outputs:  a warning line on stdout
#######################################
polices_reject ()
{
  local chain
  echo ""
  echo "[warn] Aplicando Politica cerrada"
  for chain in INPUT OUTPUT FORWARD; do
    "$iptables" -P "$chain" DROP
  done
}
#######################################
# Set the default policy of INPUT, OUTPUT and FORWARD to ACCEPT
# (the firewall is effectively off afterwards).
# Globals:  iptables (read)
# Outputs:  a warning line on stdout
#######################################
polices_accept ()
{
  local chain
  echo ""
  echo "[warn] Aplicando Politica abierta"
  for chain in INPUT OUTPUT FORWARD; do
    "$iptables" -P "$chain" ACCEPT
  done
}

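#######################################
# Open a TCP port in both directions.
# Arguments: $1 - port number, range (a:b) or service name; must be non-empty
# Globals:   iptables (read)
# Returns:   1 with an error on stderr when $1 is empty (the original passed
#            an empty argument straight to iptables)
# NOTE(review): the two --sport rules match only on the peer's source port,
# so any inbound packet that merely claims source port $1 is accepted.  A
# conntrack rule ("-m state --state ESTABLISHED,RELATED") is the usual way
# to admit reply traffic.  The rule shape is kept so close_tcpport() still
# finds these rules when deleting.
#######################################
open_tcpport (){
  local port=$1
  if [[ -z "$port" ]]; then
    echo "open_tcpport: falta el puerto" >&2
    return 1
  fi
  echo "Abriendo puerto tcp [ $port ]"
  "$iptables" -I INPUT  -p tcp --dport "$port" -j ACCEPT
  "$iptables" -I INPUT  -p tcp --sport "$port" -j ACCEPT
  "$iptables" -I OUTPUT -p tcp --sport "$port" -j ACCEPT
  "$iptables" -I OUTPUT -p tcp --dport "$port" -j ACCEPT
}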
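#######################################
# Delete the four rules installed by open_tcpport() for a TCP port.
# Arguments: $1 - port number, range (a:b) or service name; must be non-empty
# Globals:   iptables (read)
# Returns:   1 with an error on stderr when $1 is empty
# The rule shape must stay identical to open_tcpport(), otherwise -D does
# not match and the port stays open.
#######################################
close_tcpport (){
  local port=$1
  if [[ -z "$port" ]]; then
    echo "close_tcpport: falta el puerto" >&2
    return 1
  fi
  echo "Cerrando puerto tcp [ $port ]"
  "$iptables" -D INPUT  -p tcp --dport "$port" -j ACCEPT
  "$iptables" -D INPUT  -p tcp --sport "$port" -j ACCEPT
  "$iptables" -D OUTPUT -p tcp --sport "$port" -j ACCEPT
  "$iptables" -D OUTPUT -p tcp --dport "$port" -j ACCEPT
}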
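#######################################
# Open a UDP port in both directions.
# Arguments: $1 - port number, range (a:b) or service name; must be non-empty
# Globals:   iptables (read)
# Returns:   1 with an error on stderr when $1 is empty
# NOTE(review): as with open_tcpport(), the --sport rules accept any inbound
# datagram whose source port happens to be $1; conntrack-based matching is
# the stricter alternative.  Rule shape kept so close_udpport() still matches.
#######################################
open_udpport (){
  local port=$1
  if [[ -z "$port" ]]; then
    echo "open_udpport: falta el puerto" >&2
    return 1
  fi
  echo "Abriendo puerto udp [ $port ]"
  "$iptables" -I INPUT  -p udp --dport "$port" -j ACCEPT
  "$iptables" -I INPUT  -p udp --sport "$port" -j ACCEPT
  "$iptables" -I OUTPUT -p udp --sport "$port" -j ACCEPT
  "$iptables" -I OUTPUT -p udp --dport "$port" -j ACCEPT
}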

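#######################################
# Delete the four rules installed by open_udpport() for a UDP port.
# Arguments: $1 - port number, range (a:b) or service name; must be non-empty
# Globals:   iptables (read)
# Returns:   1 with an error on stderr when $1 is empty
# The progress message said "tcp" in the original; it now says "udp".
#######################################
close_udpport (){
  local port=$1
  if [[ -z "$port" ]]; then
    echo "close_udpport: falta el puerto" >&2
    return 1
  fi
  echo "Cerrando puerto udp [ $port ]"
  "$iptables" -D INPUT  -p udp --dport "$port" -j ACCEPT
  "$iptables" -D INPUT  -p udp --sport "$port" -j ACCEPT
  "$iptables" -D OUTPUT -p udp --sport "$port" -j ACCEPT
  "$iptables" -D OUTPUT -p udp --dport "$port" -j ACCEPT
}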
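#######################################
# Log new inbound SSH connection attempts that do not originate from $fw.
# Globals:  iptables (read)
#           fw (read)   - address exempt from logging; not set anywhere in
#                         this script, must come from the environment
#           sshp (read) - SSH port to watch; likewise not set in this script
# Returns:  1 without touching the ruleset when fw or sshp is empty (the
#           original then ran iptables with the -s/--dport values missing)
# Note:     the call in start() is commented out.
#######################################
do_log ()
{
  if [[ -z "$fw" || -z "$sshp" ]]; then
    echo "do_log: fw y sshp deben estar definidos" >&2
    return 1
  fi
  # "! -s" is the supported negation form; the older "-s !" is deprecated.
  "$iptables" -I INPUT ! -s "$fw" -p tcp --dport "$sshp" \
    --syn -m state --state NEW \
    -j LOG --log-level 1 --log-prefix "IPT INTENTO SSH: "
}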
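#######################################
# Masquerade (source-NAT) traffic leaving through the external interface.
# Globals:  iptables (read), E_dev (read) - external interface name
# Returns:  1 with an error on stderr when E_dev is empty
# Why: the original rule had no "-o", so it rewrote the source of every
# packet leaving on any interface, LAN side included; "-d 0.0.0.0/0" was a
# no-op and is dropped.
#######################################
enmascaramiento ()
{
  if [[ -z "$E_dev" ]]; then
    echo "enmascaramiento: E_dev (interfaz externa) no esta definida" >&2
    return 1
  fi
  echo "Aplicando Reglas de routeo"
  "$iptables" -t nat -A POSTROUTING -o "$E_dev" -j MASQUERADE
}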

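#######################################
# Enable IPv4 routing and allow forwarding between the LAN and the outside.
# Globals:  iptables (read), I_dev (read) - internal interface,
#           E_dev (read) - external interface
# Returns:  1 with an error on stderr when either interface name is empty
# Why: the original "-A FORWARD -j ACCEPT" accepted every forwarded packet
# in every direction, which made the FORWARD DROP policy set by flusher()
# and polices_reject() meaningless.  LAN-to-outside traffic is allowed and
# only conntrack-tracked replies are let back in.
#######################################
forward ()
{
  if [[ -z "$I_dev" || -z "$E_dev" ]]; then
    echo "forward: I_dev y E_dev deben estar definidas" >&2
    return 1
  fi
  echo "Aplicando Forward"
  # A failed write (not root, read-only /proc) is reported but not fatal.
  echo 1 > /proc/sys/net/ipv4/ip_forward \
    || echo "forward: no se pudo activar ip_forward" >&2
  "$iptables" -A FORWARD -i "$I_dev" -o "$E_dev" -j ACCEPT
  "$iptables" -A FORWARD -i "$E_dev" -o "$I_dev" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
}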

#######################################
# Toggle ICMP in both directions.
# Arguments: $1 - "able" inserts the ACCEPT rules, "disable" deletes them;
#            any other value does nothing and returns 0
# Globals:   iptables (read)
#######################################
icmp ()
{
  local action
  if [[ "$1" == "able" ]]; then
    action=-I
  elif [[ "$1" == "disable" ]]; then
    action=-D
  else
    return 0
  fi
  "$iptables" "$action" INPUT -p icmp -j ACCEPT
  "$iptables" "$action" OUTPUT -p icmp -j ACCEPT
}

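#######################################
# Bring the firewall up: flush, close the policies, NAT, forwarding, then
# open the configured ports.
# Globals:  iptables, open_tcp_ports, open_udp_ports (read; the port lists
#           are space-separated strings)
# Why: the loopback ACCEPT rules appended when the script loads are removed
# by flusher()'s -F, so they are re-added here after the flush; without
# them the DROP policies also block 127.0.0.1 traffic.
#######################################
start ()
{
  local port
  flusher
  polices_reject
  "$iptables" -A INPUT  -i lo -j ACCEPT
  "$iptables" -A OUTPUT -o lo -j ACCEPT
  enmascaramiento
  forward
  # shellcheck disable=SC2086 -- the lists are deliberately word-split
  for port in $open_tcp_ports; do
    open_tcpport "$port"
  done
  # shellcheck disable=SC2086
  for port in $open_udp_ports; do
    open_udpport "$port"
  done
  # do_log   # disabled as in the original; needs fw and sshp set
}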
#######################################
# Tear the firewall down: wipe every rule, then open all three policies.
#######################################
stop ()
{
  flusher
  polices_accept
}
#######################################
# Page through the filter table, then the nat table (numeric output).
# Globals:  iptables (read)
#######################################
status ()
{
  local pager=more
  "$iptables" -nL        | "$pager"
  "$iptables" -nL -t nat | "$pager"
}



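# Command dispatcher.  Every command acts on the live ruleset; the *port
# commands take the port as $2 and the functions reject an empty port.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  openport)
    open_tcpport "$2"
    ;;
  closeport)
    close_tcpport "$2"
    ;;
  openup)
    open_udpport "$2"
    ;;
  closeup)
    close_udpport "$2"
    ;;
  icmpa)
    icmp able
    ;;
  icmpd)
    icmp disable
    ;;
  router)
    enmascaramiento
    forward
    ;;
  *)
    # openup takes a UDP port (the original usage text said tcpport) and the
    # icmpa/icmpd/router commands were missing from it; unknown commands now
    # exit non-zero instead of 0.
    echo "usage: $0 start | stop | restart | status | openport [tcpport] | closeport [tcpport] | openup [udpport] | closeup [udpport] | icmpa | icmpd | router" >&2
    exit 1
    ;;
esac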








>>>>
>>>> La verdad que el contenido del script puedo variar (y muchísimo) según
>>>> lo que quieras.
>>>>
>>>> Danos un poco más de información.
>>>>
>>>> Saludos.
>>>
>>> huy que bueno un poco de tablas a la lista...te puedo pasar esto (el que
>>> yo uso)
>>>
>>> #!/bin/bash
>>>
>>> /sbin/modprobe ip_conntrack
>>> /sbin/modprobe ip_conntrack_ftp
>>> /sbin/modprobe ip_tables
>>> /sbin/modprobe iptable_filter
>>> /sbin/modprobe iptable_mangle
>>> /sbin/modprobe iptable_nat
>>> /sbin/modprobe ipt_LOG
>>> /sbin/modprobe ipt_REJECT
>>> /sbin/modprobe ipt_MASQUERADE
>>>
>>> iptables -t filter -F
>>> iptables -t filter -X
>>> iptables -t filter -Z
>>> iptables -t nat -F
>>> iptables -t nat -X
>>> iptables -t nat -Z
>>> iptables -t filter -P INPUT DROP
>>> iptables -t filter -P OUTPUT DROP
>>> iptables -t filter -P FORWARD ACCEPT
>>> iptables -t nat -P PREROUTING ACCEPT
>>> iptables -t nat -P OUTPUT ACCEPT
>>> iptables -t nat -P POSTROUTING ACCEPT
>>>
>>> iptables -N bad_tcp_packets
>>> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
>>> --log-prefix "New not syn:"
>>> iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>>> iptables -A bad_tcp_packets -i ppp0 -s 192.168.0.0/16 -j DROP
>>> iptables -A bad_tcp_packets -i ppp0 -s 10.0.0.0/8 -j DROP
>>> iptables -A bad_tcp_packets -i ppp0 -s 172.16.0.0/12 -j DROP
>>>
>>> iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j
>>> ACCEPT
>>> iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j
>>> ACCEPT
>>> iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j
>>> ACCEPT
>>> iptables -t nat -A PREROUTING -m state --state INVALID -j DROP
>>> iptables -t nat -A POSTROUTING -m state --state INVALID -j DROP
>>> iptables -t nat -A OUTPUT -m state --state INVALID -j DROP
>>>
>>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>>> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>>> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
>>> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
>>> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>>> echo 0 > /proc/sys/net/ipv4/tcp_sack
>>>
>>> iptables -N icmp_packets
>>> iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>>> iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>>>
>>>
>>> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
>>> iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
>>> iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
>>>
>>> # INPUT HP #
>>>
>>> iptables -A INPUT -p tcp -j bad_tcp_packets
>>> iptables -t filter -A INPUT -i lo -j ACCEPT
>>> iptables -t filter -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT #DNS
>>> iptables -t filter -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT #DNS
>>> iptables -t filter -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT #DHCP
>>> iptables -t filter -A INPUT -i eth1 -p udp --dport 445 -j ACCEPT
>>> #Microsoft-DS SMB file sharing
>>> iptables -t filter -A INPUT -i eth1 -p tcp --dport 137:139 -j ACCEPT
>>> #NetBios
>>> iptables -t filter -A INPUT -i eth1 -p udp --dport 137:139 -j ACCEPT
>>> #NetBios
>>> iptables -t filter -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT -s
>>> 192.168.0.2 #SSH
>>> iptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j
>>> LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
>>>
>>> # OUTPUT HP #
>>>
>>> iptables -A OUTPUT -p tcp -j bad_tcp_packets
>>> iptables -t filter -A OUTPUT -o lo -j ACCEPT
>>> iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT #DNS
>>> iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT #DNS
>>> iptables -t filter -A OUTPUT -p udp --sport 67 -j ACCEPT #DHCP
>>> iptables -t filter -A OUTPUT -p udp --dport 445 -j ACCEPT #Microsoft-DS
>>> SMB file sharing
>>> iptables -t filter -A OUTPUT -p tcp --dport 137:139 -j ACCEPT #NetBios
>>> iptables -t filter -A OUTPUT -p udp --dport 137:139 -j ACCEPT #NetBios
>>> iptables -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j
>>> LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
>>>
>>> # FORWARD LAN #
>>>
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 20 -j ACCEPT
>>> #ftp-control
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
>>> #ftp-data
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 25 -j ACCEPT #smtp
>>> iptables -t filter -A FORWARD -i eth1 -p udp --dport 25 -j ACCEPT #smtp
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT #www
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 110 -j ACCEPT #pop
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 137:139 -j ACCEPT
>>> #NetBios
>>> iptables -t filter -A FORWARD -i eth1 -p udp --dport 137:139 -j ACCEPT
>>> #NetBios
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 143 -j ACCEPT #imap
>>> iptables -t filter -A FORWARD -i eth1 -p udp --dport 143 -j ACCEPT #imap
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT #https
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 445 -j ACCEPT
>>> #Microsoft-DS SMB file sharing
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 465 -j ACCEPT #SMTP
>>> over SSL
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 989 -j ACCEPT #FTP
>>> Protocol (data) over TLS/SSL
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 990 -j ACCEPT #FTP
>>> Protocol (control) over TLS/SSL
>>>
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 993 -j ACCEPT #IMAPS
>>> iptables -t filter -A FORWARD -i eth1 -p tcp --dport 995 -j ACCEPT #POP3S
>>>
>>> # NAT #
>>>
>>> # TEGNet
>>> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5479 -j DNAT --to
>>> 192.168.0.2:5479
>>>
>>> # BitTorrent
>>> #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ? -j DNAT --to
>>> 192.168.0.2:?
>>>
>>> # eMule's
>>> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000 -j DNAT --to
>>> 192.168.0.2:2000
>>> iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2010 -j DNAT --to
>>> 192.168.0.2:2010
>>> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3000 -j DNAT --to
>>> 192.168.0.3:3000
>>> iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 3010 -j DNAT --to
>>> 192.168.0.3:3010
>>> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4000 -j DNAT --to
>>> 192.168.0.4:4000
>>> iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4010 -j DNAT --to
>>> 192.168.0.4:4010
>>> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5000 -j DNAT --to
>>> 192.168.0.5:5000
>>> iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 5010 -j DNAT --to
>>> 192.168.0.5:5010
>>>
>>> iptables -t filter -A FORWARD -p tcp --dport 0:1024 -j DROP
>>> iptables -t filter -A FORWARD -p udp --dport 0:1024 -j DROP
>>>
>>> fijate que el forward no esta en drop por que tuve problemas con
>>> programas p2p..
>>> espero que te sirva...
>>> Suerte.
>>>
>> perdon mdasilva.
>
> Limitándome a proporcionarte lo que solicitas sin entrar a valorar nada de
> forma personal, aquí tienes un buen tuto algo antiguo:
> http://www.seguridad.unam.mx/red-seguridad/documentos/descarga.dsc?arch=12&damedoc=doc-iptables-firewall.pdf
>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-spanish-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>>
>
>



-- 
---------------------------------------
- El conocimiento es poder -
- y el saber nos hace libres. -
---------------------------------------
irrealnet.blogspot.com.ar
Linux User #405757
Machine Linux #310536

