nivel de =?ISO-8859-1?Q?seguran=E7a_desse_script_iptables?=

Sun, 08 May 2005 20:42:54 -0700

Ola. Gostaria de saber dos experts em iptables o nivel de segurança desse script : baixo, medio ou alto. sei q esta bem simples porem gostaria de algumas dicas para aumentar a segurança.

Obrigado


LAN='10.1.x.x/28'
# Limpa Tudo
iptables -F
iptables -F INPUT
iptables -t nat -F
# Definicao do Policiamento
#Table Filter
iptables -t filter -P INPUT     DROP
iptables -t filter -P OUTPUT    ACCEPT
iptables -t filter -P FORWARD   ACCEPT
#Table nat
iptables -t nat -P PREROUTING   ACCEPT
iptables -t nat -P OUTPUT       ACCEPT
iptables -t nat -P POSTROUTING  ACCEPT

# Conexoes estabelecidas e loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Filtrando a rede interna

iptables -t filter -A INPUT -p tcp -s $LAN --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p udp -s $LAN --dport 22 -j ACCEPT

iptables -t filter -A INPUT -p tcp --syn -s $LAN -j ACCEPT
iptables -t filter -A INPUT -s $LAN -p icmp -j ACCEPT

#Liberando para fora

iptables -t filter -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT

# Ip Masquerade

iptables -t nat -A POSTROUTING -s $LAN -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "1" > /proc/sys/net/ipv4/ip_forward


### Anti IP Spoofing ###
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done


# A tentativa de acesso externo a estes serviços serão registrados no syslog
# do sistema e serão bloqueados pela última regra abaixo.
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp "
iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp "
iptables -A INPUT -p udp --dport 53 -j LOG --log-prefix "FIREWALL: dns "
iptables -A INPUT -p tcp --dport 110 -j LOG --log-prefix "FIREWALL: pop3 "
iptables -A INPUT -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "
iptables -A INPUT -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
iptables -A INPUT -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
iptables -A INPUT -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "



# Bloquear MSN
iptables -A FORWARD -s $LAN -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s $LAN -d loginnet.passport.com -j REJECT
iptables -A FORWARD -s $LAN -d webmessenger.msn.com -j REJECT


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to