Bom dia Pessoal, Estou dando os primeiros passos no mundo linux e criei este script de firewall. Gostaria que vcs, mestres no assunto, desse uma avaliada no script e por fazer, fazem todas as criticas possiveis. Conto com a ajuda de todos. Abraços
========================INICIO================================= #!/bin/sh # ## Script de Firewall com Iptables ## Chamada: /etc/rc.d/rc.firewall # # Desabilitando echo 0 > /proc/sys/net/ipv4/ip_forward # Desabilita ForWard echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Ignorando Broadcasts echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter # Protecao contra spoofing # Criando variaveis echo "Criando Variaveis" REDEEXT="200.XXX.XXX.XXX/24" REDEINT="172.XXX.XXX.XXX/24" IPLPB="127.0.0.1" IPEXT="200.XXX.XXX.XXX" IPINT=172.XXX.XXX.XXX" IFACEEXT="eth0" IFACEINT="eth1" # Ativa módulos echo "Ativando os Modulos" modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_LOG modprobe ipt_REJECT modprobe ipt_MASQUERADE modprobe ip_tables modprobe ipt_state modprobe ipt_limit # Zerar regras echo "Zerando Regras ja Existentes" iptables -F iptables -Z iptables -X # Politica Default echo "Definindo politica default como DROP" iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Conexao estabelecida echo "Mantendo conexao estabelecida/relatada iptables -A INPUT -i ! $IFACEEXT -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT # INPUT para LOOPBACK echo "Liberando INPUT para LoopBack" iptables -A INPUT -p ALL -s $IPLPB -i lo -j ACCEPT iptables -A INPUT -p ALL -s $IPEXT -i lo -j ACCEPT iptables -A INPUT -p ALL -s $IPINT -i lo -j ACCEPT # Liberando portas do firewall para Interface Interna echo "Liberando portas do Firewall para Rede Local" iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 20:21 -j ACCEPT ### FTP iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 20:21 -j ACCEPT ### FTP iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 22 -j ACCEPT ### SSH iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 23 -j ACCEPT ### TELNET iptables -A INPUT -p udp -m state --state NEW -s $REDEINT --dport 23 -j ACCEPT ### TELNET iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 25 -j ACCEPT ### SMTP iptables -A INPUT -p udp -m state --state NEW -s $REDEINT --dport 53 -j ACCEPT ### DNS iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 53 -j ACCEPT ### DNS iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 80 -j ACCEPT ### HTTP iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 110 -j ACCEPT ### POP iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 143 -j ACCEPT ### IMAP iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 465 -j ACCEPT ### SMTP-S iptables -A INPUT -p tcp -m state --state NEW -s $REDEINT --dport 995 -j ACCEPT ### POP3-S # Liberando portas do firewall para Rede Externa echo "Liberando portas do Firewall para Rede External" iptables -A INPUT -p tcp -m state --state NEW -s $REDEEXT --dport 20:21 -j ACCEPT ### FTP iptables -A INPUT -p tcp -m state --state NEW -s $REDEEXT --dport 22 -j ACCEPT ### SSH iptables -A INPUT -p tcp -m state --state NEW -s $REDEEXT --dport 80 -j ACCEPT ### HTTP iptables -A INPUT -p tcp -m state --state NEW -s $REDEEXT --dport 143 -j ACCEPT ### IMAP # Tabelas de log´s echo "Criando os Log´s do Firewall" iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log- level 6 --log-prefix "FIREWALL: NEW sem syn: " iptables -A INPUT -i IFACEEXT -m unclean -j LOG --log-level 6 --log- prefix "FIREWALL: pacote mal formado: " iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log- prefix "FIREWALL: trinoo: " iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log- prefix "FIREWALL: trojan: " iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log- prefix "FIREWALL: port scanner: " iptables -A INPUT -p tcp --dport 21 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: " iptables -A INPUT -p tcp --dport 23 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: " iptables -A INPUT -p tcp --dport 25 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: " iptables -A INPUT -p tcp --dport 80 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: http: " iptables -A INPUT -p tcp --dport 110 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: " iptables -A INPUT -p udp --dport 111 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: " iptables -A INPUT -p tcp --dport 113 -i $IFACEEXT -j LOG --log-level 6 --log-prefix "FIREWALL: identd: " iptables -A INPUT -p tcp --dport 137:139 -i $IFACEEXT -j LOG --log- level 6 --log-prefix "FIREWALL: samba: " iptables -A INPUT -p udp --dport 137:139 -i $IFACEEXT -j LOG --log- level 6 --log-prefix "FIREWALL: samba: " iptables -A INPUT -p tcp --dport 161:162 -i $IFACEEXT -j LOG --log- level 6 --log-prefix "FIREWALL: snmp: " iptables -A INPUT -p tcp --dport 6667:6668 -i $IFACEEXT -j LOG --log- level 6 --log-prefix "FIREWALL: irc: " iptables -A INPUT -d $IFACEINT -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80" # Protecoes Diversas echo "Protecoes contra diversos tipo de ataque" echo "Protecao contra TRINOO" iptables -N TRINOO iptables -A TRINOO -j DROP iptables -A INPUT -p TCP -i $IFACEEXT --dport 27444 -j TRINOO iptables -A INPUT -p TCP -i $IFACEEXT --dport 27665 -j TRINOO iptables -A INPUT -p TCP -i $IFACEEXT --dport 31335 -j TRINOO iptables -A INPUT -p TCP -i $IFACEEXT --dport 34555 -j TRINOO iptables -A INPUT -p TCP -i $IFACEEXT --dport 35555 -j TRINOO echo "Protecao Contra TRONJANS" iptables -N TROJAN iptables -A TROJAN -j DROP iptables -A INPUT -p TCP -i $IFACEEXT --dport 666 -j TROJAN iptables -A INPUT -p TCP -i $IFACEEXT --dport 666 -j TROJAN iptables -A INPUT -p TCP -i $IFACEEXT --dport 4000 -j TROJAN iptables -A INPUT -p TCP -i $IFACEEXT --dport 6000 -j TROJAN iptables -A INPUT -p TCP -i $IFACEEXT --dport 6006 -j TROJAN iptables -A INPUT -p TCP -i $IFACEEXT --dport 16660 -j TROJAN echo "Protecao contra WORMS" iptables -A FORWARD -p tcp --dport 135 -i $IFACEINT -j REJECT echo "Dropar Pacotes TCP Indesejaveis" iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP echo "Dropar pacotes mal formados" iptables -A INPUT -i $IFACEEXT -m unclean -j DROP echo "Proteção contra syn-flood" iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT echo "Proteção contra ping da morte" iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 8/s -j ACCEPT iptables -A FORWARD -p icmp --icmp-type echo-request -m limit -- limit 8/s -j ACCEPT echo "Protecao contra port scanners" iptables -N SCANNER iptables -A SCANNER -j DROP iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IFACEEXT -j SCANNER iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IFACEEXT -j SCANNER echo "Bloqueando Tracertroute" iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j REJECT echo "Protecao contra Pacotes Invalidos iptables -A INPUT -m state --state INVALID -j REJECT #Bloqueia todo o resto echo "Bloqueando o restante" iptables -A INPUT -p tcp --syn -j DROP iptables -A INPUT -p tcp -j DROP iptables -A INPUT -p udp -j DROP # Habilitando echo 1 > /proc/sys/net/ipv4/ip_forward # Desabilita ForWard echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Ignorando Broadcasts echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Protecao contra spoofing ======================= FIM ==================================== Obrigado a todos.
