Ola pessoal da lista.

    Quero implementar essas regras de iptables no meu servidor, mas nao sei se
estao corretas... Se alguem puder me ajudar, ficarei muito grato. Se for
possivel que sejam alteradas e melhoradas para que funcionem corretamente,
ficarei muito grato.



############################# INICIO

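NET="192.168.0.0/16"
ANY="0.0.0.0/0"
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
# External (PPP) interface. Every rule in the original hard-coded ppp0;
# it is named once here so it can be changed in one place.
WAN_IF="ppp0"

# Refuse to run before touching anything: failing half-way through the
# flush below would leave the box with no rules at all.
[ -x "$IPTABLES" ] || { echo "$IPTABLES: not found or not executable" >&2; exit 1; }
[ -x "$MODPROBE" ] || { echo "$MODPROBE: not found or not executable" >&2; exit 1; }

#######################################
# Load the netfilter modules used below: connection tracking and its FTP
# helper, NAT and its FTP helper, the state/limit matches and the LOG and
# MASQUERADE targets. modprobe fails for modules built into the kernel;
# that is harmless, so a failure is reported but not fatal.
#######################################
load_modules() {
  for mod in ip_conntrack ip_conntrack_ftp ip_tables ipt_state iptable_nat \
             ip_nat_ftp ipt_limit ipt_LOG ipt_MASQUERADE; do
    "$MODPROBE" "$mod" || echo "warning: could not load $mod (built in?)" >&2
  done
}

#######################################
# Write one /proc/sys/net/ipv4/conf/*/<param> value on every interface.
# Arguments: $1 - parameter name (e.g. rp_filter), $2 - value to write
#######################################
set_iface_param() {
  for f in /proc/sys/net/ipv4/conf/*/"$1"; do
    [ -e "$f" ] || continue   # unmatched glob stays literal in sh
    echo "$2" > "$f"
  done
}

#######################################
# Kernel hardening via /proc/sys: SYN cookies, ignore broadcast pings and
# bogus ICMP errors, reverse-path filtering on, ICMP redirects and source
# routing off. ip_forward is deliberately NOT enabled here (see main).
#######################################
set_kernel_params() {
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

  set_iface_param rp_filter 1
  set_iface_param accept_redirects 0
  set_iface_param send_redirects 0
  set_iface_param accept_source_route 0
}

#######################################
# Flush and delete every rule and user chain in the filter and nat tables,
# then set the default policies.
# NOTE(review): INPUT and OUTPUT stay ACCEPT as in the original, so the
# firewall host itself answers every port on $WAN_IF except NetBIOS.
# If no services need to be reachable from the internet, consider
# `-P INPUT DROP` plus an ESTABLISHED,RELATED accept rule — confirm first.
#######################################
reset_tables() {
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
}

#######################################
# INPUT/OUTPUT rules for traffic to and from the firewall host itself.
#######################################
filter_rules() {
  # NOTE(review): the OUTPUT chain only sees packets generated by this host,
  # so these two rules do not stop LAN clients from browsing; blocking the
  # LAN would need a FORWARD rule. Kept as written — confirm the intent.
  "$IPTABLES" -A OUTPUT -p tcp -s "$NET" -d "$ANY" --dport 80 -j DROP
  "$IPTABLES" -A OUTPUT -p tcp -s "$NET" -d "$ANY" --dport 8080 -j DROP
  # Never accept NetBIOS name/datagram/session traffic from the internet.
  "$IPTABLES" -A INPUT -p tcp -s "$ANY" -d "$ANY" --dport netbios-ns:netbios-ssn -i "$WAN_IF" -j DROP
  "$IPTABLES" -A INPUT -p udp -s "$ANY" -d "$ANY" --dport netbios-ns:netbios-ssn -i "$WAN_IF" -j DROP
  "$IPTABLES" -A OUTPUT -o "$WAN_IF" -j ACCEPT
}

#######################################
# NAT: masquerade the whole LAN behind $WAN_IF.
# The nat table consults a connection only once, so after this catch-all
# rule the original per-port MASQUERADE rules (ftp-data:ftp, 25, 80, 110,
# 8888, https, irc, 1521, 42, domain, 6667:7000) could never match; they
# were dead rules and are dropped. Limit what the LAN may reach in the
# FORWARD chain, not here.
#######################################
nat_rules() {
  "$IPTABLES" -t nat -A POSTROUTING -s "$NET" -o "$WAN_IF" -j MASQUERADE
}

#######################################
# FORWARD rules for traffic routed between the LAN and $WAN_IF.
# Policy is DROP, so everything the LAN is allowed to do is accepted here.
#######################################
forward_rules() {
  # Drop malformed packets first. The 'unclean' match is experimental;
  # on a kernel without it this one rule fails to load and the rest stand.
  "$IPTABLES" -A FORWARD -m unclean -j DROP

  # Rate-limit forwarded pings to 1/s. The limit rule must come BEFORE the
  # DROP — the original had them the other way round, so the limit rule
  # was unreachable and every forwarded echo-request was dropped.
  "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -j DROP

  # Rate-limit bare RST segments (RST set, SYN/ACK/FIN clear). The explicit
  # DROP keeps the excess from falling through to the stateful accepts.
  "$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

  # Stateful forwarding. The original `-p tcp -m limit --limit 1/s -j ACCEPT`
  # let exactly one TCP packet per second through for the whole LAN and
  # nothing else, so the masqueraded clients could not actually use the
  # link. The LAN may open connections out; only replies (and RELATED
  # flows such as FTP data, via the ftp helpers loaded above) come back in.
  "$IPTABLES" -A FORWARD -s "$NET" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$WAN_IF" -d "$NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

main() {
  load_modules
  set_kernel_params
  reset_tables
  filter_rules
  nat_rules
  forward_rules
  # Enable routing only after the FORWARD rules are in place, so nothing is
  # forwarded during the window between the flush and the new rule set.
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

main "$@"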


############################ FIM


Rimeson Cardoso

