Amigos da lista,
Alguém poderia me ajudar a converter de ipchains para iptables, o
script abaixo?
Estou aprendendo iptables agora, mas estou com urgência nesta conversão.
Obs:
1- Estou usando o Red Hat 7.1
2- Depois de convertido é só iniciar o script com o
iptables ou tenho que mudar mais
alguma coisa no Kernel ?
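#!/bin/sh
#
# FIREWALL (ipchains syntax)
#
# Packet filter for a two-interface gateway: EXTIF faces the Internet,
# LANIF faces the LAN.  The input policy is ACCEPT and the rules below
# narrow it for traffic arriving on EXTIF; the forward policy is DENY and
# only the explicit MASQ rules at the end let internal hosts out.
#
# NOTE(review): this is ipchains (2.2-style) syntax.  Red Hat 7.1 ships
# a 2.4 kernel where ipchains runs through a compatibility module that
# cannot coexist with ip_tables, so this script and an iptables-based
# one must never be loaded at the same time -- confirm on the host.
#
# Fixes relative to the mailed copy: several rules had been wrapped by
# the mail client onto two lines (the tail, e.g. "j DENY", would have run
# as a separate command), a wrapped comment left a bare line that would
# have executed, the loopback ICMP rule is now bound to "lo" so spoofed
# 127.x packets on EXTIF no longer match it, and an anti-spoof rule for
# the LAN range was added.  Exact duplicate rules are kept but marked.
#
# Interface facing the Internet
EXTIF=eth1
#
# Interface facing the LAN (not referenced by any rule below)
LANIF=eth0
#
# Public IP of this host
ANY=200.0.0.0/32
#
# LAN IP of this host (not referenced by any rule below)
LAN=172.28.0.5/32
#
# Default policies, then flush every chain so that re-running the
# script does not append a second copy of each rule.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -F forward
ipchains -F input
ipchains -F output
#
# FTP masquerading helper.  This is the 2.2-kernel module name; on a
# 2.4 kernel the equivalent is provided by the netfilter FTP helpers --
# confirm the module actually loads on the target host.
modprobe ip_masq_ftp
#
# Allow PING on loopback.  Bound to "lo" (the original did not name the
# interface), otherwise a packet with a spoofed 127.x source arriving
# on EXTIF would be accepted here before the ICMP deny at the end.
# 127.0.0.0/8 is the whole loopback block (the original /16 only
# covered 127.0.x.x).
ipchains -A input -i lo -s 127.0.0.0/8 -p icmp -j ACCEPT
#
# Anti-spoofing on the external interface: log (-l) and drop anything
# that claims to come from our own public IP or from the LAN range.
ipchains -A input -l -i "$EXTIF" -s "$ANY" -d 0/0 -j DENY
ipchains -A input -l -i "$EXTIF" -s 172.28.0.0/24 -d 0/0 -j DENY
#
# Allow TRACEROUTE (disabled; kept as one commented line each)
#ipchains -A input -l -i "$EXTIF" -s 0/0 3 -d "$ANY" -p icmp -j ACCEPT
#ipchains -A input -l -i "$EXTIF" -s 0/0 11 -d "$ANY" -p icmp -j ACCEPT
#ipchains -A input -l -i "$EXTIF" -s 0/0 32769:65535 -d "$ANY" 33434:33523 -p udp -j ACCEPT
#
# Block Trinoo.  -b installs the rule in both directions, -l logs hits.
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 27665 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 27444 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 31335 -p udp -j DENY
#
# Block backdoors
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 666 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 666 -p udp -j DENY
#
# BackOrifice and Netbus
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 1234 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 31337 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 31337 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 12345:12346 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 12345:12346 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 2049 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 20034 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 54321 -p udp -j DENY
#
# Block IRC
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6667 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6667 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 9000 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 9000 -p udp -j DENY
# The two 666 rules below repeat the "backdoors" rules above.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 666 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 666 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6666 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6666 -p udp -j DENY
#
# Block ICQ
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 4000 -p tcp -j DENY
# Exact duplicate of the previous line; the author may have meant udp.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 4000 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d 64.12.25.27 -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d 205.188.248.25 -j DENY
# NOTE(review): the two hostname rules are resolved by DNS when the
# script loads: if resolution fails the rule is simply not installed,
# and a name with several addresses yields one rule per address.  The
# filter therefore depends on DNS being up and honest at boot; fixed
# addresses are the safer form.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d cb.icq.com -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d clustera.icq.com -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d 64.12.25.24 -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d 64.12.25.26 -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d 64.12.25.0/24 -j DENY
#
#
# Block Napster
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6702 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6702 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6703 -p tcp -j DENY
# Exact duplicate of the previous line; the author may have meant udp.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6703 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6704 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6704 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6705 -p tcp -j DENY
# Exact duplicate of the previous line; the author may have meant udp.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 6705 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 7777 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 7777 -p tcp -j DENY
#
#
# Other blocks
#
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 139 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 139 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 1433 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 1433 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 1521 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 1521 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 5432 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 5432 -p udp -j DENY
# 2049/udp repeats the BackOrifice/Netbus section above.
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 2049 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 2049 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 5999:6003 -p tcp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 5999:6003 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 7100 -p udp -j DENY
ipchains -A input -l -b -i "$EXTIF" -s 0/0 -d "$ANY" 7100 -p tcp -j DENY
#
# NOTE(review): in every "Allow" pair below, the first rule admits new
# connections to a local service and the second admits replies to
# connections we opened (remote service port -> our 1024:).  The reply
# rules do not check the TCP flags, so any remote host using that
# service port as its source port can open a connection to any local
# high port.  ipchains can restrict the reply rules to non-SYN packets
# with "! -y"; consider adding it to each second rule.  A source-port
# match (1024:) is not a security control on its own -- the peer
# chooses its source port.
#
# Allow SSH
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 22 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 22 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow SMTP
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 25 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 25 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow POP3 (inbound to the local service only; reply rule disabled)
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 110 -p tcp -j ACCEPT
#ipchains -A input -i "$EXTIF" -s 0/0 110 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow ident/auth (113)
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 113 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 113 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow HTTP
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 80 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 80 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow HTTPS (replies only; the inbound rule is disabled)
#ipchains -A input -i "$EXTIF" -d "$ANY" 443 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 443 -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow DNS
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 53 -p udp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 53 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 53 -d "$ANY" 1024: -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 53 -d "$ANY" 1024: -p udp -j ACCEPT
# NOTE(review): 520/udp is RIP (routing updates), not DNS.  Accepting
# it from anywhere on the Internet side lets any remote host feed the
# routing daemon, if one is running -- confirm this is intended.
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 520 -p udp -j ACCEPT
#
# Allow high UDP and TCP ports (disabled: this would open every
# unprivileged port on the external side)
#ipchains -A input -i "$EXTIF" -d "$ANY" 1024: -p udp -j ACCEPT
#ipchains -A input -i "$EXTIF" -d "$ANY" 1024: -p tcp -j ACCEPT
#
# Allow active FTP, server and client side
ipchains -A input -i "$EXTIF" -s 0/0 20 -d "$ANY" 1024: -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 21 -d "$ANY" 1024: -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 21 -p tcp -j ACCEPT
ipchains -A input -i "$EXTIF" -s 0/0 1024: -d "$ANY" 20 -p tcp -j ACCEPT
#
# Catch-all: log and deny every other TCP and UDP packet addressed to
# our public IP on the external interface (all ports, not only the
# privileged ones -- no port is given).
ipchains -A input -l -i "$EXTIF" -d "$ANY" -p udp -j DENY
ipchains -A input -l -i "$EXTIF" -d "$ANY" -p tcp -j DENY
#
# Deny ICMP from everyone on the external interface
ipchains -A input -l -i "$EXTIF" -p icmp -j DENY
#
# Masquerade SMTP and POP3 for the mail server
ipchains -A forward -s 172.28.0.60/32 -d 0/0 25 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.60/32 -d 0/0 110 -p tcp -j MASQ
#
# Masquerade HTTP and SMTP for the web server
ipchains -A forward -s 172.28.0.20/32 -d 0/0 80 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.20/32 -d 0/0 25 -p tcp -j MASQ
#
# Masquerade only FTP, SSH and DNS lookups for the whole internal
# network.  Every other forwarded packet falls to the forward policy
# (DENY).
ipchains -A forward -s 172.28.0.0/24 -d 0/0 20 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.0/24 -d 0/0 21 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.0/24 -d 0/0 22 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.0/24 -d 0/0 53 -p tcp -j MASQ
ipchains -A forward -s 172.28.0.0/24 -d 0/0 53 -p udp -j MASQ
#
# The rule below would masquerade everything for the internal network
#ipchains -A forward -s 172.28.0.0/24 -d 0/0 -j MASQ
#
# Enable routing between the interfaces only after the rules are in
# place, so forwarding is never enabled with an empty filter.
echo 1 > /proc/sys/net/ipv4/ip_forward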
Desde já agradeço,