Desculpas, mandei o iptables errado; este é o que eu tenho no servidor.
Também não faz mais referência à porta 1863, pois já tentei bloqueá-la
com o iptables usando a regra:
iptables -A FORWARD -s 192.168.1.0/24 rede -p tcp --dport 1863 -j
REJECT
iptables -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j
REJECT
mas não funcionou.
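#!/bin/sh
#
# Nigthwolf.firewall
#
# Usage: firewall {start|stop|restart}
#
# Enabling forwarding is left commented out. Every rule below is appended to
# INPUT (plus a single OUTPUT rule); there are no FORWARD rules, so turning
# this on without adding them would route LAN traffic through unfiltered.
# echo "1" > /proc/sys/net/ipv4/ip_forward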
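#######################################
# Append one iptables rule, reporting a failed load on stderr instead of
# letting it vanish. A rule that silently fails to load (for example a
# match module the running kernel does not ship) leaves a gap nobody sees
# until someone reads `iptables -L -n`.
# Arguments: the iptables arguments for one rule
# Outputs:   a diagnostic line on stderr when iptables exits non-zero
#######################################
fw_rule() {
  iptables "$@" || printf 'firewall: rule not loaded (status %s): iptables %s\n' "$?" "$*" >&2
}

# Log TCP packets to port $1 with kernel log prefix $2. LOG does not
# terminate the chain walk; the packet continues to the rules below.
fw_log_port() {
  fw_rule -A INPUT -p tcp --dport "$1" -j LOG --log-level 1 --log-prefix "$2"
}

# Reject both TCP and UDP to port (or port range) $1 arriving on eth0.
fw_reject_eth0() {
  fw_rule -A INPUT -p tcp -i eth0 --dport "$1" -j REJECT
  fw_rule -A INPUT -p udp -i eth0 --dport "$1" -j REJECT
}

#######################################
# Load the ruleset: INPUT rules plus one OUTPUT rule. Rules are appended
# in order and the first match wins, so the sequence below is the policy.
# Differences from the original listing: the ESTABLISHED,RELATED accept is
# first (so the LOG lines no longer fire for every packet of an accepted
# flow and the rate-limit rule no longer spends its budget on them), the
# duplicated Back Orifice tcp line is now its UDP half, and the e-mail line
# wraps inside the original commands are undone.
# Globals:   port (loop variable, left set afterwards)
# Arguments: none
# Outputs:   iptables diagnostics on stderr
#######################################
firewall_start() {
  # Replies and continuations of flows already accepted. Putting this first
  # is the usual layout; the original had it in the middle of the chain.
  fw_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Log attempts on ports worth watching.
  fw_log_port 21    "FTP: "
  fw_log_port 5042  "Wincrash: "
  fw_log_port 12345 "BackOrifice: "
  fw_log_port 6667  "IrcD: "
  fw_log_port 53    "DNS: "
  for port in 31336 31337 31338 3024 4092 5714 5742 2583 8787 5556 5557; do
    fw_log_port "$port" "TROJAN: "
  done

  # Echo requests: answered only for loopback and the LAN.
  # (Alternative from the original: echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all)
  fw_rule -A INPUT -s 127.0.0.0/255.255.255.0 -p icmp --icmp-type 8 -j ACCEPT
  fw_rule -A INPUT -s 10.0.0.0/255.255.255.0 -p icmp --icmp-type 8 -j ACCEPT
  fw_rule -A INPUT -p icmp --icmp-type 8 -j DROP

  # NAT for the LAN, disabled. It would also need ip_forward=1 and FORWARD
  # rules; nothing in this script filters FORWARD.
  # fw_rule --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

  # The local network may open any TCP port on this host.
  fw_rule -A INPUT -p tcp --syn -s 10.0.0.0/255.255.255.0 -j ACCEPT
  # fw_rule -A INPUT -p tcp --syn -s 10.1.1.0/255.255.255.0 -j ACCEPT

  # IRC, open to everyone.
  for port in 6667 7001 8000 9000; do
    fw_rule -A INPUT -p tcp -s 0.0.0.0/0 --destination-port "$port" -j ACCEPT
  done

  # SSH: two admin hosts only; everyone else is rejected.
  fw_rule -A INPUT -p tcp -s 10.0.0.139 --destination-port 22 -j ACCEPT
  fw_rule -A INPUT -p tcp -s 10.0.0.140 --destination-port 22 -j ACCEPT
  fw_rule -A INPUT -p tcp --destination-port 22 -j REJECT

  # Azureus (BitTorrent) listening port, open to everyone.
  fw_rule -A INPUT -p tcp -s 0.0.0.0/0 --destination-port 56894 -j ACCEPT

  # DNS over TCP from one resolver, disabled.
  # fw_rule -A INPUT -p tcp -s 201.67.80.195 --destination-port 53 -j ACCEPT

  # Telnet: the same two admin hosts, rejected for everyone else.
  fw_rule -A INPUT -p tcp -s 10.0.0.139 --destination-port 23 -j ACCEPT
  fw_rule -A INPUT -p tcp -s 10.0.0.140 --destination-port 23 -j ACCEPT
  fw_rule -A INPUT -p tcp --destination-port 23 -j REJECT

  # Mail: submission port closed, SMTP out, POP3 in.
  fw_rule -A INPUT -p tcp -j DROP -s 0.0.0.0/0 --dport 587
  # This script never sets a policy on OUTPUT, so this ACCEPT only matters
  # if the OUTPUT policy is changed somewhere else.
  fw_rule -A OUTPUT -p tcp -j ACCEPT -s 0.0.0.0/0 --dport 25
  fw_rule -A INPUT -p tcp -j ACCEPT -s 0.0.0.0/0 --dport 110

  # FTP control port: loopback and the two admin hosts; FTP-data rejected.
  fw_rule -A INPUT -p tcp -j ACCEPT -s 127.0.0.1 --dport 21
  fw_rule -A INPUT -p tcp -j ACCEPT -s 10.0.0.139 --dport 21
  fw_rule -A INPUT -p tcp -j ACCEPT -s 10.0.0.140 --dport 21
  fw_rule -A INPUT -p tcp -j REJECT -s 0.0.0.0/0 --dport 20

  # "Anti-portscan / ping of death" block, kept as in the original.
  # The echo-request line is shadowed by the ICMP DROP above and never
  # matches. The plain TCP limit line is the dangerous one: it ACCEPTs any
  # TCP packet to any port at 1/s (burst 5) before the final DROP. A new
  # connection only needs its SYN to pass here; the rest of the flow then
  # matches ESTABLISHED at the top. So every listening port that is not
  # explicitly rejected above is reachable from anywhere, just slowly, and
  # the DROP at the bottom is not a default deny. To get one, list the
  # ports this host serves as explicit ACCEPTs (as done for IRC and POP3)
  # and remove the limit line.
  fw_rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  fw_rule -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT
  fw_rule -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  fw_rule -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP
  # `unclean` was an experimental match that current kernels do not ship;
  # where it is missing, fw_rule reports the failure and this line does
  # nothing. `-m conntrack --ctstate INVALID -j DROP` is the equivalent now.
  fw_rule -A INPUT -m unclean -j DROP

  # Loopback. It sits after the port 22/23/587 rules, so connections from
  # 127.0.0.1 to those ports are still rejected or dropped.
  fw_rule -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

  # Back Orifice (UDP 31337; the original listed the tcp line twice).
  fw_reject_eth0 31337
  # Assorted trojan ports, TCP and UDP.
  for port in 31338 3024 4092 5714 5742 2583 8787 5556 5557; do
    fw_reject_eth0 "$port"
  done
  # NetBus.
  fw_reject_eth0 12345:12346
  # Trin00.
  fw_rule -A INPUT -p tcp -i eth0 --dport 1524 -j REJECT
  fw_rule -A INPUT -p tcp -i eth0 --dport 27665 -j REJECT
  fw_rule -A INPUT -p udp -i eth0 --dport 27444 -j REJECT
  fw_rule -A INPUT -p udp -i eth0 --dport 31335 -j REJECT

  # Individual hosts the author wants out (the port-22 one is already
  # covered by the general port-22 REJECT above).
  fw_rule -A INPUT -p tcp -j REJECT -s 200.152.194.50 --dport 22
  fw_rule -A INPUT -p tcp -j REJECT -s 201.3.47.189 --dport 80
  fw_rule -A INPUT -p tcp -j REJECT -s 80.61.144.130 --dport 80

  # Catch-all for new TCP connections only. UDP and non-echo ICMP that
  # nothing above matched fall through to the chain policy, which this
  # script never sets (ACCEPT unless set elsewhere). For a real default
  # deny, set `-P INPUT DROP` and add explicit UDP/ICMP accepts as needed.
  fw_rule -A INPUT -p tcp --syn -j DROP
}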
#######################################
# Remove the running ruleset: flush the filter and nat tables, then delete
# the now-empty user-defined chains. Chain policies are not touched, so
# afterwards the host accepts whatever the built-in policies allow.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
firewall_stop() {
  iptables -F
  iptables -t nat -F
  iptables -X
}
#######################################
# Reload the ruleset: tear everything down, wait one second, then load
# the rules again from scratch.
# Globals:   none
# Arguments: none
# Returns:   status of firewall_start
#######################################
firewall_restart() {
  firewall_stop
  sleep 1
  firewall_start
}
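# Dispatch on the first argument. An unknown or missing action is reported
# on stderr with a non-zero exit so init wrappers and cron notice the
# mistake instead of reading the usage line as success.
case "$1" in
  start)
    firewall_start
    ;;
  stop)
    firewall_stop
    ;;
  restart)
    firewall_restart
    ;;
  *)
    printf 'Use %s start|stop|restart\n' "$0" >&2
    exit 1
    ;;
esac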
#EOF