Foi mal, pessoal! Esqueci de anexar o tal script.

Aí vai!

Fernando
#!/bin/sh
#
# Init-style firewall script (start|stop|restart|status) for a gateway with
# one internal and one external interface.  Every setting below is left
# empty on purpose and must be filled in before the script is used.

### Site-specific settings
IFINT=""        # internal (LAN) interface
IFEXT=""        # external (Internet) interface
MASCARA=""      # netmask; not referenced anywhere else in this script
NET=""          # internal network as iptables accepts it (CIDR or addr/mask)
IP_GW_INT=""    # this gateway's address on the internal interface
IP_GW_EXT=""    # this gateway's address on the external interface

# Published servers, space-separated.  Only the host octet goes here; the
# network part is added where the rules are built.
WEB=""
MAIL=""
DNS=""
WIN=""          # not referenced anywhere else in this script
FTP=""

# ICMP types accepted without rate limiting (echo-request is handled
# separately with a limit).  The value starts with a space; it is only
# ever word-split, so that is harmless.
VALIDICMP=""
for _icmp in destination-unreachable source-quench time-exceeded \
             parameter-problem echo-reply; do
  VALIDICMP="$VALIDICMP $_icmp"
done
unset _icmp


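### Per-interface hardening (/proc/sys/net/ipv4/conf/*/<entry>)
#
# set_conf_all ENTRY VALUE [CONFDIR]
#   Writes VALUE to CONFDIR/*/ENTRY for every interface directory present.
#   CONFDIR defaults to /proc/sys/net/ipv4/conf.  An unmatched glob (no
#   such entry at all) is skipped instead of attempting to write to the
#   literal pattern; an entry that exists but cannot be written produces
#   a warning on stderr.
#   Returns 0 if every existing entry was written, 1 otherwise.
set_conf_all() {
  _name=$1
  _value=$2
  _dir=${3:-/proc/sys/net/ipv4/conf}
  _rc=0
  for _f in "$_dir"/*/"$_name"; do
    # an unmatched glob leaves the pattern itself behind; ignore it
    [ -e "$_f" ] || continue
    if ! printf '%s\n' "$_value" > "$_f"; then
      printf 'firewall: nao foi possivel escrever em %s\n' "$_f" >&2
      _rc=1
    fi
  done
  return $_rc
}

set_conf_all rp_filter 1            # reverse-path check on every interface
set_conf_all log_martians 1         # log packets with impossible source addresses
set_conf_all accept_source_route 0  # ignore source-routed packets
set_conf_all accept_redirects 0     # ignore ICMP redirects
set_conf_all send_redirects 0       # never emit ICMP redirects
set_conf_all secure_redirects 0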

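### Global IPv4 stack parameters
#
# These run on every invocation (start, stop, restart and status alike)
# because they sit above the command dispatch.

IPV4="/proc/sys/net/ipv4"

# set_ipv4 ENTRY VALUE
#   Writes VALUE to $IPV4/ENTRY.  A missing or unwritable entry produces a
#   warning on stderr and a return status of 1 instead of an unchecked
#   redirection error.
set_ipv4() {
  if [ ! -e "$IPV4/$1" ]; then
    printf 'firewall: %s/%s nao existe, ignorando\n' "$IPV4" "$1" >&2
    return 1
  fi
  printf '%s\n' "$2" > "$IPV4/$1" || {
    printf 'firewall: nao foi possivel escrever em %s/%s\n' "$IPV4" "$1" >&2
    return 1
  }
}

set_ipv4 icmp_echo_ignore_broadcasts 1       # do not answer broadcast pings
set_ipv4 icmp_ignore_bogus_error_responses 1
set_ipv4 tcp_fin_timeout 30
set_ipv4 tcp_keepalive_intvl 60
set_ipv4 tcp_keepalive_probes 5
set_ipv4 tcp_keepalive_time 3600
set_ipv4 tcp_retries1 5
# NOTE(review): tcp_retries2 bounds how long an established connection is
# retransmitted before being dropped; 5 is well below the kernel default and
# equal to tcp_retries1 above — confirm this is intended.
set_ipv4 tcp_retries2 5
set_ipv4 tcp_syn_retries 5
set_ipv4 tcp_syncookies 1                    # SYN-flood mitigation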

###START

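#######################################
# fw_start: flush everything, then load the complete rule set.
# Globals:  IFINT IFEXT NET IP_GW_INT IP_GW_EXT (required, checked first)
#           WEB FTP MAIL DNS VALIDICMP (read)
# Outputs:  progress text on stdout
#######################################
fw_start() {
  # Refuse to continue while the site variables are still empty.  This runs
  # before any policy is touched, so a bad configuration cannot leave the
  # host with DROP policies and no rules.
  : "${IFINT:?defina IFINT (interface interna) no inicio do script}"
  : "${IFEXT:?defina IFEXT (interface externa) no inicio do script}"
  : "${NET:?defina NET (rede interna) no inicio do script}"
  : "${IP_GW_INT:?defina IP_GW_INT no inicio do script}"
  : "${IP_GW_EXT:?defina IP_GW_EXT no inicio do script}"

  # echo -n is not portable under #!/bin/sh; printf is.
  printf '%s' "Ativando Firewall: "

  # Clean slate.  The user chains are flushed and deleted explicitly so a
  # second "start" neither fails on "chain already exists" nor appends a
  # duplicate rule set; errors are silenced because on the first run the
  # chains legitimately do not exist yet.
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -F -t nat
  iptables -F -t mangle
  for chain in int-me ext-me int-ext ext-int BLOCK; do
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
  done

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Deny inbound and forwarded traffic by default; the gateway's own
  # outbound traffic is unrestricted.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # One chain per traffic direction plus BLOCK, the terminal chain every
  # direction falls through to: rate-limited log, then drop.
  iptables -N int-me
  iptables -N ext-me
  iptables -N int-ext
  iptables -N ext-int
  iptables -N BLOCK
  iptables -A BLOCK -m limit --limit 3/min -j LOG --log-prefix "firewall BLOCK: "
  iptables -A BLOCK -j DROP

  ### Sanity checks on every inbound and forwarded packet
  # "unclean" is the experimental 2.4-era match; if the running kernel lacks
  # it that rule fails to load and only the INVALID and SYN checks remain.
  iptables -A INPUT -m unclean -j DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -p tcp -m state --state NEW ! --syn -j DROP  # new TCP must start with SYN

  iptables -A FORWARD -m unclean -j DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp -m state --state NEW ! --syn -j DROP

  ### Dispatch by direction; whatever matches nothing ends in BLOCK
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -s "$NET" -d "$IP_GW_INT" -i "$IFINT" -j int-me
  iptables -A INPUT -s "$NET" -d "$IP_GW_EXT" -i "$IFINT" -j int-me
  iptables -A INPUT -i "$IFEXT" -d "$IP_GW_INT" -j ext-me
  iptables -A INPUT -i "$IFEXT" -d "$IP_GW_EXT" -j ext-me
  iptables -A INPUT -j BLOCK

  iptables -A FORWARD -i "$IFINT" -o "$IFEXT" -j int-ext
  iptables -A FORWARD -i "$IFEXT" -o "$IFINT" -j ext-int
  iptables -A FORWARD -j BLOCK

  ### Low-delay TOS on replies from the main services (ftp, ssh, smtp, http, pop3)
  for port in 21 22 25 80 110; do
    iptables -t mangle -A POSTROUTING -p tcp --sport "$port" -j TOS --set-tos Minimize-Delay
  done

  ### int-me: LAN -> gateway
  iptables -A int-me -i "$IFINT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A int-me -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
  for icmp_type in $VALIDICMP; do
    iptables -A int-me -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A int-me -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A int-me -j BLOCK

  ### ext-me: Internet -> gateway
  # Anti-spoofing comes first.  Loopback, the RFC 1918 ranges (/8, /12 and
  # /16) and our own internal network can never be legitimate sources on
  # the external interface, which is the only way into this chain.
  for spoofed in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$NET"; do
    iptables -A ext-me -s "$spoofed" -j DROP
  done
  # Replies to the gateway's own connections.  ext-me only ever sees
  # packets from $IFEXT, so the interface match must name that interface.
  iptables -A ext-me -i "$IFEXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A ext-me -p tcp -s 200.207.79.136 --dport 22 -j ACCEPT
  iptables -A ext-me -j BLOCK

  ### int-ext: LAN -> Internet, unrestricted
  iptables -A int-ext -j ACCEPT

  ### ext-int: Internet -> servers published on the LAN
  for spoofed in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$NET"; do
    iptables -A ext-int -s "$spoofed" -j DROP
  done
  iptables -A ext-int -i "$IFEXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A ext-int -p ip -s 200.207.79.136 -j ACCEPT
  for icmp_type in $VALIDICMP; do
    iptables -A ext-int -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A ext-int -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

  # Published services.  WEB, FTP, MAIL and DNS hold host octets only; the
  # network part is the placeholder below and must be filled in.
  pub=xxx.xxx.xxx
  for server in $WEB; do
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 80 -j ACCEPT
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 443 -j ACCEPT
    # NOTE(review): this publishes MySQL (3306) on every web host to the
    # whole Internet; restrict it to known client addresses or remove it.
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 3306 -j ACCEPT
  done
  for server in $FTP; do
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 20:21 -j ACCEPT
    # presumably the passive-mode data port range configured on the FTP servers
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 60000:61000 -j ACCEPT
  done
  for server in $MAIL; do
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 25 -j ACCEPT
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 80 -j ACCEPT
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 110 -j ACCEPT
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 443 -j ACCEPT
  done
  for server in $DNS; do
    iptables -A ext-int -p tcp -d "$pub.$server" --dport 53 -j ACCEPT
    iptables -A ext-int -p udp -d "$pub.$server" --dport 53 -j ACCEPT
    # answers from other name servers to the unprivileged query ports
    iptables -A ext-int -p udp -d "$pub.$server" --sport 53 --dport 1024: -j ACCEPT
  done

  iptables -A ext-int -j BLOCK
  echo done
}

#######################################
# fw_stop: remove every rule and user chain, then reopen the host
# (accept-all policies, forwarding off).
#######################################
fw_stop() {
  echo "Parando Firewall: "
  # Built-in chains first so nothing still references the user chains when
  # they are deleted; BLOCK goes last because the other four jump to it.
  iptables -F INPUT
  iptables -F FORWARD
  iptables -F OUTPUT
  iptables -F -t mangle
  iptables -F -t nat
  for chain in int-me ext-me int-ext ext-int BLOCK; do
    iptables -F "$chain"
    iptables -X "$chain"
  done
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  echo 0 > /proc/sys/net/ipv4/ip_forward
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    fw_stop
    fw_start
    ;;
  status)
    # -n: no reverse DNS lookups, which stall while INPUT is locked down
    iptables -L -v -n
    ;;
  *)
    echo "Utilize somente: $0 {start|stop|restart|status}" >&2
    exit 2
    ;;
esac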