Good morning Jeferson, yes, I already ran a test putting it in /etc/init.d.
It seems to be working fine, but I don't know how to run attack tests to verify that it works.
Cheers
Good morning Wilson, are you going to put the script in /etc/init.d/? Regards

On 20 March 2012 at 11:18, Wilson Bom <[email protected]> wrote:
Good morning everyone, I am trying to set up a firewall and would like your opinion on the script below.
----------------------------------------
#! /bin/bash
case "$1" in
start)
    ##############
    # TITLE OPEN #
    ##############
    echo "Iniciando a Configuração do Firewall"

    ###################
    # Flush all rules #
    ###################
    echo "Regras Zeradas"
    iptables -F

    #######################################
    # Block everything: nothing in or out #
    #######################################
    echo "Fechando tudo"
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    ###########################################################################
    # Mitigate ping floods by limiting how many echo requests are answered    #
    ###########################################################################
    #echo "Previne ataques DoS"
    # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    #########################
    # Block ping completely #
    #########################
    echo "Bloqueia o pings"
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    #####################
    # Security policies #
    #####################
    echo "Implementação de politicas de segurança"
    # Note the space before ">": "echo 0> file" is parsed as a redirection of
    # fd 0 and writes nothing to the file, so the original never set these.
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route  # reject source-routed packets (spoofing aid)
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects     # ignore ICMP redirects that rewrite routing (leave enabled on a router only if needed)
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast pings (DoS amplification risk)
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # only commit resources once the handshake completes; survives SYN floods
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter        # reverse-path filter: only reply on the interface that received the packet
    iptables -A INPUT -m state --state INVALID -j DROP        # drop invalid packets

    #################################
    # Allow established connections #
    #################################
    echo "Liberando conexões estabelecidas"
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Accepting NEW in FORWARD means this host forwards everything once ip_forward is on.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    ##########################################################################
    # Allow SSH and limit new connection attempts to 4 per minute per source #
    ##########################################################################
    echo "Liberando o SSH"
    # The recent match needs a --set rule to record the source address;
    # --update alone never matches, so the original limit was never enforced.
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # SSH is TCP only; the original udp/22 ACCEPT opened a port nothing listens on.

    ###############
    # Allow Samba #
    ###############
    echo "Liberando o Samba"
    iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
    iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 445 -j ACCEPT   # SMB over TCP; clients that do not use NetBIOS need this

    ################
    # Allow Apache #
    ################
    echo "Liberando o Apache"
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    ###############
    # TITLE CLOSE #
    ###############
    echo "Configuração do Firewall Concluida."
    ;;
stop)
    echo "Finalizando o Firewall"
    rm -f /var/lock/subsys/firewall
    # -----------------------------------------------------------------
    # Remove all existing rules
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -t mangle -F
    iptables -t nat -F
    # -----------------------------------------------------------------
    # Reset default policies: accept everything
    # -----------------------------------------------------------------
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;
status)
    # Listed in the usage message but missing from the original script.
    iptables -L -n -v
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
*)
    echo "Selecione uma opção valida {start|stop|status|restart|reload}"
    exit 1
esac
exit 0
--
Wilson Bom
Serprodata Informática Ltda.
Av. Marcelino Pires, 1405 - Sala 216
79800-004 - Dourados - MS
(067) 3421-3343 - 8407-4808 - 8407-8808
Messenger: [email protected]
E-mail...: [email protected] [email protected] [email protected] [email protected]
Ubuntu Lucid Lynx 10.04 - 2.6.32-25 #44
Linux Counter: 292553
Dataflex 3.2 Linux - Dataflex 3.2 MS-Dos
--
More about Ubuntu in Portuguese: http://www.ubuntu-br.org/comece
Ubuntu Brasil discussion list
Archive, unsubscription and other options: https://lists.ubuntu.com/mailman/listinfo/ubuntu-br
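As an added example, not part of the thread or of Wilson's script: rather than staging "attack tests", a practical check is to compare the live `iptables-save` dump against the rules the init script is supposed to enforce, including the SSH limit that only works once a `-m recent --set` rule exists. The dump embedded below is constructed by hand in iptables-save format (it prints echo-request as `--icmp-type 8`) so the check runs offline; on the real machine pipe `iptables-save` into `check_ruleset` instead.

```shell
# Added example (not Wilson's script): verify the loaded ruleset instead of
# running "attack tests".  On the real box:  iptables-save | check_ruleset
# SAMPLE_DUMP is a hand-constructed dump in iptables-save format so this runs
# offline; iptables-save prints echo-request as "--icmp-type 8".
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# present DESC PATTERN / absent DESC PATTERN: grep the dump held in $DUMP
present() {
    if printf '%s\n' "$DUMP" | grep -Eq -- "$2"; then echo "ok   $1"
    else echo "FAIL $1"; FAILS=$((FAILS + 1)); fi
}
absent() {
    if printf '%s\n' "$DUMP" | grep -Eq -- "$2"; then echo "FAIL $1"; FAILS=$((FAILS + 1))
    else echo "ok   $1"; fi
}

# check_ruleset: reads an iptables-save dump on stdin, prints one line per
# check and returns the number of failed checks (0 = ruleset as intended).
check_ruleset() {
    DUMP=$(cat)
    FAILS=0
    present "INPUT default policy is DROP"      '^:INPUT DROP'
    present "OUTPUT default policy is DROP"     '^:OUTPUT DROP'
    present "loopback accepted"                 '^-A INPUT -i lo -j ACCEPT'
    present "established traffic accepted"      '^-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT'
    present "invalid packets dropped"           '^-A INPUT .*--state INVALID -j DROP'
    present "ping requests dropped"             '^-A INPUT -p icmp .*--icmp-type 8 -j DROP'
    present "ssh: recent list gets populated"   '^-A INPUT .*--dport 22 .*-m recent --set'
    present "ssh: 4 new connections/min limit"  '^-A INPUT .*--dport 22 .*--update --seconds 60 --hitcount 4 .*-j DROP'
    present "ssh accepted on tcp/22"            '^-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    absent  "no udp/22 rule (ssh is tcp only)"  '^-A INPUT -p udp .*--dport 22'
    return "$FAILS"
}
```

A non-zero return tells you which intended rule is missing from the kernel; it does not prove the rules behave as expected against real traffic, only that they loaded.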

