Meu Firewall - Sugestao - Correcoes - Ajustes

Iniciado por joaotime, 06 de Janeiro de 2015, 14:25

tópico anterior - próximo tópico

joaotime

Ola Pessoal Abaixo posto meu firewall - gostria de sugestão para ver se as regras estao certas - estao boas na ordem , aceito novas sugestao para que possa aprender e melhorar meu firewall para futuas implementações

#!/bin/sh

#Declaracao de variaveis
PATH=/sbin:/bin:/usr/sbin:/usr/bin

#Interfaces de Rede
internet="eth1"
redelocal="eth0"
PORTSTCP="/etc/configuracao/portastcp"
PORTSUPD="/etc/configuracao/portasupd"

#IP="192.168.0.1"
#IPS_LIBERADOS=$(cat /etc/configuracao/ip_liberados)

iniciar() {

echo "####################ATIVANDO IPTABLES#######################"

### Caregando modulos
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_tos
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_MARK
echo "Modulos Modprobe Carregados com exito.....................[ OK ]"

### Passo 1: Limpando as regras ###
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -F -t nat
echo "Limpando as regras ......................................[ OK ]"
# Definindo a Politica Default das Cadeias
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j LOG

#iptables -N FACEBOOK
echo "Politica Default das Cadeias ...........................[ OK ]"
#iptables -N FACEBOOK
echo "Politica Default das Cadeias ...........................[ OK ]"
### Passo 2: Desabilitar o trafego IP entre as placas de rede ###

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Desabilitar o trafego IP entre as placas ..............[ OK ]"
# Configurando a Protecao anti-spoofing
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
#        echo "1" > $spoofing
#done
echo "Prote ao  anti-spoofing ................................[ OK ]"
# Impedimos que um atacante possa maliciosamente alterar alguma rota
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Impedimos alterar alguma rota .........................[ OK ]"
# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) ate seu destino. Junto com spoof, isso se torna muito perigoso.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Impossibilita que o atacante determine o "caminho" ....[ OK ]"
echo "Impedimos alterar alguma rota .........................[ OK ]"
# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) ate seu destino. Junto com spoof, isso se torna muito perigoso.
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Impossibilita que o atacante determine o "caminho" ....[ OK ]"

# Protecao contra responses bogus
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Protecao contra responses bogus .......................[ OK ]"

# Protecao contra ataques de syn flood (inicio da conexao TCP). Tenta conter ataques de DoS.
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Protecao contra ataques de syn ........................[ OK ]"

# Protecao contra port scanners
#iptables -N SCANNER
#iptables -A SCANNER -m limit --limit 15/m -j LOG --log-prefix "FIREWALL: port scanner: "
#iptables -A SCANNER -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i  $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i  $internet -j SCANNER
echo "Scaner de Portas ....................................[ OK ]"
# Libera acesso externo a determinadas portas

##Algumas portas devem ser negadas.

#iptables -A INPUT -p tcp --dport 1433 -j DROP
#iptables -A INPUT -p tcp --dport 1433 -j DROP
iptables -A INPUT -p tcp --dport 6670 -j DROP
iptables -A INPUT -p tcp --dport 6711 -j DROP
iptables -A INPUT -p tcp --dport 6712 -j DROP
iptables -A INPUT -p tcp --dport 6713 -j DROP
iptables -A INPUT -p tcp --dport 12345 -j DROP
iptables -A INPUT -p tcp --dport 12346 -j DROP
iptables -A INPUT -p tcp --dport 20034 -j DROP
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 6000  -j DROP
#iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
echo "Negando portas invalidas ............................[ OK ]"
#Traceroutes caindo
#iptables -A INPUT -p udp --dport 33434:33523 -j DROP
#iptables -A INPUT -p tcp --dport 113 -j REJECT
#iptables -A INPUT -p igmp -j REJECT
#iptables -A INPUT -p tcp --dport 80 -j DROP
#iptables -A INPUT -p tcp --dport 443 -j REJECT
echo "Rejeitando lixo :....................................[ OK ]"
#iptables -I FORWARD -s 192.168.0.25 -j ACCEPT

# Regra Para Cameras
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 4550 -j DNAT --to-destination 192.168.0.4
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 5550 -j DNAT --to-destination 192.168.0.4
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 6550 -j DNAT --to-destination 192.168.0.4
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1200 -j DNAT --to-destination 192.168.0.4
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 37777 -j DNAT --to-destination 192.168.0.4

# Banco de dados Mysql
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1025 -j DNAT --to-destination 192.168.0.10
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.0.10
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.10

# Servido Sql dsoft
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1433 -j DNAT --to-destination 192.168.0.23
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 5022 -j DNAT --to-destination 192.168.0.23
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1035 -j DNAT --to-destination 192.168.0.23
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1500 -j DNAT --to-destination 192.168.0.11
# Banco de dados Mysql Servidor
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.0.1

#Failt System
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 3300 -j DNAT --to-destination 192.168.0.21:3300
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 12020 -j DNAT --to-destination 192.168.0.21

# Demais Servidore
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.9
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 33899 -j DNAT --to-destination 192.168.0.110:33899
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 7832 -j DNAT --to-destination 192.168.0.17:7832
#iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 7832 -j DNAT --to-destination 192.168.0.17:7832
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1243 -j DNAT --to-destination 192.168.0.16:1243
iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1232 -j DNAT --to-destination 192.168.0.232:1232
#iptables -t nat -A PREROUTING -i $internet -p tcp -m tcp --dport 1738 -j DNAT --to-destination 192.168.0.1
echo "Maquinas Liberadas.........................................[ OK ]"
iptables -A FORWARD -s 192.168.0.25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.209 -j ACCEPT
iptables -A FORWARD -s 192.168.0.16 -j ACCEPT
iptables -A FORWARD -s 192.168.0.17 -j ACCEPT
iptables -A FORWARD -s 192.168.0.36 -j ACCEPT
iptables -A FORWARD -s 192.168.0.37 -j ACCEPT
iptables -A FORWARD -s 192.168.0.7 -j ACCEPT
iptables -A FORWARD -s 192.168.0.110 -j ACCEPT
iptables -A FORWARD -s 192.168.0.2 -j ACCEPT
iptables -A FORWARD -s 192.168.0.29 -j ACCEPT
iptables -A FORWARD -s 192.168.0.4 -j ACCEPT

iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.25 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.209 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.16 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.17 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.36 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.37 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.7 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.110 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.2 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.29 -j RETURN
iptables -t nat -A PREROUTING -i $redelocal -p tcp -s 192.168.0.4 -j RETURN
echo "Regras Terminal Server ....................................[ OK ]"

iptables -t nat -A PREROUTING -i  $redelocal -p tcp --dport 80 -j REDIRECT --to-port 3128

echo "Regra Squid................................................[ OK ]"
# Libera as portas UPD / TCP

#PORTA 3128 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i  $redelocal -p tcp --dport 3128 -j ACCEPT
#PORTA 53 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i  $redelocal -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i  $redelocal -p udp --dport 53 -j ACCEPT

#PORTA 110 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i  $redelocal -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i  $redelocal -p udp --dport 110 -j ACCEPT

# PORTA 25 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i  $redelocal -p tcp --dport 25 -j ACCEPT
# https
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A FORWARD -i  $redelocal -p tcp --dport 443 -j ACCEPT


################### REGRAS DE LIBERACAO DE PORTAS ############################

########## REGRAS DE LIBERACAO DE PORTAS TCP##################################
for i in `cat $PORTSTCP`; do
        iptables -A INPUT -p tcp -m multiport --dports $i -j ACCEPT
        iptables -A OUTPUT -p tcp -m multiport --dports $i -j ACCEPT
        iptables -A FORWARD -p tcp -m multiport --dports $i -j ACCEPT
        echo "PORTA TCP  $i LIBERADA".
done
echo "Portas TCP LIBERADAS.............................................[ OK ]"

################### REGRAS DE LIBERACAO DE PORTAS UDP ########################
for i in `cat $PORTSUPD`; do
        iptables -A INPUT -p udp -m multiport --dports $i -j ACCEPT
        iptables -A OUTPUT -p udp -m multiport --dports $i -j ACCEPT
        iptables -A FORWARD -p udp -m multiport --dports $i -j ACCEPT
        echo "PORTA UPD $i LIBERADA".
done
echo " Portas UPD LIBERADAS............................................[ OK ]"

######################################################################################
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
######################################################################################

#bloqueia  qualquer tentativa de nova conexao de fora para esta maquina

#iptables -A INPUT -i  $internet -m state --state ! ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "FIREWALL entrada "
# ver esta regra em outro firewall

#iptables -A INPUT -i  $internet -m state --state ! ESTABLISHED,RELATED -j DROP
#no iptables, temos de dizer quais sockets sao validos em uma conexao
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Cadeia de Entrada ...................................[ OK ]"
################################
# Primeiro, ativar o mascaramento (nat).
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o  $internet -j MASQUERADE
echo "Ativando o mascaramento..................................[ OK ]"
# Agora dizemos quem e o que podem acessar externamente
# O controle do acesso a rede externa e feito na cadeia "FORWARD"
iptables -A FORWARD -i  $internet -j ACCEPT
iptables -A FORWARD -o  $internet -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Ativando o acesso ftp.. .............................[ OK ]"
#BROQUEANDO TODAS AS SAIDAS E PORTAS

iptables -A INPUT -p all -j DROP
iptables -A FORWARD -p all -j DROP

echo "Rejeitando saida e entrada ..........................[ OK ]"
########################

# No iptables, temos de dizer quais sockets sao validos em uma conexao


iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Quais sockets sao validos ...........................[ OK ]"


#################################################

# Tabela FILTER

#################################################
# Protecao contra tronjans
iptables -A INPUT -p TCP -i  $internet --dport 666 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 4000 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 6000 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 6006 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 16660 -j DROP
# Protecao contra trinoo
# Protecao contra trinoo
# -------------------------------------------------------
iptables -A INPUT -p TCP -i  $internet --dport 27444 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 27665 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 31335 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 34555 -j DROP
iptables -A INPUT -p TCP -i  $internet --dport 35555 -j DROP
echo "Protecao contrara trinoo ............................. [ OK ]"
# Protecao contra acesso externo squid
#iptables -A INPUT -p TCP -i  $internet --dport 3128 -j DROP
#iptables -A INPUT -p TCP -i  $internet --dport 80 -j DROP
#iptables -A INPUT -p TCP -i  $internet --dport 8080 -j DROP
echo "Protecao contra squid externo....................... [ OK ]"

# Protecao contra telnet
iptables -A INPUT -p TCP -i  $internet --dport telnet -j DROP
echo "Protecao contra telnet       ....................... [ OK ]"
# Dropa pacotes TCP indesejaveis
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Protecao contra worms
iptables -A FORWARD -p tcp --dport 135 -i  $internet -j REJECT

# Protecaocontra syn-flood
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

# Protecao contra ping da morte
#iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


#Allow ALL other forwarding going out
iptables -A FORWARD -o  $internet -i  $redelocal -j ACCEPT

echo "Caregado tabela filter ............................ [ OK ]"

# Finalmente: Habilitando o trafego IP, entre as Interfaces de rede

echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "Habilitar o trafego IP entre as placas: .............[ OK ]"

echo "##################FIM DE REGRAS IPTABLES####################"

}

parar() {
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo
echo "==============================================================================="
echo "| FIREWALL DESLIGADO |"
echo

}
status() {
$IPT -L -v -n
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
"status") status;;
*) echo "Use os parametros start ou stop ou restart ou status"
esac