Igor Barros

[Firewall] Proteção contra ip spoofing e etc...


Peguei esse firewall na net (não tenho mais o link) há algum tempo e uso ele no meu VPS na burst.

Troque venet0 e venet0:1 pelo nome de suas interfaces de rede.

Crie um arquivo em /etc/init.d/firewallP com o conteúdo abaixo. Aí, para ativar, é só usar: /etc/init.d/firewallP start


#!/bin/bash         

 # **********************************************    

 # ** Script de firewall para proteção básica

 # **********************************************    

 # Declaração de variáveis.   

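 # Configuration shared by start()/stop().
 # FIREWALL: install path of this script (informational; nothing below reads it,
 #           and note the post text installs it as /etc/init.d/firewallP).
 # WAN1:     public-facing interface; the one value to change for another VPS.
 FIREWALL='/etc/init.d/firewall'
 WAN1='venet0'
 # command -v is a shell builtin and works everywhere; `which` is an external
 # tool that is absent or prints differently on some minimal images.
 IPTABLES=$(command -v iptables)
 MODPROBE=$(command -v modprobe)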



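 # Append one ACCEPT rule for inbound traffic on a port (or first:last range).
 #   $1 - protocol (tcp|udp)    $2 - port or port range
 fw_allow_in() {
   iptables -A INPUT -p "$1" --dport "$2" -j ACCEPT
 }

 # Create a user chain that writes a rate-limited kernel LOG line, then DROPs.
 #   $1 - chain name    $2 - log prefix
 fw_log_drop_chain() {
   iptables -N "$1"
   iptables -A "$1" -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "$2"
   iptables -A "$1" -j DROP
 }

 # Flush rules (-F), delete user chains (-X) and zero counters (-Z) in the
 # filter, nat and mangle tables, in that order.
 fw_reset_tables() {
   local flag
   for flag in -F -X -Z; do
     iptables "$flag"
     iptables -t nat "$flag"
     iptables -t mangle "$flag"
   done
 }

 #######################################
 # Load the whole ruleset: reset, DROP-by-default policies, service ports,
 # logging chains for well-known malware ports, kernel hardening sysctls.
 # Globals:      WAN1 (read) - public interface; MODPROBE (read) - modprobe path
 # Outputs:      progress messages on stdout
 # Side effects: rewrites the iptables ruleset, writes /proc/sys/net/ipv4/*,
 #               creates /var/lock/subsys/iptables
 #######################################
 start() {
   # The interface used to be hard-coded as venet0 in every rule; WAN1 is now
   # the single place to change it. Fallbacks keep the historical values if
   # the variables are unset (the original ran 'ip_tables' as a command when
   # MODPROBE was empty).
   local wan=${WAN1:-venet0}
   local modprobe=${MODPROBE:-modprobe}
   local port

   echo "-------------------------------------"
   echo "Firewall!"
   echo "-------------------------------------"
   echo 'Loading modules...'
   "$modprobe" 'ip_tables'
   "$modprobe" 'x_tables'
   echo 'Cleaning up firewall...'
   fw_reset_tables

   # Everything inbound or forwarded is dropped unless a rule below accepts it.
   iptables -P INPUT DROP
   iptables -P FORWARD DROP
   iptables -P OUTPUT ACCEPT
   echo 'OK -> Default policy defined...'

   echo 'OK -> Loopback interface enabled...'
   iptables -A INPUT -i lo -j ACCEPT

   # Rate-limit new TCP connections crossing the box. This is FORWARD only;
   # with ip_forward left disabled below the chain sees no traffic.
   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
   echo 'OK -> DOS Protection'

   #echo 'OK -> Comunication trought interfaces enabled...'
   #echo '1' > /proc/sys/net/ipv4/ip_forward

   # Drop new/invalid forwarded packets leaving through the WAN interface.
   iptables -A FORWARD -o "$wan" -m state --state NEW,INVALID -j DROP

   # SSH: only the SYN is accepted here; the rest of the connection matches
   # the ESTABLISHED,RELATED rule further down. Brute-force protection is
   # delegated to fail2ban, not done by iptables.
   iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
   echo 'OK -> Accepted SSH Connection (fail2ban enabled)...'

   iptables -A INPUT -m state --state INVALID -j DROP
   echo "OK -> Blocking attacks..."

   # Drop forwarded packets carrying exactly SYN+ACK (replies to SYNs that
   # were never forwarded).
   iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
   echo "OK -> Spy-packages protection..."

   # UDP port range used by traceroute probes.
   iptables -A INPUT -p udp -s 0/0 -i "$wan" --dport 33435:33525 -j DROP
   echo "OK -> Blocking traceroute..."

   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
   echo "OK -> Internet security rules..."

   # Kernel hardening: no source routing or ICMP redirects, SYN cookies,
   # reverse-path filtering, ignore bogus/broadcast ICMP, log martians.
   echo 0 > "/proc/sys/net/ipv4/conf/$wan/accept_source_route"
   echo 0 > "/proc/sys/net/ipv4/conf/$wan/accept_redirects"
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
   echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
   echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
   echo "OK -> Kernel protections..."

   #Liberar WebMin
   #iptables -A INPUT -p udp --dport 10000 -j ACCEPT
   #iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

   # Service ports. Every port below is opened to the whole internet: delete
   # the lines for services this host does not run, and restrict admin-only
   # services (MySQL 3306, FTP 21) with a -s <trusted network> match rather
   # than exposing them globally.
   echo "------> Abrindo Portas do Apache"
   fw_allow_in tcp 80
   fw_allow_in tcp 443
   #iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
   #iptables -A INPUT -p tcp --dport 45659 -j ACCEPT

   # The original wrote these banners as `echo"..."` (no space), which bash
   # treats as an unknown command name instead of echo. SMTP/POP3/IMAP are
   # TCP-only; the udp rules are kept as the author had them but do nothing
   # useful.
   echo "-------> Abrindo Portas para Email"
   for port in 25 110 143 465 587 995 993; do
     fw_allow_in tcp "$port"
     fw_allow_in udp "$port"
   done
   echo "-------> Abrindo Portas para DNS"
   fw_allow_in tcp 53
   fw_allow_in udp 53
   echo "-------> Abrindo Portas para MYSQL"
   fw_allow_in tcp 3306
   fw_allow_in udp 3306
   echo "-------> Abrindo Portas para FTP"
   fw_allow_in tcp 21
   fw_allow_in udp 21
   # tcp/22 is already accepted by the --syn rule above; the duplicate tcp
   # rule and the meaningless udp/22 rule of the original are not re-added.
   echo "-------> Abrindo Portas para SSH"

   #Proteções Adicionais
   #iptables -A INPUT -p tcp --dport 5900 -j DROP
   #iptables -A INPUT -p tcp --dport 53 -j DROP

   #echo 'OK -> Definido redirecionamento de proxy transparente'
   #iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j REDIRECT --to-port 3128

   # Ping flood: forwarded echo-requests limited to 1/s.
   iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

   # Logging chains for ports historically used by DDoS agents and trojans.
   # Under the INPUT DROP policy these packets would be discarded anyway; the
   # chains add a rate-limited kernel log line so the attempts are visible.
   fw_log_drop_chain TRINOO "FIREWALL: trinoo: "
   for port in 27444 27665 31335 34555 35555; do
     iptables -A INPUT -p TCP -i "$wan" --dport "$port" -j TRINOO
   done
   echo 'OK -> Trinoo protection...'

   fw_log_drop_chain TROJAN "FIREWALL: trojan: "
   for port in 666 4000 6000 6006 16660; do
     iptables -A INPUT -p TCP -i "$wan" --dport "$port" -j TROJAN
   done
   echo 'OK -> Trojan protection...'

   iptables -A FORWARD -p tcp --dport 135 -i "$wan" -j REJECT
   echo 'OK -> Worm protection...'

   # Illegal TCP flag combinations typical of stealth scans (xmas, null,
   # SYN+FIN, SYN+RST ...). Logged and dropped via the SCANNER chain.
   fw_log_drop_chain SCANNER "FIREWALL: port scanner: "
   iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags ALL NONE -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags ALL ALL -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i "$wan" -j SCANNER
   iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i "$wan" -j SCANNER
   echo 'OK -> Port Scanner Protection...'

   ## BLOQUEANDO PORT SCANNERS OCULTOS
   iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
   echo 'OK -> Hidden Port Scanner Protection...'

   # Legacy backdoor ports. New connections to them already hit the INPUT
   # DROP policy; the explicit rules are kept from the original for clarity.
   iptables -A INPUT -p tcp -m tcp --dport 31337 -j DROP
   iptables -A INPUT -p udp -m udp --dport 31337 -j DROP
   echo 'OK -> BackOrifice Protection...'
   iptables -A INPUT -p tcp -m tcp --dport 12345:12346 -j DROP
   iptables -A INPUT -p udp -m udp --dport 12345:12346 -j DROP
   echo 'OK -> NetBus Protecion...'

   # NAT for traffic leaving through the WAN interface; only relevant if
   # ip_forward is enabled above.
   iptables -A POSTROUTING -t nat -o "$wan" -j MASQUERADE
   echo 'OK -> Packages output masquerading...'

   echo
   # Lock file read by init-style tooling to tell whether the service is up.
   mkdir -p /var/lock/subsys/
   touch /var/lock/subsys/iptables
 }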


   # Run one iptables flag against the filter, nat and mangle tables in turn.
   #   $1 - iptables flag (-F, -X or -Z)
   fw_each_table() {
     iptables "$1"
     iptables -t nat "$1"
     iptables -t mangle "$1"
   }

   #######################################
   # Remove every rule and user chain, zero the counters, reset the built-in
   # policies to ACCEPT and delete the lock file. Leaves the host unfiltered.
   # Outputs: progress messages on stdout
   #######################################
   stop() {
     local chain
     echo "Stopping Firewall!"
     echo "OK -> Flushing all chains"
     fw_each_table -F
     echo "OK -> Removed user defined chains"
     fw_each_table -X
     fw_each_table -Z
     for chain in INPUT FORWARD OUTPUT; do
       iptables -P "$chain" ACCEPT
     done
     echo "OK -> Resetted built-in chains to the default ACCEPT policy"
     echo OK
     echo
     rm -f /var/lock/subsys/iptables
   }


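  # Init-style dispatcher on the action word passed as $1.
  case "$1" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart)
      # start() flushes and rebuilds the rules under whatever policies are
      # already in place (DROP after a previous start), so the host is never
      # left open during the reload. A stop/start pair would briefly reset the
      # policies to ACCEPT, so calling start alone is the correct choice here.
      start
      ;;
    status)
      iptables --list
      ;;
    panic)
      # Lock everything down: DROP policies on all built-in chains, then
      # remove every rule so nothing can accept traffic.
      echo "OK -> Changed target policies to DROP"
      iptables -P INPUT DROP \
        && iptables -P FORWARD DROP \
        && iptables -P OUTPUT DROP \
        && echo
      echo "OK -> Flushing all chains"
      # Flush every chain of the filter table, not only the three built-ins:
      # the user chains created by start() (TRINOO, TROJAN, SCANNER) still
      # hold rules otherwise, and iptables -X cannot delete a non-empty chain.
      iptables -F
      echo "OK -> Removed user defined chains"
      iptables -X
      echo "OK -> Extremelly paranoic mode [ON] (yes, you can be more paranoic than the default start function)"
      ;;
    *)
      # Usage errors go to stderr with a non-zero status so service managers
      # and callers can tell them apart from a successful action.
      echo "Opções disponíveis são: start|stop|restart|status|panic" >&2
      exit 1
      ;;
  esac
  exit 0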




Não respondo dúvidas em particular, nem via msn, bilhete elegante, PM, foto de mulher bonita no perfil, telegrama, pombo correio, sinal de fumaça, dança da chuva, fogueira, ou qualquer outra forma válida e/ou bizarra. Pergunte no fórum assim todos podem compartilhar a pizza.
