Modelo - Firewall 3.x


Script IPTABLES


#!/bin/bash
#                                                                                    #
#                       LupaFW - Firewall Linux / LupaInformatica                    #
#                                                                                    #
# Autor: Marcio dos Santos / marcio@lupainformatica.com.br                           #
#                                                                                    #
# Bloqueio do trafego entre sub-redes                                                #
# Ultima modificação por Ivandro Conradi / dia 19-07-19                              #
# Ultima modificação por Mestre Supremo / dia 17-08-2012                             #
#                                                                                    #
# Politicas de Segurança para redes lan com controle de acesso e filtros de conteudo #
#                                                                                    #
#------------------------------------------------------------------------------------#
#               Rua Wanderley Júnior, Ed. Dibernardi Tower, 05, Loja 12              #
#                     Campinas - São José - SC - CEP: 88101-010                      #
#                    Fone: (48) 3035-2366 | Fax: (48) 3241-1366                      #
#------------------------------------------------------------------------------------#

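# Global variables
#
# NOTE(review): every address, interface and tool path is hard-coded here.
# ALL, LO, NET, NET2, IP_NET2, XEN, WEB2 and IFCFG are not referenced by any
# function in this file.
# -----------------------------------------------------------------------------------#
IF_LO="lo"              # Loopback interface
IF_LAN="eth1"           # Inside (LAN) interface
IF_NET2="eth0"          # Internet interface
IF_NET="eth2"           # Internet interface - redundant link
#------------------------------------------------------------------------------------#

#------------------------------------------------------------------------------------#
ALL="0/0"
# NOTE(review): three-octet shorthand; confirm the installed iptables parses
# it as 192.168.0.0/24 rather than failing on "host/network not found".
LAN="192.168.0/24"
NET2="10.1.1.0/24"
NET="189.90.54.88/30"
LO="127.0.0.1/8"
IPFW="/sbin/iptables"
IFCFG="/sbin/ifconfig"  # unused: the (commented-out) caller in politicas() refers to $IFCONFIG
MODPROBE="/sbin/modprobe"
#------------------------------------------------------------------------------------#
#GW="10.1.1.1"
GW="189.90.54.89"       # default gateway installed by rota_padrao()
#------------------------------------------------------------------------------------#
IP_LO="127.0.0.1"
#IP_NET="`ifconfig eth0 |grep "inet end." |cut -d : -f 2 | cut -d " " -f2`"
IP_NET2="10.1.1.2"
IP_NET="189.90.54.90"   # presumably this host's address on IF_NET (inside NET, next to GW)
IP_LAN="192.168.0.1"    # presumably this host's address on IF_LAN

#------------------------------------------------------------------------------------#
# Server addresses (DNAT targets and FORWARD destinations used by politicas())
WEB="192.168.0.10"
WEB2="192.168.0.11"
WEB_PRO="192.168.0.14"
XEN="192.168.0.10"      # same address as WEB
APLIC="192.168.0.35"
NOC="192.168.0.2"
FTP="192.168.0.9"
DNS1="192.168.0.30"
DNS2="192.168.0.31"
MARCIO="192.168.0.15"
VIRT="192.168.0.11"     # same address as WEB2
# politicas() references $CONRADI, but the original only defined the
# misspelled CAONRADI, so the rule expanded to "-d -p tcp ..." and iptables
# rejected it. Define the name that is actually used and keep the old
# spelling as an alias so nothing that may read it breaks.
CONRADI="192.168.0.16"
CAONRADI="$CONRADI"
#ARTHUR=""
#JUNIOR=""
#IPS_LP=""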



#------------ REGRAS E FUNÇÕES DO FIREWALL ------------------------------------------#

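# Lets one address bypass the proxy: inserts an ACCEPT at the head of
# nat/PREROUTING for TCP from $IP_LIBERADO1, ahead of the squid REDIRECT.
# Not called from start() (the call there is commented out).
# Globals:   IPFW (read), IP_LIBERADO1 (read; not defined anywhere in this file)
# Returns:   1 without touching iptables when IP_LIBERADO1 is unset or empty,
#            otherwise the iptables exit status
liberaip(){
  # An empty value would leave "-s -j ACCEPT" on the command line and make
  # iptables reject the rule; fail early with a readable message instead.
  if [[ -z "${IP_LIBERADO1:-}" ]]; then
    printf 'liberaip: IP_LIBERADO1 is not set; no bypass rule added\n' >&2
    return 1
  fi
  "$IPFW" -t nat -I PREROUTING -p tcp -s "$IP_LIBERADO1" -j ACCEPT
}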

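# Transparent proxy: redirects HTTP (tcp/80) arriving on the inside interface
# to the local squid on port 3128. Called from start().
# Only port 80 is redirected; any other port goes straight through FORWARD
# (whose policy stop() leaves at ACCEPT), so this is not a proxy enforcement.
# Globals:   IPFW, IF_LAN (read)
# Returns:   the iptables exit status
squid(){
  # Use the interface variable instead of the literal "eth1" so this rule
  # follows IF_LAN like every other LAN rule in the file.
  "$IPFW" -t nat -A PREROUTING -i "$IF_LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
}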
#-----------------------------------------------------------------------------------#


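# Rejects TCP to a set of ports historically used by trojans/backdoors, both
# to this host (INPUT) and through it (FORWARD). Rule order within each chain
# is the same as the original hand-written list.
# Arguments: optional list of TCP ports; defaults to 666 4000 6000 6006 1660
# Globals:   IPFW, IP_LAN (read)
# Returns:   status of the last iptables call
# NOTE(review): the match is "-s $IP_LAN", i.e. only packets whose source is
# the firewall's own LAN address, not the LAN subnet ($LAN). This looks like
# $LAN was intended — confirm before changing, as it widens the block.
trojan(){
  local -a ports=("$@")
  (( ${#ports[@]} > 0 )) || ports=(666 4000 6000 6006 1660)
  local port
  for port in "${ports[@]}"; do
    "$IPFW" -A INPUT -s "$IP_LAN" -p TCP --dport "$port" -j REJECT
    "$IPFW" -A FORWARD -s "$IP_LAN" -p TCP --dport "$port" -j REJECT
  done
}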

# Drops forwarded traffic to well-known P2P services (iMesh, BearShare,
# WinMX, KaZaa), matched either by destination network or by TCP port.
# Rules are added in the same order as the original list.
# Globals:   IPFW (read)
# Returns:   status of the last iptables call
# NOTE(review): the address blocks come from the original script and are
# not verified here; static lists like this go stale quickly.
p2p(){
  # Each entry is "net:<cidr>" or "port:<tcp port>".
  local -a targets=(
    net:216.35.208.0/24   # iMesh
    port:6346             # BearShare
    net:209.61.186.0/24   # WinMX
    net:64.49.201.0/24    # WinMX
    net:213.248.112.0/24  # KaZaa
    port:1214             # KaZaa
  )
  local entry
  for entry in "${targets[@]}"; do
    case "$entry" in
      net:*)  "$IPFW" -A FORWARD -d "${entry#net:}" -j DROP ;;
      port:*) "$IPFW" -A FORWARD -p TCP --dport "${entry#port:}" -j DROP ;;
    esac
  done
}

#openbsd(){
#      $IPFW -t nat -A PREROUTING -p tcp --dport 6622 -j DNAT --to-destination $IP_LAN:22
#}


#######################################
# Loads the whole rule set: netfilter modules, /proc/sys settings, ACCEPT
# rules for loopback / own addresses / ICMP / stateful traffic, an SSH
# throttle, LAN forwarding, MASQUERADE on both uplinks and the DNAT port
# forwards to internal servers.
# Globals:   IPFW, MODPROBE, IF_LO, IF_LAN, IF_NET, IF_NET2, IP_LO, IP_NET,
#            IP_LAN, LAN, DNS1, NOC, MARCIO, CONRADI, FTP, WEB, WEB_PRO,
#            VIRT, APLIC (read). CONRADI is not defined in the variable block
#            (it is spelled CAONRADI there), so those two rules fail.
# Outputs:   progress lines on stdout; writes under /proc/sys/net/ipv4
# Returns:   status of the final echo; iptables/modprobe/echo failures are
#            not checked, so a broken rule is silently skipped.
#
# NOTE(review): the "-P ... DROP" lines just below are commented out and
# stop() — which start() runs first — sets INPUT/OUTPUT/FORWARD to ACCEPT.
# Nothing in this function sets a policy, so every ACCEPT rule here is a
# no-op and only the explicit REJECT/DROP rules (SSH-INPUT below, trojan(),
# p2p()) actually restrict traffic. The box runs fail-open, not default-deny.
#######################################
politicas(){

## Firewall default policies (disabled; see note above)
#echo -n "       - Definindo politicas do firewall (DROP -> INPUT/FORWARD)...."
#$IPFW -P INPUT DROP
#$IPFW -P FORWARD DROP
#echo "OK"

## Load netfilter modules. These are the legacy ip_conntrack/ip_nat_* names;
## on newer kernels modprobe may fail, and the status is not checked.
echo -n "       - Caregando modulos.........................................."
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ipt_LOG
$MODPROBE ipt_REJECT
$MODPROBE ipt_MASQUERADE
echo "OK"

## Kernel settings, written straight to /proc (no error checking)
echo -n "       - Configurando o KERNEL......................................"
#$IFCONFIG $IF_LAN:1 $RIGEL_LAN netmask $MASK_LAN

## Enable IPv4 forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#sysctl -w net.ipv4.ip_forward=1

## Default TTL 128 (the Linux default is 64)
echo "128" > /proc/sys/net/ipv4/ip_default_ttl

## Disable reverse-path (source-address) filtering on all interfaces.
## NOTE(review): this removes the kernel's own anti-spoofing check; with two
## uplinks it was presumably done to tolerate asymmetric routing, in which
## case loose mode (2) keeps most of the protection — confirm.
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter

## Raise the ARP/neighbour cache garbage-collection thresholds
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2

echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3

echo "OK"


## Allow loopback and anything whose source is one of this host's addresses.
## NOTE(review): the string below contains a literal line break, so this
## "-n" progress line prints as two lines; presumably meant to be one.
echo -n "       - Liberando o acesso
LOOPBACK................................"
$IPFW -A INPUT -i $IF_LO -j ACCEPT
## NOTE(review): the next three rules match on source address only, with no
## "-i". A packet arriving on any interface that carries one of these
## sources is accepted, and rp_filter was disabled above, so the kernel will
## not drop it either. Bind them to the interface the address belongs to
## (e.g. "-i $IF_LO -s $IP_LO") or drop them — the "-i $IF_LO" rule already
## covers real loopback traffic.
$IPFW -A INPUT -s $IP_LO -j ACCEPT
$IPFW -A INPUT -s $IP_NET -j ACCEPT
$IPFW -A INPUT -s $IP_LAN -j ACCEPT
echo "OK"

## Allow other servers (nothing here)

## ICMP: the 1/second limit is commented out; all ICMP is accepted unlimited,
## although the progress message still claims a limit.
echo -n "       - Aceitando apenas 1 ping por segundo........................"
#$IPFW -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
#$IPFW -A FORWARD -p icmp -m limit --limit 1/second -j ACCEPT
$IPFW -A INPUT -p icmp -j ACCEPT
$IPFW -A FORWARD -p icmp -j ACCEPT
echo "OK"

## Stateful: accept ESTABLISHED/RELATED for tcp, udp and GRE (protocol 47).
## NOTE(review): no GRE conntrack helper is loaded above, so whether the
## state match ever sees GRE as ESTABLISHED is not verified here.
echo -n "       - Habilitando o STATEFULL...................................."
$IPFW -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPFW -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPFW -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPFW -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPFW -A FORWARD -p 47 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "OK"

## SSH brute-force throttle for connections to this host: a source with more
## than 3 NEW connections in 60 s is sent to SSH-INPUT, which drops it after
## 10 hits, otherwise logs and rejects.
## NOTE(review): every rule is scoped to "-s $LAN", so SSH from the uplinks
## is not throttled at all — and with the INPUT policy at ACCEPT it reaches
## sshd unrestricted. The LOG rule has no "-m limit", so a burst can flood
## the log.
echo -n "       - Controla acesso SSH (bruteforce)..........................."
$IPFW -N SSH-INPUT
$IPFW -F SSH-INPUT
$IPFW -A INPUT -p tcp --dport 22 -s $LAN -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 3 -j SSH-INPUT
$IPFW -A INPUT -p tcp --dport 22 -s $LAN -m state --state NEW -m recent --set --name SSH
$IPFW -A SSH-INPUT -s $LAN -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
$IPFW -A SSH-INPUT -j LOG --log-prefix SSH-Bruteforce:
$IPFW -A SSH-INPUT -p tcp -s $LAN -j REJECT --reject-with tcp-reset
$IPFW -A SSH-INPUT -j REJECT
echo "OK"

## Allow access to this host from a list of addresses (disabled; IPS_LP is
## also commented out in the variable block)
#echo -n "       - Liberando acesso para este servidor (INPUT)................"
#for ip in `echo $IPS_LP`
#do
#  $IPFW -A INPUT -s $ip -p tcp --dport 22 -j ACCEPT
#done
#echo "OK"

## Allow LAN access to services on this host: ssh, DNS, HTTP and squid
echo -n "       - Liberando acesso para a rede interna......................."
$IPFW -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT

#IPFW -A INPUT -i $IF_LAN -p tcp --dport 161 -j ACCEPT
$IPFW -A INPUT -i $IF_LAN -p tcp --dport 53 -j ACCEPT
$IPFW -A INPUT -i $IF_LAN -p udp --dport 53 -j ACCEPT

$IPFW -A INPUT -i $IF_LAN -p tcp --dport 80 -j ACCEPT
$IPFW -A INPUT -i $IF_LAN -p tcp --dport 3128 -j ACCEPT
echo "OK"

## Allow the LAN out through the firewall (FORWARD): VPN ports 1194-1198,
## DNS, FTP, ssh, SMTP, POP3, RDP, 22222, 5500-5530 and SNMP.
## (Moot while the FORWARD policy is ACCEPT; see the note at the top.)
echo -n "       - Liberando o roteamento da LAN pelo Firewall................"
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 1194 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 1194 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 1195 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 1195 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 1196 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 1196 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 1197 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 1197 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 1198 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 1198 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 53 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 53 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 20 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 20 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 21 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 21 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 22 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 25 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 110 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 3389 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 22222 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 5500:5530 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p udp --dport 161 -j ACCEPT
$IPFW -A FORWARD -i $IF_LAN -s $LAN -p tcp --dport 161 -j ACCEPT
#$IPFW -t nat -N PROXY
#$IPFW -t nat -F PROXY
#$IPFW -t nat -A PREROUTING -i $IF_LAN -p tcp -d $IP_NET --dport 80 -j PROXY
#$IPFW -t nat -A PROXY -p tcp -d $IP_LAN -j ACCEPT
#$IPFW -t nat -A PROXY -s $IP_LIBERADO1 -j ACCEPT
#$IPFW -A FORWARD -s $IP_LIBERADO1 -j ACCEPT
#$IPFW -t nat -A PROXY -p tcp -d $IP_LAN --dport 80 -j REDIRECT --to-port 3128
echo "OK"

# Outbound masquerading on both uplinks
echo -n "       - Ativando o mascaramento (NAT/SNAT) saida (pelo link NET).."

### General NAT - out via IF_NET and IF_NET2:
$IPFW -t nat -A POSTROUTING -o $IF_NET -j MASQUERADE
$IPFW -t nat -A POSTROUTING -o $IF_NET2 -j MASQUERADE
#$IPFW -t nat -A POSTROUTING -o bond0 -j MASQUERADE
echo "OK"
# Port forwards to internal servers
echo -n "       - Realizando redirecionamentos..............................."

### Forward everything on the public address to one LAN device (disabled)
#$IPFW -t nat -A PREROUTING -i $IF_LAN -d $IP_NET -j DNAT --to-destination $IP_LAN

#VPN
# NOTE(review): "-d $IF_NET" passes the interface name ("eth2") where an
# address is expected; iptables will try to resolve it as a hostname and
# these ten rules fail. Presumably $IP_NET was meant — confirm.
$IPFW -A FORWARD -d $IF_NET -p udp --dport 1194 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p tcp --dport 1194 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p udp --dport 1195 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p tcp --dport 1195 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p udp --dport 1196 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p tcp --dport 1196 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p udp --dport 1197 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p tcp --dport 1197 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p udp --dport 1198 -j ACCEPT
$IPFW -A FORWARD -d $IF_NET -p tcp --dport 1198 -j ACCEPT

#DNS: forward all port-53 traffic arriving on the uplink to DNS1.
# NOTE(review): this exposes DNS1 to the whole internet; if DNS1 recurses
# for arbitrary clients it becomes an open resolver. Restrict the source or
# make sure DNS1 only answers authoritatively.
$IPFW -A FORWARD -d $DNS1 -p udp --dport 53 -j ACCEPT
$IPFW -A FORWARD -d $DNS1 -p tcp --dport 53 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p udp --dport 53 -j DNAT --to $DNS1:53
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 53 -j DNAT --to $DNS1:53

#NOC: external 2323 -> ssh, external 5001 -> 5001
$IPFW -A FORWARD -d $NOC -p tcp --dport 22 -j ACCEPT
$IPFW -A FORWARD -d $NOC -p tcp --dport 5001 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 5001 -j DNAT --to $NOC:5001
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2323 -j DNAT --to $NOC:22

#NOC: exact duplicate of the four rules above (added twice; harmless but noisy)
$IPFW -A FORWARD -d $NOC -p tcp --dport 22 -j ACCEPT
$IPFW -A FORWARD -d $NOC -p tcp --dport 5001 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 5001 -j DNAT --to $NOC:5001
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2323 -j DNAT --to $NOC:22

#MARCIO: external 2121 -> ssh
$IPFW -A FORWARD -d $MARCIO -p tcp --dport 22 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2121 -j DNAT --to $MARCIO:22
#$IPFW -A FORWARD -d $MARCIO -p tcp --dport 22 -j ACCEPT
#$IPFW -t nat -A PREROUTING -i $IF_NET2 -p tcp --dport 2121 -j DNAT --to $MARCIO:22


#CONRADI: external 2222 -> ssh
# NOTE(review): $CONRADI is never defined (the variable block spells it
# CAONRADI), so both rules expand with an empty address and fail.
$IPFW -A FORWARD -d $CONRADI -p tcp --dport 22 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2222 -j DNAT --to $CONRADI:22

#FTP
# NOTE(review): the FORWARD accept is for $NOC but the DNAT sends port 21
# to $FTP; one of the two addresses is wrong (moot while FORWARD is ACCEPT).
$IPFW -A FORWARD -d $NOC -p tcp --dport 21 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 21 -j DNAT --to $FTP:21

#WEB: port 80 from either uplink
$IPFW -A FORWARD -d $WEB -p tcp --dport 80 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET2 -p tcp --dport 80 -j DNAT --to $WEB:80
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 80 -j DNAT --to $WEB:80

#WEB-PROJETOS: external 81 -> internal 80
# NOTE(review): after DNAT the packet's destination port is 80, so a FORWARD
# rule on --dport 81 never matches it; it should be --dport 80 (same for the
# 88 -> 80 rule below). Moot while FORWARD is ACCEPT, wrong once it is DROP.
$IPFW -A FORWARD -d $WEB_PRO -p tcp --dport 81 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET2 -p tcp --dport 81 -j DNAT --to $WEB_PRO:80
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 81 -j DNAT --to $WEB_PRO:80

#VirtualBox host: external 2211 -> ssh
$IPFW -A FORWARD -d $VIRT -p tcp --dport 22 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2211 -j DNAT --to $VIRT:22

#JUNIOR staging host: external 88 -> 80, external 3335 -> 3389 (RDP)
$IPFW -A FORWARD -d $APLIC -p tcp --dport 88 -j ACCEPT
$IPFW -A FORWARD -d $APLIC -p tcp --dport 3389 -j ACCEPT
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 3335 -j DNAT --to $APLIC:3389
$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 88 -j DNAT --to $APLIC:80

#TEMPORARY forward (disabled)
#$IPFW -A FORWARD -d 192.168.0.8 -p tcp --dport 80 -j ACCEPT
#$IPFW -A FORWARD -d 192.168.0.8 -p tcp --dport 22 -j ACCEPT
#$IPFW -A FORWARD -d 192.168.0.8 -p tcp --dport 3306 -j ACCEPT
#$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 2208 -j DNAT --to 192.168.0.8:22
#$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 3306 -j DNAT --to 192.168.0.8:3306
#$IPFW -t nat -A PREROUTING -i $IF_NET -p tcp --dport 8888 -j DNAT --to 192.168.0.8:80


echo "OK"
}

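# Replaces the default route with one via $GW.
# Globals:   GW (read), ROUTE (read, optional: path of the route binary,
#            defaults to /sbin/route so existing callers are unaffected)
# Outputs:   progress line on stdout, failure message on stderr
# Returns:   1 with the routing table untouched when GW is empty, 1 if the
#            "route add" fails, 0 otherwise
# NOTE(review): "route del" followed by "route add" is not atomic; if the
# add fails the host is left with no default route. Where iproute2 exists,
# "ip route replace default via $GW" does it in one step.
rota_padrao(){
  local route_bin="${ROUTE:-/sbin/route}"
  echo -n "       - Iniciando roteamento padrao................................"
  # Never delete the current default route when there is nothing to put in
  # its place (the original ran "route add default gw" with an empty GW).
  if [[ -z "${GW:-}" ]]; then
    printf 'FALHOU (GW nao definido)\n' >&2
    return 1
  fi
  "$route_bin" del default
  if ! "$route_bin" add default gw "$GW"; then
    printf 'FALHOU\n' >&2
    return 1
  fi
  echo "OK"
}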
# Brings the firewall up: clears everything (stop), then loads the rule sets
# in order and finally prints the resulting tables.
# Note that stop() sets all policies to ACCEPT and nothing later changes
# them, so "start" never results in a default-deny configuration.
start(){
  # liberaip used to sit between politicas and squid; it is disabled.
  local -a steps=(stop politicas squid trojan p2p rota_padrao show)
  local step
  for step in "${steps[@]}"; do
    "$step"
  done
}

# Flushes and deletes every rule and user chain in the filter and nat
# tables, then sets the three built-in filter policies to ACCEPT.
# NOTE(review): this is fail-open. After "stop" the host accepts and
# forwards everything, and because politicas() never sets the policies
# back to DROP (those lines are commented out there), ACCEPT remains the
# policy while the firewall is "running" too.
# Globals:   IPFW (read)
stop(){
  local chain
  "$IPFW" -F
  "$IPFW" -X
  # Per-chain flushes are redundant after the table-wide -F above; kept so
  # the command sequence matches the original exactly.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPFW" -F "$chain"
  done
  "$IPFW" -F -t nat
  "$IPFW" -X -t nat
  for chain in INPUT OUTPUT FORWARD; do
    "$IPFW" -P "$chain" ACCEPT
  done
}

# Prints the filter and nat tables (numeric, verbose) with a heading each.
# Globals:   IPFW (read)
# Outputs:   the two listings on stdout
show(){
  printf '*** Filtro de Pacotes ***\n'
  "$IPFW" -L -n -v
  printf '\n*** NAT ***\n'
  "$IPFW" -t nat -L -n -v
}

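# Entry point: dispatch on the first argument.
case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # start() already begins with stop, so stop runs twice here; harmless.
    stop
    start
    ;;
  show)
    show
    ;;
  *)
    # Usage goes to stderr and exits with a valid non-zero status; the
    # original "exit -1" is not a POSIX exit status (bash reports it as 255).
    printf 'Use: %s (start|stop|restart|show)\n' "$0" >&2
    exit 1
    ;;
esac
exit 0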
