  1. ## Criado por: Igor Pereira
  2.  
  3. echo "Carregando o firewall..."
  4.  
  5. #Limpa as regras do Firewall anteriores
  6. iptables -F
  7. iptables -X
  8.  
  9. #Permitir trafego para sessoes estabelecidas:
  10. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  11.  
  12. #Libera conexoes de fora para dentro
  13. iptables -A INPUT -p tcp -i eth0 --dport 2743 -j ACCEPT #SSH
  14. iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT #WEB
  15.  
  16. #Libera o loopback
  17. iptables -A INPUT -s 127.0.0.1 -j ACCEPT
  18. iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
  19. iptables -A FORWARD -s 127.0.0.1 -j ACCEPT
  20.  
  21. #Libera conexoes de dentro para fora
  22. iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #WEB
  23. iptables -A OUTPUT -p tcp --dport 7171 -j ACCEPT #TIBIA
  24. iptables -A OUTPUT -p tcp --dport 7172 -j ACCEPT #TIBIA2
  25.  
  26. #Protecao Contra SynFlood
  27. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  28. iptables -A INPUT -f -j DROP
  29. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  30. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  31. iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  32. iptables -A FORWARD -p tcp --syn -j DROP
  33. iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 7 -j REJECT
  34.  
  35. #Protecao contra IP Spoof Syn
  36. iptables -A INPUT -i ext_face -s 0.0.0.0/8 -j DROP
  37. iptables -A INPUT -i ext_face -s 127.0.0.0/8 -j DROP
  38. iptables -A INPUT -i ext_face -s 10.0.0.0/8 -j DROP
  39. iptables -A INPUT -i ext_face -s 172.16.0.0/12 -j DROP
  40. iptables -A INPUT -i ext_face -s 192.168.0.0/16 -j DROP
  41. iptables -A INPUT -i ext_face -s 224.0.0.0/3 -j DROP
  42. iptables -A INPUT -i ext_face -s 0.0.0.0/7 -j DROP
  43. iptables -A INPUT -i ext_face -s 2.0.0.0/8 -j DROP
  44. iptables -A INPUT -i ext_face -s 5.0.0.0/8 -j DROP
  45. iptables -A INPUT -i ext_face -s 7.0.0.0/8 -j DROP
  46. iptables -A INPUT -i ext_face -s 10.0.0.0/8 -j DROP
  47. iptables -A INPUT -i ext_face -s 23.0.0.0/8 -j DROP
  48. iptables -A INPUT -i ext_face -s 27.0.0.0/8 -j DROP
  49. iptables -A INPUT -i ext_face -s 31.0.0.0/8 -j DROP
  50. iptables -A INPUT -i ext_face -s 36.0.0.0/7 -j DROP
  51. iptables -A INPUT -i ext_face -s 39.0.0.0/8 -j DROP
  52. iptables -A INPUT -i ext_face -s 42.0.0.0/8 -j DROP
  53. iptables -A INPUT -i ext_face -s 49.0.0.0/8 -j DROP
  54. iptables -A INPUT -i ext_face -s 50.0.0.0/8 -j DROP
  55. iptables -A INPUT -i ext_face -s 77.0.0.0/8 -j DROP
  56. iptables -A INPUT -i ext_face -s 78.0.0.0/7 -j DROP
  57. iptables -A INPUT -i ext_face -s 92.0.0.0/6 -j DROP
  58. iptables -A INPUT -i ext_face -s 96.0.0.0/4 -j DROP
  59. iptables -A INPUT -i ext_face -s 112.0.0.0/5 -j DROP
  60. iptables -A INPUT -i ext_face -s 120.0.0.0/8 -j DROP
  61. iptables -A INPUT -i ext_face -s 169.254.0.0/16 -j DROP
  62. iptables -A INPUT -i ext_face -s 172.16.0.0/12 -j DROP
  63. iptables -A INPUT -i ext_face -s 173.0.0.0/8 -j DROP
  64. iptables -A INPUT -i ext_face -s 174.0.0.0/7 -j DROP
  65. iptables -A INPUT -i ext_face -s 176.0.0.0/5 -j DROP
  66. iptables -A INPUT -i ext_face -s 184.0.0.0/6 -j DROP
  67. iptables -A INPUT -i ext_face -s 192.0.2.0/24 -j DROP
  68. iptables -A INPUT -i ext_face -s 197.0.0.0/8 -j DROP
  69. iptables -A INPUT -i ext_face -s 198.18.0.0/15 -j DROP
  70. iptables -A INPUT -i ext_face -s 223.0.0.0/8 -j DROP
  71. iptables -A INPUT -i ext_face -s 224.0.0.0/3 -j DROP
  72.  
  73. #Protecao contra "ping of death"
  74. iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  75.  
  76. #Protecao contra syn-flood brute force
  77. iptables -N syn-flood
  78. iptables -A INPUT -p tcp --syn -j syn-flood
  79. iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
  80. iptables -A syn-flood -j LOG --log-level 4 --log-prefix 'SYN-flood attempt: '
  81. iptables -A syn-flood -j DROP
  82.  
  83. #Protecao contra IP Spoofing
  84. iptables -A INPUT -i ext-int -s 10.0.0.0/8 -j DROP
  85. iptables -A INPUT -i ext-int -s 127.0.0.0/8 -j DROP
  86. iptables -A INPUT -i ext-int -s 172.16.0.0/16 -j DROP
  87. iptables -A INPUT -i ext-int -s 192.168.0.0/24 -j DROP
  88. iptables -A INPUT -s 0.0.0.0/7 -j DROP
  89. iptables -A INPUT -s 2.0.0.0/8 -j DROP
  90. iptables -A INPUT -s 5.0.0.0/8 -j DROP
  91. iptables -A INPUT -s 7.0.0.0/8 -j DROP
  92. iptables -A INPUT -s 10.0.0.0/8 -j DROP
  93. iptables -A INPUT -s 23.0.0.0/8 -j DROP
  94. iptables -A INPUT -s 27.0.0.0/8 -j DROP
  95. iptables -A INPUT -s 31.0.0.0/8 -j DROP
  96. iptables -A INPUT -s 36.0.0.0/7 -j DROP
  97. iptables -A INPUT -s 39.0.0.0/8 -j DROP
  98. iptables -A INPUT -s 42.0.0.0/8 -j DROP
  99. iptables -A INPUT -s 49.0.0.0/8 -j DROP
  100. iptables -A INPUT -s 50.0.0.0/8 -j DROP
  101. iptables -A INPUT -s 77.0.0.0/8 -j DROP
  102. iptables -A INPUT -s 78.0.0.0/7 -j DROP
  103. iptables -A INPUT -s 92.0.0.0/6 -j DROP
  104. iptables -A INPUT -s 96.0.0.0/4 -j DROP
  105. iptables -A INPUT -s 112.0.0.0/5 -j DROP
  106. iptables -A INPUT -s 120.0.0.0/8 -j DROP
  107. iptables -A INPUT -s 169.254.0.0/16 -j DROP
  108. iptables -A INPUT -s 172.16.0.0/12 -j DROP
  109. iptables -A INPUT -s 173.0.0.0/8 -j DROP
  110. iptables -A INPUT -s 174.0.0.0/7 -j DROP
  111. iptables -A INPUT -s 176.0.0.0/5 -j DROP
  112. iptables -A INPUT -s 184.0.0.0/6 -j DROP
  113. iptables -A INPUT -s 192.0.2.0/24 -j DROP
  114. iptables -A INPUT -s 197.0.0.0/8 -j DROP
  115. iptables -A INPUT -s 198.18.0.0/15 -j DROP
  116. iptables -A INPUT -s 223.0.0.0/8 -j DROP
  117. iptables -A INPUT -s 224.0.0.0/3 -j DROP
  118. iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 7 -j REJECT
  119.  
  120. #Protecao contra port scanners ocultos
  121. iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  122. iptables -A INPUT -s 0.0.0.0/0 -p icmp -j DROP
  123.  
  124. #Bloqueando tracertroute
  125. iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
  126.  
  127. #Bloqueando Ataques Nivel Medio
  128. iptables -A INPUT -m state --state INVALID -j DROP
  129.  
  130. #Regra simples de bloqueiar
  131. iptables -N conn-flood
  132. iptables -I INPUT 1 -p tcp --syn -j conn-flood
  133. iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
  134. iptables -A conn-flood -j DROP
  135. iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  136. iptables -A INPUT -p icmp -j DROP
  137.  
  138. #Bloqueando ataques UDP
  139. iptables -N udp-flood
  140. iptables -A INPUT -p UDP -f -j DROP
  141. iptables -A INPUT -p UDP --dport 7 -j DROP
  142. iptables -A INPUT -p UDP --dport 19 -j DROP
  143. iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
  144. iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
  145. iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
  146. iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
  147. iptables -A OUTPUT -p udp -j DROP
  148. iptables -A OUTPUT -p udp -j udp-flood
  149. iptables -A udp-flood -p udp -m limit --limit 200/s -j RETURN
  150. iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
  151. iptables -A udp-flood -j DROP
  152.  
  153. #Bloqueando traceroute
  154. iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
  155.  
  156. #Bloqueia toda entrada com excessao das regras acima
  157. iptables -A INPUT -j DROP
  158.  
  159. #Limita a rate do SSH
  160. iptables -A INPUT -p tcp --dport 2743 -m state --state NEW -m recent --set --name SSH-LIMIT
  161. iptables -A INPUT -p tcp --dport 2743 -m state --state NEW -m recent --update --rttl --seconds 60 --hitcount 20 -j REJECT --reject-with tcp-reset --name SSH-LIMIT
  162.  
  163. #Anulando resposta ICMP
  164. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  165.  
  166. #Bloqueia conexoes nas demais portas
  167. iptables -A INPUT -p tcp --syn -j DROP
  168.  
  169. #Regras IPFilter
  170. iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  171. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  172. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  173. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  174. echo 0 > /proc/sys/net/ipv4/ip_forward
  175. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  176. echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  177. iptables -A INPUT -m state --state INVALID -j DROP
  178.  
  179. #Cria log dos bloqueios - Ativar somente se necessario
  180. #iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  181.  
  182. echo "Firewall ativado!"