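#!/usr/bin/env bash
## Created by: Igor Pereira
#
# Host firewall for a single Internet-facing server.
#
# Policy: inbound is denied by default; only SSH (port 2743) and HTTP (port 80)
# are published on the Internet interface; outbound is allowed, with outgoing
# UDP rate-limited; nothing is routed between interfaces (FORWARD DROP and
# ip_forward=0); inbound ICMP is ignored.
#
# Defects fixed relative to the earlier version of this script:
#   - "#!/bin/bash" was not on the first line, so it was never honoured;
#   - "$i" was unquoted in the /proc/sys loop;
#   - the anti-spoofing rules matched interfaces "ext_face" / "ext-int", which
#     do not exist, so they never fired (iptables accepts unknown interface
#     names silently); the state rules' comment names eth0 as the Internet
#     interface, and that is what is used now;
#   - the SSH rate limit, the ICMP echo limit and a third INVALID drop were
#     appended after "iptables -A INPUT -j DROP" and were unreachable;
#   - the "unallocated address" list dropped /8 blocks that have long been
#     assigned (every IPv4 /8 has been allocated since 2011), so it blocked
#     legitimate clients; only special-purpose ranges are kept below;
#   - "ACCEPT any inbound UDP at 3/s" exposed every UDP listener on the host;
#   - duplicated rules (traceroute drop x3, connlimit x2, INVALID x3, repeated
#     sysctls) were collapsed.
#
# Must run as root. The DROP policies are installed before anything else, so a
# failure part-way through (set -e) leaves the host closed rather than open.
# Debug with "bash -x".

set -euo pipefail

readonly INTERNET="eth0"   # Internet-facing interface
readonly SSH_PORT=2743
readonly HTTP_PORT=80
readonly PROC_IPV4=/proc/sys/net/ipv4

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Write a kernel knob under /proc/sys if this kernel exposes it.
# Arguments: $1 - knob path, $2 - value to write
# Outputs:   a warning on stderr when the knob is absent
# Returns:   0; exits via die() if the write fails
#######################################
set_knob() {
  local knob=$1 value=$2
  if [[ -w "$knob" ]]; then
    printf '%s\n' "$value" > "$knob" || die "cannot write $knob"
  else
    printf 'warn: %s not present on this kernel, skipped\n' "$knob" >&2
  fi
}

[[ "$EUID" -eq 0 ]] || die "this script must run as root"
command -v iptables >/dev/null || die "iptables not found"

printf '%s\n' "Carregando o firewall..."

## Default policies first, then flush every table: fail closed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
for table in filter nat mangle; do
  iptables -t "$table" -Z
  iptables -t "$table" -F
  iptables -t "$table" -X
done

## Kernel hardening: the same knobs as before, each written once.
set_knob "$PROC_IPV4/ip_forward" 0                          # no routing between NICs
set_knob "$PROC_IPV4/tcp_syncookies" 1
set_knob "$PROC_IPV4/icmp_echo_ignore_broadcasts" 1         # no smurf amplification
set_knob "$PROC_IPV4/icmp_echo_ignore_all" 1                # host does not answer ping
set_knob "$PROC_IPV4/icmp_ignore_bogus_error_responses" 0   # 0 = keep logging them
for conf in "$PROC_IPV4"/conf/*; do                         # covers "all" and "default"
  set_knob "$conf/accept_redirects" 0
  set_knob "$conf/accept_source_route" 0
  set_knob "$conf/log_martians" 1
  set_knob "$conf/rp_filter" 1                              # reverse-path check
  set_knob "$conf/secure_redirects" 1
done

## Netfilter modules. iptables autoloads whatever a rule needs, so failures are
## not fatal: several of these names are legacy (ip_conntrack, ip_queue, ...)
## and do not exist on current kernels.
modules=(
  ip_tables iptable_nat iptable_filter iptable_mangle
  ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_queue ip_gre
  ipt_LOG ipt_MARK ipt_REDIRECT ipt_REJECT ipt_MASQUERADE ipt_TCPMSS ipt_TOS ipt_NETMAP
  ipt_limit ipt_mac ipt_multiport ipt_owner ipt_state ipt_tos ipt_mark ipt_tcpmss
  ipt_string ipt_statistic
  nf_nat_pptp nf_nat_proto_gre
)
for mod in "${modules[@]}"; do
  modprobe "$mod" 2>/dev/null || true   # best effort, see above
done

## INPUT: loopback, existing flows, then hygiene, then the published services.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# New connections are only taken on the Internet interface.
iptables -A INPUT -m state --state NEW ! -i "$INTERNET" -j DROP

# Anti-spoofing: special-purpose source ranges never arrive from the Internet.
bogons=(
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/3
)
for net in "${bogons[@]}"; do
  iptables -A INPUT -i "$INTERNET" -s "$net" -j DROP
done

# Malformed traffic: fragments, new TCP without SYN, impossible flag sets.
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN budget: the same 7/s, burst 20 the old "conn-flood" chain enforced from
# position 1, plus the log line the old "syn-flood" chain intended (the log is
# itself rate-limited so a flood cannot fill the disk). NOTE: this limit is
# global, not per source, so a flood also starves legitimate clients; a
# per-source budget would need "-m hashlimit".
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A syn-flood -m limit --limit 5/min -j LOG --log-level 4 --log-prefix 'SYN-flood attempt: '
iptables -A syn-flood -j DROP
iptables -A INPUT -p tcp --syn -j syn-flood

# Traceroute probes and inbound ICMP are dropped; ICMP errors that belong to an
# existing connection already passed as RELATED above.
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
iptables -A INPUT -p icmp -j DROP

# Published services. The SSH limit (20 new connections per source per 60 s,
# answered with a reset) now sits before the ACCEPT, so it actually applies.
iptables -A INPUT -p tcp -i "$INTERNET" --dport "$SSH_PORT" -m state --state NEW \
  -m recent --set --name SSH-LIMIT
iptables -A INPUT -p tcp -i "$INTERNET" --dport "$SSH_PORT" -m state --state NEW \
  -m recent --update --rttl --seconds 60 --hitcount 20 --name SSH-LIMIT \
  -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i "$INTERNET" --dport "$SSH_PORT" -j ACCEPT   # SSH
iptables -A INPUT -p tcp -i "$INTERNET" --dport "$HTTP_PORT" -j ACCEPT  # WEB

# Everything else, UDP included, is dropped. Uncomment to log what is denied
# (rate-limited so a port scan cannot flood the log):
#iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP

## OUTPUT (policy ACCEPT). The TCP lines only document the services this host
## talks to. The UDP lines keep the box from being used as a UDP-flood source:
## new flows pass, the remainder is capped at 100/s and the excess logged.
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT    # WEB
iptables -A OUTPUT -p tcp --dport 7171 -j ACCEPT  # TIBIA
iptables -A OUTPUT -p tcp --dport 7172 -j ACCEPT  # TIBIA2
iptables -N udp-flood
iptables -A udp-flood -m limit --limit 5/min -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP
iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
iptables -A OUTPUT -p udp -j udp-flood

## FORWARD: nothing is routed (policy DROP and ip_forward=0), so no rules.

printf '%s\n' "Firewall ativado!"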