Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # ----------------------------------------------------------------------------
- # TuxFrw 2.61
- # Copyright (C) 2001-2005 Marcelo Gondim (http://tuxfrw.sourceforge.net)
- # ----------------------------------------------------------------------------
- #
- # tf_INPUT.mod - TuxFrw main rules module
- #
- # ----------------------------------------------------------------------------
- #
- # This file is part of TuxFrw
- #
- # TuxFrw is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation; either version 2 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- #
- # ----------------------------------------------------------------------------
- #
- # INPUT chains
- #
- ############################## Insira aqui as suas regras ######################
- # Zabbix agent
- $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 10050 -j $TARGET
- # Libera conexoes ao MSN proxy
- $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1863 -j $TARGET
- $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 25000:30000 -j $TARGET
- # web interface do monit
- $IPTABLES -A INPUT -p tcp --dport 2008 -j $TARGET
- $IPTABLES -A INPUT -p tcp --dport 22 -j $TARGET
- # Libera acesso ao NTOP
- $IPTABLES -A INPUT -p tcp --dport 3000 -j $TARGET
- # Libera acesso ao MySQL
- $IPTABLES -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 3306 -j $TARGET
- # Libera acesso ao Webserver a partir da Internet
- $IPTABLES -A INPUT -p tcp -m multiport --dports 80,443,22,3389,3054 -j $TARGET
- # Libera acesso ao Tomcat a partir da Internet
- $IPTABLES -A INPUT -p tcp --dport 8080 -j $TARGET
- # Libera acesso ao servidor de FTP local
- $IPTABLES -A INPUT -p tcp -m multiport --dports 20,21,22,3389 -j $TARGET
- # Libera acesso ao cache de DNS
- $IPTABLES -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j $TARGET
- $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j $TARGET
- # Libera acesso interno e externo ao SSH ( roda na porta 7521 e 22 )
- $IPTABLES -A INPUT -p tcp -m multiport --dports 22,7521 -j $TARGET
- # Aceita conexoes ao proxy
- $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j $TARGET
- # Aceita ping da rede internet
- $IPTABLES -A INPUT -p icmp -j $TARGET
- # NFS para o servdados
- $IPTABLES -A INPUT -s 192.168.1.200 -j $TARGET
- ################################################################################
- # accept input packets with allowed state
- $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # accept input packets from LO_IFACE
- $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
- # Drop invalid packets
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
- # deny input broadcast and improper address
- $IPTABLES -A INPUT -s $BRO_ADDR -j DROP
- $IPTABLES -A INPUT -s 224.0.0.0/4 -j DROP
- # SPOOF_CHECK input packets
- if [ "$EXT_IFACE" != "" -a "$EXT_IP" != "" ]; then $IPTABLES -A INPUT -s $EXT_IP -j DROP; fi
- if [ "$EXT_IFACE" != "" -a "$EXT_BRO" != "" ]; then $IPTABLES -A INPUT -s $EXT_BRO -j DROP; fi
- if [ "$EXT_IFACE" != "" -a "$EXT_NET" != "" ]; then $IPTABLES -A INPUT -s $EXT_NET -i ! $EXT_IFACE -j DROP; fi
- if [ "$INT_IFACE" != "" -a "$INT_IP" != "" ]; then $IPTABLES -A INPUT -s $INT_IP -j DROP; fi
- if [ "$INT_IFACE" != "" -a "$INT_BRO" != "" ]; then $IPTABLES -A INPUT -s $INT_BRO -j DROP; fi
- if [ "$INT_IFACE" != "" -a "$INT_NET" != "" ]; then $IPTABLES -A INPUT -s $INT_NET -i ! $INT_IFACE -j DROP; fi
- if [ "$DMZ_IFACE" != "" -a "$DMZ_IP" != "" ]; then $IPTABLES -A INPUT -s $DMZ_IP -j DROP; fi
- if [ "$DMZ_IFACE" != "" -a "$DMZ_BRO" != "" ]; then $IPTABLES -A INPUT -s $DMZ_BRO -j DROP; fi
- if [ "$DMZ_IFACE" != "" -a "$DMZ_NET" != "" ]; then $IPTABLES -A INPUT -s $DMZ_NET -i ! $DMZ_IFACE -j DROP; fi
- if [ "$EXT_IFACE" != "" ]; then
- # END_SPOOF packets that claims to be from IANA reserved nets
- for NET in $RESERVED_NET; do
- $IPTABLES -A INPUT -s $NET -i $EXT_IFACE -j DROP
- done
- fi
- # block tcp synfloods
- $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
- $IPTABLES -A INPUT -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- # Block broadcast and multicast packets
- $IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
- $IPTABLES -A INPUT -m pkttype --pkt-type multicast -j DROP
- # reset auth packets
- $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
- # Drop windows or worm packets :)
- $IPTABLES -A INPUT -p udp -m multiport --dports 135,445 -j DROP
- $IPTABLES -A INPUT -p udp -m udp --dport 137:139 -j DROP
- $IPTABLES -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
- $IPTABLES -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
- $IPTABLES -A INPUT -p udp -m udp --dport 1900 -j DROP
- # accept SSH (22/tcp) input from administrator IP
- if [ "$ADMIN_IP" != "" ]; then
- $IPTABLES -A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
- fi
- # accept SSH (22/tcp) input from remote administrator IP
- if [ "$RMT_ADMIN_IP" != "" ]; then
- $IPTABLES -A INPUT -p tcp -s $RMT_ADMIN_IP --dport 22 -j ACCEPT
- fi
- # Accept icmp-type 3/4 and 11
- $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
- $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
- # accept ICMP input packets from INT only
- # $IPTABLES -A INPUT -p icmp -s $INT_NET -i $INT_IFACE -j $TARGET
- # accept ICMP Ping Requests
- # $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j $TARGET
- # accept UNIX Traceroute Requests
- # $IPTABLES -A INPUT -p udp --dport 33434 -j $TARGET
- # accept ICMP Timestamping Requests
- # $IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j $TARGET
- # accept ICMP Address Masking
- # $IPTABLES -A INPUT -p icmp --icmp-type address-mask-request -j $TARGET
- # accept ICMP Source Quench Requests
- # $IPTABLES -A INPUT -p icmp --icmp-type source-quench -j $TARGET
- # Proxy access - authorization
- if [ "$PROXY_PORT" != "" -a "$INT_IFACE" != "" ]; then
- $IPTABLES -A INPUT -p tcp --dport $PROXY_PORT -i $INT_IFACE -j $TARGET
- fi
- # accept OpenVPN between this firewall and another
- if [ "$OpenVPN_IP" != "" -a "$OpenVPN_PORT" != "" -a "$OpenVPN_PROTO" != "" ]; then
- $IPTABLES -A INPUT -p $OpenVPN_PROTO --dport $OpenVPN_PORT -s $OpenVPN_IP -j $TARGET
- fi
- # accept VPN between this firewall and another (using PPTP)
- if [ "$PPTP_IP" != "" ]; then
- $IPTABLES -A INPUT -p 47 -s $PPTP_IP -j $TARGET
- $IPTABLES -A INPUT -p tcp -s $PPTP_IP --dport 1723 -j $TARGET
- fi
- # reject all the unmatched packets
- $IPTABLES -A INPUT -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "tuxfrw: INPUT! "
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
