  1. # ----------------------------------------------------------------------------
  2. # TuxFrw 2.61
  3. # Copyright (C) 2001-2005 Marcelo Gondim (http://tuxfrw.sourceforge.net)
  4. # ----------------------------------------------------------------------------
  5. #
  6. # tf_INPUT.mod - TuxFrw main rules module
  7. #
  8. # ----------------------------------------------------------------------------
  9. #
  10. # This file is part of TuxFrw
  11. #
  12. # TuxFrw is free software; you can redistribute it and/or modify
  13. # it under the terms of the GNU General Public License as published by
  14. # the Free Software Foundation; either version 2 of the License, or
  15. # (at your option) any later version.
  16. #
  17. # This program is distributed in the hope that it will be useful,
  18. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. # GNU General Public License for more details.
  21. #
  22. # You should have received a copy of the GNU General Public License
  23. # along with this program; if not, write to the Free Software
  24. # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  25. #
  26. # ----------------------------------------------------------------------------
  27.  
  28. #
  29. # INPUT chains
  30. #
  31.  
  32. ############################## Insira aqui as suas regras ######################
  33.  
  34. # Zabbix agent
  35. $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 10050 -j $TARGET
  36.  
  37.  
  38. # Libera conexoes ao MSN proxy
  39. $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1863 -j $TARGET
  40. $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 25000:30000 -j $TARGET
  41.  
  42. # web interface do monit
  43. $IPTABLES -A INPUT -p tcp --dport 2008 -j $TARGET
  44. $IPTABLES -A INPUT -p tcp --dport 22 -j $TARGET
  45.  
  46.  
  47. # Libera acesso ao NTOP
  48. $IPTABLES -A INPUT -p tcp --dport 3000 -j $TARGET
  49.  
  50. # Libera acesso ao MySQL
  51. $IPTABLES -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 3306 -j $TARGET
  52.  
  53. # Libera acesso ao Webserver a partir da Internet
  54. $IPTABLES -A INPUT -p tcp -m multiport --dports 80,443,22,3389,3054 -j $TARGET
  55.  
  56. # Libera acesso ao Tomcat a partir da Internet
  57. $IPTABLES -A INPUT -p tcp --dport 8080 -j $TARGET
  58.  
  59.  
  60. # Libera acesso ao servidor de FTP local
  61. $IPTABLES -A INPUT -p tcp -m multiport --dports 20,21,22,3389 -j $TARGET
  62.  
  63. # Libera acesso ao cache de DNS
  64. $IPTABLES -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j $TARGET
  65. $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j $TARGET
  66.  
  67. # Libera acesso interno e externo ao SSH ( roda na porta 7521 e 22 )
  68. $IPTABLES -A INPUT -p tcp -m multiport --dports 22,7521 -j $TARGET
  69.  
  70. # Aceita conexoes ao proxy
  71. $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j $TARGET
  72.  
  73. # Aceita ping da rede internet
  74. $IPTABLES -A INPUT -p icmp -j $TARGET
  75.  
  76. # NFS para o servdados
  77. $IPTABLES -A INPUT -s 192.168.1.200 -j $TARGET
  78.  
  79. ################################################################################
  80.  
  81.  
  82. # accept input packets with allowed state
  83. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  84.  
  85. # accept input packets from LO_IFACE
  86. $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
  87.  
  88. # Drop invalid packets
  89. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  90.  
  91. # deny input broadcast and improper address
  92. $IPTABLES -A INPUT -s $BRO_ADDR -j DROP
  93. $IPTABLES -A INPUT -s 224.0.0.0/4 -j DROP
  94.  
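# SPOOF_CHECK input packets
# Drop packets that claim one of this host's own addresses or broadcast
# addresses as source, and packets that claim an attached network as source
# but arrive on the wrong interface.  Loopback was already accepted above, so
# "-s $EXT_IP" etc. here only ever match forged packets on a real interface.
# Negation is written extrapositioned ("! -i IFACE"): the original "-i ! IFACE"
# form is deprecated and newer iptables only accepts it with a warning.
# The tests use "[ -n ]" joined by "&&" instead of the obsolescent "-a".
# NOTE(review): this block runs after the user section above, so a user rule
# that accepts by source address alone is matched before a forged source can
# be dropped here.
if [ -n "$EXT_IFACE" ] && [ -n "$EXT_IP" ];  then $IPTABLES -A INPUT -s $EXT_IP -j DROP; fi
if [ -n "$EXT_IFACE" ] && [ -n "$EXT_BRO" ]; then $IPTABLES -A INPUT -s $EXT_BRO -j DROP; fi
if [ -n "$EXT_IFACE" ] && [ -n "$EXT_NET" ]; then $IPTABLES -A INPUT -s $EXT_NET ! -i $EXT_IFACE -j DROP; fi
if [ -n "$INT_IFACE" ] && [ -n "$INT_IP" ];  then $IPTABLES -A INPUT -s $INT_IP -j DROP; fi
if [ -n "$INT_IFACE" ] && [ -n "$INT_BRO" ]; then $IPTABLES -A INPUT -s $INT_BRO -j DROP; fi
if [ -n "$INT_IFACE" ] && [ -n "$INT_NET" ]; then $IPTABLES -A INPUT -s $INT_NET ! -i $INT_IFACE -j DROP; fi
if [ -n "$DMZ_IFACE" ] && [ -n "$DMZ_IP" ];  then $IPTABLES -A INPUT -s $DMZ_IP -j DROP; fi
if [ -n "$DMZ_IFACE" ] && [ -n "$DMZ_BRO" ]; then $IPTABLES -A INPUT -s $DMZ_BRO -j DROP; fi
if [ -n "$DMZ_IFACE" ] && [ -n "$DMZ_NET" ]; then $IPTABLES -A INPUT -s $DMZ_NET ! -i $DMZ_IFACE -j DROP; fi
if [ -n "$EXT_IFACE" ]; then
  # Drop packets on the external interface whose source is in an IANA reserved
  # or private range.  $RESERVED_NET is a whitespace-separated list set
  # elsewhere in the framework and is intentionally left unquoted here.
  for NET in $RESERVED_NET; do
    $IPTABLES -A INPUT -s $NET -i $EXT_IFACE -j DROP
  done
fi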
  111.  
  112. # block tcp synfloods
  113. $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  114. $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  115. $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  116. $IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
  117. $IPTABLES -A INPUT -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
  118.  
  119. # Block broadcast and multicast packets
  120. $IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
  121. $IPTABLES -A INPUT -m pkttype --pkt-type multicast -j DROP
  122.  
  123. # reset auth packets
  124. $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  125.  
  126. # Drop windows or worm packets :)
  127. $IPTABLES -A INPUT -p udp -m multiport --dports 135,445 -j DROP
  128. $IPTABLES -A INPUT -p udp -m udp --dport 137:139 -j DROP
  129. $IPTABLES -A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
  130. $IPTABLES -A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
  131. $IPTABLES -A INPUT -p udp -m udp --dport 1900 -j DROP
  132.  
# SSH (22/tcp) from the configured administrator addresses.  Each rule is added
# only when its variable is non-empty, and jumps straight to ACCEPT rather
# than to $TARGET.  Neither rule checks the arrival interface, so it relies on
# the anti-spoof block above to reject a forged admin source.
# NOTE(review): the user section above already accepts 22/tcp from any source,
# which makes both of these rules unreachable in this file.

# local administrator
[ -z "$ADMIN_IP" ] || $IPTABLES -A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT

# remote administrator
[ -z "$RMT_ADMIN_IP" ] || $IPTABLES -A INPUT -p tcp -s $RMT_ADMIN_IP --dport 22 -j ACCEPT
  142.  
  143. # Accept icmp-type 3/4 and 11
  144. $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
  145. $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
  146.  
  147. # accept ICMP input packets from INT only
  148. # $IPTABLES -A INPUT -p icmp -s $INT_NET -i $INT_IFACE -j $TARGET
  149.  
  150. # accept ICMP Ping Requests
  151. # $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j $TARGET
  152.  
  153. # accept UNIX Traceroute Requests
  154. # $IPTABLES -A INPUT -p udp --dport 33434 -j $TARGET
  155.  
  156. # accept ICMP Timestamping Requests
  157. # $IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j $TARGET
  158.  
  159. # accept ICMP Address Masking
  160. # $IPTABLES -A INPUT -p icmp --icmp-type address-mask-request -j $TARGET
  161.  
  162. # accept ICMP Source Quench Requests
  163. # $IPTABLES -A INPUT -p icmp --icmp-type source-quench -j $TARGET
  164.  
# Proxy (PROXY_PORT/tcp) for clients on the internal interface, added only when
# both the port and the interface are configured.  The match is on interface,
# not source address, so anything arriving on INT_IFACE can reach the proxy.
if [ "$PROXY_PORT" != "" -a "$INT_IFACE" != "" ]; then
$IPTABLES -A INPUT -p tcp --dport $PROXY_PORT -i $INT_IFACE -j $TARGET
fi
  169.  
# Site-to-site OpenVPN: accept the tunnel port from the peer's address only.
# --dport is a tcp/udp match option, so OpenVPN_PROTO must be "tcp" or "udp";
# the guard only checks that the variables are non-empty, not their values.
if [ "$OpenVPN_IP" != "" -a "$OpenVPN_PORT" != "" -a "$OpenVPN_PROTO" != "" ]; then
$IPTABLES -A INPUT -p $OpenVPN_PROTO --dport $OpenVPN_PORT -s $OpenVPN_IP -j $TARGET
fi
  174.  
# Site-to-site PPTP: GRE (IP protocol 47) carries the tunnel and 1723/tcp is
# the control channel; both are accepted from the peer address only.
# NOTE(review): PPTP's MS-CHAPv2 authentication (and the MPPE keys derived from
# it) is considered broken; if this tunnel is still in use, prefer the OpenVPN
# path above or IPsec.
if [ "$PPTP_IP" != "" ]; then
$IPTABLES -A INPUT -p 47 -s $PPTP_IP -j $TARGET
$IPTABLES -A INPUT -p tcp -s $PPTP_IP --dport 1723 -j $TARGET
fi
  180.  
  181. # reject all the unmatched packets
  182. $IPTABLES -A INPUT -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "tuxfrw: INPUT! "