API tools faq
paste
Advertisement
zejeske

Untitled

zejeske
Apr 30th, 2018
64
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.28 KB | None | 0 0
raw download clone embed print report
  1. #! /bin/bash
  2. ###############################################################################
  3. # Autor: Tácio de Jesus Andrade
  4. # Criação: 11/04/2011 por - Tacio de Jesus Andrade
  5. # Modificação: 27/04/2018 por - José Carlos Jeske
  6. #
  7. # Função: Arquivo de Configuração Padrão do Firewall IpTables
  8. # Utilização: Mova-o para o diretório /etc/init.d/ (em distros Debian-Like)
  9. # e adicione o serviço para iniciar com o Sistema (pode-se utilizar
  10. # o rcconf ou o comando de carregamento do serviço de sua distro)
  11. #
  12. # Material disponibilizado no link :
  13. # https://www.vivaolinux.com.br/etc/Firewall.sh-3/
  14. # https://www.vivaolinux.com.br/topico/Squid-Iptables/Liberar-Maquina-do-proxy-e-firewall
  15. # https://www.vivaolinux.com.br/topico/Squid-Iptables/Liberar-Porta-VOIP
  16. # https://sempreupdate.com.br/como-funciona-os-logs-no-linux/
  17. # https://www.vivaolinux.com.br/topico/Servidores-Linux-para-iniciantes/Identificacao-de-ataque-ao-servidor
  18. # https://www.security.unicamp.br/blog/log-o-aliado-do-administrador/
  19. # http://memoria.rnp.br/newsgen/9905/logs.html
  20. # https://forum.gamemods.com.br/threads/detectando-invasao-pelo-log-do-apache.33810/
  21. # http://bvserver.com/como-posso-viewificair-se-a-porta-5060-est-aberta-em-centos.html
  22. #
  23. ###############################################################################
  24. # Você deve colocar em um local conveniente no seu sistema, por exemplo:
  25. # - Dentro do diretório /etc/init.d/
  26. # - Dar permissão de execução chmod +x firewall.sh
  27. # - Colocar para rodar na inicialização do sistema. coloca assim dentro do arquivo /etc/rc.local: bash /etc/init.d/firewall.sh
  28. # - Para Rodar ele digite bash /etc/init.d/firewall.sh
  29. #
  30. # ou
  31. # Gerando boot do firewall na inicialização
  32. # digita isso aqui no prompt: echo "/etc/init.d/firewall.sh" >> /etc/rc.d/rc.local
  33. #
  34. ###############################################################################
  35.  
  36.  
  37. function IniciaFirewall(){
  38.  
  39.  
  40. ###############
  41. # TITULO ABRE #
  42. ###############
  43. echo "Iniciando a Configuração do Firewall"
  44.  
  45. echo "Carregando Módulos..."
  46. # carrega modulos
  47. /sbin/modprobe iptable_nat
  48. /sbin/modprobe ip_conntrack
  49. /sbin/modprobe ip_conntrack_ftp
  50. /sbin/modprobe ip_nat_ftp
  51. /sbin/modprobe ipt_LOG
  52. /sbin/modprobe ipt_REJECT
  53. /sbin/modprobe ipt_MASQUERADE
  54.  
  55.  
  56. ########################################
  57. # Habilita o Roteamento do Kernel Zera #
  58. ########################################
  59. echo "Habilitando Roteamento do Kernel"
  60. echo 1 >/proc/sys/net/ipv4/ip_forward
  61.  
  62.  
  63. #########################################
  64. # Habilita a Proteção contra spoofing 2 #
  65. #########################################
  66. echo "Habilitando Proteção contra spoofing 2"
  67. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  68. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  69. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  70. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  71.  
  72.  
  73.  
  74. ########################
  75. # Zera todas as Regras #
  76. ########################
  77. echo "Regras Zeradas"
  78. iptables -F
  79. iptables -t mangle -F
  80. iptables -t nat -F
  81. iptables -X
  82.  
  83.  
  84. ################################################
  85. # Definindo a Politica Padrao - fechando tudo #
  86. ################################################
  87. echo "Fechando tudo"
  88. iptables -P INPUT DROP
  89. iptables -P FORWARD DROP
  90. # Aceitando todas as saidas
  91. iptables -P OUTPUT ACCEPT
  92.  
  93.  
  94. ############################################################################
  95. # Impede ataques DoS a maquina limitando a quantidade de respostas do ping #
  96. ############################################################################
  97. #echo "Previne ataques DoS"
  98. # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  99.  
  100. #################################
  101. # Bloqieia completamente o ping #
  102. #################################
  103. echo "Bloqueia o pings"
  104. iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  105.  
  106. ##########################
  107. # Politicas de segurança #
  108. ##########################
  109. echo "Implementação de politicas de segurança"
  110. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Impede falsear pacote
  111. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Perigo de descobrimento de rotas de roteamento (desativar em roteador)
  112. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Risco de DoS
  113. echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Só inicia a conexão quando recebe a confirmação, diminuindo a banda gasta
  114. echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter # Faz o firewall responder apenas a placa de rede que recebeu o pacote
  115. iptables -A INPUT -m state --state INVALID -j DROP # Elimina os pacotes invalidos
  116.  
  117.  
  118. #################################
  119. # Libera conexoes estabelecidas #
  120. #################################
  121. echo "Liberando conexões estabelecidas"
  122. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  123. iptables -A FORWARD -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  124. iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
  125.  
  126.  
  127. #################################
  128. # Libera interface loopback #
  129. #################################
  130. echo "Liberando interface loopback "
  131. iptables -A INPUT -i lo -j ACCEPT
  132.  
  133.  
  134. #################################
  135. # Registro de Logs #
  136. #################################
  137. echo "Registrando Logs "
  138. iptables -A FORWARD -m multiport -p tcp --dport 5800,5900,6000 -j LOG --log-prefix="[ACESSO VNC]"
  139. iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix="[TENTATIVA ACESSO SSH]"
  140. iptables -A INPUT -p tcp --dport 2222 --syn -j LOG --log-prefix="[TENTATIVA ACESSO SSH]"
  141. iptables -A INPUT -p tcp --dport 21 --syn -j LOG --log-prefix="[TENTATIVA ACESSO FTP]"
  142. iptables -A INPUT -p tcp --dport 10000 --syn -j LOG --log-prefix="[TENTATIVA ACESSO WEBMIN]"
  143.  
  144.  
  145.  
  146. #######################################################################################
  147. # GERANDO REGRAS DE SEGURANÇA #
  148. #######################################################################################
  149.  
  150. echo "Protegendo contra Port Scanners "
  151. iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/s -j ACCEPT
  152.  
  153. # proteção contra traceroute
  154. echo "Proteção contra traceroute"
  155. iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j REJECT
  156.  
  157. # Protecoes contra pacotes invalidos
  158. echo "Proteção contra pacotes invalidos "
  159. iptables -A INPUT -m state --state INVALID -j REJECT
  160.  
  161.  
  162.  
  163. ###############################################################################
  164. # REGRAS PARA INPUT - ENTRADA #
  165. ###############################################################################
  166.  
  167.  
  168. # libera ping para rede do piso 1
  169. # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
  170.  
  171.  
  172.  
  173. ###############################################################################
  174. # Liberação do TRONCO #
  175. ###############################################################################
  176. echo "Liberando entrada e saida do Tronco
  177. iptables -I INPUT -s 200.184.77.169 -j ACCEPT
  178. iptables -I OUTPUT -d 200.184.77.169 -j ACCEPT
  179.  
  180. #######################################################################################
  181. # Libera o acesso via SSH e Limita o número de tentativas de acesso a 4 a cada minuto #
  182. # Nas placas de rede eth0 e eth1 #
  183. #######################################################################################
  184. echo "Liberando o SSH"
  185. iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
  186. iptables -I INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
  187. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  188. iptables -A INPUT -p udp --dport 22 -j ACCEPT
  189.  
  190.  
  191. #######################################################################################
  192. # Regras para o HTTP E WEB e WEBADMIN
  193. #######################################################################################
  194. echo "Liberando as portas para acesso HTTP e WEB "
  195. # Aqui consegui liberar para navegação no browse no servidor 192.168.1.111
  196. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  197. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  198. iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
  199.  
  200. ##################################################################################################
  201. # Regras para o Acesso do Asterisk / Issabel = portas SIP (5060:5062 E 10000:20000 )( 4569 AIX ) #
  202. ##################################################################################################
  203. echo "Liberando as portas para o Asterisk "
  204. iptables -A INPUT -d 192.168.1.0/24 -p tcp --dport 5060:5062 -j ACCEPT
  205. iptables -A INPUT -d 192.168.1.0/24 -p udp --dport 5060:5062 -j ACCEPT
  206. iptables -A INPUT -d 192.168.1.0/24 -p tcp --dport 10000:20000 -j ACCEPT
  207. iptables -A INPUT -d 192.168.1.0/24 -p udp --dport 10000:20000 -j ACCEPT
  208.  
  209.  
  210. #######################################################################################
  211. # Priorizando paoctes da Rede #
  212. #######################################################################################
  213. echo "Priorizando pacotes da Rede"
  214. iptables -t mangle -A PREROUTING -p tcp --dport 5060:5062 -j TOS --set-tos 16
  215. iptables -t mangle -A PREROUTING -p udp --dport 1000:20000 -j TOS --set-tos 8
  216. iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
  217. iptables -t mangle -A PREROUTING -p udp --dport 80 -j TOS --set-tos 8
  218. iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 5060:5062 -j TOS --set-tos 16
  219. iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 10000:20000 -j TOS --set-tos 8
  220. iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j TOS --set-tos 8
  221. iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 80 -j TOS --set-tos 8
  222.  
  223.  
  224.  
  225. ##################
  226. # Libera o Samba #
  227. ##################
  228. #echo "Liberando o Samba"
  229. # iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
  230. # iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
  231.  
  232. ###################
  233. # Libera o Apache #
  234. ###################
  235. #echo "Liberando o Apache"
  236. # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  237.  
  238. ################
  239. # TITULO FECHA #
  240. ################
  241. echo "Configuração do Firewall Concluida."
  242. }
  243.  
  244.  
  245. function LiberaFirewall(){
  246. echo "Finalizando o Firewall"
  247. rm -rf /var/lock/subsys/firewall
  248.  
  249. # -----------------------------------------------------------------
  250. # Remove todas as regras existentes
  251. # -----------------------------------------------------------------
  252. iptables -F
  253. iptables -X
  254. iptables -t mangle -F
  255. # -----------------------------------------------------------------
  256. # Reseta as politicas padrões, aceitar tudo
  257. # -----------------------------------------------------------------
  258. iptables -P INPUT ACCEPT
  259. iptables -P OUTPUT ACCEPT
  260. iptables -P FORWARD ACCEPT
  261.  
  262. }
  263.  
  264. case $1 in
  265. start)
  266. IniciaFirewall
  267. exit 0
  268. ;;
  269. stop)
  270. LiberaFirewall
  271. exit 1
  272. ;;
  273. restart)
  274. LiberaFirewall;IniciaFirewall
  275. exit 2
  276. ;;
  277. *)
  278. echo
  279. echo "Use ||start|| para iniciar as regras desse Firewall, ||restart|| para reiniciar e ||stop|| para descartar todas as politicas de seguranca, NAO FACA ISSO!"
  280. echo
  281. exit 3
  282. ;;
  283. esac
  284.  
  285. # FIM: tudo que não for explicitamente permitido será negado!
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!