Versão utilizada: Debian 8.6 + IPTables 1.4.21
Nota: no Debian 8.6 (versão exata do kernel não verificada) não é preciso carregar os módulos manualmente antes de criar regras: ao inserir a primeira regra, o próprio iptables carrega o módulo necessário. A função MODULOS mais abaixo é, portanto, opcional.
* Abaixo segue script básico para o iptables:
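#!/bin/sh
# Basic iptables firewall script (Debian 8.6, iptables 1.4.21).
# Usage: firewall {start|stop|restart|status}
#
# Binaries are located with the POSIX "command -v" instead of "which"; the
# variable is left empty when the tool is not in PATH, so anything that uses
# $IPT should check it is non-empty before relying on it.
IPT=$(command -v iptables)
MOD=$(command -v modprobe)
RMMOD=$(command -v rmmod)
# Static address of the external interface: needed by the SNAT
# (--to-source) rule in the POSTROUTING examples, unused with MASQUERADE.
IP_EXT=""
# Primary DNS server; not referenced by any rule on this page.
DNS1=""
# Trusted internal network and the "anywhere" wildcard used in the rules.
NETINT="10.0.0.0/24"
ANY="0.0.0.0/0"
# Internal (LAN) and external (Internet-facing) interfaces.
IFINT="eth0"
IFEXT="eth1"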
# Build the whole rule set: the three filter chains, the two nat placeholders
# and finally the kernel settings, in this fixed order. Shell resolves
# function names when they are called, so the steps may be defined later in
# the file.
CRIA(){
for step in INPUT OUTPUT FORWARD PREROUTING POSTROUTING IPV4; do
"$step"
done
}
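# Fail-closed reset used by "start": set the default policies to DROP first,
# then flush every table and delete user-defined chains.
#
# The original did it the other way round (flush, then DROP). Between the
# flush and the policy change the chains are empty and the previous policy
# still applies, which after a "stop" is ACCEPT, i.e. the host is briefly
# wide open. Changing the policies first closes that window.
LIMPAFECHA(){
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# -F empties the built-in chains of each table, -X then removes the (now
# unreferenced) user-defined chains.
for table in filter nat mangle raw; do
$IPT -t "$table" -F
$IPT -t "$table" -X
done
}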
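# Open reset used by "stop": flush every table, delete user-defined chains and
# set the default policies back to ACCEPT. Note that this leaves the host with
# no packet filtering at all (fail-open) until "start" runs again.
#
# The kernel settings are reapplied through IPV4() instead of repeating the
# four /proc writes here, so the values live in a single place.
LIMPAABRE(){
for table in filter nat mangle raw; do
$IPT -t "$table" -F
$IPT -t "$table" -X
done
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
IPV4
}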
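# INPUT chain. Order matters: loopback, INVALID drop, the ESTABLISHED/RELATED
# shortcut, then the few NEW flows that are accepted, then an explicit DROP
# (the policy is DROP as well; the rule keeps the counters visible).
INPUT(){
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# ICMP timestamp requests reveal the host clock; drop them before anything.
$IPT -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping *requests* from the internal network. The original matched every
# ICMP type here ("-p icmp") although its comment said "PING - REQUEST";
# replies and error messages for this host's own traffic are already covered
# by the ESTABLISHED,RELATED rule above.
$IPT -A INPUT -p icmp --icmp-type echo-request -s "$NETINT" -i "$IFINT" -j ACCEPT
# Uncomment to trust the whole internal network (any protocol, any port).
#$IPT -A INPUT -p all -s $NETINT -i $IFINT -j ACCEPT
# Additional per-service rules (see "Regras de entrada") go here, before DROP.
$IPT -A INPUT -j DROP
}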
# OUTPUT chain, mirror of INPUT: loopback and tracked flows first, ICMP
# timestamp replies dropped, then any ICMP towards the internal network (this
# covers ping replies as well as pings started by this host), then an
# explicit DROP.
OUTPUT(){
# Each here-document line is appended to OUTPUT in order. Word splitting of
# $rule is intended: none of the values carries whitespace.
while read -r rule; do
$IPT -A OUTPUT $rule
done <<EOF
-o lo -j ACCEPT
-m state --state INVALID -j DROP
-p icmp --icmp-type timestamp-reply -j DROP
-m state --state ESTABLISHED,RELATED -j ACCEPT
-p icmp -d $NETINT -o $IFINT -j ACCEPT
EOF
# Uncomment one of these to let the host open arbitrary outbound connections,
# to anywhere or only to the internal network respectively.
#$IPT -A OUTPUT -p all -d $ANY -o $IFINT -j ACCEPT
#$IPT -A OUTPUT -p all -d $NETINT -o $IFINT -j ACCEPT
# Additional per-service rules (see "Regras de saída") go here, before DROP.
$IPT -A OUTPUT -j DROP
}
# FORWARD chain: only tracked flows pass, everything else is dropped. This
# chain is only consulted when the kernel routes between interfaces, and
# IPV4() sets ip_forward to 0, so it has no effect until forwarding is enabled.
FORWARD(){
chain=FORWARD
$IPT -A "$chain" -m state --state INVALID -j DROP
$IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW forwarded flows (router / NAT use) must be whitelisted here, before DROP.
$IPT -A "$chain" -j DROP
}
# Placeholder for nat/PREROUTING rules (see "Regras de pré roteamento"). Until
# rules are added it only prints a blank line and a note, so the "start"
# output shows the step ran.
PREROUTING(){
printf '\n%s\n' "No rules for prerouting"
}
# Placeholder for nat/POSTROUTING rules (see "Regras de pós roteamento").
# Until rules are added it only prints a blank line and a note.
POSTROUTING(){
printf '\n%s\n' "No rules for postrouting"
}
# Kernel settings, written directly under /proc/sys/net/ipv4:
#   ip_forward=0                   no routing between interfaces
#   icmp_echo_ignore_broadcasts=1  do not answer broadcast echo requests
#   icmp_echo_ignore_all=0         ordinary pings are still answered
#                                  (the INPUT chain decides which ones)
#   conf/all/proxy_arp=0           proxy ARP off
# NOTE(review): rp_filter, accept_redirects and accept_source_route are not
# touched here; consider setting them too if the host is Internet-facing.
IPV4(){
for entry in ip_forward=0 icmp_echo_ignore_broadcasts=1 icmp_echo_ignore_all=0 conf/all/proxy_arp=0; do
echo "${entry#*=}" > "/proc/sys/net/ipv4/${entry%%=*}"
done
}
#######################################################################
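# Command dispatcher: start | stop | restart | status (anything else prints
# the usage line). The exit status is that of the last command in the branch.
case "$1" in
start)
# With $IPT empty (iptables not in PATH) every "$IPT ..." line would try to
# run its first option as a command and fail, leaving whatever rules the
# kernel already had. Refuse to continue instead.
[ -n "$IPT" ] || { echo "iptables not found in PATH" >&2; exit 1; }
printf '%s' "Configurado regras do firewall: "
LIMPAFECHA && CRIA && \
echo ""
touch /var/lock/iptables
# -n: never resolve addresses or ports. A bare "iptables -L" may do reverse
# DNS lookups, and right after LIMPAFECHA the OUTPUT policy is DROP, so every
# lookup has to time out before the listing appears.
$IPT -L -n
;;
stop)
printf '%s' "Removendo regras do firewall: "
LIMPAABRE && \
echo ""
# The lock path is a plain file; no recursive removal needed.
rm -f /var/lock/iptables
$IPT -L -n
;;
restart)
# Rebuild directly instead of "$0 stop; $0 start": stop sets every policy to
# ACCEPT, so the old sequence left the host completely open between the two
# runs. LIMPAFECHA already flushes everything before the rules are recreated.
$0 start
;;
status)
echo "Regras gerais. (Fiter table)"
echo "===================================="
$IPT -t filter --list -n
echo ""
echo "Regras de NAT. (NAT table)"
echo "===================================="
$IPT -t nat --list -n
echo ""
echo "Regras de tratamento. (Mangle table)"
echo "===================================="
$IPT -t mangle --list -n
echo ""
;;
*)
echo "Use: $0 {start | stop | restart | status}" >&2
;;
esac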
* Adicione a linha abaixo ao arquivo /etc/rc.local (antes do "exit 0") para inicializar o script quando a máquina iniciar. O rc.local é executado como root, portanto o script deve pertencer ao root e não pode ser gravável por outros usuários (ex.: chmod 700), caso contrário qualquer usuário que consiga editá-lo executa comandos como root no boot:
# vi /etc/rc.local
# rc.local runs this as root at boot: keep /home/firewall owned by root and
# not writable by other users, otherwise editing it is a way to run commands
# as root. The call must come before rc.local's own "exit 0".
/home/firewall start
exit 0
* Regras de entrada (para colar em INPUT(), antes do DROP final). Use `-s $ANY` ou `-s $NETINT` conforme a origem que deve ser aceita, e `-i $IFINT`/`-i $IFEXT` conforme a interface:
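# --- extra INPUT rules: paste them into INPUT() before the final DROP ---
# ICMP timestamp requests are already dropped in INPUT(); harmless duplicate.
$IPT -A INPUT -p icmp --icmp-type timestamp-request -j DROP
# SSH only from the internal network.
$IPT -A INPUT -p tcp -s "$NETINT" --dport 22 -i "$IFINT" -j ACCEPT
# BIND: DNS queries on the internal interface, from any source address.
$IPT -A INPUT -p tcp -s "$ANY" --dport 53 -i "$IFINT" -j ACCEPT
$IPT -A INPUT -p udp -s "$ANY" --dport 53 -i "$IFINT" -j ACCEPT
# rndc control channel (tcp/953) is administrative; the original opened it to
# $ANY. Limit it to the internal network, or to 127.0.0.1 if rndc is only
# run locally.
$IPT -A INPUT -p tcp -s "$NETINT" --dport 953 -i "$IFINT" -j ACCEPT
# Web server.
$IPT -A INPUT -p tcp -s "$NETINT" --dport 80 -i "$IFINT" -j ACCEPT
# Samba.
$IPT -A INPUT -p tcp -s "$NETINT" --dport 445 -i "$IFINT" -j ACCEPT
# Alternative: several ports in one rule (multiport takes up to 15 ports).
$IPT -A INPUT -p tcp -s "$NETINT" -m multiport --dports 22,445,3052,8080 -i "$IFINT" -j ACCEPT
$IPT -A INPUT -p udp -s "$NETINT" -m multiport --dports 3052 -i "$IFINT" -j ACCEPT
# Let traceroute from outside work: its UDP probes get a port-unreachable
# reply instead of being silently dropped.
$IPT -A INPUT -p udp -m udp --dport 33434:33523 -i "$IFEXT" -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
# Whitelist one host (-I inserts at the top, ahead of every other rule). Put
# the address in a variable: the original wrapped the placeholder in
# backticks, which the shell would execute as a command.
TRUSTED_IP="<ip-address>"
$IPT -I INPUT -p all -s "$TRUSTED_IP" -j ACCEPT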
* Regras de saída (para colar em OUTPUT(), antes do DROP final). Nos exemplos, `$ANY/$NETINT` e `$IFINT/EXT` significam "escolha um dos dois" (`$ANY` ou `$NETINT`, `$IFINT` ou `$IFEXT`); a linha não funciona copiada literalmente:
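# --- extra OUTPUT rules: paste them into OUTPUT() before the final DROP ---
# Notation: "$ANY/$NETINT" and "$IFINT/EXT" mean "pick one" ($ANY or $NETINT,
# $IFINT or $IFEXT) when copying a line; they are not valid as written.
# ICMP timestamp replies are already dropped in OUTPUT(); harmless duplicate.
$IPT -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
# BIND: outbound DNS (recursion / forwarders).
$IPT -A OUTPUT -p tcp -d $ANY/$NETINT --dport 53 -o $IFINT/EXT -j ACCEPT
$IPT -A OUTPUT -p udp -d $ANY/$NETINT --dport 53 -o $IFINT/EXT -j ACCEPT
# Internet access: DNS plus HTTP/HTTPS. Two ports in one rule need
# "-m multiport --dports"; the original's bare "--dport 80,443" is not a
# valid tcp port specification and iptables refuses to load it.
$IPT -A OUTPUT -p udp -d $ANY --dport 53 -o $IFINT/EXT -j ACCEPT
$IPT -A OUTPUT -p tcp -d $ANY -m multiport --dports 80,443 -o $IFINT/EXT -j ACCEPT
# NTP.
$IPT -A OUTPUT -p udp -d $ANY/$NETINT --dport 123 -o $IFINT/EXT -j ACCEPT
# Samba.
$IPT -A OUTPUT -p tcp -d $ANY/$NETINT --dport 445 -o $IFINT/EXT -j ACCEPT
# NFS (multiport takes up to 15 ports; a range counts as two).
$IPT -A OUTPUT -p tcp -d $ANY/$NETINT -m multiport --dports 111,2049,4000:4005 -o $IFINT/EXT -j ACCEPT
# Internet access and NTP in two multiport rules (same as above, combined).
$IPT -A OUTPUT -p tcp -d $ANY -m multiport --dports 80,443 -o $IFINT/EXT -j ACCEPT
$IPT -A OUTPUT -p udp -d $ANY -m multiport --dports 53,123 -o $IFINT/EXT -j ACCEPT
# Internet access through a proxy (Squid 3128 / 8080).
$IPT -A OUTPUT -p tcp -d $ANY/$NETINT --dport 3128 -o $IFINT/EXT -j ACCEPT
$IPT -A OUTPUT -p tcp -d $ANY/$NETINT --dport 8080 -o $IFINT/EXT -j ACCEPT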
* Regras de redirecionamento (tabela nat):
* Regras de pré-roteamento (chain PREROUTING; colar em PREROUTING()):
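# Transparent proxy: LAN tcp/80 is redirected to the local Squid on 3128.
# The original used $NET_INT and $IF_INT, which this script never defines
# (the header sets NETINT and IFINT); they expand to nothing, so the rule is
# either malformed or loads without the source/interface restriction.
$IPT -t nat -A PREROUTING -p tcp -s "$NETINT" -i "$IFINT" --dport 80 -j REDIRECT --to-port 3128
# Same, without the source restriction (any host arriving on $IFINT).
#$IPT -t nat -A PREROUTING -p tcp -i "$IFINT" --dport 80 -j REDIRECT --to-port 3128
# Redirect a privileged port to an unprivileged one on this host. $IFINT is
# used instead of a hard-coded eth0 so the interface is defined in one place.
$IPT -t nat -A PREROUTING -i "$IFINT" -p tcp --dport 80 -j REDIRECT --to-port 8080 -m comment --comment "HTTP"
$IPT -t nat -A PREROUTING -i "$IFINT" -p tcp --dport 443 -j REDIRECT --to-port 8443 -m comment --comment "HTTPS"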
* Regras de pós-roteamento (chain POSTROUTING; colar em POSTROUTING()). Use apenas uma das duas regras abaixo:
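# Source NAT for the internal network going out through $IFEXT (used together
# with the proxy setup for Internet access). Use ONE of the two rules.
# Dynamic external address (DHCP/PPP): MASQUERADE uses whatever address the
# interface currently has.
$IPT -t nat -A POSTROUTING -p all -s "$NETINT" -d "$ANY" -o "$IFEXT" -j MASQUERADE
# Static external address: SNAT to IP_EXT. The original wrote $IPEXT, a name
# the script never sets (the header defines IP_EXT), so the SNAT target was
# empty. IP_EXT must be filled in at the top of the script.
$IPT -t nat -A POSTROUTING -p all -s "$NETINT" -d "$ANY" -o "$IFEXT" -j SNAT --to-source "$IP_EXT"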
* Para o chain INPUT, adicione as linhas abaixo em INPUT() (antes das regras de ACCEPT por porta, para que os limites se apliquem a todo tráfego novo):
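# SYN-flood limiter: every new TCP connection attempt (--syn) goes through the
# syn-flood chain; within 30/s (burst 60) it RETURNs to INPUT where the normal
# rules decide, above that it is logged and dropped.
$IPT -N syn-flood
$IPT -A INPUT -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 30/s --limit-burst 60 -j RETURN
# The LOG rule is rate-limited as well: without it every packet above the SYN
# limit writes a log line, so the flood being mitigated floods the log too.
$IPT -A syn-flood -m limit --limit 5/min -j LOG --log-level 4 --log-prefix 'SYN-flood attempt: '
$IPT -A syn-flood -j DROP
# Ping limiter, same pattern. The original created the chain but never jumped
# to it from INPUT, so it had no effect; the jump is added here. It also
# ACCEPTed in-rate pings from any source, which would have widened INPUT (only
# LAN pings are accepted there); RETURN leaves that decision to INPUT.
$IPT -N ping-flood
$IPT -A INPUT -p icmp --icmp-type echo-request -j ping-flood
$IPT -A ping-flood -m limit --limit 1/s -j RETURN
$IPT -A ping-flood -j DROP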
* Para o chain OUTPUT, adicione as linhas abaixo em OUTPUT() (antes das regras de ACCEPT por porta):
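# Outbound UDP limiter: all UDP leaving the host goes through udp-flood;
# within 50/s (burst 100) it RETURNs to OUTPUT, above that it is logged and
# dropped. Note this caps *all* outbound UDP, e.g. DNS answers from the BIND
# server this page configures and NTP, not just abusive traffic.
$IPT -N udp-flood
$IPT -A OUTPUT -p udp -j udp-flood
$IPT -A udp-flood -p udp -m limit --limit 50/s --limit-burst 100 -j RETURN
# Rate-limit the LOG rule so the excess traffic cannot flood the log as well.
$IPT -A udp-flood -m limit --limit 5/min -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
$IPT -A udp-flood -j DROP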
* Para listar os módulos de netfilter/iptables carregados no momento:
# lsmod|grep -E "nf_|xt_|ip"
* Módulos típicos do iptables (nomes legados com prefixo ipt_; em kernels mais recentes vários deles aparecem com o prefixo xt_, confira com lsmod):
ipt_REJECT
ipt_tos
ipt_limit
ipt_multiport
iptable_filter
iptable_mangle
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_length
ipt_state
iptables -A OUTPUT -o ethX -m owner --uid-owner {ID} ou {USERNAME} -j ACCEPT / DROP / REJECT
iptables -A OUTPUT -o ethX -m owner --gid-owner {ID} ou {GROUPNAME} -j ACCEPT / DROP / REJECT
# Load the netfilter modules explicitly. Optional on this Debian: the note at
# the top of the page says iptables loads what a rule needs by itself.
# NOTE(review): ip_conntrack*, ip_nat_* and ipt_state are the pre-2.6.20
# module names; a 3.x kernel ships them as nf_conntrack*, nf_nat_* and
# xt_state, and modprobe reports the old names as not found. Check against
# lsmod on the target host before relying on this function.
MODULOS(){
for module in \
ip_tables iptable_filter iptable_nat \
ip_nat_ftp ip_nat_irc \
ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
ipt_state ipt_MASQUERADE ip_gre; do
$MOD "$module"
done
}
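# Module-unloading variant of LIMPAABRE, active only when REMOVE_MODULES=yes.
# As written on this page it only unloads modules and does not flush the
# tables or reopen the policies; since the shell keeps the last definition of
# a function name, placing it after the earlier LIMPAABRE replaces that one.
# Merge the two bodies if both behaviours are wanted. The original snippet
# was missing its closing brace.
LIMPAABRE(){
if [ "$REMOVE_MODULES" = "yes" ]; then
# Reverse dependency order: users before providers, ip_tables last. The lsmod
# scan picks up any other ipt_* match/target module still loaded.
for module in \
ip_gre \
ipt_MASQUERADE \
ipt_state \
ip_conntrack_irc \
ip_conntrack_ftp \
ip_conntrack \
ip_nat_irc \
ip_nat_ftp \
iptable_nat \
iptable_filter \
$(/sbin/lsmod 2>/dev/null | grep '^ipt' | awk '{print $1}') \
ip_tables; do
# Unload errors (module absent or still in use) are deliberately ignored.
$RMMOD "$module" 2>/dev/null
done
fi
}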
start)
echo -n "Configurado regras do firewall: "
LIMPAFECHA && MODULOS && CRIA && \