# Generated by iptables-save v1.4.2 on Mon Oct 12 13:47:41 2009
# mangle table: built-in chains keep their default ACCEPT policy; no rules are
# defined here (the bracketed values are the saved packet:byte counters).
*mangle
:PREROUTING ACCEPT [24987:9959134]
:INPUT ACCEPT [14010:2346272]
:FORWARD ACCEPT [10973:7611900]
:OUTPUT ACCEPT [13936:935526]
:POSTROUTING ACCEPT [24913:8548388]
COMMIT
# Completed on Mon Oct 12 13:47:41 2009
# Generated by iptables-save v1.4.2 on Mon Oct 12 13:47:41 2009
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:scanner - [0:0]
# NOTE(review): all three built-in chains default to ACCEPT, so anything not
# explicitly dropped below is allowed. The only catch-all DROP is the last
# INPUT rule, and it matches TCP on eth1 only; UDP/ICMP reaching this host on
# eth1 is accepted by policy.
#
# Log, then drop, forwarded TCP packets that start a NEW connection without SYN.
#
-A FORWARD -p tcp -m state --state NEW -j LOG ! --syn --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
-A FORWARD -p tcp -m state --state NEW -j DROP ! --syn
#
# Rate-limit forwarded ICMP echo requests to 1/s (the original comment called
# this "ping of death" protection).
# NOTE(review): this rule only ACCEPTs packets within the limit; there is no
# DROP for echo-request after it and FORWARD's policy is ACCEPT, so packets
# over the limit are forwarded anyway. A
# `-A FORWARD -p icmp --icmp-type echo-request -j DROP` directly after this
# line would make the limit effective.
#
-A FORWARD -p icmp -m limit --icmp-type echo-request --limit 1/s -j ACCEPT
#
# Drop packets that connection tracking classifies as INVALID. (The original
# comment said "loop-back attack"; the rule matches conntrack state, not the
# loopback interface.)
-A INPUT -m state --state INVALID -j DROP
#
# Port-scan detection: TCP packets arriving on eth1 with every flag set
# (SYN,ACK,FIN,RST,URG,PSH all on) go to the scanner chain, which logs them at
# most 15/minute and then drops them.
# NOTE(review): only this exact flag combination is matched; packets with other
# flag combinations continue to the rules below.
#
-A INPUT -p tcp -m tcp -i eth1 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN,ACK,FIN,RST,URG,PSH -j scanner
-A scanner -m limit --limit 15/minute -j LOG
-A scanner -j DROP
#
# Allow the web site port (8001) on eth1.
# NOTE(review): the nat table DNATs TCP/8001 on eth1 to 192.168.0.77, and
# DNATed packets traverse FORWARD rather than INPUT, so this rule presumably
# only matters if that DNAT rule is absent.
#
-A INPUT -p tcp -m tcp -i eth1 --dport 8001 -j ACCEPT
#
# Allow Webmin (10000) on eth1.
# NOTE(review): per the nat table eth1 is the masqueraded (outbound) interface,
# i.e. likely the untrusted side; exposing the Webmin admin UI and SSH (next
# rule) there without a source restriction or rate limit is worth revisiting.
#
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
#
# Allow SSH (22) on eth1.
#
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
# Drop every other TCP packet arriving on eth1.
# NOTE(review): there is no ESTABLISHED,RELATED accept earlier in INPUT, so
# return traffic for TCP connections this host itself opens via eth1 (replies
# to an ephemeral port) appears to be dropped here;
# `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` placed before this
# rule would fix that. Non-TCP traffic on eth1 is not affected (policy ACCEPT).
-A INPUT -p tcp -m tcp -i eth1 -j DROP
COMMIT
# Completed on Mon Oct 12 13:47:41 2009
# Generated by iptables-save v1.4.2 on Mon Oct 12 13:47:41 2009
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade everything leaving through eth1 (eth1 is presumably the
# outbound/WAN side).
-A POSTROUTING -o eth1 -j MASQUERADE
#
# DNAT for the web site: TCP port 8001 arriving on eth1 is redirected to
# 192.168.0.77 (destination port unchanged, since none is given).
# NOTE(review): the redirected packets then pass the filter FORWARD chain,
# whose policy is ACCEPT and which has no rule restricting this traffic; fine
# only if that is intended.
#
-A PREROUTING -p tcp -m tcp -i eth1 --dport 8001 -j DNAT --to-destination 192.168.0.77
COMMIT
# Completed on Mon Oct 12 13:47:41 2009
Colocar as seguintes linhas no rc.local
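#
# Ignore ICMP echo requests sent to broadcast addresses, so this host does not
# take part in broadcast-ping amplification.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Do not accept source-routed packets.
#
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Enable TCP SYN cookies so a SYN flood cannot exhaust the listen backlog.
#
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on (anti-spoofing).
# conf/default only applies to interfaces created after this point; conf/all
# is what covers the interfaces that already exist (eth1 etc.), so set both.
#
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
#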