#!/bin/bash
#
# INFO - CONSULTORIA E INFORMATICA LTDA - (41) 3332-9844 - suporte@infoconsultoria.com.br
#
# Script para definicao de ambiente de seguranca e fluxo de pacotes - customizado para o cliente: "CORPO DE BOMBEIROS"
#
# Atuacao:
# - Considere Ambiente arquitetura Dual Homed Host
# - Estamos trabalhando com 2 interfaces reais
# - Tabelas nat e filter como base
# - Utilizacao de Cadeias Customizadas (nao padrao), nao faca alteracoes sem conhecer o ambiente e o funcionamento da rede.
# - Politica de OUTPUT Aberta
#
# Autor:
# Jocimar Soto de Gois em 01/05/2009 - jocimar@infoconsultoria.com.br
#
# Alteracoes:
# # Registre toda e qualquer alteracao no cabecalho do script com data e motivo quando julgarmos
# # necessario limparemos as anotacoes antigas
########################################################################################################################################
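. /lib/lsb/init-functions

# -u: a mistyped variable name would expand to nothing and silently produce a
# different (usually looser) rule; aborting is the safer outcome.
# -e is deliberately NOT set: the DROP policies are installed before any rule,
# so a rule that fails to load leaves the host more restrictive, not less,
# whereas aborting half-way would leave a partial ruleset with no one told.
set -u

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
ROUTE=/sbin/route

# NET
NET_INT="10.47.7.0/24"
# IF
IF_EXT="eth0"
IF_INT="eth1"
IF_VPN="tun+"
IF_lo="lo"
# Portas TCP
JABBER="5222,5223"
TELNET="23"
FTP="20,21"
VNC="5900,5901,5902"
SMTP="25"
SSH="22213"
SSH2="22"
HTTP="80,8080"
CUPS="631"
MSN="1863"
# Portas UDP
VPN="1194,5001"

# TCP destination ports treated as trinoo / trojan signatures when they arrive
# on $IF_EXT; each jumps to the log-and-drop chain of the same name.  INPUT and
# FORWARD used to carry identical hand-written copies (with 666 listed twice).
TRINOO_PORTS=(27444 27665 31335 34555 35555)
TROJAN_PORTS=(666 4000 6000 6006 16660)
# "--tcp-flags <mask> <set>" pairs that never occur on a legitimate segment.
SCAN_FLAGS=(
  "ALL FIN,URG,PSH"
  "ALL NONE"
  "ALL ALL"
  "ALL FIN,SYN"
  "ALL SYN,RST,ACK,FIN,URG"
  "SYN,RST SYN,RST"
  "SYN,FIN SYN,FIN"
)

#######################################
# Write one value into /proc/sys, warning (not aborting) when it fails.
# Arguments: $1 - key below /proc/sys, $2 - value
#######################################
sysctl_set() {
  local key=$1 value=$2
  if ! printf '%s\n' "$value" > "/proc/sys/$key"; then
    printf 'WARN: could not write /proc/sys/%s\n' "$key" >&2
  fi
}

# Kernel settings and conntrack helpers; applied for every action, as before.
sysctl_set net/ipv4/ip_forward 1
sysctl_set net/ipv4/icmp_echo_ignore_broadcasts 1
sysctl_set net/ipv4/tcp_syncookies 1
sysctl_set net/ipv4/conf/default/rp_filter 1
sysctl_set "net/ipv4/conf/$IF_INT/rp_filter" 1
dmesg -n 1
#$MODPROBE ip_conntrack_sip
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE ip_conntrack
$MODPROBE ip_nat_ftp

#######################################
# Create a user chain that logs (rate limited) and drops whatever reaches it.
# Arguments: $1 - chain name, $2 - --log-prefix text (kept byte-exact so
#            existing log filters keep matching)
#######################################
make_log_drop_chain() {
  local chain=$1 prefix=$2
  $IPTABLES -N "$chain"
  $IPTABLES -A "$chain" -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "$prefix"
  $IPTABLES -A "$chain" -j DROP
}

#######################################
# Create a pure rate limiter: packets within the budget RETURN to the calling
# chain, so the normal accept rules and the chain policy still decide them;
# packets beyond the budget are dropped.  This replaces the former
# "-p tcp --syn -m limit --limit 2/s -j ACCEPT" rule, which ACCEPTED the first
# two new connections per second from ANY interface and so bypassed the
# FORWARD DROP policy instead of protecting against a flood.
# Arguments: $1 - chain name, $2 - limit (e.g. 2/s)
#######################################
make_limit_chain() {
  local chain=$1 rate=$2
  $IPTABLES -N "$chain"
  $IPTABLES -A "$chain" -m limit --limit "$rate" -j RETURN
  $IPTABLES -A "$chain" -j DROP
}

#######################################
# Append the trinoo / trojan / scanner signature rules to one chain.
# Arguments: $1 - chain name (INPUT or FORWARD)
#######################################
add_signature_rules() {
  local chain=$1 port flags
  for port in "${TRINOO_PORTS[@]}"; do
    $IPTABLES -A "$chain" -p tcp -i "$IF_EXT" --dport "$port" -j TRINOO
  done
  for port in "${TROJAN_PORTS[@]}"; do
    $IPTABLES -A "$chain" -p tcp -i "$IF_EXT" --dport "$port" -j TROJAN
  done
  for flags in "${SCAN_FLAGS[@]}"; do
    # shellcheck disable=SC2086 -- $flags is the "<mask> <set>" word pair
    $IPTABLES -A "$chain" -p tcp --tcp-flags $flags -i "$IF_EXT" -j SCANNER
  done
}

#######################################
# Flush every table and delete the user chains; the caller sets the policies.
#######################################
flush_all() {
  $IPTABLES -F
  $IPTABLES -F -t nat
  $IPTABLES -F -t mangle
  $IPTABLES -X
}

#######################################
# Build the complete ruleset (policies first, so a rule that fails to load
# can only make the host stricter).
#######################################
fw_start() {
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT
  flush_all
  make_log_drop_chain TRINOO "FW: trinoo: "
  make_log_drop_chain TROJAN "FWL: trojan: "
  make_log_drop_chain SCANNER "FWL: port scanner: "
  make_limit_chain SYN_FLOOD 2/s

  #########################################
  # INPUT #
  #########################################
  $IPTABLES -A INPUT -i "$IF_lo" -j ACCEPT
  $IPTABLES -A INPUT -i "$IF_INT" -j ACCEPT
  # Signature checks precede the service accepts: before, a probe with bogus
  # flags aimed at an open port (SSH, VNC, HTTP) was accepted before the
  # SCANNER rules were ever reached.
  add_signature_rules INPUT
  # $IPTABLES -A INPUT -i $IF_VPN -p tcp -m multiport --dports $FTP,$TELNET,$JABBER,$SSH,$SSH2,$VNC,$HTTP,$CUPS -j ACCEPT
  # $SSH is already in this multiport list; the separate --dport $SSH rule
  # that used to follow was redundant and has been dropped.
  $IPTABLES -A INPUT -i "$IF_EXT" -p tcp -m multiport --dports "$SSH,$VNC,$HTTP" -j ACCEPT
  $IPTABLES -A INPUT -i "$IF_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -i "$IF_VPN" -p icmp -m icmp -j ACCEPT
  # Echo requests accepted up to 1/s; the excess falls through to the policy.
  $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # tentativa de acesso indevido (log only; the DROP policy discards them)
  $IPTABLES -A INPUT -p tcp --dport 23 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: telnet: "
  $IPTABLES -A INPUT -p tcp --dport 25 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: smtp: "
  $IPTABLES -A INPUT -p tcp --dport 110 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: pop3: "
  $IPTABLES -A INPUT -p udp --dport 111 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: rpc: "
  $IPTABLES -A INPUT -p tcp --dport 113 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: identd: "
  $IPTABLES -A INPUT -p tcp --dport 137:139 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: samba: "
  $IPTABLES -A INPUT -p udp --dport 137:139 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: samba: "
  $IPTABLES -A INPUT -p tcp --dport 161:162 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: snmp: "
  $IPTABLES -A INPUT -p tcp --dport 6667:6668 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: irc: "
  $IPTABLES -A INPUT -p tcp --dport 3128 -i "$IF_EXT" -j LOG --log-level 6 --log-prefix "FWL: squid: "

  #########################################
  # FORWARD #
  #########################################
  # worms -- must precede the blanket accept for $IF_INT; it used to sit
  # after that accept and therefore never matched.
  $IPTABLES -A FORWARD -p tcp --dport 135 -i "$IF_INT" -j REJECT
  $IPTABLES -A FORWARD -i "$IF_INT" -j ACCEPT
  #$IPTABLES -A FORWARD -o $IF_VPN -p tcp -m multiport --dports 177,6000,$FTP,$TELNET,$JABBER,$SSH,$SSH2,$VNC,$CUPS -j ACCEPT
  # NOTE(review): no rule below accepts NEW TCP connections arriving on
  # $IF_VPN; before the syn-flood fix they appear to have slipped through the
  # old 2/s ACCEPT.  If VPN clients must reach the LAN, add an explicit accept
  # for $IF_VPN here -- confirm with the site.
  $IPTABLES -A FORWARD -i "$IF_EXT" -p tcp -m multiport --dports "$VNC,$HTTP" -j ACCEPT
  # syn-flood: a limiter only (RETURN within budget, DROP beyond).  Kept in
  # its original position, so it governs SYNs not already accepted above;
  # moving it before the service accepts, with a realistic rate, is a site
  # decision.
  $IPTABLES -A FORWARD -p tcp --syn -j SYN_FLOOD
  # ping da morte
  $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FWL: NEW sem syn: "
  $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  add_signature_rules FORWARD
  $IPTABLES -A FORWARD -i "$IF_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

  #########################################
  # NAT #
  #########################################
  # PREROUTING (kept for reference)
  # for i in `cat hosts.txt`
  # do
  # $IPTABLES -t nat -I PREROUTING -i $IF_INT -m mac ! --mac-source -j ACCEPT
  # done
  # POSTROUTING
  #$IPTABLES -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j MASQUERADE
  # NOTE(review): this masquerades every source leaving $IF_EXT, not only
  # $NET_INT (the stricter variant is commented above) -- confirm intended.
  $IPTABLES -t nat -A POSTROUTING -o "$IF_EXT" -j MASQUERADE

  #########################################
  # Roteamento para a rede interna #
  #########################################
  # Non-fatal when the route already exists (e.g. on restart), as before.
  $ROUTE add -net 10.0.0.0 netmask 255.0.0.0 gw 10.47.4.1
}

#######################################
# Open everything.  NOTE: ip_forward stays enabled (written above) and all
# policies become ACCEPT with the nat table flushed, so while stopped the host
# routes freely between $IF_EXT and $IF_INT without NAT.
#######################################
fw_stop() {
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  flush_all
}

case "${1:-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart|reload|force-reload)
    # Advertised by the usage line but previously unhandled.
    fw_stop
    fw_start
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|reload|force-reload}"
    exit 2
    ;;
esac
exit 0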