
#!/bin/bash
#
# INFO - CONSULTORIA E INFORMATICA LTDA - (41) 3332-9844 - suporte@infoconsultoria.com.br
#
# Script para definicao de ambiente de seguranca e fluxo de pacotes - customizado para o cliente: "CORPO DE BOMBEIROS"
# 
# Atuacao: 
#    - Considere Ambiente arquitetura Dual Homed Host
#    - Estamos trabalhando com 2 interfaces reais
#    - Tabelas nat e filter como base
#    - Utilizacao de Cadeias Customizadas (nao padrao), nao faca alteracoes sem conhecer o ambiente e o funcionamento da rede.
#    - Politica de OUTPUT Aberta
#
# Autor:
#     Jocimar Soto de Gois em 01/05/2009  -  jocimar@infoconsultoria.com.br
#
# Alteracoes: 
#              # Registre toda e qualquer alteracao no cabecalho do script com data e motivo quando julgarmos 
#              # necessario limparemos as anotacoes antigas
########################################################################################################################################
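# LSB helper functions (log_daemon_msg & co.). Nothing in this script calls
# them, so a system without the file skips the include instead of erroring.
if [ -r /lib/lsb/init-functions ]; then
  . /lib/lsb/init-functions
fi
readonly IPTABLES=/sbin/iptables
readonly MODPROBE=/sbin/modprobe

# Network and interfaces
NET_INT="10.47.7.0/24"   # internal LAN (only referenced by disabled rules)
IF_EXT="eth0"            # external / Internet side
IF_INT="eth1"            # internal LAN side
IF_VPN="tun+"            # tunnel interfaces (iptables wildcard: tun0, tun1, ...)
IF_lo="lo"

# TCP ports (comma lists, consumed by -m multiport)
JABBER="5222,5223"
TELNET="23"
FTP="20,21"
VNC="5900,5901,5902"
SMTP="25"
SSH="22213"
SSH2="22"
HTTP="80,8080"
CUPS="631"
MSN="1863"

# UDP ports
VPN="1194,5001"

#######################################
# Write one value to a /proc/sys knob. A failed write is reported on stderr
# and the script carries on, matching the original "echo 1 > ..." behaviour.
# Arguments: $1 - path below /proc/sys, $2 - value to write
# Returns:   0 on success, 1 if the write failed
#######################################
set_sysctl() {
  local knob=$1 value=$2
  if ! printf '%s\n' "$value" > "$knob"; then
    printf 'rc.firewall: could not set %s\n' "$knob" >&2
    return 1
  fi
  return 0
}

#######################################
# Load the first of the given kernel modules that modprobe can find. The
# conntrack helpers are named ip_conntrack_* on older kernels and
# nf_conntrack_* on newer ones, so callers pass both spellings.
# Arguments: $@ - candidate module names, preferred first
# Returns:   0 if one loaded, 1 if none did (a warning is printed)
#######################################
load_module() {
  local name
  for name in "$@"; do
    # -q silences only "module not found"; genuine insertion errors still print.
    if "$MODPROBE" -q "$name"; then
      return 0
    fi
  done
  printf 'rc.firewall: could not load any of: %s\n' "$*" >&2
  return 1
}

set_sysctl /proc/sys/net/ipv4/ip_forward 1
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
# Reverse-path filtering on the LAN interface and on interfaces created later.
# NOTE(review): conf/all/rp_filter is not set and $IF_EXT gets no rp_filter of
# its own; whether that is intended (asymmetric paths via the VPN or the
# static 10/8 route added at start) should be confirmed with the site.
set_sysctl /proc/sys/net/ipv4/conf/default/rp_filter 1
set_sysctl "/proc/sys/net/ipv4/conf/$IF_INT/rp_filter" 1
# Console log level 1: only emergency messages reach the console, so the
# level-6 LOG rules installed later do not scroll on the terminal.
dmesg -n 1

# Connection-tracking helpers (FTP data channels, IRC DCC, FTP through NAT).
# The SIP helper stays disabled as in the original: load_module ip_conntrack_sip nf_conntrack_sip
load_module ip_conntrack_ftp nf_conntrack_ftp
load_module ip_conntrack_irc nf_conntrack_irc
load_module ip_conntrack nf_conntrack
load_module ip_nat_ftp nf_nat_ftp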


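# Port signatures inspected on the external interface (see add_signature_rules).
readonly -a TRINOO_PORTS=(27444 27665 31335 34555 35555)
readonly -a TROJAN_PORTS=(666 4000 6000 6006 16660)
# "<mask> <flags that must be set>" pairs for --tcp-flags; each is an
# abnormal flag combination used by port scanners.
readonly -a SCANNER_FLAGS=(
  "ALL FIN,URG,PSH"
  "ALL NONE"
  "ALL ALL"
  "ALL FIN,SYN"
  "ALL SYN,RST,ACK,FIN,URG"
  "SYN,RST SYN,RST"
  "SYN,FIN SYN,FIN"
)
# "<proto> <port(s)> <name>" of services probed from outside that are only
# logged (the DROP policy discards the packet); <name> becomes the log prefix.
readonly -a EXT_PROBE_LOGS=(
  "tcp 23 telnet"
  "tcp 25 smtp"
  "tcp 110 pop3"
  "udp 111 rpc"
  "tcp 113 identd"
  "tcp 137:139 samba"
  "udp 137:139 samba"
  "tcp 161:162 snmp"
  "tcp 6667:6668 irc"
  "tcp 3128 squid"
)

#######################################
# Empty every table and delete the user-defined chains.
# Globals: IPTABLES (read)
#######################################
fw_flush() {
  "$IPTABLES" -F
  "$IPTABLES" -F -t nat
  "$IPTABLES" -F -t mangle
  "$IPTABLES" -X
}

#######################################
# Append the TRINOO, TROJAN and SCANNER detection rules, in that order, to a
# chain. Only packets arriving on the external interface are inspected; the
# original listed these rules twice (INPUT and FORWARD) with a duplicated
# port-666 line, which is folded into the port arrays here.
# Globals:   IPTABLES, IF_EXT, TRINOO_PORTS, TROJAN_PORTS, SCANNER_FLAGS (read)
# Arguments: $1 - chain to append to (INPUT or FORWARD)
#######################################
add_signature_rules() {
  local chain=$1 port spec mask flags
  for port in "${TRINOO_PORTS[@]}"; do
    "$IPTABLES" -A "$chain" -p tcp -i "$IF_EXT" --dport "$port" -j TRINOO
  done
  for port in "${TROJAN_PORTS[@]}"; do
    "$IPTABLES" -A "$chain" -p tcp -i "$IF_EXT" --dport "$port" -j TROJAN
  done
  for spec in "${SCANNER_FLAGS[@]}"; do
    read -r mask flags <<<"$spec"
    "$IPTABLES" -A "$chain" -p tcp --tcp-flags "$mask" "$flags" -i "$IF_EXT" -j SCANNER
  done
}

#######################################
# Install the rule set: default-deny INPUT/FORWARD, open OUTPUT, the helper
# chains, NAT and the static route to the rest of 10/8.
# Globals:   IPTABLES, IF_lo, IF_INT, IF_EXT, IF_VPN, SSH, VNC, HTTP (read)
# Returns:   0; a failing iptables call prints its own error and the
#            remaining rules are still installed (the script does not set -e)
#######################################
fw_start() {
  # Policies go in before the flush so nothing is accepted while the chains
  # are being rebuilt.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  fw_flush
  "$IPTABLES" -N TRINOO
  "$IPTABLES" -N TROJAN
  "$IPTABLES" -N SCANNER
  "$IPTABLES" -N SYNFLOOD

  # Signature chains: rate-limited log, then drop. The "FW:" (not "FWL:")
  # prefix of the trinoo line is kept as in the original so existing log
  # filters still match.
  "$IPTABLES" -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FW: trinoo: "
  "$IPTABLES" -A TRINOO -j DROP
  "$IPTABLES" -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FWL: trojan: "
  "$IPTABLES" -A TROJAN -j DROP
  "$IPTABLES" -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FWL: port scanner: "
  "$IPTABLES" -A SCANNER -j DROP
  # SYNFLOOD only throttles: SYNs within the limit RETURN to the calling
  # chain, which still has to ACCEPT them explicitly; the excess is dropped.
  "$IPTABLES" -A SYNFLOOD -m limit --limit 2/s -j RETURN
  "$IPTABLES" -A SYNFLOOD -j DROP

  # ---- INPUT (traffic addressed to the firewall itself) ----
  "$IPTABLES" -A INPUT -i "$IF_lo" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IF_INT" -j ACCEPT
  # VPN service list, disabled in the original and kept for reference:
  #"$IPTABLES" -A INPUT -i "$IF_VPN" -p tcp -m multiport --dports "$FTP,$TELNET,$JABBER,$SSH,$SSH2,$VNC,$HTTP,$CUPS" -j ACCEPT
  # Services published on the Internet side. The original's extra single-port
  # SSH rule was already covered by this multiport match and is not repeated.
  "$IPTABLES" -A INPUT -i "$IF_EXT" -p tcp -m multiport --dports "$SSH,$VNC,$HTTP" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IF_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i "$IF_VPN" -p icmp -m icmp -j ACCEPT
  add_signature_rules INPUT
  # Ping to the firewall from any interface, rate-limited.
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # Probes of services not offered externally: log them (throttled, so a scan
  # cannot flood syslog) and let the DROP policy discard the packet.
  local spec proto port name
  for spec in "${EXT_PROBE_LOGS[@]}"; do
    read -r proto port name <<<"$spec"
    "$IPTABLES" -A INPUT -p "$proto" --dport "$port" -i "$IF_EXT" -m limit --limit 15/m \
      -j LOG --log-level 6 --log-prefix "FWL: $name: "
  done

  # ---- FORWARD (traffic routed between interfaces) ----
  "$IPTABLES" -A FORWARD -i "$IF_INT" -j ACCEPT
  # VPN forwarding list, disabled in the original and kept for reference:
  #"$IPTABLES" -A FORWARD -o "$IF_VPN" -p tcp -m multiport --dports "177,6000,$FTP,$TELNET,$JABBER,$SSH,$SSH2,$VNC,$CUPS" -j ACCEPT
  # New connections from the Internet pass the SYN limiter first. The original
  # had "-p tcp --syn -m limit --limit 2/s -j ACCEPT" further down with no
  # interface match, which accepted up to 2 new inbound TCP connections per
  # second to ANY internal port. The 2/s figure is kept, but only the explicit
  # ACCEPT below opens ports; raise the limit if legitimate external clients hit it.
  "$IPTABLES" -A FORWARD -i "$IF_EXT" -p tcp --syn -j SYNFLOOD
  "$IPTABLES" -A FORWARD -i "$IF_EXT" -p tcp -m multiport --dports "$VNC,$HTTP" -j ACCEPT
  # worms (port 135 from the LAN).
  # NOTE(review): this rule sits after the unconditional ACCEPT for $IF_INT
  # above, so it never matches. Moving it up would also stop LAN hosts from
  # reaching 10/8 on port 135 (RPC), so confirm with the site before changing.
  "$IPTABLES" -A FORWARD -p tcp --dport 135 -i "$IF_INT" -j REJECT
  # Rate-limited echo-request. It has no interface match, so it also admits
  # pings from $IF_EXT to internal hosts at 1/s — presumably intended; confirm.
  "$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # NEW connections whose first packet is not a SYN: log (throttled) and drop.
  "$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -m limit --limit 15/m \
    -j LOG --log-level 6 --log-prefix "FWL: NEW sem syn: "
  "$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  add_signature_rules FORWARD
  "$IPTABLES" -A FORWARD -i "$IF_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # ---- NAT ----
  # Masquerade everything leaving the external interface. Unlike the
  # commented-out variant in the original this is not restricted to $NET_INT:
  # whatever is routed out of $IF_EXT is masqueraded.
  "$IPTABLES" -t nat -A POSTROUTING -o "$IF_EXT" -j MASQUERADE

  # ---- Static route to the rest of the internal 10/8 network ----
  # A second "start" makes route report that the entry already exists; that
  # message is harmless and the rule set above is still installed.
  /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.47.4.1
}

#######################################
# Open the firewall completely: ACCEPT policies and no rules at all.
# Globals: IPTABLES (read)
#######################################
fw_stop() {
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  fw_flush
}

# restart/reload/force-reload were advertised by the usage text of the
# original but not implemented; they are a stop followed by a start.
case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart|reload|force-reload)
    fw_stop
    fw_start
    ;;
  *)
    printf '%s\n' "Usage: /etc/init.d/firewall {start|stop|restart|reload|force-reload}" >&2
    exit 2
    ;;
esac
exit 0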
