I noticed that there is disagreement about something not so
important. What really matters is that the rules are efficient. In any
case, I will try many ways to validate the rules.
I thank all those who took an interest.
I have tested the ssh rules with `-m state --state NEW`, and they really
worked. Thank you.
What do you think of the firewall now?
Sincerely,
Yuri Rodrigues
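#!/bin/sh
# Firewall System
# Author - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# Loads a stateful iptables ruleset for a two-interface gateway:
#   eth0 = Intranet (LAN side)
#   eth1 = Internet (WAN side)
# The filter table defaults to DROP in every direction; only the flows listed
# below are allowed. Reply traffic is accepted once, by the RELATED,ESTABLISHED
# rules, so no service needs a "--sport" rule. Must run as root. Kernel log
# entries (prefix "[IPTABLES]") land in e.g. /var/log/kern.log.
#
# Written for POSIX sh: status lines use printf because "echo -e" is not
# portable (dash prints a literal "-e"). The mail-wrapped original had several
# iptables commands split across two lines, which sh runs as two commands.
#
# set -e: a failing iptables command aborts the script with the DROP policies
# already in place (fail closed) and forwarding still disabled.

set -eu

intranet="eth0"               # LAN-facing interface
internet="eth1"               # WAN-facing interface
iptables="/sbin/iptables"
rede="192.168.121.0/24"       # LAN network; restricts MASQUERADE
ra_host="192.168.121.4"       # LAN host that receives the Remote Administrator DNAT
ra_port="4899"                # Remote Administrator TCP port
share_ports="80"              # TCP ports the LAN may reach on the Internet (space separated)
readonly intranet internet iptables rede ra_host ra_port share_ports

#######################################
# Print a coloured "<label> ...... [ OK ]" status line.
# Arguments: $1 - label
# Outputs:   one line on stdout
#######################################
ok() {
  printf '\033[01;36m%s\033[01;37m .............. \033[01;32m[ OK ]\033[0m\n' "$1"
}

clear
# Forwarding stays off until the complete ruleset is loaded (re-enabled last).
echo "0" > /proc/sys/net/ipv4/ip_forward
printf '\033[01;33m-----------------=======\033[01;32m Firewall\033[01;33m =======------------------\033[0m\n'
echo " By: Yuri Rodrigues "
printf '\033[01;37mLOGS: [ /var/log/kern.log ]\033[0m\n'
echo ""
echo "Starting the script "
echo ""

#### Loading Modules ####
# Best effort: on many kernels these are built in or carry newer names
# (ip_conntrack -> nf_conntrack), in which case modprobe fails harmlessly.
# The original "modprobe ipt_tos &&\" accidentally chained two commands.
for mod in ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_queue ip_tables \
    ipt_LOG ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_TCPMSS \
    ipt_TOS ipt_limit ipt_mac ipt_mark ipt_multiport ipt_owner ipt_state \
    ipt_tcpmss ipt_tos iptable_filter iptable_mangle iptable_nat; do
  modprobe "$mod" 2>/dev/null || true
done
ok "Loading Modules"

#### Policing ####
# Filter table: default deny. Between this point and the ESTABLISHED rules
# below, existing sessions through the gateway (including a remote SSH
# session) are briefly dropped on a re-run.
"$iptables" -t filter -P INPUT DROP
"$iptables" -t filter -P OUTPUT DROP
"$iptables" -t filter -P FORWARD DROP
# Nat table
"$iptables" -t nat -P PREROUTING ACCEPT
"$iptables" -t nat -P OUTPUT ACCEPT
"$iptables" -t nat -P POSTROUTING ACCEPT
# Mangle table
"$iptables" -t mangle -P PREROUTING ACCEPT
"$iptables" -t mangle -P OUTPUT ACCEPT
"$iptables" -t mangle -P INPUT ACCEPT
"$iptables" -t mangle -P POSTROUTING ACCEPT
ok "Policing"

#### Flush Rules ####
# -X also deletes user chains (syn_flood below) so the script can be re-run.
for table in filter nat mangle; do
  "$iptables" -t "$table" -F
  "$iptables" -t "$table" -X
done
ok "Flush Rules"

#### Allowing already established connections ####
"$iptables" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$iptables" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$iptables" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify are dropped instead of reaching the
# per-service rules.
"$iptables" -A INPUT -m state --state INVALID -j DROP
"$iptables" -A FORWARD -m state --state INVALID -j DROP
ok "Allowing already established connections"

#### LoopBack Traffic Accepted ####
# Both directions: with OUTPUT DROP, a locally originated connection to
# 127.0.0.1 would otherwise never get its first packet out.
"$iptables" -A INPUT -i lo -j ACCEPT
"$iptables" -A OUTPUT -o lo -j ACCEPT

#### SynFloods Protection ####
# Rate-limit new TCP connections crossing the gateway. This must precede the
# per-service ACCEPT rules: the original appended "--syn -m limit -j ACCEPT"
# after them, which accepted a trickle of SYNs to *any* forwarded port instead
# of limiting anything.
"$iptables" -N syn_flood
"$iptables" -A syn_flood -m limit --limit 3/s -j RETURN
"$iptables" -A syn_flood -j DROP
"$iptables" -A FORWARD -p tcp --syn -j syn_flood
ok "SynFloods Protection"

#### Locking fragmented packets ####
# -f matches second and later fragments. LOG is rate-limited so a fragment
# flood cannot fill the kernel log.
"$iptables" -A INPUT -f -i "$internet" -m limit --limit 3/minute \
  -j LOG --log-prefix "[IPTABLES] Fragmentos: "
"$iptables" -A INPUT -f -i "$internet" -j REJECT
ok "Locking fragmented packets"

#### ICMP Limit ####
# Anything above the limit falls through to the INPUT DROP policy.
"$iptables" -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
ok "ICMP Limit"

echo ""
printf '\033[01;33m>>>>>>>>>>>>>>>>>>\033[01;32m Regras para usuarios\033[01;33m <<<<<<<<<<<<<<<<<<\033[0m\n'
echo ""

#### Debugging ####
# Uncomment to log (rate-limited) what each chain sees.
#"$iptables" -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
#"$iptables" -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] OUTPUT : "
#"$iptables" -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] FORWARD : "

#### Remote Administrator ####
# Internet -> $ra_host:$ra_port via DNAT in PREROUTING plus a FORWARD accept
# restricted to that host. The DNAT rewrites every such packet before routing,
# so the original INPUT accept for the port never matched and only exposed the
# gateway itself; it is gone. The original "--sport 4899 --state NEW" FORWARD
# accept is gone too: replies are ESTABLISHED, and a NEW accept keyed on source
# port lets any client that picks that port reach the LAN.
"$iptables" -t nat -A PREROUTING -i "$internet" -p tcp --dport "$ra_port" \
  -j DNAT --to-destination "$ra_host:$ra_port"
"$iptables" -A FORWARD -i "$internet" -o "$intranet" -p tcp -d "$ra_host" --dport "$ra_port" \
  -m state --state NEW -m limit --limit 3/minute \
  -j LOG --log-prefix "[IPTABLES] RA : " --log-level 6 --log-tcp-options --log-ip-options
"$iptables" -A FORWARD -i "$internet" -o "$intranet" -p tcp -d "$ra_host" --dport "$ra_port" \
  -m state --state NEW -j ACCEPT
ok "Remote Administrator"

#### Transparent Proxy ####
# REDIRECT sends LAN web traffic to a proxy on this host, port 3128; the
# redirected connections then arrive on INPUT from $intranet to port 3128,
# which is the accept a proxy setup needs (not port 80/443 from $internet,
# as the original commented lines had).
#"$iptables" -t nat -A PREROUTING -i "$intranet" -p tcp --dport 80 -j REDIRECT --to-port 3128
#"$iptables" -t nat -A PREROUTING -i "$intranet" -p tcp --dport 443 -j REDIRECT --to-port 3128
#"$iptables" -A INPUT -i "$intranet" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
#ok "Transparent Proxy"

#### SSH Access ####
# One NEW rule per direction towards port 22. Source-port (--sport 22) accepts
# are deliberately absent: they would let any client that picks source port 22
# open a connection to every port on the gateway or the LAN.
"$iptables" -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/minute \
  -j LOG --log-prefix "[IPTABLES] SSH : " --log-level 6 --log-tcp-options --log-ip-options
## LAN 2 FIREWALL
"$iptables" -A INPUT -i "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 INTERNET
"$iptables" -A OUTPUT -o "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## INTERNET 2 FIREWALL
"$iptables" -A INPUT -i "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## FIREWALL 2 LAN
"$iptables" -A OUTPUT -o "$intranet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## LAN 2 INTERNET (forwarded; the original FORWARD rule had no direction)
"$iptables" -A FORWARD -i "$intranet" -o "$internet" -p tcp --dport 22 -m state --state NEW -j ACCEPT
ok "SSH Access"

#### Internet Sharing ####
# LAN -> Internet for $share_ports, masqueraded behind $internet. Only $rede is
# masqueraded, and only when leaving via $internet; the original unqualified
# MASQUERADE rewrote every forwarded packet on every interface. The original
# "INPUT -i $internet --dport 80" accept opened port 80 on the gateway itself,
# which sharing does not need; add it back explicitly if a service listens there.
for port in $share_ports; do
  "$iptables" -A FORWARD -i "$intranet" -o "$internet" -p tcp --dport "$port" \
    -m state --state NEW -j ACCEPT
done
"$iptables" -t nat -A POSTROUTING -s "$rede" -o "$internet" -j MASQUERADE
ok "Internet Sharing"
# NOTE(review): nothing forwards DNS (udp/53) from the LAN; clients need a
# resolver reachable without crossing this gateway, or an extra FORWARD rule.

echo ""
printf '\033[01;33m<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\033[0m\n'
echo ""

#### QOS Remote Admin ####
# Mark Remote Administrator traffic with TOS 0x10 (minimize delay).
"$iptables" -t mangle -A OUTPUT -o "$internet" -p tcp --sport "$ra_port" -j TOS --set-tos 0x10
"$iptables" -t mangle -A INPUT -i "$internet" -p tcp --dport "$ra_port" -j TOS --set-tos 0x10
"$iptables" -t mangle -A FORWARD -o "$internet" -p tcp --sport "$ra_port" -j TOS --set-tos 0x10
ok "QoS Remote Admin"

#### Enable forwarding ####
# Last step: routing between the interfaces starts only once the full ruleset
# is in place (the original switched it on right after the flush).
echo "1" > /proc/sys/net/ipv4/ip_forward

echo ""
printf '\033[01;33m-------------======\033[01;32m Firewall Enabled\033[01;33m ======--------------\033[0m\n'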