Este artigo contém um exemplo de script de firewall baseado em iptables, que pode ser customizado de acordo com o tipo de serviço de um host.
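#!/usr/bin/env bash
# Host firewall template (iptables): default-deny INPUT and FORWARD, then a
# short allow-list (ICMP, HTTP/HTTPS on the virtual IP, Zabbix agent, SSH
# from four admin hosts). Meant to be copied and adapted per host; it must
# run as root because it loads rules and writes /proc/sys knobs.
# Deliberately no `set -e`: a single rule failing to load should not abort
# the run and leave the host half-configured under the DROP policies set
# below. Verify the result with `iptables -S` after running.

### VARIABLES:
iptables=$(command -v iptables)
modprobe=$(command -v modprobe)
# shellcheck disable=SC2034  # not used below; kept for variants that unload modules
rmmod=$(command -v rmmod)
if [[ -z "$iptables" || -z "$modprobe" ]]; then
  printf 'iptables and modprobe must be in PATH\n' >&2
  exit 1
fi

# Both "interfaces" are the same NIC and neither is referenced by a rule below.
ifinterna=eth0
ifexterna=eth0
ipreal=192.168.56.7
ipvirtual=192.168.56.28
ipzabbix=192.168.56.24
# NOTE(review): "192.0.0/16" is not a full dotted quad; how iptables resolves
# it depends on the resolver fallback. Check `iptables -S` and confirm whether
# 192.168.0.0/16 was intended (every host address in this file is 192.168.x.x).
redeinterna=192.0.0/16
# shellcheck disable=SC2034  # not referenced by any rule below
redeexterna=200.199.225.128/26
ipMaquina01=192.168.10.6
ipMaquina02=192.168.10.7
ipMaquina03=192.168.10.8
ipMaquina04=192.168.10.9

### MODULES:
# iptables autoloads the matches/targets a rule needs; loading them up front
# only surfaces missing modules early. These are the legacy module names —
# on newer kernels the conntrack/nat ones may be called nf_conntrack,
# nf_conntrack_ftp, nf_nat, ... and modprobe will report these as unknown.
"$modprobe" ip_tables
"$modprobe" iptable_filter
"$modprobe" ip_conntrack
"$modprobe" ip_conntrack_ftp
"$modprobe" iptable_nat
"$modprobe" ip_nat_ftp
"$modprobe" ipt_LOG
"$modprobe" ipt_state
"$modprobe" ipt_MASQUERADE

### DEFAULT POLICY:
# Policies are set before the flush so the host is fail-closed while the
# rule set is rebuilt (this also cuts existing sessions until the
# RELATED,ESTABLISHED rule below is re-added).
"$iptables" -P INPUT DROP
"$iptables" -P OUTPUT ACCEPT
"$iptables" -P FORWARD DROP
"$iptables" -t nat -P PREROUTING ACCEPT
"$iptables" -t nat -P OUTPUT ACCEPT
"$iptables" -t nat -P POSTROUTING ACCEPT
"$iptables" -t mangle -P PREROUTING ACCEPT
"$iptables" -t mangle -P OUTPUT ACCEPT

### RESET FIREWALL:
# -F only empties chains; -X also removes user-defined chains, otherwise the
# `-N SCANNER` below fails on every run after the first.
"$iptables" -F
"$iptables" -X
"$iptables" -t nat -F
"$iptables" -t nat -X
"$iptables" -t mangle -F
"$iptables" -t mangle -X

### ROUTING:
# Forwarding is switched off, so the FORWARD rules below only matter if a
# per-host copy of this script enables it.
echo "0" > /proc/sys/net/ipv4/ip_forward

#####################################################################
################ Protection against attacks #########################
"$iptables" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# NOTE(review): RETURN in a built-in chain hands the packet to the chain
# policy (DROP here), so rate-limited echo replies are dropped by this rule
# rather than passed on; replies above the limit fall through and are accepted
# by the `--icmp-type 0` rule further down. Confirm this is the intended effect.
"$iptables" -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j RETURN
"$iptables" -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
"$iptables" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$iptables" -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# NOTE(review): the `unclean` match is not present in current kernels; expect
# this line to fail with "No chain/target/match by that name" there.
"$iptables" -A FORWARD -m unclean -j DROP
# Do not let a remote peer alter our routes via ICMP redirects or source routing.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# SYN-flood protection (start of the TCP handshake). Helps contain DoS attempts.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
"$iptables" -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Ignore bogus ICMP error responses.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Port-scanner chain: log at most 15/min, then drop.
# NOTE: no rule in this file jumps to SCANNER, so it logs nothing until a
# `-j SCANNER` rule is added to INPUT/FORWARD in the per-host copy.
"$iptables" -N SCANNER
"$iptables" -A SCANNER -m limit --limit 15/m -j LOG --log-prefix "FIREWALL: port scanner: "
"$iptables" -A SCANNER -j DROP
# Drop new TCP connections that do not start with SYN.
"$iptables" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Worm protection (MS-RPC port).
"$iptables" -A FORWARD -p tcp --dport 135 -j REJECT
# IP-spoofing protection: reverse-path filtering on every interface.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$i"
done
####################################################################

### KEEP ESTABLISHED CONNECTIONS:
"$iptables" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$iptables" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

### INPUT FOR LOCALHOST:
"$iptables" -A INPUT -p all -s 127.0.0.1 -i lo -j ACCEPT

### ICMP:
## 0 ECHO REPLY
"$iptables" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## INTERNAL NETWORK:
"$iptables" -A INPUT -p icmp -s "$redeinterna" -j ACCEPT
"$iptables" -A FORWARD -p icmp -s "$redeinterna" -j ACCEPT
"$iptables" -A FORWARD -p icmp -d "$redeinterna" -j ACCEPT

### HTTP:
"$iptables" -A INPUT -p tcp -s "$redeinterna" -d "$ipvirtual" --dport 80 -j ACCEPT
"$iptables" -A INPUT -p tcp -s "$redeinterna" -d "$ipvirtual" --dport 443 -j ACCEPT

### ZABBIX (agent on 10050/tcp, 3401/udp, only from the Zabbix server):
"$iptables" -A INPUT -p tcp -s "$ipzabbix" -d "$ipreal" --dport 10050 -j ACCEPT
"$iptables" -A INPUT -p udp -s "$ipzabbix" -d "$ipreal" --dport 3401 -j ACCEPT
"$iptables" -A INPUT -p tcp -s "$ipzabbix" -d "$ipvirtual" --dport 10050 -j ACCEPT
"$iptables" -A INPUT -p udp -s "$ipzabbix" -d "$ipvirtual" --dport 3401 -j ACCEPT

### SSH (only from the four admin hosts, to the real IP):
"$iptables" -A INPUT -p tcp -s "$ipMaquina01" -d "$ipreal" --dport 22 -j ACCEPT
"$iptables" -A INPUT -p tcp -s "$ipMaquina02" -d "$ipreal" --dport 22 -j ACCEPT
"$iptables" -A INPUT -p tcp -s "$ipMaquina03" -d "$ipreal" --dport 22 -j ACCEPT
"$iptables" -A INPUT -p tcp -s "$ipMaquina04" -d "$ipreal" --dport 22 -j ACCEPT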