Configuração Firewall

De MediaWiki do Campus São José
Ir para: navegação, pesquisa

Banner.gif

Projeto equipe Full Tilt

Criando um arquivo para conter o firewall:

   touch /etc/firewall.sh

Editando-o:

   #!/bin/bash
   fw_start(){
   # NAT
   modprobe iptable_nat
   # para acesso FTP
   modprobe ip_conntrack
   modprobe ip_conntrack_ftp
   # ativando o encaminhamendo
   echo 1 > /proc/sys/net/ipv4/ip_forward
   iptables -t nat -F
   iptables -F
   iptables -P FORWARD ACCEPT
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -P INPUT DROP
   #portas a serem liberadas
   iptables -A INPUT -s 0/0 -p tcp --dport 21 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 25 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 110 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 10000 -j ACCEPT
   iptables -A INPUT -s 0/0 -p tcp --dport 20000 -j ACCEPT
   #controles de acesso e segurança
   iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s
   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
   iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit  1/s -j ACCEPT 
   iptables -A INPUT -s 10.0.0.0/8 -i Interface da NET -j DROP 
   iptables -A INPUT -s 172.16.0.0/16 -i Interface da NET -j DROP 
   iptables -A INPUT -s 192.168.0.0/24 -i Interface da NET -j DROP 
   iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"
   }
   fw_usage(){
   echo
   echo "$0 (start | stop | restart )"
   echo
   echo "start   - Ativa o firewall"
   echo "stop    - Desativa o firewall"
   echo "restart - Reativa o firewall"
   }
   fw_stop(){
   iptables -t nat -F
   iptables -F
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24   -j ACCEPT
   iptables -A FORWARD -s 192.168.2.0/24 -d 200.135.37.0/26  -j ACCEPT
   iptables -A FORWARD -s 192.168.2.0/24 -d 172.16.0.0/16    -j ACCEPT
   iptables -A FORWARD -s 192.168.2.0/24 -d 172.18.0.0/16    -j ACCEPT
   iptables -P FORWARD DROP
   }
   case $1 in
   start)
   fw_start;
   ;;
   stop)
   fw_stop;
   ;;
   restart)
   fw_stop;
   fw_start;
   ;;
   *)
   fw_usage;
   exit;
   ;;
   esac

O arquivo firewall.sh será inicializado juntamento com o sistema operacional, visto que será adicionado ao rc.local