[gitec] Ajuda com Firewall

celso magela de almeida celso em camarapocos.mg.gov.br
Sexta Setembro 3 10:52:59 BRT 2010


O meu ainda tem muita coisa para implementar, mas o básico funciona bem!
está anexo.

tem algumas coisas bem específicas, que na dúvida é só perguntar...

Celso Magela de Almeida
Assessor TI
Câmara Municipal de Poços de Caldas - MG
3729-3840



Em 3 de setembro de 2010 10:06, <herbert em camaralencois.sp.gov.br> escreveu:

> Galera to preciso de uma ajuda para meu firewall aqui vc's que tem mais
> experiencia no assunto tem como postar umas linhas ai pra eu começar a
> montar meu firewall ?  preciso fazer isto com o iptables
>
> 1 - limpar todas a regras
> 2 - bloquear tudo que entra e que sai
> 3 - liberar somente as portas necessarias de entrada e de saida.
>
> Somente isso KKK  to ficando doido aqui cada tutorial que eu leio fala
> algo diferente não sei qual usar ...
>
> Poderião me dar um norte
>
> Obrigado a todos ...
> --
> Site da Comunidade GITEC:
> http://colab.interlegis.gov.br/wiki
>
> Regras de participação:
> http://colab.interlegis.gov.br/wiki/ComoParticiparComunidade
>
> Para pesquisar o histórico da lista visite:
> http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
> http://listas.interlegis.gov.br/mailman/listinfo/gitec
>
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: http://listas.interlegis.gov.br/pipermail/gitec/attachments/20100903/38a7eaab/attachment.htm 
-------------- Próxima Parte ----------
?#!/bin/bash
# interface on-board  eth1-redeinterna- 
# interface off-board eth0-velox
#
EXTERNA=etth0
INTERNA=etth1
MODEM=ptp0


#carrega modulos

modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE


  echo -n "limpando regras..."


#limpar tabelas
   iptables -F 
   iptables -F INPUT
   iptables -F OUTPUT
   iptables -F FORWARD
 
   iptables -t filter -F 
   iptables -t nat -F
   iptables -t mangle -F
   
#limpar chains criadas
   iptables -t filter -X
   iptables -t nat -X 
   iptables -t mangle -X

#zerar  contador
   iptables -t filter -Z
   iptables -t nat -Z 
   iptables -t mangle -Z

  echo   "regras limpas!"

  echo -n "dropando tudo..."

#estabelece politica de ignorar tudo que nao for *explicitamente* permitido
  iptables -P INPUT DROP
#  iptables -P FORWARD DROP 
#  iptables -P OUTPUT DROP 

  echo  "Ok!"

#ativa roteamento no kernel
  echo  "1" > /proc/sys/net/ipv4/ip_forward

#ativa protecao contra IP spoofing
  echo  "1" > /proc/sys/net/ipv4/conf/all/rp_filter 

 echo -n "liberando acessos fora do proxy..."
#*********************************************************

#libera acesso sem proxy para Taritron
  iptables -t nat -A PREROUTING -p tcp -d 200.76.47.224 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.76.47.224 -j ACCEPT

#libera acesso sem proxy para site da Escal-Toninho
  iptables -t nat -A PREROUTING -p tcp -d 200.150.13.11 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.150.13.11 -j ACCEPT

#libera acesso sem proxy para transmitir reuniao ao vivo
#mms:/stream1.interrogacaodigital.net
  iptables -t nat -A PREROUTING -p tcp -d 67.19.172.194 -j ACCEPT
  iptables -A FORWARD -p tcp -d 67.19.172.194 -j ACCEPT

echo   "regras aplicadas..."
################################ativando o proxy ##############################


echo  -n "ativando o proxy e mascaramento..."
#direciona o pedidos da porta 80 para a porta 3128 do squid
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#mascarando pacotes para a internet
   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 
   iptables -A INPUT -i eth0 -p tcp -j ACCEPT 

echo  "... ativado!"  

#liberando a internet para mac especifico
#iptables -A FORWARD -m mac --mac-source ! 00-13-D4-57-85-F8 -j DENY

################################## faz o NAT  ##############################

echo  -n "Faz o NAT..."

#faz Nat para acesso externo ao servidor ASP/PHP
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.65:81
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8081 -j DNAT --to 192.168.0.116
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5800 -j DNAT --to 192.168.0.22:5800
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5900 -j DNAT --to 192.168.0.22:5900
#  iptables -t nat -I PREROUTING -i 192.168.0.65 -d camarapocos.no-ip.org -p tcp -m multiport --dports 80,443 -j REDIRECT
#  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.66:8081
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2800 -j DNAT --to 192.168.0.69:2500


   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.65:81
   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to 192.168.0.65:80
   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3306 -j DNAT --to 192.168.0.65:3306

echo "OK! "
#################### outros filtros  ##############################

echo  "aplica filtros de entrada..." 

################ignora pacotes mal-formados
   iptables -A INPUT -i ppp0 -m state --state INVALID -j DROP
   iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn:"
   iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

echo  "Ok(fase1)"

############permitir a entrada as nossas ligacoes
   iptables -A INPUT -i eth1 -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#libera portas para acesso ao ftp (20-dados 21-comandos)
  # iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 20 -j ACCEPT
  # iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
  # iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
  # iptables -A FORWARD -p tcp --sport 21 -j ACCEPT

#permitir o acesso externo ao servidor de SSH (porta 22-login remoto)
#  iptables -A INPUT -i eth0 -p tcp --dport ssh -j LOG --log-level 6 --log-prefix "acesso ssh"
#  iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -i eth0 -p tcp --sport ssh -j ACCEPT
#  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -p tcp --sport ssh -j ACCEPT

# rejeita o acesso e log de acesso BruteForce para ssh

iptables -N REJECT-SSH   
iptables -A REJECT-SSH -j DROP -m recent --rcheck --name SSH --seconds 60 --hitcount 10
iptables -A REJECT-SSH -j LOG --log-prefix SSH-Bruteforce:
iptables -A REJECT-SSH -j REJECT -p tcp --reject-with tcp-reset
iptables -A REJECT-SSH -j REJECT

# kill SSH brute-force attacks Allow three connections per minute from any source
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

#liberar acesso ao ssh para um Ip especifico.


#libera portas do DNS
   iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
   iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT

#libera portas para recebimento de e-mails
   iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
   iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
   iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
   iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

#libera portas somente para a rede local
#21-ftp, 22-ssh 53-DNS, 80-http, 137:139-samba, 445-DNS, 10000-Webmin
  #iptables -A INPUT -p tcp -i eth0 -m multiport --dports 21,22,53,80,137,138,139,445 -j ACCEPT
  #iptables -A INPUT -p udp -i eth0 -m multiport --dports 21,22,53,80,137,138,139,445 -j ACCEPT

#permitir o acesso externo aos servidores de HTTP e HTTPS (servidores web)
   iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport http -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --sport https -j ACCEPT

#libera portas par o samba   (preciso liberar apenas para a eth0?)**************
iptables -A INPUT  -p tcp -i eth0 --dport 137:139 -j ACCEPT
iptables -A INPUT  -p tcp -i eth0 --sport 137:139 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --dport 137:139 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --sport 137:139 -j ACCEPT

#libera porta de acesso ao webmin
#iptables -A OUTPUT  -p udp --dport 10000 -j ACCEPT
#iptables -A OUTPUT  -p udp --sport 10000 -j ACCEPT
#iptables -A INPUT  -p udp --dport 10000 -j ACCEPT
#iptables -A INPUT  -p udp --sport 10000 -j ACCEPT

#protecao contra Syn-floods
   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
   iptables -A FORWARD -p tcp --syn -j DROP 

#port scanners ocultos  ataque XMAS arvote de natal
   iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#limita o ping da morte
   iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#limita o ping para a rede interna

   iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#protecao Contra IP Spoofing
   iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
   iptables -A INPUT -s 172.16.0.0/16 -i ppp0 -j DROP
   iptables -A INPUT -s 192.168.0.0/24 -i ppp0 -j DROP

#bloqueios inseridos em 10/07/06
#File Sharing (p2p) 

#criar :RECONHECER SKYPE E FAZER LOG
#       fazer log dos bloqueios abaixo

#Bloquear Napster com IPTables:
iptables -A FORWARD -d 64.124.41.0/24 -j LOG --log-level 6 --log-prefix "Imput:Negado - Napster"
iptables -A FORWARD -d 64.124.41.0/24 -j REJECT
  
#Bloquear IMesh com IPTables:
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
    
#Bloquear Bearshare com IPTables:
iptables -A FORWARD -p tcp --dport 6348 -j REJECT
      
#Bloquear ToadNode com IPTables:
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
        
#Bloquear WinMX com IPTables:
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT 

#Bloquear Napigator com IPTables:
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

#Bloquear Morpheus com IPTables:
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT

#Bloquear KaZaA com IPTables:
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
          
#Bloquear Limewire com IPTables:
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
           
#Bloquear Audiogalaxy com IPTables:
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
            
echo  "Ok(fase2)"
#Messaging 
#Bloquear AIM com IPTables:
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT


#Bloquear ICQ com IPTables:
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
                
#Bloquear MSN Messenger com IPTables:
iptables -A FORWARD -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
                 
#Bloquear Yahoo Messenger com IPTables:
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT

# Porta 4662 : aMule (e correlatos) - INPUT tcp
# Porta 4665 : aMule (e correlatos) - OUTPUT udp
# Porta 4672 : aMule (e correlatos) - Porta Auxiliar
iptables -A INPUT -p tcp --destination-port 4562 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 4662 -j REJECT
iptables -A OUTPUT -p udp --destination-port 4665 -j REJECT
iptables -A OUTPUT -p udp --destination-port 4672 -j REJECT
iptables -A INPUT -p tcp --destination-port 4672 -j REJECT
iptables -A OUTPUT -p udp --destination-port 18878 -j ACCEPT

#
# Porta 6881 : Bittorrent
iptables -A INPUT -p tcp --destination-port 6881 -j REJECT 
iptables -A OUTPUT -p udp --destination-port 6881 -j REJECT
#iptables -A INPUT -p udp --destination-port 6881 -j REJECT
#iptables -A OUTPUT -p tcp --destination-port 6881 -j REJECT


# Define a prioridade ao servico especificado 80=http e 53=DNS 
######## alterar as prioridades para nao-iguais####
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos 0x10

#bloqueia os forwards??????? - precisa bloquear no final???????????
#iptables -A FORWARD -s 192.168.0.0/24 -j DROP
#iptables -A FORWARD -i eth0 -j DROP

echo  "...aplicado!"


#limpar tabelas
   iptables -F 
   iptables -F INPUT
   iptables -F OUTPUT
   iptables -F FORWARD
 
   iptables -t filter -F 
   iptables -t nat -F
   iptables -t mangle -F
   
#limpar chains criadas
   iptables -t filter -X
   iptables -t nat -X 
   iptables -t mangle -X

#zerar  contador
   iptables -t filter -Z
   iptables -t nat -Z 
   iptables -t mangle -Z

  echo   "regras limpas!"

  echo -n "dropando tudo..."

#estabelece politica de ignorar tudo que nao for *explicitamente* permitido
  iptables -P INPUT DROP
#  iptables -P FORWARD DROP 
#  iptables -P OUTPUT DROP 

  echo  "Ok!"

#ativa roteamento no kernel
  echo  "1" > /proc/sys/net/ipv4/ip_forward

#ativa protecao contra IP spoofing
  echo  "1" > /proc/sys/net/ipv4/conf/all/rp_filter 

 echo -n "liberando acessos fora do proxy..."
#*********************************************************

#libera acesso sem proxy para Taritron
  iptables -t nat -A PREROUTING -p tcp -d 200.76.47.224 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.76.47.224 -j ACCEPT

#libera acesso sem proxy para site da Escal-Toninho
  iptables -t nat -A PREROUTING -p tcp -d 200.150.13.11 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.150.13.11 -j ACCEPT

#libera acesso sem proxy para transmitir reuniao ao vivo
#mms:/stream1.interrogacaodigital.net
  iptables -t nat -A PREROUTING -p tcp -d 67.19.172.194 -j ACCEPT
  iptables -A FORWARD -p tcp -d 67.19.172.194 -j ACCEPT

echo   "regras aplicadas..."
################################ativando o proxy ##############################

echo  -n "ativando o proxy e mascaramento..."

#direciona o pedidos da porta 80 para a porta 3128 do squid
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#mascarando pacotes para a internet
   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 
   iptables -A INPUT -i eth0 -p tcp -j ACCEPT 

echo  "... ativado!"  

#liberando a internet para mac especifico
#iptables -A FORWARD -m mac --mac-source ! 00-13-D4-57-85-F8 -j DENY

################################## faz o NAT  ##############################

echo  -n "Faz o NAT..."

#faz Nat para acesso externo ao servidor ASP/PHP
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.65:81
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8081 -j DNAT --to 192.168.0.116
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5800 -j DNAT --to 192.168.0.22:5800
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5900 -j DNAT --to 192.168.0.22:5900
#  iptables -t nat -I PREROUTING -i 192.168.0.65 -d camarapocos.no-ip.org -p tcp -m multiport --dports 80,443 -j REDIRECT
#  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.66:8081
#  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2800 -j DNAT --to 192.168.0.69:2500


   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.65:81
   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to 192.168.0.65:80
   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3306 -j DNAT --to 192.168.0.65:3306

echo "OK! "
#################### outros filtros  ##############################

echo  "aplica filtros de entrada..." 

################ignora pacotes mal-formados
   iptables -A INPUT -i ppp0 -m state --state INVALID -j DROP
   iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn:"
   iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

echo  "Ok(fase1)"

############permitir a entrada as nossas ligacoes
   iptables -A INPUT -i eth1 -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A OUT ppp0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#libera portas para acesso ao ftp (20-dados 21-comandos)
  # iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 20 -j ACCEPT
  # iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
  # iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
  # iptables -A FORWARD -p tcp --sport 21 -j ACCEPT

#permitir o acesso externo ao servidor de SSH (porta 22-login remoto)
#  iptables -A INPUT -i eth0 -p tcp --dport ssh -j LOG --log-level 6 --log-prefix "acesso ssh"
#  iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -i eth0 -p tcp --sport ssh -j ACCEPT
#  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#  iptables -A INPUT -p tcp --sport ssh -j ACCEPT

# rejeita o acesso e log de acesso BruteForce para ssh

iptables -N REJECT-SSH   
iptables -A REJECT-SSH -j DROP -m recent --rcheck --name SSH --seconds 60 --hitcount 10
iptables -A REJECT-SSH -j LOG --log-prefix SSH-Bruteforce:
iptables -A REJECT-SSH -j REJECT -p tcp --reject-with tcp-reset
iptables -A REJECT-SSH -j REJECT

# kill SSH brute-force attacks Allow three connections per minute from any source
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

#liberar acesso ao ssh para um Ip especifico.


#libera portas do DNS
   iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
   iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT

#libera portas para recebimento de e-mails
   iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
   iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
   iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
   iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

#libera portas somente para a rede local
#21-ftp, 22-ssh 53-DNS, 80-http, 137:139-samba, 445-DNS, 10000-Webmin
  #iptables -A INPUT -p tcp -i eth0 -m multiport --dports 21,22,53,80,137,138,139,445 -j ACCEPT
  #iptables -A INPUT -p udp -i eth0 -m multiport --dports 21,22,53,80,137,138,139,445 -j ACCEPT

#permitir o acesso externo aos servidores de HTTP e HTTPS (servidores web)
   iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport http -j ACCEPT
   iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --sport https -j ACCEPT

#libera portas par o samba   (preciso liberar apenas para a eth0?)**************
iptables -A INPUT  -p tcp -i eth0 --dport 137:139 -j ACCEPT
iptables -A INPUT  -p tcp -i eth0 --sport 137:139 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --dport 137:139 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --sport 137:139 -j ACCEPT

#libera porta de acesso ao webmin
#iptables -A OUTPUT  -p udp --dport 10000 -j ACCEPT
#iptables -A OUTPUT  -p udp --sport 10000 -j ACCEPT
#iptables -A INPUT  -p udp --dport 10000 -j ACCEPT
#iptables -A INPUT  -p udp --sport 10000 -j ACCEPT

#protecao contra Syn-floods
   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
   iptables -A FORWARD -p tcp --syn -j DROP 

#port scanners ocultos  ataque XMAS arvote de natal
   iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#limita o ping da morte
   iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#limita o ping para a rede interna

   iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#protecao Contra IP Spoofing
   iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
   iptables -A INPUT -s 172.16.0.0/16 -i ppp0 -j DROP
   iptables -A INPUT -s 192.168.0.0/24 -i ppp0 -j DROP

#bloqueios inseridos em 10/07/06
#File Sharing (p2p) 

#criar :RECONHECER SKYPE E FAZER LOG
#       fazer log dos bloqueios abaixo

#Bloquear Napster com IPTables:
iptables -A FORWARD -d 64.124.41.0/24 -j LOG --log-level 6 --log-prefix "Imput:Negado - Napster"
iptables -A FORWARD -d 64.124.41.0/24 -j REJECT
  
#Bloquear IMesh com IPTables:
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
    
#Bloquear Bearshare com IPTables:
iptables -A FORWARD -p tcp --dport 6348 -j REJECT
      
#Bloquear ToadNode com IPTables:
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
        
#Bloquear WinMX com IPTables:
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT 

#Bloquear Napigator com IPTables:
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

#Bloquear Morpheus com IPTables:
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT

#Bloquear KaZaA com IPTables:
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
          
#Bloquear Limewire com IPTables:
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
           
#Bloquear Audiogalaxy com IPTables:
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
            
echo  "Ok(fase2)"
#Messaging 
#Bloquear AIM com IPTables:
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT


#Bloquear ICQ com IPTables:
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
                
#Bloquear MSN Messenger com IPTables:
iptables -A FORWARD -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
                 
#Bloquear Yahoo Messenger com IPTables:
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT

# Porta 4662 : aMule (e correlatos) - INPUT tcp
# Porta 4665 : aMule (e correlatos) - OUTPUT udp
# Porta 4672 : aMule (e correlatos) - Porta Auxiliar
iptables -A INPUT -p tcp --destination-port 4562 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 4662 -j REJECT
iptables -A OUTPUT -p udp --destination-port 4665 -j REJECT
iptables -A OUTPUT -p udp --destination-port 4672 -j REJECT
iptables -A INPUT -p tcp --destination-port 4672 -j REJECT
iptables -A OUTPUT -p udp --destination-port 18878 -j ACCEPT

#
# Porta 6881 : Bittorrent
iptables -A INPUT -p tcp --destination-port 6881 -j REJECT 
iptables -A OUTPUT -p udp --destination-port 6881 -j REJECT
#iptables -A INPUT -p udp --destination-port 6881 -j REJECT
#iptables -A OUTPUT -p tcp --destination-port 6881 -j REJECT


# Define a prioridade ao servico especificado 80=http e 53=DNS 
######## alterar as prioridades para nao-iguais####
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos 0x10

#bloqueia os forwards??????? - precisa bloquear no final???????????
#iptables -A FORWARD -s 192.168.0.0/24 -j DROP
#iptables -A FORWARD -i eth0 -j DROP

echo  "...aplicado!"


Mais detalhes sobre a lista de discussão GITEC