miércoles, 21 de diciembre de 2011

Firewall propio con iptables

Dirección del generador original: http://easyfwgen.morizot.net/gen/
Dirección del generador utilizado abajo, adaptado para Slackware Linux: http://connie.slackware.com/~alien/efg/
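#!/bin/sh
#
# Host firewall for a single-homed server (Slackware; produced with the
# easyfwgen / Alien BOB "efg" generator and hand-edited).  Must run as root.
#
# Policy summary:
#   INPUT  : DROP by default.  Accept loopback, replies to connections this
#            host opened (ESTABLISHED,RELATED), HTTP/HTTPS, FTP control plus a
#            passive data range, and SSH.  identd (113) is REJECTed so remote
#            MTAs get an immediate answer; NetBIOS noise is DROPped silently.
#   OUTPUT : DROP by default.  Accept loopback and anything leaving through
#            $INET_IFACE.
#   FORWARD: DROP (this box does not route).
#
# Re-running the script is safe: user chains are flushed *and* deleted before
# they are recreated, so "-N" does not fail with "Chain already exists".

################################
# Local Settings

SYSCTL="/sbin/sysctl -w"            # unused in this listing; kept for local additions
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"      # unused in this listing
IPTR="/usr/sbin/iptables-restore"   # unused in this listing
# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="90.175.215.80"        # unused in this listing; no rule is bound to it
# Loopback interface.  The INPUT/OUTPUT rules below reference these two
# variables; the published listing never set them, so "-i $LO_IFACE" expanded
# to "-i -j ..." and the loopback rules were rejected by iptables.
LO_IFACE="lo"
LO_IP="127.0.0.1"

################################
# Flush Any Existing Rules or Chains
#
# Built-in policies are reset to ACCEPT before the flush.  Between here and
# set_policies the host is briefly wide open; the alternative (flushing under
# a DROP policy) would cut an SSH session off until the rules are reloaded.
flush_tables() {
  echo "Flushing Tables ..."
  # Reset Default Policies
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  "$IPT" -t nat -P OUTPUT ACCEPT
  "$IPT" -t mangle -P PREROUTING ACCEPT
  "$IPT" -t mangle -P OUTPUT ACCEPT
  # Flush all rules, then delete the (now empty) user-defined chains so the
  # "-N" calls in create_user_chains succeed when the script is re-run.
  "$IPT" -F
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
  "$IPT" -X
  "$IPT" -t nat -X
  "$IPT" -t mangle -X
}

################################
# Set Policies: drop everything that no rule explicitly accepts.
set_policies() {
  "$IPT" -P INPUT DROP
  "$IPT" -P OUTPUT DROP
  "$IPT" -P FORWARD DROP
}

################################
# User-Specified Chains
create_user_chains() {
  echo "Create and populate custom rule chains ..."
  "$IPT" -N bad_packets
  "$IPT" -N bad_tcp_packets
  "$IPT" -N icmp_packets
  "$IPT" -N udp_inbound
  "$IPT" -N udp_outbound
  "$IPT" -N tcp_inbound
  "$IPT" -N tcp_outbound
}

################################
# Populate User Chains
#
# Only tcp_inbound and udp_inbound carry rules in this listing.  bad_packets,
# bad_tcp_packets, icmp_packets, udp_outbound and tcp_outbound are created but
# left empty; a jump to an empty chain simply returns to the caller.
populate_user_chains() {
  # NetBIOS name/datagram service: LAN broadcast noise, drop without a reply.
  "$IPT" -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
  "$IPT" -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
  # identd: REJECT rather than DROP so remote mail/IRC servers get an
  # immediate refusal instead of waiting for a timeout.
  "$IPT" -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT

  # Web Server
  # HTTP & HTTPS
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
  # FTP Server (Control)
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
  # FTP data.  The published listing also had
  #   -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
  # which accepts ANY inbound TCP packet whose source port is 20: a remote
  # host can reach every local port just by sending from that port.  The rule
  # is not needed -- active-mode data connections are opened by this server
  # from port 20, so they are allowed by OUTPUT and their replies match
  # ESTABLISHED in INPUT.  Passive mode uses the range below, which must match
  # the passive port range configured in the ftpd.
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 2200:2300 -j ACCEPT
  # sshd
  "$IPT" -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
}

################################
# INPUT Chain
build_input_chain() {
  echo "Process INPUT chain ..."
  # Allow all on localhost interface
  "$IPT" -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
  # Replies to connections this host initiated, plus RELATED traffic (e.g.
  # ICMP errors for them).  Without this rule every reply to an outbound
  # connection -- and every packet of an existing SSH session -- would fall
  # through to the DROP policy.
  "$IPT" -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Hand traffic from the Internet to the per-protocol user chains.  The
  # published listing created and populated these chains but never jumped to
  # them from INPUT, so they had no effect.  bad_packets and icmp_packets are
  # empty in this listing; unsolicited ICMP therefore ends in the DROP policy.
  "$IPT" -A INPUT -p ALL -i "$INET_IFACE" -j bad_packets
  "$IPT" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_inbound
  "$IPT" -A INPUT -p UDP -i "$INET_IFACE" -j udp_inbound
  "$IPT" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
  # Anything that does not match above is dropped by the INPUT policy.
}

################################
# OUTPUT Chain
build_output_chain() {
  echo "Process OUTPUT chain ..."
  "$IPT" -A OUTPUT -m state -p icmp --state INVALID -j DROP
  # Localhost
  "$IPT" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
  "$IPT" -A OUTPUT -p ALL -o "$LO_IFACE" -j ACCEPT
  # To internet
  "$IPT" -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
}

# Entry point.  Returns 1 without touching the firewall when the iptables
# binary is missing or the caller is not root, so a bad $IPT path cannot
# leave the host with policies set but no rules loaded.
main() {
  if [ ! -x "$IPT" ]; then
    echo "$0: $IPT not found or not executable" >&2
    return 1
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "$0: must be run as root" >&2
    return 1
  fi
  flush_tables
  set_policies
  create_user_chains
  populate_user_chains
  build_input_chain
  build_output_chain
}

main "$@"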
