
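#!/bin/sh
#
# Firewall / NAT setup for a small Linux gateway (iptables, ip_conntrack era).
# Flushes every table, loads the netfilter modules, sets the default policies,
# then installs the NAT, rate-limit, logging and accept/drop rules.
#
# Interfaces: eth0 appears to be the WAN side and eth1 the LAN side (inferred
# from the SNAT/REDIRECT rules below; confirm on the box).
# Addresses:  LAN 172.16.5.0/16 (see the mask note below), web server
#             172.16.5.9, public address 190.235.199.178, Squid on port 3128.
# Must run as root. No set -e: a mid-script abort would leave the firewall
# half-configured after the flush, so every command is allowed to continue.
#
# NOTE(review): this listing looks like an excerpt; rules that follow it
# (for example any final DROP rules) are not visible here.
#

# ---------------------------------------------------------------
# Flush all rules, user chains and counters in every table
# ---------------------------------------------------------------
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -Z -t mangle
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
echo "Limpieza de reglas OK"

# ---------------------------------------------------------------
# Load the netfilter modules (NAT, connection tracking, FTP helpers,
# LOG/REJECT/MASQUERADE targets)
# ---------------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
echo "Activacion de modulos OK"

# ---------------------------------------------------------------
# Default policies: everything is accepted unless a rule below drops it.
# NOTE(review): with ACCEPT policies, every "-m limit ... -j ACCEPT" rule
# further down only has an effect if a matching DROP/REJECT follows it.
# ---------------------------------------------------------------
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# ---------------------------------------------------------------
# Block P2P traffic (requires the out-of-tree ipp2p match module)
# ---------------------------------------------------------------
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -t mangle -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -t nat -A PREROUTING -p tcp -i eth1 -m ipp2p --ipp2p -j DROP
iptables -t nat -A POSTROUTING -p tcp -o eth0 -m ipp2p --ipp2p -j DROP

# ---------------------------------------------------------------
# Everything that arrives from outside on port 80 is sent to the web server.
# Fix: the original rule carried no protocol/port match, so it DNATed every
# port addressed to the public IP onto 172.16.5.9 (exposing that host on all
# ports and bypassing the INPUT rules below). The rule now does what the
# comment states: TCP port 80 only.
# ---------------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -d 190.235.199.178 --dport 80 -j DNAT --to-destination 172.16.5.9
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.5.9 -j SNAT --to-source 190.235.199.178

# ---------------------------------------------------------------
# Transparent proxy: LAN requests to ports 80/8080 are redirected to Squid
# ---------------------------------------------------------------
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128

# Masquerading of the mail ports (disabled in the original)
#iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE

# ---------------------------------------------------------------
# IP masquerading (NAT) for the LAN
# NOTE(review): iptables applies the mask, so 172.16.5.0/16 means
# 172.16.0.0/16 everywhere in this script; confirm /24 was not intended.
# ---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.5.0/16 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 198.12.50.0/24 -j MASQUERADE #vpn cisco

# ---------------------------------------------------------------
# Protection against attacks
# ---------------------------------------------------------------
# 0 = the kernel answers ICMP echo requests; 1 would make it ignore ping.
# NOTE(review): the original comment next to this says "block ping", which
# does not match the value written — confirm which is intended.
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Block Trin00 control ports on the WAN interface
iptables -A INPUT -p tcp -i eth0 --dport 1524 -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 27665 -j DROP
iptables -A INPUT -p udp -i eth0 --dport 27444 -j DROP
iptables -A INPUT -p udp -i eth0 --dport 31335 -j DROP

# Rate limits on forwarded traffic. These rules ACCEPT up to 1 packet/s;
# packets over the limit fall through to whatever follows (see policy note).
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT # SYN-flood protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT # "Ping of Death" protection
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT # SYN-flood / DoS protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # advanced port scanners (e.g. nmap)

# Port logging. LOG is non-terminating: these rules only write a log entry
# and do not drop anything. Without -m limit they can also flood the log.
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Port FTP "
iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Port TELNET "
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Port SSH "
iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "Port NETBEUI "

# Log Wincrash and BackOrifice backdoor ports
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Port Wincrash "
iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Port BackOrifice "

# ---------------------------------------------------------------
# Loopback: localhost may do anything
# ---------------------------------------------------------------
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# ---------------------------------------------------------------
# SSH is only allowed from the local network.
# NOTE(review): only eth0 is covered; the LAN source match is on an address
# that can be spoofed from the WAN side, and SSH arriving on eth1 is governed
# by the ACCEPT policy in this excerpt.
# ---------------------------------------------------------------
iptables -A INPUT -i eth0 -s 172.16.5.0/16 -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p TCP --dport 22 -j DROP

# ---------------------------------------------------------------
# Webmin and ntop, only from the machine itself
# ---------------------------------------------------------------
iptables -A INPUT -i lo -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 3000 -j ACCEPT

# ---------------------------------------------------------------
# Connections from outside to this host
# (exact duplicates of the 443 and 563 rules in the original were removed;
# the first match already accepts, so behaviour is unchanged)
# ---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 563 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 12975 -j ACCEPT #Hamachi
iptables -A INPUT -p tcp --dport 32976 -j ACCEPT #Hamachi
iptables -A INPUT -p tcp --dport 2002 -j ACCEPT #Logmein
iptables -A INPUT -p udp --dport 2002 -j ACCEPT #Logmein
iptables -A INPUT -p 50 -j ACCEPT #cisco vpn (ESP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT #cisco vpn
iptables -A INPUT -p udp --dport 4500 -j ACCEPT #cisco vpn
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT #cisco vpn
iptables -A INPUT -p udp --dport 10000 -j ACCEPT #cisco vpn

# ---------------------------------------------------------------
# Connections from this host to outside.
# The OUTPUT chain only sees traffic generated by the gateway itself;
# forwarded LAN traffic is matched in FORWARD, not here.
# ---------------------------------------------------------------
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 86 -j DROP
iptables -A OUTPUT -p tcp --dport 5190 -j DROP
iptables -A OUTPUT -p tcp --dport 1863 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 563 -j DROP
iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 12975 -j ACCEPT #Hamachi
iptables -A OUTPUT -p tcp --dport 32976 -j ACCEPT #Hamachi
iptables -A OUTPUT -p tcp --dport 2002 -j ACCEPT #Logmein
iptables -A OUTPUT -p udp --dport 2002 -j ACCEPT #Logmein
iptables -A OUTPUT -p 50 -j ACCEPT #cisco vpn (ESP)
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT #cisco vpn
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT #cisco vpn
iptables -A OUTPUT -p tcp --dport 10000 -j ACCEPT #cisco vpn
iptables -A OUTPUT -p udp --dport 10000 -j ACCEPT #cisco vpn

# ---------------------------------------------------------------
# Forwarded traffic: DNS, mail, Hamachi, LogMeIn and Cisco VPN.
# NOTE(review): the DNS rules were listed twice each in the original and
# are deduplicated here; the column layout of the source is ambiguous, so
# confirm that a UDP "--sport 53" reply rule was not meant to be present.
# ---------------------------------------------------------------
iptables -A FORWARD -p tcp -s 172.16.5.0/16 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 172.16.5.0/16 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -s 0.0.0.0/0 --sport 53 -d 172.16.5.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.5.0/16 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.5.0/16 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 995 -j ACCEPT
iptables -A FORWARD -p tcp --sport 993 -j ACCEPT
iptables -A FORWARD -p tcp --sport 587 -j ACCEPT
iptables -A FORWARD -p tcp --sport 12975 -j ACCEPT #Hamachi
iptables -A FORWARD -p tcp --sport 32976 -j ACCEPT #Hamachi
iptables -A FORWARD -p tcp --sport 2002 -j ACCEPT #Logmein
iptables -A FORWARD -p udp --sport 2002 -j ACCEPT #Logmein
iptables -A FORWARD -p 50 -j ACCEPT #cisco vpn (ESP)
iptables -A FORWARD -p udp --sport 500 -j ACCEPT #cisco vpn
iptables -A FORWARD -p udp --sport 4500 -j ACCEPT #cisco vpn
iptables -A FORWARD -p tcp --sport 10000 -j ACCEPT #cisco vpn
iptables -A FORWARD -p udp --sport 10000 -j ACCEPT #cisco vpn

# ---------------------------------------------------------------
# Forwarded HTTPS (and LogMeIn)
# ---------------------------------------------------------------
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 563 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2002 -j ACCEPT #Logmein
iptables -A FORWARD -p udp --dport 2002 -j ACCEPT #Logmein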
