
I Workshop do POP-MG
Firewall IPTABLES
Fernando Resende Coelho
frcoelho@popmg.rnp.br

Contents
Concepts; Flow diagram; Syntax; Step by step; References


What is a firewall?
A firewall is an intelligent barrier between two networks, through which only authorized traffic passes. This traffic is examined by the firewall in real time, and the selection is made according to the established security policy.


Stateful firewall
Whenever a packet reaches the firewall, the firewall inspects its connection list and performs state matching against the policy list.


Iptables
It is made up of 3 tables:
filter: the packet filtering table.
NAT (network address translation): connects several machines that use non-routable ("fake") addresses to the Internet through a few valid IP addresses.
mangle: alters the contents of packets.

Iptables: Filter table
When a packet reaches a table, it is checked whether any rule applies to it. If none does, the default policy is applied. The table is made up of 3 chains:
INPUT: packet destined to the firewall machine.
OUTPUT: packet originating from the firewall machine.
FORWARD: packet whose source and destination are separated by the firewall machine.


Default policy
The firewall's default policy is the rule that will be used when a packet does not match any of the established rules. It is highly recommended that the default policy be DROP, that is, everything not expressly permitted is discarded (forbidden).


Iptables: Filter table, flow diagram
A packet enters through a network interface:
if the packet is for this machine, it is sent to the INPUT chain;
if the destination is not this machine and the routing service is active, the packet goes to the FORWARD chain.
A process on this machine sends a packet to the network: the packet goes to the OUTPUT chain.



Iptables: Filter table (flow diagram figure; image not reproduced in the text)


Iptables: Filter table
Commands for manipulating chains:
-N chain: creates a user chain
-X [chain]: deletes a user chain
-P chain target: changes the default policy of a chain
-L [chain]: lists the rules of a chain
-F [chain]: deletes all the rules of a chain
-Z [chain]: zeroes all the byte and packet counters of a chain

Iptables: Filter table
Commands for manipulating the rules of chains:
-A chain: appends a rule to a chain
-I chain [rulenum]: inserts a rule at a given position in the chain
-R chain rulenum: replaces the rule at a given position in the chain
-D chain: deletes a rule from a chain



Iptables: Filter table
Options:
-s [!] address[/mask]: specifies the source address
-d [!] address[/mask]: specifies the destination address
-p [!] protocol: specifies the protocol (TCP, UDP, ICMP, ALL)
-i [!] input_name: specifies the input interface of the packets
-o [!] output_name: specifies the output interface of the packets
[!] -f: indicates that the rule applies only to fragments, from the 2nd packet onward

Iptables: Filter table, TCP extension
Options (-p tcp):
--tcp-flags [!] mask set: the mask indicates which flags are examined, and set gives the expected result for those flags. The flags can be: SYN, ACK, FIN, RST, URG, PSH, ALL, NONE.
[!] --syn: examines the TCP SYN flag.
--sport [!] port[:port]: indicates the source TCP port
--dport [!] port[:port]: indicates the destination TCP port


Iptables: Filter table, UDP extension
Options (-p udp):
--sport [!] port[:port]: indicates the source UDP port
--dport [!] port[:port]: indicates the destination UDP port


Iptables: Filter table, ICMP extension
Options (-p icmp):
--icmp-type [!] typename: examines the ICMP type.


Iptables: Filter table, MAC extension
Options (-m mac):
--mac-source [!] address: examines the packet's Ethernet MAC address


Iptables: Filter table, Owner extension
This module is used to restrict the creator of the packet. It is used only in the OUTPUT chain.
Options (-m owner):
--uid-owner userid: matches packets created by the user uid
--gid-owner groupid: matches packets created by the user group gid
--pid-owner processid: matches packets created by the process pid


Iptables: Filter table, State extension
This module is used to interpret the output of the ip_conntrack module (connection tracking analysis).
Options (-m state):
--state state[,state]
The possible states are:
NEW: a packet that creates a new connection
ESTABLISHED: a packet that belongs to an already existing connection
RELATED: a packet related to an already existing connection
INVALID: a packet that could not be identified


Iptables: Filter table, Targets
Every rule has a target, which is what will happen to the packet if it matches the rule. The possible targets are:
Options (-j):
ACCEPT: the packet is accepted.
DROP: the packet is destroyed.
REJECT: the packet is rejected and an ICMP message is sent to the source.
USER_CHAIN: the packet is sent to another chain.

Iptables: Filter table, Log
This module provides packet logging.
Options:
-j LOG: the target
--log-level lvl: logs the packet at the chosen level, according to syslog.conf. The levels (lvl) can be: debug, info, notice, warning, err, crit, alert, emerg


Example


Example
Step by step:
Define variables;
Load modules;
Flush and reset the chains;
Define default policies;
Apply anti-spoofing rules;
Apply TCP flag rules;
Apply rules for established connections;
Add the desired rules.


Example: define variables
MY_IP="xxx.xxx.xxx.xxx"            # external IP of the firewall machine
LOOPBACK="127.0.0.0/8"             # address of the loopback interface
EXTERNAL_INT="eth0"                # firewall interface connected to the Internet
DMZ_INT="eth1"                     # firewall interface connected to the DMZ
INTERNAL_INT="eth2"                # firewall interface connected to the intranet
CLASS_A="10.0.0.0/8"               # class A private network
CLASS_B="172.16.0.0/12"            # class B private network
CLASS_C="192.168.0.0/16"           # class C private network
CLASS_D_MULTICAST="224.0.0.0/4"    # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
INTERNAL_NET="xxx.xxx.xxx.xxx/xx"  # intranet network (placeholder in the original)
DMZ_NET="xxx.xxx.xxx.xxx/xx"       # DMZ network (placeholder in the original)



Example: load modules
# Loading appropriate modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_LOG
# Turning on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies



Example: flush and reset the chains
# Flush any existing rules from all chains
iptables -F
# Delete all chains
iptables -X
# Reset the packet and byte counters associated with all chains
iptables -Z



Example: define default policies
# Set up the default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allowing unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT



Example: anti-spoofing rules
# Refuse packets claiming to be from you.
iptables -A INPUT -i $EXTERNAL_INT -s $MY_IP -j DROP
iptables -A INPUT -i $EXTERNAL_INT -s $DMZ_NET -j DROP
iptables -A INPUT -i $EXTERNAL_INT -s $INTERNAL_NET -j DROP
# Refuse packets claiming to be from a Class A, B, C private network
# and Class D multicast and Class E reserved IP addresses
# or claiming to be from the loopback interface.
iptables -A INPUT -i eth1 -s $CLASS_A -j DROP
iptables -A INPUT -i eth1 -s $CLASS_B -j DROP
iptables -A INPUT -i eth1 -s $CLASS_C -j DROP
iptables -A INPUT -i eth1 -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i eth1 -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -i eth1 -s $LOOPBACK -j DROP



Example: TCP flag rules
# Stealth scans and TCP state flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP


Example: TCP flag rules (continued)
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP



Example: rules for established connections
# Allow already established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



Example: add the desired rules
# Allow ssh access coming from the intranet
iptables -A INPUT -s $INTERNAL_NET -p tcp --dport ssh -j ACCEPT
or
iptables -A INPUT -i $INTERNAL_INT -p tcp --dport ssh -j ACCEPT
# Allow ping coming from the DMZ
iptables -A INPUT -s $DMZ_NET -p icmp --icmp-type ping -j ACCEPT
or
iptables -A INPUT -i $DMZ_INT -p icmp --icmp-type ping -j ACCEPT


Example: add the desired rules (continued)
# Allow outbound traffic from your whole network
iptables -A FORWARD -o $EXTERNAL_INT -j ACCEPT
# Allow queries to the HTTP server that is in the DMZ (ip.do.servidor is a placeholder for the server's IP)
iptables -A FORWARD -p tcp -d ip.do.servidor --dport http -j ACCEPT
# Block port 445 traffic to the intranet (--dport and --sport require a protocol match, hence -p tcp)
iptables -A FORWARD -p tcp -d $INTERNAL_NET --dport 445 -j DROP
iptables -A FORWARD -p tcp -s $INTERNAL_NET --sport 445 -j DROP


Example: logging with a user chain
# Setting up the LOG_DROP chain to log and discard packets
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level notice --log-prefix "DROPPED_FIREWALL"
iptables -A LOG_DROP -j DROP
# Log and discard access attempts coming from IP xxx.xxx.xxx.xxx
iptables -A FORWARD -p tcp -s xxx.xxx.xxx.xxx -j LOG_DROP
# Allow traffic to high ports that is not a connection request
iptables -A FORWARD -p tcp --dport 1024:5999 ! --syn -j ACCEPT
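As an added example (not code from the slides), the following Python model reproduces two things the slides describe: the `--tcp-flags mask set` match from the TCP extension (the mask selects which bits are examined, set is the value those bits must have; `--syn` is the same match with mask SYN,RST,ACK,FIN and set SYN) and the first-match evaluation of the INPUT chain built in the step-by-step section, falling through to the DROP default policy. The interface and network values are constructed stand-ins for the slides' xxx.xxx.xxx.xxx placeholders.

```python
import ipaddress

# TCP flag bits under the names iptables uses; ALL and NONE are the two special masks.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def flags(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))

def tcp_flags(mask, comp):
    """--tcp-flags mask comp: among the bits in mask, exactly those in comp are set."""
    m, c = flags(mask), flags(comp)
    return lambda p: p["proto"] == "tcp" and (p["flags"] & m) == c

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (a new-connection request).
syn = tcp_flags("SYN,RST,ACK,FIN", "SYN")

def src_in(net):
    """-s net: the source address belongs to the network."""
    return lambda p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(net)

# Constructed stand-ins for the slides' placeholders (EXTERNAL_INT, INTERNAL_NET).
EXTERNAL_INT, INTERNAL_NET = "eth0", "192.0.2.0/24"

# INPUT chain in the slides' order: anti-spoofing, stealth flags, state, then ssh.
INPUT = [
    (lambda p: p["iface"] == EXTERNAL_INT and src_in(INTERNAL_NET)(p), "DROP"),
    (tcp_flags("ALL", "NONE"), "DROP"),           # null scan: all bits cleared
    (tcp_flags("SYN,FIN", "SYN,FIN"), "DROP"),    # SYN and FIN both set
    (tcp_flags("ACK,FIN", "FIN"), "DROP"),        # FIN without the expected ACK
    (lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p: src_in(INTERNAL_NET)(p) and p["proto"] == "tcp"
               and p["dport"] == 22, "ACCEPT"),   # ssh from the intranet
]

def packet(iface, src, flag_spec="SYN", state="NEW", proto="tcp", dport=22):
    """Constructed packet summary holding only the fields the rules above examine."""
    return {"iface": iface, "src": src, "flags": flags(flag_spec),
            "state": state, "proto": proto, "dport": dport}

def filter_input(pkt, policy="DROP"):
    """The first matching rule decides the target; otherwise the default policy applies."""
    for match, target in INPUT:
        if match(pkt):
            return target
    return policy
```

Because evaluation stops at the first match, a null-scan packet from the intranet is dropped by the flag rule before the ssh rule is ever reached, which is why the slides apply the flag rules before the permissive ones.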


References
http://www.netfilter.org/
http://www.linuxguruz.com/iptables/
http://www.dicas-l.unicamp.br/dicas-l/20030705.shtml
Linux Firewalls, Second Edition. Robert L. Ziegler. New Riders.

