Feras do iptables...uma mãozinha aqui !!!

Question

Quem manja de iptables poderia me dar uma m&atilde;o, pois o script q est&aacute; colado aqui embaixo insiste em dar uns erros...acredito q sejam de sintaxe...alguem por favor poderia rodar esse firewall e dar uma conferida no q t&aacute; errado.

Obs: esse firewall foi tirado da revista PCMaster 49 e eu inclui algumas linhas, mas n&atilde;o s&atilde;o as minhas linhas q est&atilde;o erradas e sim as da revista (exatamente as q est&atilde;o #comentadas# e pra q o erro apareca, tem q descomenta-las...duhhh..&oacute;bvio).

FIREWALL:






#!/bin/sh
#/etc/init.d/rc.firewall
#Edite o arquivo /etc/syslog.conf e adicione a linha:
#kern.=alert -/var/log/firewall.log
#Os logs serao direcionados para /var/log/firewall.log
logger Instalando o firewall

#---Definicoes---#

EXT_IF=ppp0
INT_IF=eth0
LOOPBACK_IF=lo
ANYWHERE=0/0
IPADDR='ifconfig $EXT_IF | grep inet | cut -d : -f 2 | cut -d \ -f 1'
NAMESERVERS='grep nameserver /etc/resolv.conf | cut -d \ -f 2'
LOOPBACK=127.0.0.0/8
CLASS_A=10.0.0.0/8
CLASS_B=172.16.0.0/12
CLASS_C=192.168.0.0/16
CLASS_D_MULTICAST=224.0.0.0/4
CLASS_E_RESERVED_NET=240.0.0.0/5
BROADCAST_SRC=0.0.0.0
BROADCAST_DEST=255.255.255.255
PRIVPORTS=0:1023
UNPRIVPORTS=1024:65535
SSH_PORTS=1020:1023
TRACEROUTE_SRC_PORTS=32769:65535
TRACEROUTE_DEST_PORTS=33434:33523
XWINDOW_PORTS=6000:6063
SOCKS_PORT=1080 # (TCP) socks
OPENWINDOWS_PORT=2000 # (TCP) openwindows
NFS_PORT=2049 # (TCP/UDP) NFS

#---Modulos---#

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe ipt_state
modprobe ipt_unclean
modprobe ipt_limit
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe iptable_nat
modprobe ip_nat_ftp

#---Protecoes---#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

#---Limpa e apaga chains---#

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#---Chains do usuario---#

iptables -N log_drop
iptables -A log_drop -j LOG --log-level 1 --log-prefix DROPPED::
iptables -A log_drop -j DROP
iptables -N log_accept
iptables -A log_accept -m limit -j LOG --log-level 1 --log-prefix ACCEPTED::
iptables -A log_accept -j ACCEPT
iptables -N log_reject
iptables -A log_reject -j LOG --log-level 1 --log-prefix REJECTED::
iptables -A log_reject -j REJECT
iptables -N log_unclean
iptables -A log_unclean -j LOG --log-level 1 --log-prefix unclean::
iptables -A log_unclean -j DROP
iptables -N log_fragment
iptables -A log_fragment -j LOG --log-level 1 --log-prefix fragment::
iptables -A log_fragment -j DROP
iptables -N log_spoofed
iptables -A log_spoofed -j LOG --log-level 1 --log-prefix spoofed::
iptables -A log_spoofed -j DROP
iptables -N log_priv
iptables -A log_priv -j LOG --log-level 1 --log-prefix privport::
iptables -A log_priv -j DROP
iptables -N log_ass_unpriv
iptables -A log_ass_unpriv -j LOG --log-level 1 --log-prefix ass_unprivport::
iptables -A log_ass_unpriv -j DROP
iptables -N log_traceroute
iptables -A log_traceroute -j LOG --log-level 1 --log-prefix traceroute::
iptables -A log_traceroute -j DROP
iptables -N log_in_new
iptables -A log_in_new -j LOG --log-level 1 --log-prefix incoming_new::
iptables -A log_in_new -j DROP
iptables -N log_in_invalid
iptables -A log_in_invalid -j LOG --log-level 1 --log-prefix incoming_invalid::
iptables -A log_in_invalid -j DROP


#---Marcaramento do IP da maquina em standalone---#

iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

#---Loopback---#

iptables -A INPUT -i $LOOPBACK_IF -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_IF -j ACCEPT

#---Protecao contra SYN-Flood---#

iptables -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT

#---Protecoes contra DDoS---#

iptables -A INPUT -i $EXT_IF -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#--Protecao contra ping da morte---#

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#--Protecao contra ataque Smurf---#

iptables -A INPUT -p icmp --icmp-type 8 -j REJECT

#---Pacotes suspeitos e fragmentados---#

iptables -A INPUT -i $EXT_IF -m unclean -j log_unclean
iptables -A INPUT -f -i $EXT_IF -j log_fragment

#---LOG de spoofing---#

iptables -A INPUT -i $EXT_IF -s $IPADDR -j log_spoofed
iptables -A INPUT -i $EXT_IF -s $CLASS_A -j log_spoofed
iptables -A INPUT -i $EXT_IF -s $CLASS_B -j log_spoofed
iptables -A INPUT -i $EXT_IF -s $CLASS_C -j log_spoofed #
iptables -A INPUT -i $EXT_IF -s $LOOPBACK -j log_spoofed
iptables -A INPUT -i $EXT_IF -s $BROADCAST_DEST -j log_spoofed
iptables -A INPUT -i $EXT_IF -s $CLASS_D_MULTICAST -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 0.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 1.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 2.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 3.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 4.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 5.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 6.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 7.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 23.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 27.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 31.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 36.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 37.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 39.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 41.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 42.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 49.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 50.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 58.0.0.0/7 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 60.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 67.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 68.0.0.0/6 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 72.0.0.0/5 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 80.0.0.0/4 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 96.0.0.0/3 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 192.0.0.0/24 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 197.0.0.0/8 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 218.0.0.0/7 -j log_spoofed #
iptables -A INPUT -i $EXT_IF -s 220.0.0.0/6 -j log_spoofed
iptables -A INPUT -i $EXT_IF -s 224.0.0.0/3 -j log_spoofed
iptables -A OUTPUT -o $EXT_IF -d $CLASS_A -j log_reject
iptables -A OUTPUT -o $EXT_IF -d $CLASS_B -j log_reject
iptables -A OUTPUT -o $EXT_IF -d $CLASS_C -j log_reject #
iptables -A OUTPUT -o $EXT_IF -d $BROADCAST_SRC -j log_reject
iptables -A OUTPUT -o $EXT_IF -d $CLASS_D_MULTICAST -j log_reject
iptables -A OUTPUT -o $EXT_IF -d $CLASS_E_RESERVED_NET -j log_reject

#---Permite os servicos abaixo---#

#for NSADDR in $NAMESERVERS
#do
#iptables -A OUTPUT -o $EXT_IF -p udp -s $IPADDR --sport $UNPRIVPORTS \ -d $NSADDR --dport 53 -j ACCEPT
#iptables -A INPUT -i $EXT_IF -p udp -s $NSADDR --sport 53 \ -d $NSADDR --dport $UNPRIVPORTS -j ACCEPT
#done

#---Abrindo FTP e APACHE--#

iptables -A INPUT -i $EXT_IF -p tcp --dport 21:80 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp --sport 21:80 -j ACCEPT

#---Bloqueia todas as portas privilegiadas---#

iptables -A INPUT -i $EXT_IF -p tcp --dport $PRIVPORTS -j log_priv #
iptables -A OUTPUT -o $EXT_IF -p tcp --sport $PRIVPORTS -j log_reject #
iptables -A INPUT -i $EXT_IF -p udp --dport $PRIVPORTS -j log_priv
iptables -A OUTPUT -o $EXT_IF -p udp --sport $PRIVPORTS -j log_reject

#---Bloqueia portas nao-privilegiadas---#

iptables -A INPUT -i $EXT_IF -p tcp \--dport $XWINDOW_PORTS --syn -j log_ass_unpriv
iptables -A OUTPUT -o $EXT_IF -p tcp \--dport $XWINDOW_PORTS --syn -j log_reject
iptables -A INPUT -m multiport -i $EXT_IF -p tcp \--dport $SOCKS_PORT,$OPENWINDOWS_PORT,$NFS_PORT --syn -j log_ass_unpriv
iptables -A OUTPUT -m multiport -o $EXT_IF -p tcp \--dport $SOCKS_PORT,$OPENWINDOWS_PORT,$NFS_PORT --syn -j log_reject
iptables -A INPUT -i $EXT_IF -p udp --dport $NFS_PORT -j log_ass_unpriv
iptables -A OUTPUT -o $EXT_IF -p udp --dport $NFS_PORT -j log_reject

#---Bloqueio de traceroute UDP---#

iptables -A INPUT -i $EXT_IF -p udp --sport $TRACEROUTE_SRC_PORTS \--dport $TRACEROUTE_DEST_PORTS -j log_traceroute

#---Regras DSUST---#

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j log_in_new
iptables -A INPUT -m state --state INVALID -j log_in_invalid
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m limit -j LOG --log-level 1 \--log-prefix OUTPUT POLICY REJECT
#iptables -A INPUT -m limit -j LOG --log-level 1 \--log-prefix INPUT POLICY REJECT
#iptables -A FOWARD -m limit -j LOG --log-level 1 \--log-prefix FOWARD POLICY REJECT

#---fim---#

logger Firewall instalado!!!
exit 0



OBRIGADO GALERA!!!

Answer

No slackware nao tem init.d
O script fica no /etc/rc.d/

O syslog esta correto 'e so editar e acrescentar ele..
Voce roda servidor de dns ?BIND ? acho que nao, por isso deixa comentaado mesmo

Ferramentas

Mover Tópico