O Firewall da rede
São necessárias duas placas de rede, geralmente a eth0 (placa de rede onboard) e a wlan0, que é a placa de rede wireless destinada à rede WiFi.
A rede cabeada eth0 pode estar configurada com IP fixo (da sua rede local) ou receber um IP via DHCP (do modem ligado à internet, por exemplo). O arquivo de configuração de rede no Debian é:
/etc/network/interfaces
Configure conforme o IP da sua rede.
Para criar o Firewall de rede:
Acesse o diretório /root:
# cd /root
Crie o arquivo firewall.sh:
# touch firewall.sh
Torne-o executável:
# chmod +x firewall.sh
Depois é só colocar o script no arquivo firewall.sh:
# nano firewall.sh
Para torná-lo executável no boot do sistema:
# nano /etc/rc.local
Inserir a linha:
/root/firewall.sh
Agora vamos ao script do firewall:
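#!/bin/sh
# Firewall developed by HenriqueKbs
#
# Two-interface gateway ruleset: eth0 carries the wired LAN (REDE1) and
# $WAN (wlan0) the WiFi side (REDE2).  The script loads the netfilter
# modules it needs, flushes every table, creates three custom chains
# (C_SSH, C_DNS, C_ZXY) and then installs the INPUT/OUTPUT/FORWARD, nat and
# mangle rules.  It must run as root (iptables, /proc/sys/net/ipv4/ip_forward).
# It is started from /etc/rc.local, so every call goes through the absolute
# path in $IPT instead of relying on PATH.
#
# NOTE(review): no chain policy (-P) is ever set and the "-P FORWARD DROP"
# line below is commented out, so after the flush each chain keeps its
# current policy (ACCEPT on a fresh kernel).  Packets that match none of the
# rules are therefore accepted: INPUT only handles telnet, SSH, DNS replies,
# ICMP and eth0 (via C_ZXY) explicitly, so new TCP arriving on $WAN appears
# to fall through to the policy.  Confirm this is intended before treating
# the ruleset as a perimeter.

# Kernel modules used by the rules below (multiport, limit, NAT); the other
# matches (state, string, iprange, TOS) rely on iptables auto-loading them.
modprobe ipt_multiport
modprobe ipt_limit
modprobe iptable_nat

# Aliases for the iptables binary, targets, networks and hosts.
# Change these to match your own network.
IPT="/sbin/iptables"
AP="ACCEPT"
DP="DROP"
RJ="REJECT"                 # not used by any rule below; kept for local tweaks
REDE1="172.1.1.0/24"        # wired LAN behind eth0
REDE2="192.168.254.0/29"    # WiFi network behind $WAN
SERVER="172.1.1.142"        # presumably this host's address in REDE1 -- verify
SERVER2="192.168.254.1"     # presumably this host's address in REDE2 -- verify
HOST2="192.168.254.2"
HOST3="192.168.254.3"
HOST4="192.168.254.4"
DNS1="189.38.95.96"         # upstream resolvers whose replies go through C_DNS
DNS2="189.38.95.95"
DNS3="200.221.11.98"
DNS4="200.147.225.105"
WAN="wlan0"

# --- Flush and delete existing chains so re-running starts from a clean slate.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t mangle -F

# --- Custom chains.
$IPT -N C_SSH
$IPT -N C_DNS
$IPT -N C_ZXY

# --- Unconditional blocks: telnet, and two WiFi addresses barred from forwarding.
$IPT -A INPUT -p tcp --dport 23 -j $DP
$IPT -A FORWARD -i $WAN -m iprange --src-range 192.168.254.5-192.168.254.6 -j $DP

# --- Loopback and WiFi DHCP requests.
# These two rules used to live inside C_ZXY, but C_ZXY is only entered for
# packets with "-i eth0", so a "-i lo" / "-i $WAN" match there could never
# fire and the traffic only got through via the (unset) INPUT policy.  They
# are placed directly in INPUT, ahead of the SSH dispatch so that loopback
# SSH is not logged and dropped by C_SSH.
$IPT -A INPUT -i lo -s 127.0.0.1 -j $AP
$IPT -A INPUT -i $WAN -p udp -m udp -s $REDE2 --sport 68 --dport 67 -j $AP

# --- Dispatch into the custom chains.
# Only SSH from an unprivileged source port reaches C_SSH; a client using a
# source port below 1024 skips the chain and falls through to the rest of INPUT.
$IPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j C_SSH
# Replies from the four upstream resolvers and all DNS queries go through
# C_DNS; replies from any other resolver are accepted outright by the rule
# after them.
$IPT -A FORWARD -p udp -s $DNS1 --sport 53 --dport 1024:65535 -j C_DNS
$IPT -A FORWARD -p udp -s $DNS2 --sport 53 --dport 1024:65535 -j C_DNS
$IPT -A FORWARD -p udp -s $DNS3 --sport 53 --dport 1024:65535 -j C_DNS
$IPT -A FORWARD -p udp -s $DNS4 --sport 53 --dport 1024:65535 -j C_DNS
$IPT -A FORWARD -p udp -m udp --sport 1024:65535 --dport 53 -j C_DNS
$IPT -A FORWARD -p udp -m udp --sport 53 --dport 1024:65535 -j $AP
$IPT -A INPUT -p udp -s 0/0 -d $SERVER --sport 53 -j C_DNS
$IPT -A INPUT -p udp -s 0/0 -d $SERVER2 --sport 53 -j C_DNS
# Everything else arriving on eth0 goes through C_ZXY.
$IPT -A INPUT -i eth0 -j C_ZXY

# --- C_SSH: SSH is accepted only from the wired LAN to SERVER; anything else
# is logged (rate-limited) and dropped.
$IPT -A C_SSH -s $REDE1 -d $SERVER -j $AP
$IPT -A C_SSH -p tcp --dport 22 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "FW_SSH_log:"
$IPT -A C_SSH -j $DP

# --- C_DNS: DNS to/from the wired LAN, HOST2 and HOST4 is accepted, HOST3 is
# rate-limited to 2 packets/s; anything else is logged and dropped.
$IPT -A C_DNS -d $REDE1 -j $AP
$IPT -A C_DNS -s $REDE1 -j $AP
$IPT -A C_DNS -d $HOST2 -j $AP
$IPT -A C_DNS -s $HOST2 -j $AP
$IPT -A C_DNS -d $HOST3 -m limit --limit 2/s --limit-burst 1 -j $AP
$IPT -A C_DNS -s $HOST3 -m limit --limit 2/s --limit-burst 1 -j $AP
$IPT -A C_DNS -s $HOST4 -j $AP
$IPT -A C_DNS -d $HOST4 -j $AP
$IPT -A C_DNS -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "FW_DNS_log:"
$IPT -A C_DNS -j $DP

# --- C_ZXY: traffic entering on eth0.  Rate-limited broadcasts to the LAN
# broadcast address are accepted; new TCP connections are logged and dropped
# at the end of the chain (see "blocks and logs" below).
#$IPT -A C_ZXY -i eth0 -p tcp -m tcp --dport 6346 -j REJECT
$IPT -A C_ZXY -d 172.1.1.255 -m limit --limit 3/s -j $AP

# --- OUTPUT.
# NOTE(review): the "-m limit" rules below are per rule, not per connection,
# and OUTPUT has no final DROP -- packets above the limit fall through to the
# OUTPUT log rule and then to the chain policy.  With an ACCEPT policy the
# limits only affect what gets logged.
$IPT -A OUTPUT -o lo -j $AP
$IPT -A OUTPUT -o $WAN -p udp -s $SERVER2 -d $HOST2 --sport 67 --dport 68 -j $AP
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j $AP
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j $AP
$IPT -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j $AP
$IPT -A OUTPUT -p udp -m udp --sport 67 --dport 68 -j $AP
$IPT -A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -j $AP
$IPT -A OUTPUT -p icmp ! --icmp-type 0 -m limit --limit 2/s -j $AP
$IPT -A OUTPUT -p udp --dport 1024:65535 -m limit --limit 5/s --limit-burst 10 -j $AP
$IPT -A OUTPUT -p tcp -m state --state NEW -m limit --limit 3/s --limit-burst 10 -j $AP
$IPT -A OUTPUT -p tcp -m state --state RELATED -m limit --limit 4/s --limit-burst 10 -j $AP
$IPT -A OUTPUT -p tcp -m state --state ESTABLISHED -m limit --limit 2/s --limit-burst 10 -j $AP

# --- nat: masquerade the wired LAN's TCP with source ports remapped into
# 1024-10240, then everything else leaving eth0.
$IPT -t nat -A POSTROUTING -p tcp -m tcp -j MASQUERADE --to-ports 1024-10240 -s $REDE1
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -t nat -A OUTPUT -o lo -j $AP

# --- Accept inbound ICMP other than echo-request, rate-limited.
$IPT -A INPUT -p icmp ! --icmp-type 8 -m limit --limit 2/s -j $AP

# --- FORWARD.
#$IPT -P FORWARD DROP
$IPT -A FORWARD -i $WAN -p tcp -s $SERVER2 -d 0/0 --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j $AP
$IPT -A FORWARD -p tcp -m tcp -s 0/0 -d $SERVER2 --sport 443 --dport 1024:65535 -j $AP
# WiFi clients: web/proxy ports out, matching replies back.
$IPT -A FORWARD -p tcp -s $REDE2 -m multiport --dports 80,443,809,8080 -j $AP
$IPT -A FORWARD -p tcp -d $REDE2 -m multiport --sports 80,443,809,8080 -m state --state NEW,ESTABLISHED -j $AP
# (the original script appended this pair a second time; the duplicate could
# never match and has been dropped)
$IPT -A FORWARD -i eth0 -p tcp -s $REDE1 -d 0/0 --sport 1024:65535 --dport 80 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i eth0 -p tcp -s 0/0 -d $REDE1 --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i eth0 -p tcp -s $REDE1 -m multiport --dports 443,809,995,993,587 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i eth0 -p tcp -d $REDE1 -m multiport --sports 443,809,995,993,587 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i $WAN -p udp -s $REDE2 -d 0/0 --sport 1024:65535 --dport 123 -j $AP
$IPT -A FORWARD -i eth0 -o $WAN -p tcp -m tcp -s 0/0 -d $HOST2 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i $WAN -o eth0 -p tcp -m tcp -s $HOST2 -d 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j $AP
$IPT -A FORWARD -i eth0 -o $WAN -p tcp -m tcp -s 0/0 -d $HOST3 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j $AP
$IPT -A FORWARD -i $WAN -o eth0 -p tcp -m tcp -s $HOST3 -d 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j $AP
$IPT -A FORWARD -p tcp -m tcp -d 0/0 --sport 5999:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j $AP
$IPT -A FORWARD -p tcp -m tcp -s 0/0 --dport 5999:65535 --sport 1024:65535 -j $AP

# --- Blocks and logs: everything not accepted above is logged (rate-limited)
# and new TCP / low UDP ports are dropped.
$IPT -A C_ZXY -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "FW_ZXY_log:"
$IPT -A FORWARD -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "FW_FORWARD_log:"
$IPT -A OUTPUT -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "FW_OUTPUT_log:"
$IPT -A C_ZXY -p tcp -m tcp --syn -j $DP
$IPT -A FORWARD -i eth0 -p tcp -m tcp --syn -j $DP
$IPT -A FORWARD -i $WAN -p tcp -m tcp --syn -j $DP
$IPT -A FORWARD -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "FW_UDP_FOR_log:"
$IPT -A FORWARD -p udp -m udp --dport 1:1024 -j $DP

# --- mangle: payload keyword filter for the wired LAN, then TOS marking.
# The original used "-I PREROUTING 1/2/4/5"; the chain was just flushed, so
# inserting at position 4 with only two rules present fails ("index of
# insertion too big") and the .mp3/.flv rules were never installed.  Plain
# appends give the same order and always succeed.
# NOTE(review): a substring match on the payload only sees cleartext; it
# does not cover encrypted sessions.
$IPT -t mangle -A PREROUTING -p tcp -s $REDE1 -m string --algo bm --string "batepapo" -j $DP
$IPT -t mangle -A PREROUTING -p tcp -s $REDE1 -m string --algo bm --string "facebook" -j $DP
$IPT -t mangle -A PREROUTING -p tcp -s $REDE1 -m string --algo bm --string ".mp3" -j $DP
$IPT -t mangle -A PREROUTING -p tcp -s $REDE1 -m string --algo bm --string ".flv" -j $DP
$IPT -t mangle -A INPUT -i $WAN -p tcp -m tcp -s $REDE2 --dport 1024:65535 --sport 443 -j TOS --set-tos 16
$IPT -t mangle -A INPUT -i eth0 -p tcp -m tcp -s $REDE2 --dport 1024:65535 --sport 80 -j TOS --set-tos 16

# Enable routing only now that the FORWARD rules (including the final DROPs)
# are in place; the original turned it on before the FORWARD chain was built.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Dump the active ruleset to stdout for the boot log.
$IPT-save
echo "======================="
echo "== Regras de Firewall Ativadas... =="
echo "======================="
# EOF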
Mudem conforme a configuração de rede apropriada.
Para executar o Firewall:
# ./firewall.sh
#apt-cache
search comments