Tuesday, 28 February 2017

Rules to harden a stateful firewall


Firewall security.

Rules to harden a stateful firewall (or at least make it a bit less permissive)

#Anti-spoofing rules (forged source IP), example: bind a LAN address to the MAC it belongs to and drop anything else that claims that address

iptables -A FORWARD -s 192.168.1.14 -m mac ! --mac-source 00:11:22:33:67:fa -j DROP

#Caveat: the mac match only works on the directly attached segment (every router hop rewrites the source MAC), and a host that can forge its IP can usually forge its MAC as well, so treat this as hygiene rather than authentication.

#Anti-spoofing rule in the raw table (reverse-path check; works for IPv4 and IPv6 and costs no conntrack entry)

iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

or

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#1 is strict mode and drops legitimate replies on a multi-homed box with asymmetric routing; use 2 (loose mode) there. The kernel applies the higher of conf/all/rp_filter and the per-interface value, so check conf/<iface>/rp_filter as well.


#Alias for the WAN interface, used by the rules below
WAN="eth1"

#Rules to block ICMP (ping)

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

or

iptables -A INPUT -i $WAN -p icmp --icmp-type 8 -j DROP        #echo request

iptables -A INPUT -i $WAN -p icmp --icmp-type 0 -j DROP        #echo reply

#Note: the sysctl silences echo only. The second rule also discards the replies to your own pings unless an ESTABLISHED,RELATED rule precedes it. Do not drop ICMP wholesale: type 3 (destination unreachable, including "fragmentation needed") is required for path MTU discovery.


#Rules to rate-limit ICMP

iptables -A INPUT -i $WAN -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 1 -j ACCEPT

iptables -A INPUT -i $WAN -p icmp --icmp-type 0 -m limit --limit 2/s --limit-burst 1 -j ACCEPT

#The limit match only admits packets up to the rate; packets above it do not match and simply continue down the chain. Each of these ACCEPTs therefore needs a DROP after it (or a DROP chain policy) to limit anything at all.


#Rules to block UDP traceroute (probes start at destination port 33434 and step up by one per probe; the original range began at 33435 and let the first probe through)

iptables -A INPUT -i $WAN -p udp -m conntrack --ctstate NEW --dport 33434:33534 -j DROP

#ICMP-based and TCP-based traceroute are unaffected, and a DROP only makes this host show up as "* * *" on the last hop.


#Rules to discard invalid packets (malformed or not matching any tracked connection)

iptables -I INPUT -i $WAN -m conntrack --ctstate INVALID -j DROP

or (the same match through the older state module, which is an alias of conntrack)

iptables -I INPUT -i $WAN -m state --state INVALID -j DROP


#DDoS attacks (SYN flood)

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

or

iptables -A INPUT -i $WAN -p tcp -m conntrack --ctstate NEW -m limit --limit 1/s -j ACCEPT

#the same rule with the older state module:

iptables -A INPUT -i $WAN -p tcp -m state --state NEW -m limit --limit 1/s -j ACCEPT

#Caveat: syncookies are the right default. The limit rule is a global cap of one new TCP connection per second across all sources, so it throttles legitimate clients as much as the attacker, and it still needs a DROP after it to take effect.


#Rules for UDP flood (UDP flood is harder to handle: there is no handshake to protect, and "NEW" just means the first packet conntrack has seen for that 4-tuple)

iptables -t mangle -I PREROUTING -i $WAN -p udp -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT

#Caveat: ACCEPT in the mangle table only ends traversal of that table; the packet still goes through filter, and nothing above the limit is dropped. Pair the limiter with a DROP in the filter INPUT chain.
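The rate-limiting rules in the ICMP, SYN-flood and UDP-flood sections above share one gap: a limited ACCEPT with nothing behind it limits nothing. The script below is an added example, not from the original post, showing the ordering that makes the limits bite on the WAN INPUT chain, and replacing the global SYN cap with a per-source hashlimit so one flooding address cannot starve everyone else. IPT defaults to `echo iptables` so it can be dry-run without root (set IPT=/sbin/iptables to apply it); WAN=eth1 follows the post, and the rates and burst values are assumptions to tune for your link.

```shell
#!/bin/sh
# Added example, not from the original post. A "-m limit ... -j ACCEPT" rule
# only admits packets up to its rate; what exceeds it does not match and keeps
# going down the chain, so without a DROP behind it nothing is limited.
# IPT defaults to "echo iptables" so the script can be dry-run without root;
# run it with IPT=/sbin/iptables to apply. WAN=eth1 follows the post; the
# rates and bursts are assumptions to tune for your link.

IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth1}"

# icmp_rules: answer echo requests on the WAN at a bounded rate, then drop
# the excess explicitly (this DROP is what the post's rules are missing)
icmp_rules() {
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type 8 -j DROP
}

# syn_rules: instead of one global "1 new connection per second" cap, which
# throttles every client, drop only sources that open more than 20 new TCP
# connections per second (burst 50); syncookies cover what still gets through
syn_rules() {
    $IPT -A INPUT -i "$WAN" -p tcp --syn -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-above 20/second --hashlimit-burst 50 \
        --hashlimit-mode srcip --hashlimit-name synflood -j DROP
}

# wan_input_chain: the order that makes the limiters meaningful. Return
# traffic and INVALID are handled first, then the limiters, then (in a real
# script) the per-service ACCEPTs, and finally a catch-all DROP.
wan_input_chain() {
    $IPT -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m conntrack --ctstate INVALID -j DROP
    icmp_rules
    syn_rules
    # per-service ACCEPT rules (ssh, https, ...) go here
    $IPT -A INPUT -i "$WAN" -j DROP
}

wan_input_chain
```

Run it as is to see the rules it would load; the ESTABLISHED,RELATED rule at the top is also what keeps the echo-reply DROP from eating the answers to your own pings.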


#External hosts trying to impersonate the DHCP server (dynamic-IP connections)

#First find the address of the DHCP server that hands out your lease on the WAN interface. The post takes the first neighbor seen on eth1 (normally the provider's gateway), which assumes the server answers from that address:

ip neigh sh dev eth1 | cut -d " " -f1 | head -n 1

WAN=eth1

#Put this alias at the start of your firewall script (head -n 1 keeps it a single value when several neighbors are listed; the original took every line)

IPGTW="`ip neigh sh dev $WAN | cut -d " " -f1 | head -n 1`"

#Protection rule: drop DHCP traffic on the WAN that does not come from that server

iptables -I INPUT -i $WAN -p udp -m udp ! -s $IPGTW -d 255.255.255.255 --sport 67:68 --dport 67:68 -j DROP

#Caveat: this only matches offers sent to the broadcast address; a rogue server that replies unicast, or a lease relayed from a server that is not a direct neighbor, is not covered. Compare the neighbor lookup with the dhcp-server-identifier option recorded in your client's lease file (dhclient.leases for dhclient) before trusting it.

Wednesday, 22 February 2017

Active firewall blocking by MAC address


This firewall script is useful on WiFi networks, for blocking devices that try to access something inappropriate.

Insert this log rule at the start of your firewall script:

#iptables -I FORWARD -m string --algo bm --string "facebook" -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "FW_FACEBLOCK_log"

And create a small new script:

#touch /root/blockmac.sh

#chmod 550 /root/blockmac.sh

#vim /root/blockmac.sh

#!/bin/sh
#Script to block the MAC addresses that triggered the FW_FACEBLOCK_log rule
#The MAC= field of a LOG line is dst(6):src(6):ethertype(2) bytes, so fields 7-12 are the source MAC;
#uniq -d keeps only MACs logged at least twice in the last 100 lines
tail -n 100 /var/log/messages | grep "FW_FACEBLOCK_log" | grep -Po 'MAC=\K.*$' | cut -d ":" -f7-12 | sort | uniq -d > /root/maclist
#
maclist=/root/maclist
WLAN=eth0 #eth0=Wlan
for mac in `cat $maclist`; do
#skip MACs that already have a rule, otherwise the hourly cron run keeps appending duplicates
iptables -t mangle -C PREROUTING -i $WLAN -m mac --mac-source $mac -j DROP 2>/dev/null && continue
iptables -t mangle -A PREROUTING -i $WLAN -m mac --mac-source $mac -j DROP
echo "MAC - Blocked - $mac"
done #End of FOR
This adds the MAC addresses that accessed facebook (at least twice in the last 100 log lines, because of uniq -d) to the maclist and adds a DROP rule in the mangle table, PREROUTING chain, the first point at which iptables sees a packet; quite functional.

Caveat: the string match fires on any forwarded payload that contains "facebook" (an HTTP Host header, a TLS SNI name, a DNS query, or simply a page that mentions the word), so expect false positives, and a user who changes their MAC address gets a clean slate.


To be more effective, add the script to the crontab (once an hour):

0 0-23/1 * * * /root/blockmac.sh
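The tail | grep | cut pipeline above depends on the exact layout of the MAC= field. Below is an added example, not the post's script, that does the same extraction with awk, checks that the field really has the 14 bytes of dst:src:ethertype before trusting bytes 7-12, and lets you choose how many log hits a MAC needs before it is reported (the post's uniq -d corresponds to 2). The log lines are constructed samples in the kernel LOG format, not real traffic; the prefix is glued to IN= because the post's --log-prefix has no trailing separator.

```shell
#!/bin/sh
# Added example, not the post's script: pull the *source* MAC out of iptables
# LOG lines. The MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes),
# so the source MAC is bytes 7-12.

# Constructed sample of kernel LOG output (assumed format; not real traffic).
# Two hits from ...:01, one from ...:02, one unrelated line with another prefix.
SAMPLE_LOG='Feb 22 10:00:01 gw kernel: FW_FACEBLOCK_logIN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=10.10.10.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=443
Feb 22 10:00:02 gw kernel: FW_FACEBLOCK_logIN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=10.10.10.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=443
Feb 22 10:00:03 gw kernel: FW_FACEBLOCK_logIN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=10.10.10.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=443
Feb 22 10:00:04 gw kernel: FW_OTHER_log:IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:03:08:00 SRC=10.10.10.11 DST=203.0.113.10 LEN=60 PROTO=UDP SPT=40000 DPT=53'

# src_macs PREFIX MIN
#   Reads log lines on stdin, keeps those carrying PREFIX, and prints every
#   source MAC that appears at least MIN times (MIN=2 matches the post's uniq -d).
#   A MAC= field that does not have exactly 14 bytes (e.g. a PPP interface)
#   is ignored rather than turned into a bogus iptables argument.
src_macs() {
    grep -F -- "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if (index($i, "MAC=") == 1) {
                n = split(substr($i, 5), b, ":")
                if (n == 14)
                    print b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12]
            }
        }
    }' | sort | uniq -c | awk -v min="$2" '$1 >= min { print $2 }'
}

# Stand-alone demo on the constructed sample; in production feed it the log:
#   tail -n 100 /var/log/messages | src_macs FW_FACEBLOCK_log 2
printf '%s\n' "$SAMPLE_LOG" | src_macs FW_FACEBLOCK_log 2
```

Every MAC it prints is guaranteed to be six colon-separated fields taken from a well-formed MAC= header, which is the property you want before splicing the value into an iptables command line.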
Tuesday, 21 February 2017

How to block multiple IPs


How to block multiple IPs with iptables

Add this to your firewall script (or save it as /root/dennyips.sh, as run below)

#Block the denied IPs: one address per line in the list, anything after ';' is a comment
lista=/root/lista
while IFS= read -r line; do
ip=`echo "$line" | cut -d ';' -f 1`
[ -z "$ip" ] && continue    #skip blank lines; reading line by line also keeps a comment containing spaces from being taken as an address
#
iptables -t filter -I FORWARD -s "$ip" -j REJECT
#
echo "IP - Blocked - $ip"
done < "$lista" #End of loop
#

#touch /root/lista

#echo "deny IP" >> /root/lista      (one address or CIDR per line; an optional ";comment" may follow it)

#vim /root/lista

#./dennyips.sh

IPs blocked in the FORWARD chain. The rules are inserted at the top of the chain on every run, so call this from the firewall script that flushes the chain first rather than running it repeatedly on its own.
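The loop above hands every entry of the list file straight to iptables. As an added example, not the post's code, here is a version of the same loop that validates each entry before building a rule: blank and commented lines are skipped, the ";comment" tail is stripped, malformed addresses are reported instead of being passed to iptables, and prefixes shorter than /8 are refused because an entry like 0.0.0.0/0 would blackhole all forwarded traffic (that cut-off is an assumption; adjust it to taste). IPT defaults to `echo iptables` for a dry run, and the list used by the demo at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the post's script: reads a block list in the post's
# "ip;comment" format, validates each entry and emits one REJECT rule per
# address. Bad lines are reported instead of being handed to iptables, and
# prefixes shorter than /8 (assumed cut-off) are refused because 0.0.0.0/0
# would block everything. IPT defaults to "echo iptables" for a dry run;
# set IPT=/sbin/iptables to apply.

IPT="${IPT:-echo iptables}"

# valid_ipv4 ADDR[/PREFIX]: 0 for a syntactically valid IPv4 address or prefix
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 { if ($5 !~ /^[0-9]+$/ || $5 > 32 || $5 < 8) exit 1 }
        { exit 0 }'
}

# block_list FILE: emit a REJECT rule for every valid entry; returns 1 if any
# line had to be skipped, so a cron job or boot script can notice
block_list() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%;*}"                               # drop the ';comment' tail
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        case "$entry" in ''|\#*) continue ;; esac        # blank or comment line
        if valid_ipv4 "$entry"; then
            $IPT -t filter -I FORWARD -s "$entry" -j REJECT
        else
            echo "skipping invalid entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Stand-alone demo with a constructed list (not a real block list)
demo="$(mktemp)"
printf '%s\n' '203.0.113.5;scanner seen 2017-02' '198.51.100.0/24;botnet range' \
    '' '# comment line' '0.0.0.0/0;refused' '300.1.1.1;typo' > "$demo"
block_list "$demo" || echo "some entries were rejected" >&2
rm -f "$demo"
```

Because each entry goes through valid_ipv4 first, a stray word in a comment or a mistyped octet produces a message on stderr instead of an iptables error in the middle of loading the firewall.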
Monday, 20 February 2017

Ebtables firewall (layers 2 & 3)


Basic network firewall with ebtables. It acts at layers 2 and 3.

On an internal network most of what transits is frames, not routed packets, which is where ebtables matters. Note that ebtables hooks into the bridging code, so it only sees frames that traverse a Linux bridge (docker0, or interfaces enslaved to a bridge); frames on a plain routed interface never reach its chains.

Install (Debian and derivatives)

#apt-get install ebtables

#cd /root

#touch ebtables.sh

#chmod 550 ebtables.sh

#vim ebtables.sh
#!/bin/sh
#Ebtables firewall Layer 2 & 3
EBT="/sbin/ebtables"
#Clean Rules
$EBT -F
$EBT -t nat -F
#Paths: MAC address of each interface
MACETH0="`cat /sys/class/net/eth0/address`"
MACWLAN0="`cat /sys/class/net/wlan0/address`"
#For VMs or Docker containers: last and second-to-last MAC listed by ifconfig
#(the HWaddr label comes from older net-tools; newer versions print "ether" instead, so check ifconfig -a on your box)
MACLAST="`ifconfig -a | grep -Po 'HWaddr \K[0-9a-fA-F:]+' | tail -1`"
MACPENULT="`ifconfig -a | grep -Po 'HWaddr \K[0-9a-fA-F:]+' | tail -2 | head -n 1`"
#Lans
LAN1="192.168.1.0/24"
LAN2="172.17.0.0/16"
LAN3="172.16.1.0/24"
WLAN="10.10.10.0/26"
#Filter Rules: accept IPv4 frames only when the source network matches the interface they are addressed to
$EBT -A INPUT -p IPv4 --ip-src $LAN1 -d $MACETH0 -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $LAN2 -d $MACPENULT -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $LAN3 -d $MACLAST -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $WLAN -d $MACWLAN0 -j ACCEPT
$EBT -A INPUT -p ARP --arp-htype 1 --arp-opcode 1 -j ACCEPT             #arp request
$EBT -A INPUT -p ARP --arp-htype 1 --arp-opcode 2 -j ACCEPT             #arp reply
#Without a DROP policy the ACCEPT rules above only count traffic. Enable it once every protocol you
#need (IPv6, DHCP broadcasts, ...) has an ACCEPT rule above, or you will cut yourself off:
#$EBT -P INPUT DROP
#NAT Rules
$EBT -t nat -A POSTROUTING -o eth0 -j snat --to-src $MACETH0 --snat-arp --snat-target ACCEPT
$EBT -t nat -A POSTROUTING -o wlan0 -j snat --to-src $MACWLAN0 --snat-arp --snat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN1 -j dnat --to-dst $MACETH0 --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $WLAN -j dnat --to-dst $MACWLAN0 --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN2 -j dnat --to-dst $MACPENULT --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN3 -j dnat --to-dst $MACLAST --dnat-target ACCEPT
echo "*Ebtables Firewall Upstart*"
The networks above are made-up examples; change them to your real addresses.


View all MAC addresses:

# ifconfig -a | grep -Po 'HWaddr \K.*$'

#arp -a

#ip neighbor show
Sunday, 19 February 2017

A very simple Netfilter firewall script

#vim firewall.sh
#!/bin/sh
#Simple Netfilter Firewall
IPT="/sbin/iptables"
#Clean Iptables rules
$IPT --flush
$IPT --delete-chain
$IPT -t nat -F
$IPT -t mangle -F
#Paths
WAN="eth1"
LAN="eth0"
#INPUT Rules
$IPT -A INPUT -i $WAN -p tcp -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
#Replies to our own DNS and HTTP(S) traffic. The original admitted them by source port
#(--sport 53 and --sport 80:443 towards --dport 1024:65535), which lets any host in simply by
#sending from port 443; it also fetched the public IP from http://ipinfo.io/ip with wget at boot
#for the -d match, which leaves the rule unloaded when the link is down and is wrong behind NAT.
#Connection tracking is the safe way to admit return traffic.
$IPT -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $WAN -m conntrack --ctstate NEW -m limit --limit 1/m -j LOG --log-prefix "FW_SYN_WAN_log:"
$IPT -A INPUT -p tcp -m tcp --syn -j DROP
$IPT -A INPUT -p udp -m udp --dport 0:1024 -j DROP
#Forwarding stays off: there are no FORWARD rules here, so enabling it would route everything
#between LAN and WAN. Set it to 1 and add FORWARD rules before relying on the MASQUERADE below.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Nat Rules
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$IPT -t nat -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
#Mangle Rules: clamp the TCP MSS to the path MTU. A fixed --set-mss 1492 is too large for a
#1492-byte PPPoE link, whose MSS is MTU - 40 = 1452.
$IPT -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $WAN -j TCPMSS --clamp-mss-to-pmtu
$IPT -t mangle -I PREROUTING -p tcp --tcp-flags ACK,FIN,SYN SYN -i $WAN -j TCPMSS --clamp-mss-to-pmtu
#Auto-add to hosts.deny: take the SRC= field of the logged SYNs directly (counting '=' separators
#breaks on interfaces that log no MAC= field) and append only addresses not already listed.
#hosts.deny is honoured only by services built with TCP wrappers, not by the packet filter.
tail -12 /var/log/messages | grep "FW_SYN_WAN_log:" | grep -Po 'SRC=\K[0-9.]+' | sort -u > lista1
for h in `cat lista1`; do grep -qxF "ALL: $h" /etc/hosts.deny || echo "ALL: $h" >> /etc/hosts.deny; done
echo "%#%Firewall Netfilter Iptables Upstart%#%"
#Add rules to suit your needs.