
Configurando Iptables no Debian 6 e 7

AVISO

ATUALMENTE É RECOMENDADO UTILIZAR O SOFTWARE UFW PARA GERENCIAR O IPTABLES NOS DEBIAN 6 E 7. NO DEBIAN 8 É RECOMENDADO UTILIZAR O FIREWALLD. ESTA PÁGINA SERÁ MANTIDA PARA FINS EDUCACIONAIS.

UFW: https://help.ubuntu.com/community/UFW

firewalld: https://wiki.tic.ufrj.br/doku.php?id=linux:firewalld

Configuração

1) Criar o arquivo /etc/iptables/iptables.conf:

#!/bin/bash
# Firewall configuration, sourced by /etc/init.d/iptables.
#
# Each service is an associative array (bash 4+) with the keys:
#   PORT - destination port accepted on INPUT (required)
#   NET  - source network allowed to reach it, CIDR notation (optional;
#          when absent the port is reachable from any host unless
#          VALID_NETWORKS is set)

PATH=/bin:/sbin:/usr/bin:/usr/sbin

declare -A BACULA_FD=(
    [PORT]="9102"
    [NET]="146.164.150.171/32"
)

declare -A HTTP=( [PORT]="80" )

declare -A HTTPS=( [PORT]="443" )

# Services the host offers to the network, listed by array name.
# A single "" entry means "no services".
TCP_SERVICES=("BACULA_FD" "HTTP" "HTTPS")
UDP_SERVICES=("")

# Whitespace-separated networks/IPs allowed to reach *every* service;
# when set, it takes precedence over the per-service NET field.
# VALID_NETWORKS=""

# Outgoing connections to these remote services are rejected.
REJECT_REMOTE_TCP_SERVICES=("")
REJECT_REMOTE_UDP_SERVICES=("")

# Network allowed to reach the SSH port below
# (if undefined, SSH is accepted from any host).
# NETWORK_MGMT=192.168.0.0/24

# Port used by the SSH service. Keep SSH out of TCP_SERVICES when you
# set this up, otherwise the port is also opened to all hosts there.
SSH_PORT="22022"

2) Criar um arquivo para o init.d em /etc/init.d/iptables:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs $remote_fs $network $syslog $named
# Required-Stop:     $local_fs $remote_fs $network $syslog $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop iptables rules
### END INIT INFO
 
# Caveats:
# - This configuration applies to all network interfaces
#   if you want to restrict this to only a given interface use
#   '-i INTERFACE' in the iptables calls.
# - Remote access for TCP/UDP services is granted to any host, 
#   you probably will want to restrict this using '--source'.
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
# You can test this script before applying with the following shell
# snippet, if you do not type anything in 10 seconds the firewall
# rules will be cleared.
#---------------------------------------------------------------
#  while true; do test=""; read  -t 20 -p "OK? " test ; \
#  [ -z "$test" ] && /etc/init.d/iptables clear ; done
#---------------------------------------------------------------
 
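# Load the site configuration (service arrays, SSH_PORT, NETWORK_MGMT,
# VALID_NETWORKS). If the file is missing, fw_start would append rules
# with empty '--dport' arguments, so an unreadable configuration is a
# fatal error rather than a silently incomplete rule set.
readonly FW_CONF=/etc/iptables/iptables.conf
if ! [ -r "$FW_CONF" ]; then
    echo "iptables: configuration file $FW_CONF not found or not readable" >&2
    exit 1
fi
# shellcheck source=/etc/iptables/iptables.conf
source "$FW_CONF"

# Nothing to do without the iptables binary; exit 0 so the init system
# does not report a failure on such a host.
if ! [ -x /sbin/iptables ]; then
    exit 0
fi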
 
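#######################################
# Append INPUT ACCEPT rules for a list of services.
# Globals:   VALID_NETWORKS (read) - optional whitespace-separated list of
#            networks; when set it replaces every service's NET field.
# Arguments: $1 - protocol (tcp or udp)
#            $@ - names of associative arrays holding PORT and optionally NET.
#            Empty names are skipped, so the ("") placeholder that
#            iptables.conf uses for "no services" is harmless.
#######################################
fw_allow_services () {
    local proto="$1"; shift
    local service port_ref net_ref allowed
    for service in "$@"; do
        [ -n "$service" ] || continue
        # Indirect references to NAME[PORT] / NAME[NET]; an undefined NET
        # expands to the empty string.
        port_ref="${service}[PORT]"
        net_ref="${service}[NET]"
        if [ -n "$VALID_NETWORKS" ]; then
            # Word-splitting of the whitespace-separated list is intended.
            # shellcheck disable=SC2086
            for allowed in $VALID_NETWORKS; do
                /sbin/iptables -A INPUT -p "$proto" --src "$allowed" \
                    --dport "${!port_ref}" -j ACCEPT
            done
        elif [ -z "${!net_ref}" ]; then
            # No source restriction: the port is reachable from any host.
            /sbin/iptables -A INPUT -p "$proto" --dport "${!port_ref}" -j ACCEPT
        else
            /sbin/iptables -A INPUT -p "$proto" --src "${!net_ref}" \
                --dport "${!port_ref}" -j ACCEPT
        fi
    done
}

#######################################
# Append OUTPUT REJECT rules for a list of remote services.
# Arguments: $1 - protocol (tcp or udp)
#            $@ - names of associative arrays holding PORT and optionally NET
#            (NET is the destination network here; empty names are skipped)
#######################################
fw_reject_services () {
    local proto="$1"; shift
    local service port_ref net_ref
    for service in "$@"; do
        [ -n "$service" ] || continue
        port_ref="${service}[PORT]"
        net_ref="${service}[NET]"
        if [ -z "${!net_ref}" ]; then
            /sbin/iptables -A OUTPUT -p "$proto" --dport "${!port_ref}" -j REJECT
        else
            /sbin/iptables -A OUTPUT -p "$proto" -d "${!net_ref}" \
                --dport "${!port_ref}" -j REJECT
        fi
    done
}

#######################################
# Write a value to a /proc/sys/net/ipv4 knob, skipping knobs the running
# kernel does not provide (with a note on stderr) instead of a bare
# redirection error.
# Arguments: $1 - knob path relative to /proc/sys/net/ipv4
#            $2 - value to write
#######################################
fw_set_sysctl () {
    local knob="/proc/sys/net/ipv4/$1"
    if [ -w "$knob" ]; then
        echo "$2" > "$knob"
    else
        echo "iptables: $knob not available, skipping" >&2
    fi
}

#######################################
# Install the firewall rules. The start/restart action runs fw_stop first,
# so this function only appends to already-flushed chains.
# Globals:   TCP_SERVICES, UDP_SERVICES, REJECT_REMOTE_TCP_SERVICES,
#            REJECT_REMOTE_UDP_SERVICES, NETWORK_MGMT, SSH_PORT,
#            VALID_NETWORKS (read, from /etc/iptables/iptables.conf)
# Outputs:   iptables error messages, if any, on stderr; a failing rule
#            does not stop the remaining ones from being applied
#######################################
fw_start () {
    # Input traffic: packets belonging to connections already accepted
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the network
    fw_allow_services tcp "${TCP_SERVICES[@]}"
    fw_allow_services udp "${UDP_SERVICES[@]}"

    # Remote management: SSH from the management network when one is
    # configured, otherwise from any host. Skipped when SSH_PORT is empty,
    # which would otherwise produce an invalid '--dport' rule.
    if [ -n "$SSH_PORT" ]; then
        if [ -n "$NETWORK_MGMT" ]; then
            /sbin/iptables -A INPUT -p tcp --src "$NETWORK_MGMT" --dport "$SSH_PORT" -j ACCEPT
        else
            /sbin/iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
        fi
    fi

    # Remote testing: every ICMP type is accepted, as is loopback
    /sbin/iptables -A INPUT -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    # Default deny; the LOG rule is appended last so only packets that no
    # ACCEPT rule matched are logged before the policy drops them.
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -j LOG

    # Output:
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP is permitted:
    /sbin/iptables -A OUTPUT -p icmp -j ACCEPT

    # Outgoing connections to the rejected remote services
    fw_reject_services tcp "${REJECT_REMOTE_TCP_SERVICES[@]}"
    fw_reject_services udp "${REJECT_REMOTE_UDP_SERVICES[@]}"

    # Everything else on OUTPUT is logged and then accepted by policy
    /sbin/iptables -A OUTPUT -j LOG
    /sbin/iptables -P OUTPUT ACCEPT

    # Other network protections
    # (some will only work with some kernel versions)
    fw_set_sysctl tcp_syncookies 1
    fw_set_sysctl ip_forward 0
    fw_set_sysctl icmp_echo_ignore_broadcasts 1
    fw_set_sysctl conf/all/log_martians 1
    fw_set_sysctl icmp_ignore_bogus_error_responses 1
    fw_set_sysctl conf/all/rp_filter 1
    fw_set_sysctl conf/all/send_redirects 0
    fw_set_sysctl conf/all/accept_source_route 0
}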
 
#######################################
# Flush every table and fail closed: with INPUT and FORWARD set to DROP
# and no ESTABLISHED rule left, the host accepts no inbound traffic at
# all until fw_start or fw_clear runs.
#######################################
fw_stop () {
    local ipt=/sbin/iptables table
    "$ipt" -F
    for table in nat mangle; do
        "$ipt" -t "$table" -F
    done
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT
}
 
#######################################
# Remove all rules and open the firewall completely: every table is
# flushed and all three policies are set to ACCEPT. Used by the "clear"
# action and by the test-before-apply snippet in the header.
#######################################
fw_clear () {
    local ipt=/sbin/iptables chain
    "$ipt" -F
    "$ipt" -t nat -F
    "$ipt" -t mangle -F
    for chain in INPUT FORWARD OUTPUT; do
        "$ipt" -P "$chain" ACCEPT
    done
}
 
#######################################
# Entry point: dispatch on the init action.
# Arguments: $1 - start|restart|stop|clear
# Returns:   0 on success, 1 for an unknown action (usage is printed)
#######################################
case "$1" in
    start|restart)
        # Flush before installing so a restart never appends rules twice
        printf 'Starting firewall..'
        fw_stop
        fw_start
        printf 'done.\n'
        ;;
    stop)
        printf 'Stopping firewall..'
        fw_stop
        printf 'done.\n'
        ;;
    clear)
        printf 'Clearing firewall rules..'
        fw_clear
        printf 'done.\n'
        ;;
    *)
        printf 'Usage: %s {start|stop|restart|clear}\n' "$0"
        exit 1
        ;;
esac

exit 0

Depois rodar o comando de configuração do init.d:

# chmod +x /etc/init.d/iptables
# update-rc.d iptables defaults

Para iniciar:

# service iptables start

Fonte : http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup