ATUALMENTE É RECOMENDADO UTILIZAR O SOFTWARE UFW PARA GERENCIAR O IPTABLES NOS DEBIAN 6 E 7. NO DEBIAN 8 É RECOMENDADO UTILIZAR O FIREWALLD. ESTA PÁGINA SERÁ MANTIDA PARA FINS EDUCACIONAIS.
UFW: https://help.ubuntu.com/community/UFW
firewalld: https://wiki.tic.ufrj.br/doku.php?id=linux:firewalld
1) Criar o arquivo /etc/iptables/iptables.conf
:
#!/bin/bash
# Firewall configuration, sourced by /etc/init.d/iptables.
#
# Each service is an associative array with two keys:
#   PORT - destination port the service listens on (required)
#   NET  - source network allowed to reach it (optional; without it the
#          port is opened to every host unless VALID_NETWORKS is set)
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Bacula file daemon: reachable only from the single address given in NET.
declare -A BACULA_FD=([PORT]="9102" [NET]="146.164.150.171/32")

# Web server: no NET, so the ports are opened to any host.
declare -A HTTP=([PORT]="80")
declare -A HTTPS=([PORT]="443")

# Services the system offers to the network (names of the arrays above).
TCP_SERVICES=("BACULA_FD" "HTTP" "HTTPS")
UDP_SERVICES=("")   # none; the init script skips the empty entry

# Networks or IPs allowed to reach every service. When set, the init
# script uses it for all services and ignores the per-service NET.
# VALID_NETWORKS=""

# Remote services this host must not connect to (OUTPUT REJECT rules).
REJECT_REMOTE_TCP_SERVICES=("")
REJECT_REMOTE_UDP_SERVICES=("")

# Network allowed to reach the SSH port below.
# (if undefined, SSH_PORT is opened to every host)
# NETWORK_MGMT=192.168.0.0/24

# Port used for the SSH service; define this if you have set up a
# management network, and keep SSH out of TCP_SERVICES.
SSH_PORT="22022"
2) Criar um arquivo para o init.d em /etc/init.d/iptables
:
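#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs $remote_fs $network $syslog $named
# Required-Stop:     $local_fs $remote_fs $network $syslog $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop iptables rules
### END INIT INFO
#
# Loads the IPv4 rule set described by /etc/iptables/iptables.conf.
#
# Caveats:
# - This configuration applies to all network interfaces;
#   to restrict it to a given interface use '-i INTERFACE' in the
#   iptables calls.
# - Remote access for TCP/UDP services is granted to any host unless
#   VALID_NETWORKS or the service's NET entry restricts it; you probably
#   want to restrict this using '--source'.
# - Only iptables (IPv4) is configured; ip6tables is left untouched, so
#   these rules do not cover IPv6 traffic if the host has IPv6 connectivity.
# - The LOG rules carry no rate limit, so a busy or scanned host can
#   flood syslog.
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
# You can test this script before applying with the following shell
# snippet; if you do not type anything in 20 seconds the firewall
# rules will be cleared.
#---------------------------------------------------------------
# while true; do test=""; read -t 20 -p "OK? " test ; \
#   [ -z "$test" ] && /etc/init.d/iptables clear ; done
#---------------------------------------------------------------

readonly IPTABLES=/sbin/iptables
readonly CONFIG=/etc/iptables/iptables.conf

# A host without iptables has nothing to configure; exit 0 so boot is not
# interrupted, but make the skipped firewall visible on stderr.
if ! [ -x "$IPTABLES" ]; then
  printf '%s: %s not found, firewall rules not applied\n' "$0" "$IPTABLES" >&2
  exit 0
fi

# The configuration is only needed by 'start'; stop/clear must still work
# when it is missing. 'start' checks for it below before touching rules.
if [ -r "$CONFIG" ]; then
  source "$CONFIG"
fi

#######################################
# Resolve the PORT and NET entries of a service definition.
# Arguments: $1 - service name (an associative array with PORT and NET keys)
# Outputs:   sets the globals svc_port and svc_net
# Returns:   0 when a PORT is defined, 1 otherwise (a warning is printed)
#######################################
fw_service_lookup() {
  local name=$1
  local port_ref="${name}[PORT]"
  local net_ref="${name}[NET]"
  # ${!ref} with a subscripted name indirectly reads the associative array.
  svc_port=${!port_ref}
  svc_net=${!net_ref}
  if [ -z "$svc_port" ]; then
    # Without a port iptables would reject the rule anyway; say why.
    printf '%s: service %s has no PORT entry, skipped\n' "$0" "$name" >&2
    return 1
  fi
  return 0
}

#######################################
# Append INPUT ACCEPT rules for every service named in an array.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - name of the array holding service names
# Globals:   VALID_NETWORKS (read) - when non-empty every service is opened
#            to these networks only and the per-service NET is ignored
#######################################
fw_allow_services() {
  local proto=$1
  local list="${2}[@]"
  local service src svc_port svc_net
  for service in "${!list}"; do
    # Empty entries (e.g. UDP_SERVICES=("")) mean "no services".
    [ -n "$service" ] || continue
    fw_service_lookup "$service" || continue
    if [ -n "$VALID_NETWORKS" ]; then
      # VALID_NETWORKS is a whitespace-separated list; word-splitting is wanted.
      # shellcheck disable=SC2086
      for src in $VALID_NETWORKS; do
        "$IPTABLES" -A INPUT -p "$proto" --src "$src" --dport "$svc_port" -j ACCEPT
      done
    elif [ -n "$svc_net" ]; then
      "$IPTABLES" -A INPUT -p "$proto" --src "$svc_net" --dport "$svc_port" -j ACCEPT
    else
      # Neither NET nor VALID_NETWORKS: the port is reachable from any host.
      "$IPTABLES" -A INPUT -p "$proto" --dport "$svc_port" -j ACCEPT
    fi
  done
}

#######################################
# Append OUTPUT REJECT rules for every remote service named in an array.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - name of the array holding service names
#######################################
fw_reject_services() {
  local proto=$1
  local list="${2}[@]"
  local service svc_port svc_net
  for service in "${!list}"; do
    [ -n "$service" ] || continue
    fw_service_lookup "$service" || continue
    if [ -n "$svc_net" ]; then
      "$IPTABLES" -A OUTPUT -p "$proto" -d "$svc_net" --dport "$svc_port" -j REJECT
    else
      "$IPTABLES" -A OUTPUT -p "$proto" --dport "$svc_port" -j REJECT
    fi
  done
}

#######################################
# Write a value to a /proc/sys key, warning instead of failing when the
# key does not exist on the running kernel.
# Arguments: $1 - path under /proc/sys
#            $2 - value to write
#######################################
fw_sysctl() {
  local key=$1
  local value=$2
  if [ -w "$key" ]; then
    printf '%s\n' "$value" > "$key"
  else
    printf '%s: cannot set %s (not available on this kernel)\n' "$0" "$key" >&2
  fi
}

#######################################
# Build the rule set: INPUT defaults to DROP with explicit allows,
# OUTPUT defaults to ACCEPT with explicit rejects, then kernel hardening.
# Globals: TCP_SERVICES UDP_SERVICES REJECT_REMOTE_TCP_SERVICES
#          REJECT_REMOTE_UDP_SERVICES NETWORK_MGMT SSH_PORT (read)
#######################################
fw_start() {
  # Input traffic: replies to connections this host initiated.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Services offered to the network.
  fw_allow_services tcp TCP_SERVICES
  fw_allow_services udp UDP_SERVICES

  # Remote management. Without this rule the DROP policy below locks out
  # new SSH sessions, so a missing SSH_PORT is reported loudly.
  if [ -z "$SSH_PORT" ]; then
    printf '%s: SSH_PORT is not set, no remote management rule added\n' "$0" >&2
  elif [ -n "$NETWORK_MGMT" ]; then
    "$IPTABLES" -A INPUT -p tcp --src "$NETWORK_MGMT" --dport "$SSH_PORT" -j ACCEPT
  else
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
  fi

  # Remote testing: every ICMP type is accepted, plus all loopback traffic.
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # Everything not matched above is logged and dropped by policy.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -A INPUT -j LOG

  # Output: loopback, replies and ICMP are allowed outright.
  "$IPTABLES" -A OUTPUT -j ACCEPT -o lo
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -p icmp -j ACCEPT
  # Remote services this host must not reach.
  fw_reject_services tcp REJECT_REMOTE_TCP_SERVICES
  fw_reject_services udp REJECT_REMOTE_UDP_SERVICES
  # All other new outbound connections are logged and accepted by policy.
  "$IPTABLES" -A OUTPUT -j LOG
  "$IPTABLES" -P OUTPUT ACCEPT

  # Other network protections (some exist only on some kernel versions).
  fw_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  fw_sysctl /proc/sys/net/ipv4/ip_forward 0
  fw_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  fw_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
  fw_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  fw_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1
  fw_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 0
  fw_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
}

#######################################
# Flush all tables and fail closed: INPUT/FORWARD DROP with no allow
# rules, so even established inbound sessions stall until 'start' runs.
#######################################
fw_stop() {
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
}

#######################################
# Flush all tables and fail open: every chain defaults to ACCEPT.
#######################################
fw_clear() {
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
}

case "$1" in
  start|restart)
    # Starting without the configuration would set the DROP policy with an
    # empty SSH rule and lock the host out; refuse instead (LSB 6 = not configured).
    if ! [ -r "$CONFIG" ]; then
      printf '%s: cannot read %s, not starting\n' "$0" "$CONFIG" >&2
      exit 6
    fi
    printf 'Starting firewall..'
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    printf 'Stopping firewall..'
    fw_stop
    echo "done."
    ;;
  clear)
    printf 'Clearing firewall rules..'
    fw_clear
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear}"
    exit 1
    ;;
esac
exit 0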
Depois rodar o comando de configuração do init.d:
# chmod +x /etc/init.d/iptables
# update-rc.d iptables defaults
Para iniciar:
# service iptables start
Fonte: http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup