<literal>#!/bin/sh
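# Begin rc.iptables
#
# Personal-firewall policy for a single host: everything outbound is
# allowed; inbound, only loopback traffic and replies to connections this
# host opened are accepted; everything else is logged and dropped.
# Only IPv4 is configured here (see the note at the end).

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
# 'default' only seeds interfaces created later. On a host that does not
# forward, redirects stay accepted while *either* conf/all or the
# per-interface flag is set (see ip-sysctl in the kernel docs), so the
# 'all' knob has to be cleared as well or the setting has no effect.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
# (Strict mode, which is appropriate for a single-homed host.)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
# The DROP policies are installed *before* the tables are flushed, so a
# re-run never passes through a moment where the old rules are gone but
# the policy is still ACCEPT.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
# Clear the nat and mangle tables too, not just filter, so nothing from
# a previous run survives there.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else, but rate-limit the LOG rule: without a limit a
# remote sender can flood the system log (and fill the disk) with a
# stream of unsolicited packets. The policy still drops every packet,
# logged or not; the limit values are a starting point, tune as needed.
iptables -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT "

# NOTE(review): only IPv4 is filtered by this script. If the kernel has
# IPv6 enabled, ip6tables keeps its default ACCEPT policies and the host
# is reachable unfiltered over IPv6; an equivalent ip6tables ruleset
# (one that also permits the ICMPv6 neighbour-discovery types) is needed.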
# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput>
<literal>#!/bin/sh
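# Início do rc.iptables
#
# Política de firewall pessoal para um único host: toda saída é
# permitida; na entrada, só o tráfego de loopback e as respostas a
# conexões abertas por este host são aceitos; todo o resto é registrado
# e descartado. Somente o IPv4 é configurado aqui (veja a nota no fim).

# Insere módulos de rastreamento de conexão
# (não necessário se construído internamente ao kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Habilita a proteção contra echo em difusão (broadcast)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Desabilita Pacotes com Roteamento pela Origem
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Habilita a Proteção SYN Cookie do TCP
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Desabilita a Aceitação de Redireção de ICMP
# 'default' só semeia as interfaces criadas depois. Em um host que não
# encaminha pacotes, os redirecionamentos continuam sendo aceitos
# enquanto conf/all *ou* o sinalizador da interface estiver ativo (veja
# ip-sysctl na documentação do kernel); por isso 'all' também precisa
# ser zerado, senão a configuração não tem efeito.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Não envia Mensagens de Redireção
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Descarta Pacotes Falsificados entrantes em uma interface, onde as
# respostas resultariam na resposta indo para uma interface diferente.
# (Modo estrito, adequado para um host com uma única interface de rede.)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Registra pacotes com endereços impossíveis.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# Seja verboso a respeito de endereços de IP dinâmicos (não necessário
# no caso de IP estático)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Desabilita a Notificação Explícita de Congestão
# roteadores demais ainda são ignorantes
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Configura um estado conhecido
# As políticas DROP são instaladas *antes* de as tabelas serem limpas,
# para que uma reexecução nunca passe por um momento em que as regras
# antigas já se foram, mas a política ainda é ACCEPT.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Estas linhas estão aqui no caso das regras já estiverem no lugar e o
# script for mesmo reexecutado em tempo real. Nós queremos remover
# todas as regras e cadeias preexistentes definidas por usuário(a)
# antes de implementarmos novas regras.
# As tabelas nat e mangle também são limpas, não só a filter, para que
# nada de uma execução anterior sobreviva nelas.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Permite conexões locais somente
iptables -A INPUT -i lo -j ACCEPT

# Libera a saída gerada em qualquer interface para qualquer IP para
# qualquer serviço (igual a -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permite respostas em conexões já estabelecidas e permite novas
# conexões relacionadas às estabelecidas (por exemplo, modo de porta
# ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Registra tudo o mais, mas limita a taxa da regra LOG: sem um limite,
# um remetente remoto pode inundar o registro do sistema (e lotar o
# disco) com um fluxo de pacotes não solicitados. A política continua
# descartando todos os pacotes, registrados ou não; os valores do limite
# são um ponto de partida, ajuste conforme necessário.
iptables -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT "

# NOTA(revisão): somente o IPv4 é filtrado por este script. Se o kernel
# tiver o IPv6 habilitado, o ip6tables mantém suas políticas ACCEPT
# padrão e o host fica acessível sem filtragem por IPv6; é necessário um
# conjunto de regras ip6tables equivalente (que também permita os tipos
# ICMPv6 de descoberta de vizinhança).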
# Fim do $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput>