Yes, that is the point where you need to make the change. But commenting those lines out is not enough, because the default value of the policy is already "ACCEPT", i.e. a permissive firewall. To switch to a restrictive firewall, you have to set the DROP policy explicitly:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
I do not recommend touching the policy of the OUTPUT chain (that is only for people with a lot of firewall experience), nor the policies of the nat table chains (PREROUTING, POSTROUTING, OUTPUT).
Good evening, my friend...
Changing the policy to DROP, I got this result.
[root@anonymous-host ~]# nmap -sS -sC -O -p- endereço_noip
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-05 01:03 BRT
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.01% done
Stats: 0:03:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 81.50% done; ETC: 01:07 (0:00:45 remaining)
Nmap scan report for endereço_noip (186.212.236.171)
Host is up (0.021s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE
223/tcp open cdc
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: PBX|specialized|WAP|media device|general purpose
Running (JUST GUESSING): Vodavi embedded (90%), Crestron 2-Series (86%), Netgear embedded (86%), Western Digital embedded (86%), Linux 2.4.X (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/o:linux:kernel:2.4
Aggressive OS guesses: Vodavi XTS-IP PBX (90%), Crestron XPanel control system (86%), Netgear DG834G WAP or Western Digital WD TV media player (86%), Linux 2.4.18 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 258.43 seconds
The Lord is in heaven.
Amen!
What did not work? Did it give an error message, or did it simply not do what you expected?
My expectation was that this scan would not find this port open: 223
What has me puzzled is:
why it shows up as "filtered" and not "closed"
Not shown: 65534 filtered ports
A simple #nmap endereco_noip produces this output.
All 1000 scanned ports on (186.212.236.171) are filtered
Repeating the nmap from the first post:
[root@anonymous-host ~]# nmap -sV -T4 -o -F --version-light endereço_noip
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-05 01:21 BRT
Nmap scan report for endereço_noip (186.212.236.171)
Host is up (0.024s latency).
All 1000 scanned ports on endereço_noip (186.212.236.171) are filtered
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.71 seconds
And finally, here is how firewall.sh looks now:
#!/bin/sh
#############
# VARIABLES #
#############
# IP of PPP0
#IPRESULT=`ifconfig | grep P-a-P | awk '{print $3}'`
EXT="ppp0"
INTLAB="eth2"
INTSEC="eth1"
IPLAB="192.168.1.0/24"
IPSEC="192.168.0.0/24"
SOURCE="192.168.0.0/255.255.255.0"
SOURCE2="192.168.1.0/255.255.255.0"
####################################
# DEFAULT OPTIONS FOR OPEN MACHINE #
####################################
# FLUSHING TABLES
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# ACCEPTING EVERYTHING (commented out; the built-in default policy is still ACCEPT
# unless "iptables -P <chain> DROP" is set explicitly somewhere in this script)
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -t filter -A INPUT -j ACCEPT
#iptables -t filter -A OUTPUT -j ACCEPT
#iptables -t filter -A FORWARD -j ACCEPT
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -P OUTPUT ACCEPT
# LOAD MODULES
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ip_tables
modprobe ipt_state
modprobe iptable_mangle
modprobe iptable_filter
modprobe iptable_nat
# ip_conntrack itself takes no "ports=" parameter (modprobe would fail); only the ftp helpers do
modprobe ip_conntrack
modprobe ip_conntrack_ftp ports=20,21,1024,3389,5900,5902
modprobe ip_nat_ftp ports=20,21,1024,3389,5900,5902
# LINUX2BUSINESS FIREWALL
# Reverse-path filtering against IP spoofing (2 = loose mode; set to strict mode 1 further down)
sysctl -w net.ipv4.conf.all.rp_filter=2 > /dev/null 2>&1
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
# Disable TCP timestamps
sysctl -w net.ipv4.tcp_timestamps=0 > /dev/null 2>&1
# Enable TCP SYN cookie protection
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null 2>&1
# Ignore ICMP broadcasts
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null 2>&1
# Ignore bogus ICMP error responses
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 > /dev/null 2>&1
# Make sure source-routed packets are discarded
sysctl -w net.ipv4.conf.all.accept_source_route=0 > /dev/null 2>&1
# Change the default TTL value
sysctl -w net.ipv4.ip_default_ttl=255 > /dev/null 2>&1
# Rate-limit mask for ICMP types 0 3 4 5 8 11 12
sysctl -w net.ipv4.icmp_ratemask=6457 > /dev/null 2>&1
# Recommended TCP settings with DoS and DRDoS attacks in mind
sysctl -w net.ipv4.tcp_fin_timeout=30 > /dev/null 2>&1
sysctl -w net.ipv4.tcp_keepalive_time=1800 > /dev/null 2>&1
sysctl -w net.ipv4.tcp_window_scaling=0 > /dev/null 2>&1
sysctl -w net.ipv4.tcp_sack=0 > /dev/null 2>&1
# Port 223 (ssh) accepted here, before the INVALID-state drop below; the same rule is repeated further down
iptables -A INPUT -p tcp --dport 223 -j ACCEPT
# Share the connection
# echo 1 > /proc/sys/net/ipv4/ip_forward ############################################## L2B
# attempt to block squid from the outside, does not work
#iptables -A INPUT -i $EXT -p tcp --dport 3128 -j DROP
#iptables -A OUTPUT -o $EXT -p tcp --dport 3128 -j DROP
#iptables -A FORWARD -i $EXT -p tcp --dport 3128 -j DROP
iptables -t nat -A POSTROUTING -s $SOURCE -o $EXT -j MASQUERADE
iptables -t nat -A POSTROUTING -s $SOURCE2 -o $EXT -j MASQUERADE
# Block pings and protect against IP spoofing and invalid packets
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter ############################### L2B
iptables -A INPUT -m state --state INVALID -j DROP
# Open the loopback interface and the local network interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTLAB -j ACCEPT
iptables -A INPUT -i $INTSEC -j ACCEPT
# Open the specified ports
iptables -A INPUT -p tcp --dport 223 -j ACCEPT
# Block the remaining new TCP connections, letting only reply packets through (see the state rules below)
iptables -A INPUT -p tcp --syn -j DROP
# reverse path filter (strict mode on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
# no smurf amplifier
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ##########L2B
# Syn-flood protection
# echo "1" > /proc/sys/net/ipv4/tcp_syncookies #################### L2B
# Blocking traceroute
#iptables -A INPUT -p udp -s 0/0 -i ppp0 --dport 33435:33525 -j DROP
# Block msn
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 198.164.1.0/24 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -s 198.164.1.0/24 -d messenger.hotmail.com -j REJECT
#iptables -A FORWARD -s 198.164.1.0/24 -d webmessenger.msn.com -j REJECT
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1080 -j REJECT
iptables -A FORWARD -i $INTLAB -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -i $INTLAB -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -i $INTLAB -d messenger.hotmail.com -j REJECT
#iptables -A FORWARD -i $INTLAB -d webmessenger.msn.com -j REJECT
iptables -A FORWARD -p tcp --dport 1080 -j DROP
iptables -A FORWARD -i $INTLAB -p tcp --dport 1080 -j REJECT
# Protection against stealth port scanners: rate-limit bare RST packets
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Stateful rules (original comment: "receive and return fragmented packets").
# NEW here also admits new UDP and ICMP from any interface, including $EXT (e.g. 123/udp)
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# try to block incoming traffic from the outside world (only reached by packets not accepted above)
iptables -A INPUT -i ppp0 -j DROP
iptables -A FORWARD -i ppp0 -j DROP
iptables -A OUTPUT -j ACCEPT
# Protection against attacks (the first two rules already appear earlier in the chain)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Performance - web access with minimum delay
iptables -t mangle -A OUTPUT -o $EXT -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $EXT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
# LAB BLOCK: isolate the lab and office networks from each other (-I puts these at the top of FORWARD)
iptables -I FORWARD -p tcp -s $IPSEC -d $IPLAB -j DROP
iptables -I FORWARD -p tcp -s $IPLAB -d $IPSEC -j DROP
iptables -I FORWARD -p icmp -s $IPSEC -d $IPLAB -j DROP
iptables -I FORWARD -p icmp -s $IPLAB -d $IPSEC -j DROP
# squid: transparent proxy redirect ("-m multiport" removed; it requires --dports and rejects a bare --dport)
iptables -t nat -A PREROUTING -p tcp -s $SOURCE --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -s $SOURCE2 --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $INTLAB -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $INTSEC -p tcp --dport 80 -j REDIRECT --to-port 3128
# really good ssh security: I changed the ssh port to 223
#http://www.vivaolinux.com.br/artigo/Jogando-pesado-na-seguranca-de-seu-SSH?pagina=3
# NOTE: port 223 is already accepted unconditionally above, so the recent-list check here never decides anything.
# 225 adds the source to the SSH list, 224 and 226 remove it, and all three are dropped.
iptables -A INPUT -p tcp -m tcp --dport 223 -m state --state NEW -m recent --rcheck --name SSH --rsource --seconds 60 --hitcount 3 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 224 -m state --state NEW -m recent --name SSH --remove -j DROP
iptables -A INPUT -p tcp -m tcp --dport 225 -m state --state NEW -m recent --set --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 226 -m state --state NEW -m recent --name SSH --remove -j DROP
#iptables -A INPUT -i ppp0 -j DROP
######## End of firewall ######
I found port 123/udp open.
It refers to the ntp service.
Are there security problems on this port?
What else can we add to this firewall to prevent attacks??
Regards
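To see why the scan reports 223/tcp open, every other TCP port "filtered" rather than "closed", and 123/udp reachable, and how the default DROP policy from the first reply changes that, here is an added example (not code from the thread): a first-match simulator over a simplified reading of the INPUT chain in firewall.sh. The interface names are the script's; the probe packets and the reordered "hardened" chain are constructed for illustration.

```python
# Added example, not code from the thread: a first-match simulator for an iptables
# INPUT chain, showing how rule order and the chain policy decide what nmap sees.
# The chains are a simplified reading of firewall.sh above; packets are constructed.

def rule(target, proto=None, dport=None, iface=None, state=None):
    # A field left as None means "any", like an omitted iptables match.
    return {"target": target, "proto": proto, "dport": dport, "iface": iface, "state": state}

# INPUT rules in the order the posted script appends them (commented lines aside).
POSTED_INPUT = [
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", iface="eth2"),                              # $INTLAB
    rule("ACCEPT", iface="eth1"),                              # $INTSEC
    rule("ACCEPT", proto="tcp", dport=223),                    # ssh moved to 223
    rule("DROP", proto="tcp", state={"NEW"}),                  # -p tcp --syn -j DROP
    rule("ACCEPT", state={"NEW", "ESTABLISHED", "RELATED"}),   # also admits NEW udp
    rule("DROP", iface="ppp0"),                                # never reached by a NEW packet
]

# Same intent, reordered: from outside only replies and port 223 get in;
# everything else falls through to the chain policy.
HARDENED_INPUT = [
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", iface="eth2"),
    rule("ACCEPT", iface="eth1"),
    rule("ACCEPT", proto="tcp", dport=223, state={"NEW"}),
]

def matches(r, pkt):
    return ((r["iface"] is None or pkt["iface"] == r["iface"])
            and (r["proto"] is None or pkt["proto"] == r["proto"])
            and (r["dport"] is None or pkt["dport"] == r["dport"])
            and (r["state"] is None or pkt["state"] in r["state"]))

def verdict(chain, policy, pkt):
    """Walk the chain top to bottom; the first match wins, else the policy applies."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None

# What a scanner reports per verdict: DROP answers nothing (filtered), REJECT sends
# RST / ICMP unreachable (closed), ACCEPT lets a listening service reply (open).
SCANNER_VIEW = {"DROP": "filtered", "REJECT": "closed", "ACCEPT": "open"}

def probe(chain, policy, proto, dport, iface="ppp0", state="NEW"):
    pkt = {"proto": proto, "dport": dport, "iface": iface, "state": state}
    return SCANNER_VIEW[verdict(chain, policy, pkt)[0]]
```

With the posted order, 123/udp is admitted by the NEW,ESTABLISHED,RELATED rule before the ppp0 DROP is ever reached; with the reordered chain only the policy decides it, so the policy must be DROP.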