<div dir="ltr">Mike<div><br></div><div>Eu utilizo este script, não uso ele pro Asterisk, você só tem que incluir as portas do Asterisk logo depois do "iptables -P OUTPUT DROP". É só incluir quantas linhas precisar com o ip de origem e a porta(iptables -A INPUT -p tcp -s 192.168.1.2 --dport 8080 -j ACCEPT):</div>
<div><br></div><div><br></div><div><div>#!/bin/bash</div><div>## FIREWALL ##</div><div><br></div><div>#IPS=`cat /opt/firewall/ips.txt`</div><div><br></div><div>### Bloquear ataque DDos</div><div>echo 1 > /proc/sys/net/ipv4/tcp_syncookies</div>
<div><br></div><div>### Habilita o reencaminhamento de pacotes TCP/UDP</div><div>#echo 1 > /proc/sys/net/ipv4/ip_forward</div><div><br></div><div>### Limpar tabelas iptables</div><div>iptables -F</div><div>iptables -X</div>
<div><br></div><div>##</div><div>iptables -P INPUT DROP</div><div>iptables -P OUTPUT DROP</div><div><br></div><div>### Aceita conexoes SSH na porta 22</div><div>iptables -A INPUT -p tcp -s 192.168.1.1 --dport 22 -j ACCEPT</div>
<div><br></div><div>### Aceita requisicoes HTTP na porta 8080</div><div>iptables -A INPUT -p tcp -s 192.168.1.2 --dport 8080 -j ACCEPT</div><div><br></div><div>### Aceita requisicoes em loopback</div><div>iptables -A INPUT -i lo -j ACCEPT</div>
<div><br></div><div>### Protecao contra port scanners ocultos</div><div>iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT</div><div><br></div><div>### Bloqueando tracertroute</div><div>
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP</div><div><br></div><div>### Aceita passagem de pacotes de conexoes ja estabelecidas ou secundarias</div><div>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</div>
<div><br></div><div>###OUTPUT</div><div>iptables -P OUTPUT ACCEPT</div><div>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</div><div>###FIM</div><div><br></div><div><br></div><div><br></div><div><br></div>
</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br></div>Att,<div><b>Rafael dos Santos Saraiva</b></div><div><div>Tel: (51) 8174-7956</div><div><font color="#e69138"><b>Digium Certified Asterisk Administrator (dCCA)</b></font><br>
</div><div><a href="http://www.astdocs.com" target="_blank">http://www.astdocs.com</a> | <a href="http://br.linkedin.com/pub/rafael-saraiva/52/aab/230" target="_blank"><img src="http://www.linkedin.com/img/webpromo/btn_liprofile_blue_80x15_pt_BR.png"></a><br>
</div></div></div></div>
<br><br><div class="gmail_quote">Em 25 de julho de 2013 17:29, Mike <span dir="ltr"><<a href="mailto:mikeedede@hotmail.com" target="_blank">mikeedede@hotmail.com</a>></span> escreveu:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="PT-BR" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div><div><p class="MsoNormal">
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Senhores!<u></u><u></u></span></b></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Andei pesquisando no google e nos sites em que abriu.<u></u><u></u></span></p><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Não tive muito sucesso na instalação do fail2ban ainda mas sofro com várias tentativas de invasão.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Tenho uma central pabx com centos instalada nela e 2 filiais conectadas nela. Gostaria da ajuda para saber<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Como faço para bloquear no iptables todos e quaisquer outro acesso, liberando apenas os ips que tenho nas filiais.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Não tenho muitas habilidades, mas tentei bloquear tudo com o comando<u></u><u></u></span></p><p class="MsoNormal">
<i><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">iptables -P INPUT DROP<u></u><u></u></span></i></p><p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">iptables -P OUTPUT DROP<u></u><u></u></span></i></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">iptables -P FORWARD DROP</span></i><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Mas não consegui acesso mais das filiais na central.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Estou usando a seguinte regra no momento...<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""># Firewall configuration written by system-config-firewall<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""># Manual customization of this file is not recommended.<u></u><u></u></span></p><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">*filter<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">:INPUT ACCEPT [0:0]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">:FORWARD ACCEPT [0:0]<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">:OUTPUT ACCEPT [0:0]<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -p icmp -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -i lo -j ACCEPT<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 222.111.232.242 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 222.39.89.179 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 173.242.117.162 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 184.154.106.2 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 216.244.89.19 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 196.14.16.190 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 91.218.229.42 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 85.25.100.41 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 211.144.65.17 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 198.143.187.146 -j DROP <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 5.9.193.195 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 5.9.199.173 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 5.9.193.197 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 91.229.220.20 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 198.143.175.2 -j DROP<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -s 211.144.65.17 -j DROP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 25322 -j ACCEPT<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 25380 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m tcp -p tcp --dport 5038:5039 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal">
<span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -m state --state NEW -m udp -p udp --dport 1:65535 -j ACCEPT<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A INPUT -j REJECT --reject-with icmp-host-prohibited<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-A FORWARD -j REJECT --reject-with icmp-host-prohibited<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">COMMIT<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Agradeço se alguém puder ajudar.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Grato.<span><font color="#888888"><u></u><u></u></font></span></span></p><span><font color="#888888"><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Mike.<u></u><u></u></span></p>
</font></span></div></div></div></div><br>_______________________________________________<br>
KHOMP: completa linha de placas externas FXO, FXS, GSM e E1;<br>
Media Gateways de 1 a 64 E1s para SIP com R2, ISDN e SS7;<br>
Intercomunicadores para acesso remoto via rede IP. Conheça em <a href="http://www.Khomp.com" target="_blank">www.Khomp.com</a>.<br>
_______________________________________________<br>
ALIGERA – Fabricante nacional de Gateways SIP-E1 para R2, ISDN e SS7.<br>
Placas de 1E1, 2E1, 4E1 e 8E1 para PCI ou PCI Express.<br>
Channel Bank – Appliance Asterisk - Acesse <a href="http://www.aligera.com.br" target="_blank">www.aligera.com.br</a>.<br>
_______________________________________________<br>
Para remover seu email desta lista, basta enviar um email em branco para <a href="mailto:asteriskbrasil-unsubscribe@listas.asteriskbrasil.org" target="_blank">asteriskbrasil-unsubscribe@listas.asteriskbrasil.org</a><br></blockquote>
</div>
<br></div></div>