Reverse engineering ufw firewall rules

0

I am trying to reverse engineer the ufw commands into ip(6)tables and eventually end up with a slim version for desktop and another for server.

So far I am at this point:

################################################################################
## Firewall rules used by firewall command.                                   ##
#------------------------------------------------------------------------------#
# Copyright https://github.com/centurianii. All rights reserved.               #
################################################################################

# chain DROP for ip
#------------------
# Generic DROP
iptables -N LOG_AND_DROP
iptables -A LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IPtables dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A LOG_AND_DROP -j DROP
# INPUT DROP
iptables -N INPUT_LOG_AND_DROP
iptables -A INPUT_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IPtables INPUT dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A INPUT_LOG_AND_DROP -j DROP
# FORWARD DROP
iptables -N FORWARD_LOG_AND_DROP
iptables -A FORWARD_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IPtables FORWARD dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A FORWARD_LOG_AND_DROP -j DROP
# OUTPUT DROP
iptables -N OUTPUT_LOG_AND_DROP
iptables -A OUTPUT_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IPtables OUTPUT dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A OUTPUT_LOG_AND_DROP -j DROP

# chain DROP for ip6
#-------------------
# Generic DROP
ip6tables -N LOG6_AND_DROP
ip6tables -A LOG6_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IP6tables dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A LOG6_AND_DROP -j DROP
# INPUT DROP
ip6tables -N INPUT6_LOG_AND_DROP
ip6tables -A INPUT6_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IP6tables INPUT dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A INPUT6_LOG_AND_DROP -j DROP
# FORWARD DROP
ip6tables -N FORWARD6_LOG_AND_DROP
ip6tables -A FORWARD6_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IP6tables FORWARD dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A FORWARD6_LOG_AND_DROP -j DROP
# OUTPUT DROP
ip6tables -N OUTPUT6_LOG_AND_DROP
ip6tables -A OUTPUT6_LOG_AND_DROP -m limit --limit $limit_drop -j LOG --log-prefix "IP6tables OUTPUT dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A OUTPUT6_LOG_AND_DROP -j DROP

# chain REJECT for ip
#--------------------
# Generic REJECT
iptables -N LOG_AND_REJECT
iptables -A LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A LOG_AND_REJECT -j REJECT
# INPUT REJECT
iptables -N INPUT_LOG_AND_REJECT
iptables -A INPUT_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables INPUT dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A INPUT_LOG_AND_REJECT -j REJECT
# FORWARD REJECT
iptables -N FORWARD_LOG_AND_REJECT
iptables -A FORWARD_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables FORWARD dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A FORWARD_LOG_AND_REJECT -j REJECT
# OUTPUT REJECT
iptables -N OUTPUT_LOG_AND_REJECT
iptables -A OUTPUT_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables OUTPUT dropped: " --log-level ${inv_priority[$level_drop]}
iptables -A OUTPUT_LOG_AND_REJECT -j REJECT

# chain REJECT for ip6
#---------------------
# Generic REJECT
ip6tables -N LOG_AND_REJECT
ip6tables -A LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A LOG_AND_REJECT -j REJECT
# INPUT REJECT
ip6tables -N INPUT_LOG_AND_REJECT
ip6tables -A INPUT_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables INPUT dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A INPUT_LOG_AND_REJECT -j REJECT
# FORWARD REJECT
ip6tables -N FORWARD_LOG_AND_REJECT
ip6tables -A FORWARD_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables FORWARD dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A FORWARD_LOG_AND_REJECT -j REJECT
# OUTPUT REJECT
ip6tables -N OUTPUT_LOG_AND_REJECT
ip6tables -A OUTPUT_LOG_AND_REJECT -m limit --limit $limit_drop -j LOG --log-prefix "IPtables OUTPUT dropped: " --log-level ${inv_priority[$level_drop]}
ip6tables -A OUTPUT_LOG_AND_REJECT -j REJECT

# chain NOT_LOCAL
#----------------
iptables -N NOT_LOCAL
iptables -A NOT_LOCAL -m addrtype --dst-type LOCAL -j RETURN
iptables -A NOT_LOCAL -m addrtype --dst-type MULTICAST -j RETURN
iptables -A NOT_LOCAL -m addrtype --dst-type BROADCAST -j RETURN
iptables -A NOT_LOCAL -j INPUT_LOG_AND_DROP

# default policies for ip
#------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# default policies for ip6
#-------------------------
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# INPUT for ip
#-------------
# loopback
iptables -A INPUT -i lo -j ACCEPT
# already connected
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# invalid
iptables -A INPUT -m conntrack --ctstate INVALID -j INPUT_LOG_AND_DROP
# icmp
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# udp: dhcp client
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# address types not local
iptables -A INPUT -j NOT_LOCAL
# udp: MULTICAST mDNS for service discovery
iptables -A -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# udp: MULTICAST UPnP for service discovery
iptables -A -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# SSH, HTTP, HTTPS, Rsync
iptables -A INPUT -p tcp -m multiport --dports 22,80,443,873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i vboxnet0 -p tcp -s 192.168.56.0/24 -m multiport --dports 22,80,443,873,2222 -m state --state NEW,ESTABLISHED -j ACCEPT
# log

# INPUT for ip6
#--------------
# loopback
ip6tables -A INPUT -i lo -j ACCEPT
# RH0 headers
ip6tables -A INPUT -m rt --rt-type 0 -j INPUT6_LOG_AND_DROP
# already connected
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# invalid
ip6tables -A INPUT -m conntrack --ctstate INVALID -j INPUT6_LOG_AND_DROP
# icmp
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Home Agent Address Discovery Request
ip6tables -A INPUT -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
ip6tables -A INPUT -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
ip6tables -A INPUT -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
ip6tables -A INPUT -p icmpv6 --icmpv6-type 147 -j ACCEPT
# udp: dhcp client
ip6tables -A INPUT -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
# udp: MULTICAST mDNS for service discovery
ip6tables -A INPUT -p udp -d ff02::fb --dport 5353 -j ACCEPT
# udp: MULTICAST UPnP for service discovery
ip6tables -A INPUT -p udp -d ff02::f --dport 1900 -j ACCEPT
# log

# OUTPUT for ip
#--------------
# loopback
iptables -A OUTPUT -o lo -j ACCEPT
# already connected
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport telnet -j OUTPUT_LOG_AND_REJECT
# log

# OUTPUT for ip6
#---------------
# loopback
ip6tables -A OUTPUT -o lo -j ACCEPT
# RH0 headers
ip6tables -A OUTPUT -m rt --rt-type 0 -j OUTPUT6_LOG_AND_DROP
# already connected
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# icmp
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# log

# FORWARD for ip
#---------------
# already connected
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# icmp
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# log

# FORWARD for ip6
#----------------
# RH0 headers
ip6tables -A FORWARD -m rt --rt-type 0 -j FORWARD6_LOG_AND_DROP
# already connected
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# icmp
ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# log

Just ignore the initial chains, since everything is parsed by a bash script (that is why you can see some bash variables starting with the $ sign), up to the udp line:

# INPUT for ip
#-------------
..................
# udp: dhcp client
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT

with the error:

[2016-11-04 16:08:11]
ERROR(1): Error during iptables rule (re)setting. Firewall opened in session. On startup files /etc/network/iptables.v4 and /etc/network/iptables.v6 will be loaded. [source:][firewall][line:][54][error:][
Bad argument 'udp'
Try 'iptables -h' or 'iptables --help' for more information.
][exit:][2]

The formatting is caused by my custom script, by the way.

Any idea what is causing this behaviour?

    
por centurian 04.11.2016 / 15:35
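The "Bad argument 'udp'" message is what iptables prints when the token after `-A` is `-p` instead of a chain name, and the posted script contains two such lines (`iptables -A -p udp -d 224.0.0.251 ...` and the UPnP rule after it). As an added example, not part of the poster's script, the POSIX sh linter below checks a rule file for exactly that class of mistake before anything is loaded into the kernel: every option that takes a chain name must be followed by one. The `lint_rule`/`lint_rules` names and the three-line sample rule set are constructed for this example.

```shell
#!/bin/sh
# Added example (not the poster's code): pre-flight linter for iptables and
# ip6tables command lines. Options that take a chain name (-A, -I, -D, -N, -P)
# must be followed by one; if the next token is another option, iptables
# reports the first stray word as "Bad argument", which is what
# "iptables -A -p udp ..." produces. Catching it here avoids a half-applied
# rule set (a DROP policy with only some ACCEPT rules in place).

# lint_rule "<command line>": return 0 if every chain option has a chain name,
# otherwise print a message and return 1. Lines that are not iptables or
# ip6tables commands (variable assignments, etc.) are ignored. The line is
# split on whitespace only; quoted arguments such as --log-prefix "x y" split
# into several words, none of which start with "-", so the check is unaffected.
lint_rule() {
    set -f                      # no globbing while the line is split into words
    # shellcheck disable=SC2086
    set -- $1
    set +f
    case $1 in
        iptables|ip6tables) ;;
        *) return 0 ;;
    esac
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            -A|-I|-D|-N|-P)
                case ${2:-} in
                    ''|-*) printf 'missing chain name after %s\n' "$1"; return 1 ;;
                esac ;;
        esac
        shift
    done
    return 0
}

# lint_rules: read a rule file on stdin, print "<line>: <message>" for each bad
# line, return 1 if any line failed. Blank lines and comments are skipped.
lint_rules() {
    _n=0; _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in ''|'#'*) continue ;; esac
        _msg=$(lint_rule "$_line") || { printf '%s: %s\n' "$_n" "$_msg"; _bad=1; }
    done
    return $_bad
}

# Constructed sample (not the poster's whole script): a comment, a correct
# DHCP-client rule, the mDNS rule with its chain name missing, a chain creation.
SAMPLE_RULES='# udp: dhcp client
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
ip6tables -N INPUT6_LOG_AND_DROP'

# Stand-alone run: prints "3: missing chain name after -A" and the reminder.
printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "fix the rules above before loading them"
```

To lint a real rule file, pipe it in (`lint_rules < /etc/network/iptables.v4`) and refuse to apply the rules when the function returns non-zero; it deliberately runs no iptables binary, so it needs no root and can run on any host.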

0 answers
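The LOG_AND_DROP and LOG_AND_REJECT chains in the posted script tag every logged packet with a `--log-prefix` such as "IPtables INPUT dropped: ", which is only useful if something reads those kernel log lines back. As an added example, not part of the poster's script, the POSIX sh functions below summarise such lines per prefix, protocol, destination port and source, and flag sources that were dropped on more than a given number of distinct ports. The log lines in `SAMPLE_LOG` are constructed for this example (RFC 5737 and RFC 3849 documentation addresses) and follow the field layout the kernel LOG target uses (IN= OUT= SRC= DST= PROTO= SPT= DPT=); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the poster's code): summarise what the LOG_AND_DROP and
# LOG_AND_REJECT chains write to the kernel log, keyed on the --log-prefix
# strings the script sets ("IPtables INPUT dropped: ", "IP6tables dropped: ", ...).

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG='Nov  4 16:08:11 host kernel: IPtables INPUT dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40212 DPT=23 WINDOW=29200 SYN URGP=0
Nov  4 16:08:12 host kernel: IPtables INPUT dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=40213 DPT=23 WINDOW=29200 SYN URGP=0
Nov  4 16:08:13 host kernel: IPtables INPUT dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=240 ID=54321 PROTO=TCP SPT=1234 DPT=445 WINDOW=65535 SYN URGP=0
Nov  4 16:08:14 host kernel: IPtables OUTPUT dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 SYN URGP=0
Nov  4 16:08:15 host kernel: IPtables INPUT dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=76 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=56
Nov  4 16:08:16 host kernel: IP6tables INPUT dropped: IN=eth0 OUT= SRC=2001:db8::9 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=4000 DPT=22 WINDOW=65535 SYN URGP=0'

# summarize_drops: read log lines on stdin and print one line per
# "<prefix>|<PROTO>|<DPT>|<SRC>" key with its count, most frequent first.
# Lines without one of the script's log prefixes are ignored.
summarize_drops() {
    awk '
        match($0, /IP6?tables [A-Z]* ?dropped: /) {
            prefix = substr($0, RSTART, RLENGTH - 2)    # drop the trailing ": "
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[prefix "|" proto "|" dpt "|" src]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# scan_candidates N: sources dropped on more than N distinct destination ports
# (a simple horizontal-scan indicator), printed as "<SRC> <distinct ports>".
scan_candidates() {
    awk -v limit="$1" '
        /IP6?tables [A-Z]* ?dropped: / {
            src = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] > limit) printf "%s %d\n", s, ports[s] }
    ' | sort
}

# Stand-alone run over the constructed sample.
echo "== dropped packets by prefix/proto/port/source =="
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
echo "== sources hitting more than 1 distinct port =="
printf '%s\n' "$SAMPLE_LOG" | scan_candidates 1
```

On a live host the same functions read the kernel ring buffer or the syslog file (`dmesg | summarize_drops`, `scan_candidates 10 < /var/log/kern.log`); because the script rate-limits the LOG target with `-m limit`, the counts are a lower bound on what was actually dropped, not an exact tally.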