#!/bin/firehol
##########################################################################################
#
# Firewall "FWSW"
# configured by *Hugo Martin* (2005) - HACKCRAFT
#
# (c) HACKCRAFT PERU, www.hackcraft.com - 2005 - All Rights Reserved
##########################################################################################
#
#
# 1) FIREWALL NICs:
#
# This firewall has 3 network cards (NICs):
#   eth0 [172.16.0.1]     <- *users* network
#   eth1 [192.168.200.1]  <- Remote CORP1 network (ExtraNet)
#   eth2 [192.168.250.1]  <- CORP1 *servers* network
#
#
# 2) *CORP1* NETWORK DIAGRAM (simplified):
#
#   [200.60.200.149] router
#          |
#   [200.60.200.150] fw hw (hardware firewall) ---- DMZ: website   [200.60.200.151]
#          |                                             honeypots [200.60.200.x]
#   [172.16.0.2]
#          |
#   users [172.16.0.0/16] -- switch usrs
#          |
#   [172.16.0.1] eth0
#   +----------------------+
#   |   fwsw (this host)   |
#   +----------------------+
#   eth1 [192.168.200.1]            eth2 [192.168.250.1]
#          |                                 |
#   remote CORP1                      servers network:
#   [172.119.0.0/16]                    Backup server              [192.168.250.49]
#   [172.130.0.0/16]                    App server / internal mail [192.168.250.53]
#   [192.168.200.0/24]                  Oracle DB server           [192.168.250.54]
#
##########################################################################################

# VARIABLES NOT PROVIDED BY FIREHOL ARE DEFINED HERE

# 1) Ports (this pair of variables defines a custom FireHOL service named "msnmsgr"):
server_msnmsgr_ports="tcp/1863"
client_msnmsgr_ports="default"

# 3) Host lists (by IP or MAC)
# [NOTE: Messenger blocking is done in Router No 1.]
# HM: List of user IPs allowed to use MSN Messenger
msn_permitido_ips="195.97.5.192/28"
# interface eth0 home src "${msn_permitido_ips}"

# HM: List of user MACs allowed to use MSN Messenger
msn_permitido_macs="00:04:75:BE:7F:11"
# interface eth0 home mac "${msn_permitido_macs}"

# HM: List of network addresses of the MSN Messenger service
red_msn_messenger="63.208.13.126 64.4.12.200 64.4.12.201 65.54.131.249 65.54.194.118 65.54.211.61 207.46.104.20 207.46.110.2 207.46.106.30 207.46.108.87"

# Interface No 1.
interface eth0 interface1 src "172.16.0.0/16" dst "172.16.0.1/32 172.16.0.2/32"
    policy reject
    server icmp accept
    #HM: my MAC
    server ssh accept mac "00:04:75:BE:7F:11"
    client all accept

# Interface No 2.
interface eth0 interface2 src not "${UNROUTABLE_IPS} 172.16.0.0/16" dst "172.16.0.1/32 172.16.0.2/32"
    policy reject
    server icmp accept
    #HM: my MAC
    server ssh accept mac "00:04:75:BE:7F:11"
    client all accept

# Interface No 3.
interface eth1 interface3 src "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24" dst 192.168.200.1/32
    policy reject
    server icmp accept
    client all accept

# Interface No 4.
interface eth2 interface4 src "192.168.250.0/24" dst 192.168.250.1/32
    policy reject
    server icmp accept
    client all accept

##################################################################################################
#
# ROUTER CONFIGURATION
#
##################################################################################################

# Router No 1.
router router1 inface eth0 outface eth0 src "172.16.0.0/16" dst not "${UNROUTABLE_IPS} 172.16.0.0/16"
    # 1) Allow MSN Messenger access to authorized users (matched by source MAC).
    #    Note: the MAC match only works because the users are directly attached on eth0;
    #    a MAC address is not authentication and is trivially changed on the client.
    server all accept mac "${msn_permitido_macs}" dst 193.238.160.62        #(www.e-messenger.net) dns
    server all accept mac "${msn_permitido_macs}" dst 212.126.66.20         #(www.hopster.com) dns
    server msnmsgr accept mac "${msn_permitido_macs}"                       #--dport 1863 -j DROP
    server all accept mac "${msn_permitido_macs}" dst "${red_msn_messenger}"
    # 2) Deny MSN Messenger access to everyone else (MACs not in the allowed list):
    server all reject dst 193.238.160.62                                    #(www.e-messenger.net) dns
    server all reject dst 212.126.66.20                                     #(www.hopster.com) dns
    server msnmsgr reject                                                   #--dport 1863 -j DROP
    server all reject dst "${red_msn_messenger}"
    # HM: END OF MSN MESSENGER BLOCKING
    route all accept

# Router No 2.
router router2 inface eth0 outface eth1 src "172.16.0.0/16" dst "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24"
    server all accept dst 172.119.0.13          ########### Exit via Remote CORP ############
    server all accept dst 172.119.0.17
    server all accept dst 172.119.0.18
    server all reject dst 172.119.0.0/16        ### Deny the rest of 172.119.0.0/16
    server all accept dst 172.130.0.2
    server all reject dst 172.130.0.0/16        ### Deny the rest of 172.130.0.0/16
    # To NAT client requests on the output of eth1, add this.
    masquerade                                  ################ usr-2-remote ################
    # Alternatively, you can SNAT them by placing this at the top of this config:
    # > snat to 192.168.11.3/32 outface eth1 src "172.16.0.0/16" dst "172.19.0.0/16 172.30.0.0/16 192.168.11.0/24"
    # SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to
    # NAT only some specific traffic.
    # TODO: This will allow all traffic to pass.
    # If you remove it, no REQUEST will pass matching this traffic.
    route all accept

# Router No 3.
router router3 inface eth0 outface eth2 src "172.16.0.0/16" dst "192.168.250.0/24"
    protection strong

    ############### [ Backup Server [ ################################################
    server icmp accept dst 192.168.250.49                               # allow ping from everyone
    #server ftp accept mac 00:04:75:be:7f:11 dst 192.168.250.49         # allow ftp from Hugo_mac (temp)
    server ftp accept                                                   # allow ftp from everyone (software install)
                                                                        # (no dst given: matches FTP to any host in 192.168.250.0/24)
    server "ssh http" accept mac 00:04:75:be:7f:11 dst 192.168.250.49   # allow ssh,http from HugoMartin_mac
    server "ssh http" accept mac 00:04:75:BE:84:22 dst 192.168.250.49   # allow ssh,http from Admin2_mac
    server "ssh http" accept mac 00:04:75:B1:A3:33 dst 192.168.250.49   # allow ssh,http from Admin3_mac
    server all reject dst 192.168.250.49                                # reject everything else
    ############### ] Backup Server ] ################################################

    ############### [ App Server [ ###################################
    server "ssh" accept mac 00:04:75:be:7f:11 dst 192.168.250.53        # allow ssh from HugoMartin_mac
    server "ssh" accept mac 00:04:75:BE:84:22 dst 192.168.250.53        # allow ssh from Admin2_mac
    server "ssh" accept mac 00:04:75:B1:A3:33 dst 192.168.250.53        # allow ssh from Admin3_mac
    server "samba ftp" accept dst 192.168.250.53                        # allow SMB,FTP to everyone
    server "http https" accept dst 192.168.250.53                       # allow WEBMAIL to everyone
    server "imap ssh" reject dst 192.168.250.53                         # deny imap,ssh to everyone else
    # Unlike the backup and Oracle hosts there is no "server all reject dst 192.168.250.53" here,
    # so any service not listed above still reaches the app server through the final "route all accept".
    ############### ] App Server ] ###################################

    ############### [ Oracle DB Server [ ##############################################
    server "ssh" accept mac 00:04:75:be:7f:11 dst 192.168.250.54        # allow ssh from HugoMartin_mac
    server "ssh" accept mac 00:04:75:BE:84:22 dst 192.168.250.54        # allow ssh from Admin2_mac
    server "ssh" accept mac 00:04:75:B1:A3:33 dst 192.168.250.54        # allow ssh from Admin3_mac
    server "oracle icmp webcache" accept dst 192.168.250.54             # allow oracle,ping,8080 from everyone
    server all reject dst 192.168.250.54                                # reject everything else
    ############### ] Oracle DB Server ] ##############################################

    # Deny the rest
    #server all reject
    # To NAT client requests on the output of eth2, add this.
    masquerade
    route all accept

# Router No 4.
router router4 inface eth0 outface eth0 src not "${UNROUTABLE_IPS} 172.16.0.0/16" dst "172.16.0.0/16"
    route all accept

# Router No 5.
router router5 inface eth0 outface eth1 src not "${UNROUTABLE_IPS} 172.16.0.0/16" dst "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24"
    masquerade                                  ######### check #########
    route all accept

# Router No 6.
router router6 inface eth0 outface eth2 src not "${UNROUTABLE_IPS} 172.16.0.0/16" dst "192.168.250.0/24"
    protection strong
    server all reject                           ######## Deny access to the servers
    route all accept

# Router No 7.
router router7 inface eth1 outface eth0 src "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24" dst "172.16.0.0/16"
    protection strong
    route all accept

# Router No 8.
router router8 inface eth1 outface eth0 src "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24" dst not "${UNROUTABLE_IPS} 172.16.0.0/16"
    protection strong
    route all accept

# Router No 9.
router router9 inface eth1 outface eth2 src "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24" dst "192.168.250.0/24"
    protection strong
    server all reject                           ################### NO ENTRY remoteCORP-2-bdnet ######################
    route all accept

# Router No 10.
router router10 inface eth2 outface eth0 src "192.168.250.0/24" dst "172.16.0.0/16"
    masquerade                                  #### HM: so the FW-HW does not flag this traffic as IP spoofing
    route all accept

# Router No 11.
router router11 inface eth2 outface eth0 src "192.168.250.0/24" dst not "${UNROUTABLE_IPS} 172.16.0.0/16"
    route all accept

# Router No 12.
router router12 inface eth2 outface eth1 src "192.168.250.0/24" dst "172.119.0.0/16 172.130.0.0/16 192.168.200.0/24"
    route all accept

# Router No 13
# Note: 200.60.200.148/28 is not on a /28 boundary; iptables masks it to 200.60.200.144/28.
router router13 inface eth0 outface eth0 src "172.16.0.0/16" dst "200.60.200.148/28"
    ############### [ Web Server [ #########################################################
    server "http https icmp" accept dst 200.60.200.151                  # Allow http,https,icmp from everyone
    server ssh accept mac 00:04:75:be:7f:11 dst 200.60.200.151          # Allow ssh from HugoMartin_mac
    server ssh accept mac 00:04:75:BE:84:22 dst 200.60.200.151          # Allow ssh from Admin2_mac
    server ssh accept mac 00:04:75:B1:A3:33 dst 200.60.200.151          # Allow ssh from Admin3_mac
    ############### ] Web Server ] #########################################################
    ############### [ ROUTER [ #############################################################
    server all accept dst 200.60.200.149                                # Allow everything from everyone
    #server all accept mac 00:04:75:be:7f:11                            # Allow EVERYTHING to Hugo_mac
    ############### ] ROUTER ] #############################################################
    server all accept dst 200.60.200.150                                # Allow everything to the FW-HW
    # Deny the rest
    server all reject
    # > masquerade
    route all accept

#
# HM: This interface applies to everything not covered by the rules above
#
interface any world
    policy reject
    server icmp accept
    client all accept

####[EOF]####################################################################[2005]#####[www.hackcraft.com]########
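The configuration above relies on three things a reviewer should check mechanically before loading it: that every dotted-quad literal is a real IPv4 address (the NIC list and the diagram must agree), that every CIDR sits on its prefix boundary (iptables silently masks `200.60.200.148/28` to `200.60.200.144/28`), and which `accept` rules are gated only by a `mac` match, since a MAC is only visible on the directly attached segment and is trivially changed by the client. The script below is an added example, not part of the FWSW configuration or of FireHOL; it runs a small static audit over a constructed excerpt written in the same FireHOL syntax (`SAMPLE_CONFIG`), in which the out-of-range octet and the unaligned prefix are deliberate so the checks have something to report. Function names (`find_bad_addresses`, `find_unaligned_prefixes`, `find_mac_only_accepts`, `audit`) are this example's own.

```python
"""Static sanity checks for a FireHOL-style config (added example, not the original fwsw file)."""
import ipaddress
import re
import shlex

# Constructed excerpt in the style of the fwsw config. The address with an octet
# above 255 and the CIDR that is not on its prefix boundary are intentional.
SAMPLE_CONFIG = """\
# eth2 [192.168.500.1]  <- servers network (constructed typo: octet > 255)
msn_permitido_macs="00:04:75:BE:7F:11"
router router3 inface eth0 outface eth2 src "172.16.0.0/16" dst "192.168.250.0/24"
    server "ssh http" accept mac 00:04:75:be:7f:11 dst 192.168.250.49
    server ftp accept
    server all reject dst 192.168.250.49
router router13 inface eth0 outface eth0 src "172.16.0.0/16" dst "200.60.200.148/28"
    server ssh accept mac 00:04:75:BE:84:22 dst 200.60.200.151
    route all accept
"""

# A dotted quad, optionally followed by /prefix, not embedded in a longer token.
DOTTED_QUAD = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\w.])")


def find_bad_addresses(text):
    """Return (line_no, literal) for every dotted quad that is not a valid IPv4 address."""
    bad = []
    for no, line in enumerate(text.splitlines(), 1):
        for quad, _prefix in DOTTED_QUAD.findall(line):
            try:
                ipaddress.IPv4Address(quad)
            except ipaddress.AddressValueError:
                bad.append((no, quad))
    return bad


def find_unaligned_prefixes(text):
    """Return (line_no, cidr, normalised) for CIDRs whose host bits are not all zero."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for quad, prefix in DOTTED_QUAD.findall(line):
            if not prefix:
                continue
            try:
                net = ipaddress.IPv4Network(f"{quad}/{prefix}", strict=False)
            except ValueError:
                continue  # invalid literals are reported by find_bad_addresses
            if str(net.network_address) != quad:
                out.append((no, f"{quad}/{prefix}", str(net)))
    return out


def find_mac_only_accepts(text):
    """Return (line_no, service, mac) for accept rules restricted by 'mac' but not by 'src'."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()   # drop trailing comments
        if not code:
            continue
        tok = shlex.split(code)                 # honours the quoted "ssh http" service lists
        if len(tok) < 3 or tok[0] not in ("server", "client", "route") or tok[2] != "accept":
            continue
        params = tok[3:]
        if "mac" in params and "src" not in params:
            hits.append((no, tok[1], params[params.index("mac") + 1]))
    return hits


def audit(text):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "bad_addresses": find_bad_addresses(text),
        "unaligned_prefixes": find_unaligned_prefixes(text),
        "mac_only_accepts": find_mac_only_accepts(text),
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONFIG).items():
        print(kind)
        for item in items:
            print("    line %d: %s" % (item[0], " -> ".join(str(x) for x in item[1:])))
```

Run against the real file (`audit(open("fwsw").read())`), the MAC report is the list of places where access control stands or falls on a spoofable Layer 2 address; the other two reports are the typos that FireHOL and iptables would either reject at load time or, worse, quietly reinterpret.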