Firewall with access control (firewall)
Complete firewall for you to deploy on your wireless network or ISP
Category: Init
Software: Firewall with access control
By: Rodrigo Rodrigues de Mattos
Well, this is my first .conf contribution, so I decided it should be one that increases the security of your Linux box.
I know there are already many configurations here on VOL, and whenever I looked through the countless examples for something that could help me improve the security of my network of 20 computers connected by wireless, I found it.
I hope it is useful to everyone who passes through here.
Note: the netfur.txt file used here has the following format (one entry per line):
, ,
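As an added example (not part of the original script or of the author's netfur.txt handling), the shell functions below validate a netfur.txt access-list file and print, without applying anything, the per-client rules the firewall loop would generate for each entry. They assume the same two fields the script reads with `cut -d , -f1` and `-f2` (client IP, then client MAC) and derive the mark from the last octet of the IP exactly as the script does; the file path, interface names and the sample entries in the test are constructed for this example. Running a dry run like this before `service firewall restart` catches malformed addresses and, more importantly for a MAC/IP access list, duplicate IPs or MACs that would let two hosts share one entry.

```shell
#!/bin/sh
# Added example, not the original firewall script: validates netfur.txt
# entries ("ip,mac" per line, as the firewall loop reads them) and prints
# the iptables commands that would be generated, without executing them.

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if $1 looks like a MAC address (six hex pairs separated by ':').
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Reads "ip,mac" lines from the file named in $1 ($2 = external interface,
# $3 = internal interface; defaults match the firewall script). For each
# valid, non-duplicate line prints the MASQUERADE/FORWARD/MARK/REDIRECT rules
# the firewall loop would add. Rejected lines go to stderr, and the exit
# status is the number of rejected lines (0 = the whole file was accepted).
gen_client_rules() {
    file=$1; ext=${2:-ppp0}; int=${3:-eth1}
    bad=0; seen=""
    while IFS=, read -r ip mac _rest; do
        # Skip blank lines and comments.
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr -d ' ')
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "netfur: rejected line: $ip,$mac" >&2
            bad=$((bad + 1)); continue
        fi
        # A duplicate IP or MAC would let two hosts share one ACL entry.
        case " $seen " in *" $ip "*|*" $mac "*)
            echo "netfur: duplicate entry: $ip,$mac" >&2
            bad=$((bad + 1)); continue ;;
        esac
        seen="$seen $ip $mac"
        mark=${ip##*.}   # same mark derivation as the script: last octet
        echo "iptables -t nat -A POSTROUTING -o $ext -s $ip -j MASQUERADE"
        echo "iptables -A FORWARD -i $int -o $ext -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i $ext -o $int -d $ip -j ACCEPT"
        echo "iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark"
        echo "iptables -t nat -A PREROUTING -p tcp -s $ip -m mac --mac-source $mac --dport 80 -j REDIRECT --to-port 3128"
    done < "$file"
    return $bad
}

# Usage (dry run against the real file; nothing is applied):
#   gen_client_rules /etc/netfuture/firewall/netfur.txt ppp0 eth1
```

The generated lines can be piped to `sh` once the file validates with exit status 0; keeping generation separate from application is what makes the access list testable. The MAC match is still only a convenience filter, since a client can set its own MAC, so the real isolation comes from the default DROP policy and the per-client FORWARD rules.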
#!/bin/sh
#
# /etc/rc.d/init.d/firewall
# chkconfig: - 60 95
# description: This script controls the start/stop of the iptables-based \
#              firewall service.
#
# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# Parameters
case "$1" in
start)
    echo "Starting Firewalling Services: "
    touch /var/lock/subsys/firewall

    # -----------------------------------------------------------------
    # Flush all existing rules
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat

    # -----------------------------------------------------------------
    # Variable definitions
    # -----------------------------------------------------------------
    EXTERNAL_IP=`ifconfig ppp0 | grep inet | cut -d: -f2 | cut -dP -f1`  # fetches the IP of ppp0
    EXTERNAL_INTERFACE="ppp0"                                             # put the ppp0 device here
    EXTERNAL_NET="192.168.0.0/255.255.255.0"
    INTERNAL_IP="192.168.1.1"
    INTERNAL_INTERFACE="eth1"
    INTERNAL_NET="192.168.1.0/255.255.255.224"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:65535"

    # -----------------------------------------------------------------
    # Set the default policy to DROP
    # -----------------------------------------------------------------
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # -----------------------------------------------------------------
    # Load modules
    # -----------------------------------------------------------------
    modprobe ip_nat_ftp
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_REJECT
    modprobe ipt_LOG
    modprobe ipt_MASQUERADE
    modprobe ipt_state
    modprobe ipt_mac
    modprobe ipt_mark
    modprobe ipt_MARK
    modprobe iptable_nat
    modprobe ipt_multiport
    modprobe ipt_owner
    modprobe ipt_state
    modprobe ipt_tos
    modprobe iptable_mangle
    # modprobe ipt_unclean

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "5 4 1 7" > /proc/sys/kernel/printk

    # -----------------------------------------------------------------
    # Allow loopback traffic
    # -----------------------------------------------------------------
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # -----------------------------------------------------------------
    # Anti-spoofing
    # -----------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter

    # Enable SYN flood protection. Should be done on every server
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # -----------------------------------------------------------------
    # Allow traffic on the internal network
    # -----------------------------------------------------------------
    # Allow traffic between the 192.168.1.0 networks
    #
    ## Opening IPSEC traffic
    # iptables -A INPUT -p udp --dport 5000 -s 0/0 -d 0/0 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT

    ## Allow access to the subnet
    # iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

    ## Block multicast
    iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
    iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP

    ## Allow traffic between the networks
    #iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
    # iptables -A FORWARD -s 192.168.1.3 -m mac --mac-source 00:0F:B0:3C:A6:6E -d 192.168.1.0/27 \
    #          -j ACCEPT

    # Ports for the Windows network!!!! NOTE: 192.168.1.0/27 is the same as 192.168.1.0/255.255.255.224
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 2121 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 2121 -j ACCEPT

    # iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
    #          -p tcp --dport 5900 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
    #          -p tcp --sport 5900 -j ACCEPT

    # iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/16 \
    #          -p tcp --dport 47151 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/16 \
    #          -p tcp --sport 47151 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 20 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 20 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 9920 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 9920 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 1863 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 1863 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 137 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 137 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 138 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 138 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 139 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 139 -j ACCEPT

    # Allow proxy, DNS and ICMP access for all machines
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p icmp -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p icmp -j ACCEPT

    ##############################################################
    # ALLOW THE INTERNAL PROXY ON THE NETWORK
    ###############################################################
    # iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
    #          -p tcp --dport 3128 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
    #          -p tcp --sport 3128 -j ACCEPT
    ##############################################################

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p tcp --sport 53 -j ACCEPT

    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
             -p udp -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
             -p udp -j ACCEPT

    # Allow full access to the firewall for some hosts (LOCAL NETWORK)
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.1 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.1 -j ACCEPT

    #######################################################################
    # THE RULES BELOW GRANT FULL ACCESS TO THE GIVEN IP
    #######################################################################
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.2 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.2 -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.3 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.3 -j ACCEPT

    ############ Allowed for the APs ######################################
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.29 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.29 -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.30 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.30 -j ACCEPT

    ########################################################################
    # Allow ping from the firewall to the internet
    ########################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 0 -d $EXTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 3 -d $EXTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 4 -d $EXTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 11 -d $EXTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 12 -d $EXTERNAL_IP -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $EXTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $EXTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $EXTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $EXTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT

    ###########################################################################
    # Allow ping from the firewall to the local network
    ##########################################################################
    iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 0 -d $INTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 3 -d $INTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 4 -d $INTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 11 -d $INTERNAL_IP -j ACCEPT
    iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
             -s 0/0 --icmp-type 12 -d $INTERNAL_IP -j ACCEPT

    iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
             -s $INTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
             -s $INTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
             -s $INTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
             -s $INTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT

    # =================================================================
    # The following lines allow machines on the internet to access
    # resources on this computer as a server; the rules open the ports
    # to the outside.
    # =================================================================

    # -----------------------------------------------------------------
    # HTTP Server (ports 80 and 8080 for Apache)
    # -----------------------------------------------------------------
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 80 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 80 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 8080 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 8080 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    ##################################################################
    # Allow SSH >>>>>>>>>>>>>> 3420
    ##################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 3420 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 3420 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    #################################################################
    # CLOSING PORT 3128 TO THE OUTSIDE WORLD
    #################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 3128 -j DROP
    #################################################################

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #          -s 0/0 --sport $UNPRIVPORTS \
    #          -d $EXTERNAL_IP --dport 22 -j ACCEPT
    #
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    #          -s $EXTERNAL_IP --sport 22 \
    #          -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    #
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #          -s 0/0 --sport $UNPRIVPORTS \
    #          -d $EXTERNAL_IP --dport 5000:5200 -j ACCEPT

    #################################################################
    # HTTPS :443 external access
    #################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 443 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 443 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    ####################################################################################
    # Rules to block DoS, NetBus, ping, port scanner and Back Orifice attacks
    ####################################################################################
    # >>>>>> Back Orifice
    iptables -A INPUT -p tcp --dport 31337 -j DROP
    iptables -A INPUT -p udp --dport 31337 -j DROP

    # >>>>>>>> NetBus
    iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
    iptables -A INPUT -p udp --dport 12345:12346 -j DROP

    # >>>>>>> Blocking traceroute
    iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL_INTERFACE --dport 33435:33525 -j DROP

    #>>>>>>>> Protection against SYN floods
    #iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    #>>>>>>> Protection against ping of death
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    #>>>>>>> Protection against stealth port scanners
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    #####################################################################################

    # -----------------------------------------------------------------
    # AUTH Server (port 113)
    # -----------------------------------------------------------------
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 113 -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 113 \
             -d 0/0 --dport $UNPRIVPORTS -j REJECT

    ####################################################################
    # These lines allow access to the ProFTPD server
    ###################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 2121 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport 2121 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 20 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $EXTERNAL_IP --sport 20 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 20 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 20 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport $UNPRIVPORTS \
             -d $EXTERNAL_IP --dport 40000:65535 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport 40000:65535 \
             -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    # ================================================================
    # iptables -A INPUT -j ACCEPT -p tcp --dport 2121
    # iptables -A OUTPUT -j ACCEPT -p tcp --dport 2121

    # =================================================================
    # The following lines allow this machine to access resources on
    # the internet.
    # =================================================================
    # Allows this machine to access any server on the internet
    # These lines are required for the firewall to work
    ###################################################################
    iptables -A INPUT -m state --state ESTABLISHED,RELATED \
             -i $EXTERNAL_INTERFACE -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
             -o $EXTERNAL_INTERFACE -j ACCEPT

    # -----------------------------------------------------------------
    # DNS Client (port 53) used for the DNS server
    # -----------------------------------------------------------------
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             -s 0/0 --sport 53 \
             -d $EXTERNAL_IP --dport $UNPRIVPORTS -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $EXTERNAL_IP --sport $UNPRIVPORTS \
             -d 0/0 --dport 53 -j REJECT

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #          -s 0/0 --sport 53 \
    #          -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    #          -s $EXTERNAL_IP --sport $UNPRIVPORTS \
    #          -d 0/0 --dport 53 -j ACCEPT

    # -----------------------------------------------------------------
    # Finger Client (port 79)
    # -----------------------------------------------------------------
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport 79 \
             -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport $UNPRIVPORTS \
             -d 0/0 --dport 79 -j ACCEPT

    # -----------------------------------------------------------------
    # AUTH Client (port 113)
    # -----------------------------------------------------------------
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #          -s 0/0 --sport 113 \
    #          -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    #
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    #          -s $EXTERNAL_IP --sport $UNPRIVPORTS \
    #          -d 0/0 --dport 113 -j ACCEPT

    #>>> port for the radios
    #
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #          -s 0/0 --sport 772 \
    #          -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    #
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    #          -s $EXTERNAL_IP --sport $UNPRIVPORTS \
    #          -d 0/0 --dport 772 -j ACCEPT

    # -----------------------------------------------------------------
    # WHOIS Client (port 43)
    # -----------------------------------------------------------------
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s 0/0 --sport 43 \
             -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $EXTERNAL_IP --sport $UNPRIVPORTS \
             -d 0/0 --dport 43 -j ACCEPT

    #####################################################################################
    # >>> Allow free external access for hosts on my internal network WITHOUT PROXY <<<
    #####################################################################################
    #>>>>>
    list=`cat /etc/netfuture/firewall/netfur.txt`
    for rede in `echo $list`;do
        # loop: reading data from netfur.txt
        ip_cliente=`echo $rede | cut -d , -f1`
        mac_cliente=`echo $rede | cut -d , -f2`
        mark_cliente=`echo $ip_cliente | cut -d. -f4`   # the mark for this client is the last octet of its IP from netfur.txt

        #>>> lines containing the iptables rules
        iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
                 -s $ip_cliente -j MASQUERADE
        iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
                 -s $ip_cliente -m mac --mac-source $mac_cliente -j ACCEPT
        iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
                 -d $ip_cliente -j ACCEPT

        ######## Mark the packets to and from this client with its mark ########
        iptables -t mangle -A FORWARD -s $ip_cliente -j MARK --set-mark $mark_cliente
        iptables -t mangle -A FORWARD -s $ip_cliente -j ACCEPT
        iptables -t mangle -A FORWARD -d $ip_cliente -j MARK --set-mark $mark_cliente
        iptables -t mangle -A FORWARD -d $ip_cliente -j ACCEPT
        # iptables -t mangle -A POSTROUTING -j RETURN
        # iptables -t mangle -A PREROUTING -s $ip_cliente -j MARK --set-mark $mark_cliente
        # iptables -t mangle -A PREROUTING -j RETURN

        ################################# Packet marks ##############################
        # iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
        #          -d $ip_cliente -j MARK --set-mark $mark_cliente

        ###############################################################
        # ALLOW THE INTERNAL PROXY ON THE NETWORK
        ###############################################################
        iptables -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j ACCEPT
        # iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j MARK --set-mark $mark_cliente
        iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                 -p tcp --sport 3128 -j ACCEPT

        #################################################################
        #>>> Transparent proxy for the network
        #################################################################
        iptables -t nat -A PREROUTING -p tcp -s $ip_cliente -m mac --mac-source $mac_cliente --dport 80 -j REDIRECT --to-port 3128
    done # end of loop

    # =================================================================
    # Source NAT (POSTROUTING) and FORWARD
    #
    # Handling of specific cases where machines need ports opened
    # or direct internet access.
    # =================================================================
    # ACCESS TO THE APs FOR NETFUTURE CONFIGURATION : 8089
    iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
             --dport 8029 -j DNAT --to 192.168.1.29:80
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
             -s 192.168.1.29 -j MASQUERADE
    iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
             -s 192.168.1.29 -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
             -d 192.168.1.29 -j ACCEPT
    #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    # =================================================================
    # ACCESS TO THE APs FOR NETFUTURE_1 CONFIGURATION ; 8088
    iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
             --dport 8030 -j DNAT --to 192.168.1.30:80
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
             -s 192.168.1.30 -j MASQUERADE
    iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
             -s 192.168.1.30 -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
             -d 192.168.1.30 -j ACCEPT
    #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    # =================================================================
    # Source NAT (POSTROUTING) and FORWARD
    #
    # Handling of specific cases where machines need ports opened
    # or direct internet access.
    # =================================================================
    # iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
    #          --dport 5900 -j DNAT --to 192.168.1.1:5900
    # iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
    #          -s 192.168.1.1 -j MASQUERADE
    # iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
    #          -s 192.168.1.1 -j ACCEPT
    # iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
    #          -d 192.168.1.1 -j ACCEPT
    #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    # -----------------------------------------------------------------
    # LOG
    # -----------------------------------------------------------------
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p tcp \
             --dport 80 -j LOG --log-prefix "WEB-SEM-PROXY:" \
             --log-level info -m limit --limit 5/minute
    iptables -A INPUT -j LOG --log-prefix "BAD INPUT:" \
             --log-level info -m limit --limit 5/minute
    iptables -A OUTPUT -j LOG --log-prefix "BAD OUTPUT:" \
             --log-level info -m limit --limit 5/minute
    iptables -A FORWARD -j LOG --log-prefix "BAD FORWARD:" \
             --log-level info -m limit --limit 5/minute

    #>>> Access control for the services below
    iptables -A INPUT -p tcp --dport 2121 -j LOG --log-prefix "Acesso ao Proftpd"
    iptables -A INPUT -p tcp --dport 3420 -j LOG --log-prefix "Acesso ao SSH"
    iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "WEB segura"

    #>>>>>> Logging backdoors
    iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Wincrash"
    iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Netbus"
    iptables -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "NetBus"
    iptables -A INPUT -p tcp --dport 33435 -j LOG --log-prefix "BackOrifice"

    ##################### LOG MARKED EXTERNAL PACKETS ##########################
    # iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -j LOG --log-prefix "marcado FORWARD"
    # iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j LOG --log-prefix "Marcado do squid "
    # iptables -t mangle -A POSTROUTING -s $ip_cliente -j LOG --log-prefix "Marcado POSTROUTING"
    ;;
stop)
    echo "Shutting Firewalling Services: "
    rm -f /var/lock/subsys/firewall

    # -----------------------------------------------------------------
    # Remove all existing rules belonging to this filter
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t mangle -F

    # -----------------------------------------------------------------
    # Reset the default policy of the filter to accept.
    # -----------------------------------------------------------------
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;
status)
    status firewall
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
esac
exit 0
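The LOG rules at the end of the script write lines to the kernel log with prefixes such as "BAD INPUT:" and "BAD FORWARD:", and reading those lines is how you find out what the default DROP policy is actually discarding. As an added example (not part of the original script), the shell functions below summarise such lines by source address and destination port for a given prefix. The log lines are constructed samples in the format the iptables LOG target produces; note that a prefix without a trailing space or colon, such as "Acesso ao SSH", is written directly against the "IN=" field, which is why the sample shows "Acesso ao SSHIN=" and why prefixes should end in a colon or space.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: summarises
# iptables LOG output by source and destination port for one log prefix.
# SAMPLE_LOG holds constructed kernel-log lines in the LOG target's format.

SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=54 ID=0 PROTO=TCP SPT=44231 DPT=3128 SYN
Mar  1 10:00:02 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=54 ID=0 PROTO=TCP SPT=44232 DPT=3128 SYN
Mar  1 10:00:03 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TTL=49 ID=0 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  1 10:00:04 fw kernel: BAD FORWARD:IN=eth1 OUT=ppp0 SRC=192.168.1.40 DST=192.0.2.50 LEN=60 TTL=63 ID=0 PROTO=TCP SPT=33000 DPT=443 SYN
Mar  1 10:00:05 fw kernel: Acesso ao SSHIN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TTL=49 ID=0 PROTO=TCP SPT=51001 DPT=3420 SYN
EOF
)

# Reads log lines on stdin and prints "count src dport" for every line
# carrying prefix $1 (for example "BAD INPUT:"), most frequent first.
summarise_prefix() {
    grep -F "kernel: $1" | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") count[src " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Returns the single most frequent "count src dport" line for prefix $1
# in the constructed sample; on a real box feed /var/log/messages instead.
top_dropped() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_prefix "$1" | head -n 1
}

# Usage on a live system (the log path is a typical default, not taken from
# the script):
#   summarise_prefix 'BAD INPUT:' < /var/log/messages
```

A host in the internal /27 that shows up under "BAD FORWARD:" is one whose IP or MAC is missing from netfur.txt (or whose MAC changed), which is the first thing to check when a client reports no internet access; a burst of "BAD INPUT:" hits from one external source against 3128 or 3420 is what the rate-limited LOG rules exist to surface.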