Firewall with a complete transparent proxy
Published by Leonardo Berbert Gomes, 21/11/2006
Homepage: https://www.linkedin.com/in/leoberbert
Well folks, this is the most effective firewall script I have written so far. Just adapt it to your network interfaces and be happy. I recommend it to everyone.
#!/bin/bash
#########################################################################
#                                                                       #
#   Script purpose: FIREWALL                                            #
#   Version: 1.0                                                        #
#                                                                       #
#   By Leonardo B.G. - 2006 - leoberbert@gmail.com.br                   #
#   Copyright (C) 2006 G.B., Leonardo                                   #
#                                                                       #
#########################################################################

EXTERNAL=eth0
INTERNAL=eth1
IP=10.11.110.0/24
WIN=10.11.110.18
#TS=IP_OF_THE_TERMINAL_SERVER
#--- Set TOS 16 (Minimize-Delay) on these destination ports
TOS_SERV="80 443"

flush_rules() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -Z
}

add_rules() {
    ###################### Enable routing and ignore some ICMP
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    ###################### Load modules
    # 2.4/2.6-era module names; current kernels call them nf_conntrack,
    # xt_state, nf_nat_ftp, ... and load them automatically when a rule needs them.
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_tables
    /sbin/modprobe ipt_state
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe iptable_mangle
    /sbin/modprobe ipt_tos
    /sbin/modprobe ipt_limit

    ###################### Allow loopback
    iptables -A INPUT -i lo -j ACCEPT

    ###################### Prioritise the network's HTTP/HTTPS traffic
    for PORT in $TOS_SERV
    do
        iptables -t mangle -A OUTPUT -o $EXTERNAL -p tcp --dport $PORT -j TOS --set-tos 16
    done

    ###################### Transparent proxy redirect
    # LAN HTTP is sent to Squid on 3128, except traffic to 200.201.174.0/24
    # (the Caixa Econômica "Conectividade" block, which is masqueraded directly below).
    # The original used the old "-d ! net" spelling; current iptables only accepts "! -d".
    iptables -t nat -I PREROUTING -i $INTERNAL -p tcp ! -d 200.201.174.0/24 \
        --dport 80 -j REDIRECT --to-port 3128

    ###################### Masquerading (disabled: masquerading is done per port below)
    #iptables -t nat -A POSTROUTING -s $IP -d 0/0 -j MASQUERADE
    #iptables -t nat -A POSTROUTING -s $IP -o $EXTERNAL -j MASQUERADE

    ###################### Allow SSH (disabled)
    #iptables -A INPUT -s 10.11.110.18 -p tcp --dport 22 -j ACCEPT
    #iptables -A INPUT -s 200.195.1.114 -p tcp --dport 22 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 22 -j DROP

    ###################### Outlook (SMTP, POP3, DNS)
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 25 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 110 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p udp --dport 53 -j MASQUERADE

    ###################### Block access to Squid from the external interface
    iptables -A INPUT -i $EXTERNAL -p tcp --dport 3128 -j DROP

    ###################### Allowed ports
    # Outbound access is granted by masquerading one port at a time; anything
    # not listed here leaves with its private source address and is dropped upstream.
    #FTP
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 21 -j MASQUERADE
    #
    #HTTPS
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 443 -j MASQUERADE
    #
    #SIG/PROAF
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 6969 -j MASQUERADE
    #
    #DCTF CMPF
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 8017 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 3456 -j MASQUERADE
    #
    #SSH
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 22 -j MASQUERADE
    #
    #BANCO CENTRAL
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 5024 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 1024 -j MASQUERADE
    #
    #VNC
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 5900 -j MASQUERADE
    #
    #PcAnywhere
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 5631 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p udp --dport 5632 -j MASQUERADE
    #
    #Intranets on port 8080
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 8080 -j MASQUERADE
    #
    #Support direct download
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 8527 -j MASQUERADE
    #
    #Painel IDMG
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 19638 -j MASQUERADE
    #
    #Terminal Server
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 3389 -j MASQUERADE
    #
    #CONECTIVIDADE CAIXA ECONOMICA (direct HTTP, bypassing Squid)
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp -d 200.201.174.207 --dport 80 -j MASQUERADE
    #
    #CPANEL
    iptables -t nat -I POSTROUTING -s $IP -o $EXTERNAL -p tcp --dport 2082 -j MASQUERADE

    ###################### Port forwarding to the Windows host
    #VNC
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to $WIN
    #
    #PcAnywhere
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5631 -j DNAT --to $WIN
    iptables -t nat -A PREROUTING -i $EXTERNAL -p udp --dport 5632 -j DNAT --to $WIN
    #
    #TS
    #iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 3389 -j DNAT --to $TS

    ###################### Log forbidden ports and some backdoors
    # These rules only log; no DROP follows them, so the packets are still accepted.
    #FTP port
    iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Servico: FTP"
    #
    #Wincrash port
    iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"
    #
    #BackOrifice ports
    iptables -A INPUT -p tcp --dport 31337 -j LOG --log-prefix "Servico: BackOrifice"
    iptables -A INPUT -p tcp --dport 31338 -j LOG --log-prefix "Servico: BackOrifice"
    #
    #Block traceroute (UDP probe range) from outside
    iptables -A INPUT -i $EXTERNAL -p udp -s 0/0 --dport 33435:33525 -j DROP
    #
    #Precaution against NAT bugs: never emit ICMP for invalid connections
    iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
    #
    #ICMP from outside
    # The original comment said "block pings from outside", but the rule accepts
    # new ICMP; echo requests are already ignored by icmp_echo_ignore_all above.
    iptables -A INPUT -i $EXTERNAL -m state --state NEW -p icmp -j ACCEPT

    ###################### Protect against malformed packets
    #Port scanners, Ping of Death, DoS attacks, SYN flood, etc.
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP
    # The "unclean" match was a 2.4 patch-o-matic extension and no longer exists;
    # on current kernels this line fails with "Couldn't load match `unclean'".
    iptables -A FORWARD -m unclean -j DROP
    #
    #Allow all connections out and only related ones in
    # Note: no default policy is set anywhere in this script, so FORWARD stays at
    # ACCEPT and these two rules do not by themselves block new inbound connections;
    # "iptables -P FORWARD DROP" plus explicit accepts for the DNAT'd services
    # above would be needed for that.
    iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
}

case "$1" in
    start)
        echo -n "Starting firewall... "
        add_rules
        echo "Done"
        ;;
    stop)
        echo -n "Stopping firewall... "
        flush_rules
        echo "Done"
        ;;
    restart)
        echo -n "Restarting firewall... "
        flush_rules
        add_rules
        echo "Done"
        ;;
    status)
        echo "============================ Firewall rules:"
        iptables -L -n
        echo "============================ NAT table:"
        iptables -t nat -L -n
        echo "============================ Mangle table:"
        iptables -t mangle -L -n
        ;;
    *)
        echo "Usage: $0 { status | start | stop | restart }"
        ;;
esac
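The script above controls outbound access by handing out one MASQUERADE rule per allowed port and never sets a chain policy, so the FORWARD chain stays at its default ACCEPT and the DNAT'd services work only because nothing drops their first packet. The script below is an added example, not the author's code: it keeps the same layout (Squid on 3128 reached by REDIRECT, a bypass list for sites that must not go through the proxy, DNAT to a Windows host) but sets an explicit FORWARD DROP policy, filters in the FORWARD chain instead of in the nat table, masquerades everything that was allowed through, and pairs every DNAT with the FORWARD accept it needs. A DRY_RUN mode prints the rules instead of loading them so they can be reviewed without root. The interface names, the LAN range, the 192.0.2.0/24 bypass network (a documentation range standing in for the bank block above) and the shortened port list are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not the original script: data-driven NAT/forward rules with a
# dry-run mode. Interfaces, addresses and the port lists below are assumptions.
set -u

EXTERNAL=${EXTERNAL:-eth0}
INTERNAL=${INTERNAL:-eth1}
LAN=${LAN:-10.11.110.0/24}
WIN=${WIN:-10.11.110.18}
SQUID_PORT=3128

# Destinations that must bypass Squid (192.0.2.0/24 is a documentation range
# standing in for the bank block of the original script).
PROXY_BYPASS="192.0.2.0/24"
# proto:port pairs LAN hosts may reach directly on the Internet.
DIRECT_OUT="tcp:25 tcp:110 udp:53 tcp:443 tcp:22 tcp:3389"
# proto:port pairs published from the Internet to $WIN.
INBOUND_DNAT="tcp:5900 tcp:5631 udp:5632"

# DRY_RUN=1 prints each rule instead of applying it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

gen_rules() {
    local pp proto port net

    # Explicit policy: nothing crosses the firewall unless a rule allows it.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Squid must only be reachable from the LAN.
    ipt -A INPUT -i "$EXTERNAL" -p tcp --dport "$SQUID_PORT" -j DROP

    # Transparent proxy: RETURN leaves the nat PREROUTING chain early for bypassed
    # destinations, so they are routed normally and need their own FORWARD accept.
    for net in $PROXY_BYPASS; do
        ipt -t nat -A PREROUTING -i "$INTERNAL" -s "$LAN" -d "$net" -p tcp --dport 80 -j RETURN
        ipt -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$LAN" -d "$net" -p tcp --dport 80 -j ACCEPT
    done
    ipt -t nat -A PREROUTING -i "$INTERNAL" -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Outbound: filter in FORWARD, then masquerade whatever was accepted.
    for pp in $DIRECT_OUT; do
        proto=${pp%%:*}; port=${pp##*:}
        ipt -A FORWARD -i "$INTERNAL" -o "$EXTERNAL" -s "$LAN" -p "$proto" --dport "$port" -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXTERNAL" -j MASQUERADE

    # Inbound: under a DROP policy each DNAT needs a matching FORWARD accept;
    # without it the SYN is translated and then discarded.
    for pp in $INBOUND_DNAT; do
        proto=${pp%%:*}; port=${pp##*:}
        ipt -t nat -A PREROUTING -i "$EXTERNAL" -p "$proto" --dport "$port" -j DNAT --to-destination "$WIN"
        ipt -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -d "$WIN" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Count how many generated rules match a pattern; used to sanity-check a dry run.
count_rules() {
    DRY_RUN=1 gen_rules | grep -c -- "$1"
}

if [ "${1:-}" = "apply" ]; then
    gen_rules
else
    DRY_RUN=1 gen_rules
fi
```

Run it with no arguments to print the rule set, and with `apply` as root to load it. Because the REDIRECT still only covers port 80, HTTPS from the LAN is not proxied; it passes through the tcp:443 entry of DIRECT_OUT like any other allowed port. With the DROP policy in place, the pair of rules that end the original script (accept ESTABLISHED,RELATED inbound, accept everything outbound) finally means what its comment says, and count_rules gives a quick check that every published service got both its DNAT and its FORWARD accept.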