fernandoformehl
(usa CentOS)
Enviado em 26/02/2016 - 20:07h
Boa noite, sou novo na administração de servidores Linux; segui o tutorial completo do nosso amigo W Marino no link:
https://www.vivaolinux.com.br/artigo/Servidor-Firewall-Proxy-utilizando-CentOS-IPtables-Squid-DHCP-D...
Após instalar, surgiram algumas dúvidas: como liberar a porta WTS 3389 e como configurar o PPPoE e o NO-IP para iniciarem automaticamente. Minha instalação física é:
modem IP 192.168.25.1, interface eth0 10.0.0.2 (interna), eth1 192.168.25.110 (internet); o modem está com DMZ apontando para 192.168.25.110, porém não funciona o IP/porta 10.0.0.20:3389 (Windows). Vou deixar abaixo o meu script completo do iptables.
Configurações Iptables
Arquivo de configuração (/etc/firewall.sh)
#!/bin/sh
#
# /etc/firewall.sh -- iptables/tc ruleset for a two-interface CentOS gateway
# (eth1 towards the modem, eth0 towards the LAN). Must run as root.
#
# Tool locations. NOTE(review): /usr/local/sbin/iptables is where a source
# build installs; the distribution package puts it under /sbin or /usr/sbin.
# Confirm the path on this host: the script never uses `set -e`, so with a
# wrong path every rule below simply fails one by one.
iptables='/usr/local/sbin/iptables'
tc='/sbin/tc'
####################################################################
################################## DEFININDO VARIAVEIS DE REDE #####
####################################################################
# <><><><><><><><><><><><><><><><>
# Internet
# <><><><><><><><><><><><><><><><>
INET_IP='192.168.25.110'     # address on the modem side (the modem's DMZ points here)
IF_INET_IP='eth1'            # interface carrying that address
# <><><><><><><><><><><><><><><><>
# Local network
# <><><><><><><><><><><><><><><><>
IF_LAN='eth0'
LAN_IP='10.0.0.2'            # this host's LAN-side address
LAN_IP_RANGE='10.0.0.0/24'
# Additional LAN segments, if any (LAN_RANGE is what the commented-out QoS
# rules further down expect):
#LAN_IP2="y.y.y.y"
#LAN_IP2_RANGE="y.y.y.y/y"
#LAN_IP3="z.z.z.z"
#LAN_IP3_RANGE="z.z.z.z/y"
#LAN_RANGE="x.x.x.x/x"
# <><><><><><><><><><><><><><><><>
# VPN network
# <><><><><><><><><><><><><><><><>
# NOTE(review): 10.0.0.0/27 lies inside LAN_IP_RANGE (10.0.0.0/24), so the
# first 32 LAN addresses collide with VPN client addresses and every rule
# keyed on -s $LAN_IP_RANGE also matches VPN sources. A disjoint range
# avoids both problems -- confirm the overlap is intended.
REDE_VPN_RANGE='10.0.0.0/27'
IF_VPN='tun0'
# Definir Rotas VPN
#route add -net 192.168.x.x netmask 255.255.255.0 gw 10.0.0.2
#route add -net 192.168.x.x netmask 255.255.255.0 gw 10.0.0.3
#route add -net 192.168.x.x netmask 255.255.255.0 gw 10.0.0.4
# <><><><><><><><><><><><><><><><>
# Rede Voip
# <><><><><><><><><><><><><><><><>
#INET_IP_VOIP_SAINTE="x.x.x.x"
#INET_IP_VOIP_ENTRANTE="x.x.x.x"
##IF_LAN_VOIP="eth0"
#IF_LAN_VOIP="bond0"
#LAN_VOIP_RANGE="x.x.x.x/x"
#LAN_IP_VOIP="x.x.x.x"
#IP_GW_VOIP="X.X.X.X"
# <><><><><><><><><><><><><><><><>
# Roteamento - Testes
# <><><><><><><><><><><><><><><><>
#ip route add x.x.x.x/29 dev ethx src x.x.x.x table link2
#ip route add default via x.x.x.x table link2
#ip rule add from x.x.x.x table link2
#ip rule add from x.x.x.x table link2
####################################################################
################################## REGRAS INICIAIS #################
####################################################################
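# --- Initial state --------------------------------------------------------
# Refuse to run if the configured iptables binary is not there: otherwise
# every rule below fails individually and the host keeps whatever tables it
# had before, with no clear indication.
[ -x "$iptables" ] || { echo "firewall: $iptables not found or not executable" >&2; exit 1; }
# Fail closed: set the INPUT policy *before* flushing, so the table is never
# momentarily open between the flush and the policy change.
$iptables -v -P INPUT DROP
# NOTE(review): FORWARD and OUTPUT policies are not set anywhere in this
# script; the RELATED,ESTABLISHED FORWARD rule at the end of this section
# only matters if FORWARD is DROP elsewhere -- confirm.
# Empty every chain (built-in and user-defined) in the three tables; the
# user chains themselves are recreated later with -X/-N.
for table in filter nat mangle; do
  $iptables -v -t "$table" -F
done
# Connection-tracking/NAT helpers for active FTP (the ip_* names are the
# legacy aliases of nf_conntrack_ftp / nf_nat_ftp).
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ppp-compress-18   # MPPE compression for PPP links
/sbin/modprobe tun               # tunnel device for the VPN
/sbin/modprobe sch_htb           # HTB qdisc used by the (commented-out) shaping rules
# Kernel network hardening.
# Reverse-path filtering drops packets whose source address is not routable
# back through the interface they arrived on (anti-spoofing). The original
# wrote 0 here -- i.e. disabled it -- while its comment claimed the opposite.
# Strict mode can discard legitimate traffic on multi-homed hosts with
# asymmetric routes; 2 (loose mode) is the fallback if that happens.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Do not answer echo requests sent to broadcast addresses (amplification);
# again the original wrote 0, which answers them.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Refuse source-routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# This host routes between eth0 and eth1.
echo 1 > /proc/sys/net/ipv4/ip_forward
# SYN cookies, so a SYN flood cannot exhaust the backlog.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ephemeral port range for connections this host originates. The upper
# bound must be <= 65535: the original "15000 65550" is rejected by the
# kernel, which left the range silently unchanged.
echo "15000 65535" > /proc/sys/net/ipv4/ip_local_port_range
# Loopback is trusted.
$iptables -v -t filter -A INPUT -i lo -j ACCEPT
# Replies to connections this host or the LAN behind it initiated.
$iptables -v -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -v -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT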
############################################################################
################################## OoS - Priorizacao pacotes/controle banda#
############################################################################
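# Bring up the IMQ device intended for ingress shaping. IMQ is an
# out-of-tree kernel patch: on a stock kernel the device does not exist and
# the original unconditional `ip link set` just printed an error on every
# boot. None of the (commented-out) shaping rules below reference imq0, so
# skipping it when absent changes nothing.
if /sbin/ip link show imq0 >/dev/null 2>&1; then
  /sbin/ip link set imq0 up
else
  echo "firewall: imq0 not present, ingress shaping device not enabled" >&2
fi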
##****************************** REGRAS DE QOS ***********************************
## Abaixo segue exemplo de regras gerais. as regras corretas serao definidas nas configuracoes
## individuais dos usuarios
#$iptables -v -t mangle -A PREROUTING -d $INET_IP_VOIP_SAINTE -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A PREROUTING -d $INET_IP_VOIP_SAINTE -j MARK --set-mark 0x1
#$iptables -v -t mangle -A PREROUTING -d $INET_IP_VOIP_ENTRANTE -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A PREROUTING -d $INET_IP_VOIP_ENTRANTE -j MARK --set-mark 0x1
#$iptables -v -t mangle -A PREROUTING -s $IP_GW_VOIP ! -d $LAN_RANGE -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A PREROUTING -s $IP_GW_VOIP ! -d $LAN_RANGE -j MARK --set-mark 0x1
#$iptables -v -t mangle -A PREROUTING -s $IP_GW_VOIP -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A PREROUTING -s $IP_GW_VOIP -j MARK --set-mark 0x1
#$iptables -v -t mangle -A POSTROUTING ! -s $LAN_RANGE -d $IP_GW_VOIP -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A POSTROUTING ! -s $LAN_RANGE -d $IP_GW_VOIP -j MARK --set-mark 0x1
#$iptables -v -t mangle -A POSTROUTING -d $IP_GW_VOIP -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A POSTROUTING -d $IP_GW_VOIP -j MARK --set-mark 0x1
#$iptables -v -t mangle -A FORWARD -d $IP_GW_VOIP -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A FORWARD -d $IP_GW_VOIP -j MARK --set-mark 0x1
#$iptables -v -t mangle -A FORWARD -s $IP_GW_VOIP -j TOS --set-tos Minimize-Delay
#$iptables -v -t mangle -A FORWARD -s $IP_GW_VOIP -j MARK --set-mark 0x1
## TOS stuff: (type: iptables -m tos -h) - Minimize-Delay 16 (0x10) - Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04) - Minimize-Cost 2 (0x02) - Normal-Service 0 (0x00)
## Rede Voip para Rede Local e Vice Versa
#$iptables -v -t mangle -A PREROUTING -i $IF_LAN_VOIP -s $LAN_VOIP_RANGE -d $LAN_RANGE -j MARK --set-mark 0x3
#$iptables -v -t mangle -A POSTROUTING -o $IF_LAN -s $LAN_RANGE -d $LAN_VOIP_RANGE -j MARK --set-mark 0x3
## Rede Local para Rede Local
#$iptables -v -t mangle -A PREROUTING -i $IF_LAN -s $LAN_RANGE -d $LAN_RANGE -j MARK --set-mark 0x3
#$iptables -v -t mangle -A POSTROUTING -o $IF_LAN -s $LAN_RANGE -d $LAN_RANGE -j MARK --set-mark 0x3
## Limpando Regras
#$tc qdisc del dev $IF_INET_IP root
#$tc qdisc del dev $IF_LAN root
#$tc qdisc del dev $IF_LAN_VOIP root
## UPLOAD - Rede Externa
#$tc qdisc add dev $IF_INET_IP root handle 1: htb default 40
## Duas LPs
#$tc class add dev $IF_INET_IP parent 1: classid 1:1 htb rate 4400kbit ceil 4400kbit
#$tc class add dev $IF_INET_IP parent 1:1 classid 1:10 htb rate 1600kbit ceil 1600kbit prio 1 # Voip
#$tc class add dev $IF_INET_IP parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
#$tc class add dev $IF_INET_IP parent 1:1 classid 1:30 htb rate 2000kbit ceil 2500kbit prio 3 # Reservado
#$tc class add dev $IF_INET_IP parent 1:1 classid 1:40 htb rate 26000kbit ceil 2600kbit prio 4 #demais
## Uma LP
##$tc class add dev $IF_INET_IP parent 1: classid 1:1 htb rate 2200kbit ceil 2200kbit
##$tc class add dev $IF_INET_IP parent 1:1 classid 1:10 htb rate 800kbit ceil 800kbit prio 1 # Voip
##$tc class add dev $IF_INET_IP parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
##$tc class add dev $IF_INET_IP parent 1:1 classid 1:30 htb rate 2000kbit ceil 2500kbit prio 3 # Reservado
##$tc class add dev $IF_INET_IP parent 1:1 classid 1:40 htb rate 1200kbit ceil 1200kbit prio 4 #demais
#$tc qdisc add dev $IF_INET_IP parent 1:10 handle 120: sfq perturb 10
#$tc qdisc add dev $IF_INET_IP parent 1:20 handle 130: sfq perturb 10
#$tc qdisc add dev $IF_INET_IP parent 1:30 handle 140: sfq perturb 10
#$tc filter add dev $IF_INET_IP parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10 # Voip
#$tc filter add dev $IF_INET_IP parent 1:0 protocol ip prio 2 handle 2 fw flowid 1:20 # Teste
#$tc filter add dev $IF_INET_IP parent 1:0 protocol ip prio 3 handle 3 fw flowid 1:30 # Reservado
#$tc filter add dev $IF_INET_IP parent 1:0 protocol ip prio 4 handle 4 fw flowid 1:40 # Demais
## DOWNLOAD - Rede Interna
#$tc qdisc add dev $IF_LAN root handle 1: htb default 40
#$tc class add dev $IF_LAN parent 1: classid 1:1 htb rate 16000kbit ceil 100000kbit
## Duas LPs
#$tc class add dev $IF_LAN parent 1:1 classid 1:10 htb rate 1600kbit ceil 1600kbit prio 1 # VOIP
#$tc class add dev $IF_LAN parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
#$tc class add dev $IF_LAN parent 1:1 classid 1:30 htb rate 16000kbit ceil 100000kbit prio 3 # Redes locais
#$tc class add dev $IF_LAN parent 1:1 classid 1:40 htb rate 2600kbit ceil 2600kbit prio 4 # Demais
## Uma LP
##$tc class add dev $IF_LAN parent 1:1 classid 1:10 htb rate 800kbit ceil 800kbit prio 1 # VOIP
##$tc class add dev $IF_LAN parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
##$tc class add dev $IF_LAN parent 1:1 classid 1:30 htb rate 16000kbit ceil 100000kbit prio 3 # Redes locais
##$tc class add dev $IF_LAN parent 1:1 classid 1:40 htb rate 1200kbit ceil 1200kbit prio 4 # Demais
#$tc qdisc add dev $IF_LAN parent 1:10 handle 120: sfq perturb 10
#$tc qdisc add dev $IF_LAN parent 1:20 handle 130: sfq perturb 10
#$tc qdisc add dev $IF_LAN parent 1:30 handle 140: sfq perturb 10
#$tc filter add dev $IF_LAN parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10 # VOIP
#$tc filter add dev $IF_LAN parent 1:0 protocol ip prio 2 handle 2 fw flowid 1:20 # Teste
#$tc filter add dev $IF_LAN parent 1:0 protocol ip prio 3 handle 3 fw flowid 1:30 # Redes locais
#$tc filter add dev $IF_LAN parent 1:0 protocol ip prio 4 handle 4 fw flowid 1:40 # Demais
## DOWNLOAD - Rede Voip
#$tc qdisc add dev $IF_LAN_VOIP root handle 1: htb default 40
#$tc class add dev $IF_LAN_VOIP parent 1: classid 1:1 htb rate 16000kbit ceil 100000kbit
## Duas LPs
#$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:10 htb rate 1600kbit ceil 1600kbit prio 1 # VOIP
#$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
#$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:30 htb rate 16000kbit ceil 100000kbit prio 3 # Redes locais
#$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:40 htb rate 2600kbit ceil 2600kbit prio 4 # Demais
## Uma LP
##$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:10 htb rate 800kbit ceil 8000kbit prio 1 # VOIP
##$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:20 htb rate 200kbit ceil 200kbit prio 2 # Teste
##$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:30 htb rate 16000kbit ceil 100000kbit prio 3 # Redes locais
##$tc class add dev $IF_LAN_VOIP parent 1:1 classid 1:40 htb rate 1200kbit ceil 1200kbit prio 4 # Demais
#$tc qdisc add dev $IF_LAN_VOIP parent 1:10 handle 120: sfq perturb 10
#$tc qdisc add dev $IF_LAN_VOIP parent 1:20 handle 130: sfq perturb 10
#$tc qdisc add dev $IF_LAN_VOIP parent 1:30 handle 140: sfq perturb 10
#$tc filter add dev $IF_LAN_VOIP parent 1:0 protocol ip prio 1 handle 1 fw flowid 1:10 # VOIP
#$tc filter add dev $IF_LAN_VOIP parent 1:0 protocol ip prio 2 handle 2 fw flowid 1:20 # Teste
#$tc filter add dev $IF_LAN_VOIP parent 1:0 protocol ip prio 3 handle 3 fw flowid 1:30 # Redes locais
#$tc filter add dev $IF_LAN_VOIP parent 1:0 protocol ip prio 4 handle 4 fw flowid 1:40 # Demais
## Limpando Regras
#$tc qdisc del dev $IF_INET_IP root
#$tc qdisc del dev $IF_LAN root
#$tc qdisc del dev $IF_LAN_VOIP root
####################################################################
################################## TABELA FILTER ###################
####################################################################
# --- Filter table: services this host accepts on its own addresses -------
# Each rule is a NEW-state exception to the INPUT DROP policy; replies are
# already matched by the RELATED,ESTABLISHED rule further up.
# NOTE(review): nothing here admits DHCP (udp/67) or a proxy port; if dhcpd
# or Squid run on this box, those rules presumably live in the user rule
# files loaded later -- confirm.
# SNMP agent polling for the bandwidth reports.
# NOTE(review): the OUTPUT rule only matches packets sourced from 127.0.0.1
# (loopback), and the INPUT rule is subsumed by the ESTABLISHED rule above;
# both are kept unchanged but look like dead rules.
$iptables -v -t filter -A OUTPUT -p udp -s 127.0.0.1 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -v -t filter -A INPUT -p udp -s 0/0 --sport 161:162 -d 127.0.0.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# NTP served to the LAN.
$iptables -v -t filter -A INPUT -p UDP -i "$IF_LAN" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 123 -m state --state NEW -j ACCEPT
#-------------------------------------------------------------------
# SSH from the LAN, plus the world-reachable rule on the public address
# that the original marked "disable for security reasons" but left active.
# Restrict it with -s to the networks you administer from, or remove it and
# use the VPN (udp/1194 below) for remote administration.
$iptables -v -t filter -A INPUT -p TCP -i "$IF_LAN" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 22 -m state --state NEW -j ACCEPT
$iptables -v -t filter -A INPUT -p TCP -d "$INET_IP" --dport 22 -m state --state NEW -j ACCEPT
#-------------------------------------------------------------------
# DNS service on this host for the LAN and for VPN clients, TCP and UDP.
for proto in TCP UDP; do
  $iptables -v -t filter -A INPUT -p "$proto" -i "$IF_LAN" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 53 -m state --state NEW -j ACCEPT
done
for proto in TCP UDP; do
  $iptables -v -t filter -A INPUT -p "$proto" -i "$IF_VPN" -s "$REDE_VPN_RANGE" -d "$LAN_IP" --dport 53 -m state --state NEW -j ACCEPT
done
# Enable only if this host answers DNS for the internet side:
# $iptables -v -t filter -A INPUT -p TCP -i $IF_INET_IP -d $INET_IP --dport 53 -m state --state NEW -j ACCEPT
# $iptables -v -t filter -A INPUT -p UDP -i $IF_INET_IP -d $INET_IP --dport 53 -m state --state NEW -j ACCEPT
#-------------------------------------------------------------------
# Firewall web interface.
# External (off):
# $iptables -v -t filter -A INPUT -p TCP -d $INET_IP --dport 8081 -m state --state NEW -j ACCEPT
# Internal: ports 8081, 80 and 443 on the LAN address. Not pinned to an
# ingress interface, presumably so VPN clients reach them as well.
for port in 8081 80 443; do
  $iptables -v -t filter -A INPUT -p TCP -d "$LAN_IP" --dport "$port" -m state --state NEW -j ACCEPT
done
#-------------------------------------------------------------------
# MySQL from the LAN -- flagged "disable for security reasons" in the
# original; keep it only while LAN clients genuinely need direct access.
$iptables -v -t filter -A INPUT -p TCP -i "$IF_LAN" -s "$LAN_IP_RANGE" -d "$LAN_IP" --dport 3306 -m state --state NEW -j ACCEPT
#-------------------------------------------------------------------
# VPN daemon on the public address (udp/1194).
$iptables -v -t filter -A INPUT -p UDP -i "$IF_INET_IP" -s 0/0 -d "$INET_IP" --dport 1194 -m state --state NEW -j ACCEPT
#-------------------------------------------------------------------
# Rsyslog - exemplo para mikrotik
#$iptables -v -t filter -A INPUT -p UDP -i $IF_LAN -s $LAN_IP_RANGE -d $LAN_IP --dport 514 -m state --state NEW -j ACCEPT
#$iptables -v -t filter -A INPUT -p TCP -i $IF_LAN -s $LAN_IP_RANGE -d $LAN_IP --dport 514 -m state --state NEW -j ACCEPT
# RADIUS
#$iptables -v -t filter -A INPUT -p UDP -i $IF_LAN -s $LAN_IP_RANGE -d $LAN_IP --dport 1812 -m state --state NEW -j ACCEPT
#$iptables -v -t filter -A INPUT -p UDP -i $IF_LAN -s $LAN_IP_RANGE -d $LAN_IP --dport 1813 -m state --state NEW -j ACCEPT
####################################################################
################################## TABELA NAT ######################
####################################################################
####################################################################
#-------------------------------------------------------------------
# Liberacao: Externa
#-------------------------------------------------------------------
####################################################################
#-------------------------------------------------------------------
#-------------------------------------------------------------------
# Liberacoes Temporarias
#-------------------------------------------------------------------
#-------------------------------------------------------------------
#-------------------------------------------------------------------
#-------------------------------------------------------------------
# LIberacoes Testes
#-------------------------------------------------------------------
#-------------------------------------------------------------------
#-------------------------------------------------------------------
#-------------------------------------------------------------------
# LIberacoes Exemplos
#-------------------------------------------------------------------
#-------------------------------------------------------------------
# Alterando ip saida
# iptables -v -t nat -I POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y-y.y.y.y
# Redirecionando
# $iptables -v -t nat -A PREROUTING -p TCP -d x.x.x -j DNAT --to y.y.y.y-y.y.y.y
#-------------------------------------------------------------------
# Web
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 8030 -j DNAT --to x.x.x.x:80
#-------------------------------------------------------------------
# Voip
# Voip - Sainte
# $iptables -v -t nat -A POSTROUTING -s $IP_GW_VOIP -j SNAT --to-source $INET_IP_VOIP_SAINTE
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -d $INET_IP_VOIP_SAINTE -j DNAT --to $IP_GW_VOIP
# Voip - Entrante
# iptables -v -t nat -A PREROUTING -i $IF_INET_IP -d $INET_IP_VOIP_ENTRANTE -j DNAT --to $IP_GW_VOIP
#-------------------------------------------------------------------
# Email
# SMTP SLL - com autenticacao
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 587 -j DNAT --to x.x.x.x:587
# SMTP
#$iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 25 -j DNAT --to x.x.x.x:25
# SMTP - SSL
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 465 -j DNAT --to x.x.x.x:465
# POP
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 110 -j DNAT --to x.x.x.x:110
# IMAP
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 143 -j DNAT --to x.x.x.x:143
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 993 -j DNAT --to x.x.x.x:993
# Webmail
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp -d webmail.sintropab.org.br --dport 80 -j DNAT --to x.x.x.x:80
# webmail http
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 7080 -j DNAT --to x.x.x.x:7080
# webmail https
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 7443 -j DNAT --to x.x.x.x:7443
#-------------------------------------------------------------------
# Sites
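# Sites
# (The example below was split across two lines on the page, which left the
# hostname on an uncommented line that the shell tried to run as a command;
# rejoined here.)
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp -d www.sintropab.org.br --dport 80 -j DNAT --to x.x.x.x:80
#-------------------------------------------------------------------
# Terminal Service
# NOTE(review): both rules below are commented out, so no forwarding of
# tcp/3389 is active -- that is why 10.0.0.20:3389 is not reachable from
# outside. Enabling the first one relies on the modem's DMZ delivering the
# traffic to $INET_IP and, should FORWARD ever be set to DROP, on a matching
# FORWARD ACCEPT for 10.0.0.20 tcp/3389. Exposing RDP directly to the
# internet invites password guessing and exploitation of RDP flaws; the
# safer option is to keep it closed and reach the host through the VPN
# (udp/1194 is already accepted in the filter table).
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 3389 -j DNAT --to 10.0.0.20:3389
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d x.x.x.x --dport 3389 -m time --timestart 19:00:00 --timestop 22:30:00 --datestop 2038-01-19T01:14:07 -j DNAT --to 10.0.0.20:3389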
#-------------------------------------------------------------------
# Spark (Openfire)
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 80 -j DNAT --to x.x.x.x:80
# Cliente/Servidor
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 5222 -j DNAT --to x.x.x.x:5222
# Cliente/Servidor Seguro
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 5223 -j DNAT --to x.x.x.x:5223
# Console
###$iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 9090 -j DNAT --to x.x.x.x:9090
# Console seguro
###$iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 9191 -j DNAT --to x.x.x.x:9191
# Transferencia de arquivo
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 7777 -j DNAT --to x.x.x.x:7777
# Conexao insegura a clientes
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 7070 -j DNAT --to x.x.x.x:7070
# Conexao segura a clientes
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 7443 -j DNAT --to x.x.x.x:7443
# Service that allows Flash clients connect to other hostnames and ports.
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p TCP -d chat.sintropab.org.br --dport 5229 -j DNAT --to x.x.x.x:5229
#-------------------------------------------------------------------
# Redireciona para servidor de ftp
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 8027 -j DNAT --to-destination x.x.x.x:21
# Range de porta utilizavel ftp passivo
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5501 -j DNAT --to-destination x.x.x.x:5501
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5502 -j DNAT --to-destination x.x.x.x:5502
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5503 -j DNAT --to-destination x.x.x.x:5503
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5504 -j DNAT --to-destination x.x.x.x:5504
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5505 -j DNAT --to-destination x.x.x.x:5505
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5506 -j DNAT --to-destination x.x.x.x:5506
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5507 -j DNAT --to-destination x.x.x.x:5507
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5508 -j DNAT --to-destination x.x.x.x:5508
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5509 -j DNAT --to-destination x.x.x.x:5509
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5510 -j DNAT --to-destination x.x.x.x:5510
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5511 -j DNAT --to-destination x.x.x.x:5511
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5512 -j DNAT --to-destination x.x.x.x:5512
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5513 -j DNAT --to-destination x.x.x.x:5513
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5514 -j DNAT --to-destination x.x.x.x:5514
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5515 -j DNAT --to-destination x.x.x.x:5515
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5516 -j DNAT --to-destination x.x.x.x:5516
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5517 -j DNAT --to-destination x.x.x.x:5517
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5518 -j DNAT --to-destination x.x.x.x:5518
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5519 -j DNAT --to-destination x.x.x.x:5519
# $iptables -v -t nat -A PREROUTING -i $IF_INET_IP -p tcp --dport 5520 -j DNAT --to-destination x.x.x.x:5520
#-------------------------------------------------------------------
#-------------------------------------------------------------------
# LIberacoes Permanentes
#-------------------------------------------------------------------
#-------------------------------------------------------------------
####################################################################
################################## LIBERACOES TRANSPARANTES ########
####################################################################
####################################################################
#-------------------------------------------------------------------
# Liberacao: Para enderecos externos
#-------------------------------------------------------------------
####################################################################
# Liberar gdaenet.edunet.sp.gov.br porta 8080
#-------------------------------------------------------------------
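# --- NAT: destinations exempted from the per-user PREROUTING processing --
# ACCEPT in nat/PREROUTING ends nat processing for that packet, so these
# destinations are never seen by the UserPrerouting chain appended later
# (presumably the transparent-proxy redirect -- confirm); POSTROUTING then
# masquerades them out. Hostnames are resolved once, when the rule is
# loaded: if DNS is unavailable at boot iptables rejects the rule and the
# exemption is silently missing, and later address changes are not seen.
# NOTE(review): the two safer-networking rules were split across lines on
# the page, leaving `-d` without an argument and the hostname on a line of
# its own that the shell ran as a command; they are rejoined here.
# UOL anti-spam.
for dst in tira-teima.as.uol.com.br n.tt.uol.com.br; do
  $iptables -v -t nat -A PREROUTING -p TCP -s "$LAN_IP_RANGE" -d "$dst" --dport 80 -j ACCEPT
  $iptables -v -t nat -A POSTROUTING -p TCP -s "$LAN_IP_RANGE" -d "$dst" --dport 80 -j MASQUERADE
done
#-------------------------------------------------------------------
# Windows activation.
$iptables -v -t nat -A PREROUTING -p TCP -s "$LAN_IP_RANGE" -d 131.107.115.254 --dport 443 -j ACCEPT
$iptables -v -t nat -A POSTROUTING -p TCP -s "$LAN_IP_RANGE" -d 131.107.115.254 --dport 443 -j MASQUERADE
#-------------------------------------------------------------------
# SpyBot updates.
$iptables -v -t nat -A PREROUTING -p TCP -s "$LAN_IP_RANGE" -d www.safer-networking.org --dport 80 -j ACCEPT
$iptables -v -t nat -A POSTROUTING -p TCP -s "$LAN_IP_RANGE" -d www.safer-networking.org --dport 80 -j MASQUERADE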
#-------------------------------------------------------------------
# Exemplo - Conectividade Social
# Cria tabelas especificas
# Cria tabelas especificas
# $iptables -v -t filter -X cnsfilter
# $iptables -v -t filter -N cnsfilter
# $iptables -v -t filter -A cnsfilter -p TCP -d 200.201.160.0/20 -j ACCEPT
# $iptables -v -t filter -A cnsfilter -p TCP -d 200.252.47.0/24 -j ACCEPT
# $iptables -v -t filter -A cnsfilter -p TCP -d cmt.caixa.gov.br -j ACCEPT
# $iptables -v -t filter -A cnsfilter -p TCP -d conectividade.caixa.gov.br -j ACCEPT
# $iptables -v -t nat -X cnsnat
# $iptables -v -t nat -N cnsnat
# $iptables -v -t nat -A cnsnat -p TCP -d 200.201.160.0/20 -j ACCEPT
# $iptables -v -t nat -A cnsnat -p TCP -d 200.252.47.0/24 -j ACCEPT
# $iptables -v -t nat -A cnsnat -p TCP -d cmt.caixa.gov.br -j ACCEPT
# $iptables -v -t nat -A cnsnat -p TCP -d conectividade.caixa.gov.br -j ACCEPT
# $iptables -v -t nat -X cnsnatpost
# $iptables -v -t nat -N cnsnatpost
# $iptables -v -t nat -A cnsnatpost -p TCP -d 200.201.160.0/20 -j MASQUERADE
# $iptables -v -t nat -A cnsnatpost -p TCP -d 200.252.47.0/24 -j MASQUERADE
# $iptables -v -t nat -A cnsnatpost -p TCP -d cmt.caixa.gov.br --dport 80 -j MASQUERADE
# $iptables -v -t nat -A cnsnatpost -p TCP -d conectividade.caixa.gov.br --dport 80 -j MASQUERADE
# Libera Usuarios para CNS
#$iptables -v -t filter -A FORWARD -p TCP -s x.x.x.x -j cnsfilter
#$iptables -v -t nat -A PREROUTING -p TCP -s x.x.x.x -j cnsnat
#$iptables -v -t nat -A POSTROUTING -s x.x.x.x -j cnsnatpost
####################################################################
#-------------------------------------------------------------------
# Liberacao: Para enderecos internos
#-------------------------------------------------------------------
####################################################################
#-------------------------------------------------------------------
# Liberacao de Acesso Voip - Gateway Interno
# $iptables -v -t nat -A PREROUTING -p TCP -s $IP_GW_VOIP -j ACCEPT
# $iptables -v -t filter -A FORWARD -p tcp -s $IP_GW_VOIP -j ACCEPT
# $iptables -v -t nat -A POSTROUTING -s $IP_GW_VOIP -j MASQUERADE
# $iptables -v -t nat -A PREROUTING -p TCP -s 10.10.10.3 -j ACCEPT
# $iptables -v -t filter -A FORWARD -p tcp -s 10.10.10.3 -j ACCEPT
# $iptables -v -t nat -A POSTROUTING -s 10.10.10.3 -j MASQUERADE
#-------------------------------------------------------------------
# Aceitar ping para enderecos do VoIP
# $iptables -v -t filter -A INPUT -d $INET_IP_VOIP_SAINTE -p icmp -j ACCEPT
# $iptables -v -t filter -A INPUT -d $INET_IP_VOIP_ENTRANTE -p icmp -j ACCEPT
#-------------------------------------------------------------------
# Libera redes locais para VPN
# $iptables -v -t filter -A FORWARD -s $REDE_VPN_RANGE -d $LAN_IP_RANGE -j ACCEPT
# $iptables -v -t filter -A FORWARD -s $LAN_IP_RANGE -d $REDE_VPN_RANGE -j ACCEPT
# $iptables -v -t nat -A POSTROUTING -p TCP -s $REDE_VPN_RANGE -d $LAN_IP_RANGE -j MASQUERADE
####################################################################
################################## CARREGA REGRAS DOS USUARIOS
####################################################################
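# --- Per-user chains ------------------------------------------------------
# The user-specific chains are rebuilt from scratch on every run. The -F at
# the top already emptied them and removed every reference, so -X succeeds;
# on the very first run the chains do not exist yet and -X prints a
# harmless "No chain" error.
filter_chains="UserInput UserForward UserForwardMsn1 UserForwardMsn2"
nat_chains="UserPrerouting UserPreroutingAuth UserPreroutingAuthHttp UserPostrouting UserPostroutingMsn"
for chain in $filter_chains; do
  $iptables -v -t filter -X "$chain"
done
for chain in $nat_chains; do
  $iptables -v -t nat -X "$chain"
done
for chain in $filter_chains; do
  $iptables -v -t filter -N "$chain"
done
for chain in $nat_chains; do
  $iptables -v -t nat -N "$chain"
done
# Messenger chains. Hostname arguments expand to one rule per address the
# name resolves to at load time. The original listed msn.com,
# webmessenger.msn.com and hotmail.com twice in UserForwardMsn2; the second
# copies could never match, so they are dropped here.
# NOTE(review): MSN Messenger was retired years ago; these chains (and the
# DROP list in the next section) are probably dead weight worth removing.
msn_auth_hosts="msn.com live.com login.live.com hotmail.com"
msn_all_hosts="msn.com live.com login.live.com hotmail.com webmessenger.msn.com gateway.messenger.hotmail.com msn.com.br messenger.msn.com hotmail.msn.com messenger.hotmail.com rad.msn.com c.msn.com storage.msn.com"
$iptables -v -t filter -A UserForwardMsn1 -p TCP --dport 1863 -j ACCEPT
for host in $msn_auth_hosts; do
  $iptables -v -t filter -A UserForwardMsn1 -p TCP -d "$host" --dport 443 -j ACCEPT
done
$iptables -v -t filter -A UserForwardMsn1 -p TCP -d live.com --dport 80 -j ACCEPT
$iptables -v -t filter -A UserForwardMsn2 -p TCP --dport 1863 -j ACCEPT
for host in $msn_all_hosts; do
  $iptables -v -t filter -A UserForwardMsn2 -p TCP -d "$host" -j ACCEPT
done
$iptables -v -t nat -A UserPostroutingMsn -p TCP -d 0/0 --dport 1863 -j MASQUERADE
for host in $msn_auth_hosts; do
  $iptables -v -t nat -A UserPostroutingMsn -p TCP -d "$host" --dport 443 -j MASQUERADE
done
# Per-user and authenticated-user rule sets live in separate files. They
# are *executed*, not sourced, so they must be executable and define their
# own $iptables -- this script's variables are not exported. Use
# `. /etc/firewall-usuarios.sh` instead if they are meant to reuse them.
# NOTE(review): UserPreroutingAuth, UserPreroutingAuthHttp,
# UserForwardMsn1/2 and UserPostroutingMsn are not hooked into any built-in
# chain here; presumably those files do it -- confirm.
for f in /etc/firewall-usuarios.sh /etc/firewall-usuarios-auth.sh; do
  if [ -x "$f" ]; then
    "$f"
  else
    echo "firewall: $f missing or not executable, its rules were not loaded" >&2
  fi
done
# Hand INPUT/FORWARD/PREROUTING/POSTROUTING over to the user chains.
$iptables -v -t filter -A INPUT -j UserInput
$iptables -v -t filter -A FORWARD -j UserForward
$iptables -v -t nat -A PREROUTING -j UserPrerouting
$iptables -v -t nat -A POSTROUTING -j UserPostrouting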
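####################################################################
################################## BLOQUEIO DE COMUNICADORES
####################################################################
# Instant-messenger blocking. These DROPs are appended to FORWARD after
# the "-A FORWARD -j UserForward" jump above, so a host accepted by the
# per-user chains never reaches them.
# NOTE(review): "-d <hostname>" is resolved by DNS only while the script
# loads (one rule per address returned). Services on large, rotating
# address pools are therefore blocked only best-effort. A name that does
# not resolve makes iptables reject that one rule -- check that every
# name below (ak.englishtonw.com in particular) still resolves.
# The redundant "-s 0/0" (matches any source) was dropped from every rule.
# MSN and Yahoo ports
$iptables -v -t filter -A FORWARD -p TCP --dport 1863:1864 -j DROP
$iptables -v -t filter -A FORWARD -p UDP --dport 1863:1864 -j DROP
$iptables -v -t filter -A FORWARD -p TCP --dport 6891:6901 -j DROP
$iptables -v -t filter -A FORWARD -p TCP --dport 5000:5010 -j DROP #Chat Yahoo
$iptables -v -t filter -A FORWARD -p TCP --dport 5190 -j DROP
$iptables -v -t filter -A FORWARD -p UDP --dport 5190 -j DROP
# Messenger hostnames, original order. www.imo.im was split across two
# lines in the original, which left "-d" without an argument.
for host in \
  gateway.messenger.hotmail.com e-messenger.net msn.com msn.com.br \
  messenger.msn.com login.passport.com hotmail.msn.com messenger.hotmail.com \
  rad.msn.com ak.englishtonw.com c.msn.com storage.msn.com iloveim.com \
  ebuddy.com webmessenger.msn.com login.live.com hotmail.com live.com \
  imo.im o.imo.im www.imo.im talk.l.google.com web.whatsapp.com; do
  $iptables -v -t filter -A FORWARD -d "$host" -j DROP
done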
# Bloqueio Facebook
$iptables -v -t filter -X ForwardFacebook
$iptables -v -t filter -N ForwardFacebook
$iptables -v -t filter -A ForwardFacebook -m iprange --dst-range 66.220.144.0-66.220.159.255 -j DROP
$iptables -v -t filter -A ForwardFacebook -m iprange --dst-range 69.63.176.0-69.63.191.255 -j DROP
$iptables -v -t filter -A ForwardFacebook -m iprange --dst-range 204.15.20.0-204.15.23.255 -j DROP
$iptables -v -t filter -A ForwardFacebook -m iprange --dst-range 204.74.64.0-204.74.127.255 -j DROP
$iptables -v -t filter -A ForwardFacebook -m iprange --dst-range 69.171.224.0-69.171.255.255 -j DROP
$iptables -v -t filter -A ForwardFacebook -d
www.facebook.com -j DROP
$iptables -v -t filter -A ForwardFacebook -d facebook.com -j DROP
# Bloqueio Facebook
# $iptables -v -t filter -A FORWARD -s x.x.x.x -j ForwardFacebook
# Liberação Facebook
$iptables -v -t filter -X ForwardFacebook_libera
$iptables -v -t filter -N ForwardFacebook_libera
$iptables -v -t filter -A ForwardFacebook_libera -m iprange --dst-range 66.220.144.0-66.220.159.255 -j ACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -m iprange --dst-range 69.63.176.0-69.63.191.255 -j ACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -m iprange --dst-range 204.15.20.0-204.15.23.255 -j ACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -m iprange --dst-range 204.74.64.0-204.74.127.255 -j ACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -m iprange --dst-range 69.171.224.0-69.171.255.255 -jACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -d
www.facebook.com -j ACCEPT
$iptables -v -t filter -A ForwardFacebook_libera -d facebook.com -j ACCEPT
# $iptables -v -t filter -A FORWARD -s x.x.x.x -j ForwardFacebook_libera
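####################################################################
################################## REGRAS FINAIS
####################################################################
#-------------------------------------------------------------------
# Mail ports dropped for LAN hosts that were not explicitly allowed.
# Appended to UserForward, i.e. after the per-user ACCEPT rules that
# firewall-usuarios.sh added, so an allowed user is accepted first.
# 25 SMTP, 110 POP3, 143 IMAP, 465 SMTPS, 993 IMAPS, 995 POP3S,
# 587 mail submission (labelled "GMAIL" in the original; it is the
# generic submission port, not specific to one provider).
#-------------------------------------------------------------------
for port in 25 110 143 465 993 995 587; do
  $iptables -v -t filter -A UserForward -p tcp -s "$LAN_IP_RANGE" --dport "$port" -d 0/0 -j DROP
done
#-------------------------------------------------------------------
# Anti-spoofing: packets claiming a LAN source that arrive on the internet
# interface are dropped. This covers INPUT only; the same check is not
# applied to FORWARD here.
#-------------------------------------------------------------------
$iptables -v -t filter -A INPUT -i "$IF_INET_IP" -s "$LAN_IP_RANGE" -j DROP
#-------------------------------------------------------------------
# Port-scan protection (left disabled, as in the original)
# $iptables -v -t filter -A INPUT -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#-------------------------------------------------------------------
# Ping: accept small echo-requests at 1/s. Requests above the limit are
# not matched by this rule and fall through to whatever follows in INPUT.
#-------------------------------------------------------------------
$iptables -v -t filter -A INPUT -p icmp --icmp-type echo-request -m length --length 0:99 -m limit --limit 1/s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#-------------------------------------------------------------------
# Drop packets that connection tracking flags as INVALID.
# NOTE(review): this is appended late in INPUT, so it only sees packets no
# earlier rule accepted; the usual layout puts it near the top of INPUT.
#-------------------------------------------------------------------
$iptables -v -t filter -A INPUT -m state --state INVALID -j DROP
#-------------------------------------------------------------------
# UltraSurf detection, consumed by fail2ban. The original logged every
# matching packet, so one client could flood the log (disk usage, fail2ban
# parsing load). The limit below bounds the log rate while still giving
# fail2ban plenty of hits -- tune it against the jail's maxretry/findtime.
#-------------------------------------------------------------------
$iptables -v -t filter -A FORWARD -d 65.49.14.0/24 -m limit --limit 30/min --limit-burst 20 -j LOG --log-prefix "=UltraSurf= "
#-------------------------------------------------------------------
# Logging of everything that has no rule (disabled, as in the original)
# $iptables -v -t filter -A INPUT -j LOG --log-level 6 --log-prefix "INPUT..: "
# $iptables -v -t filter -A INPUT -j LOG --log-level 6 --log-prefix "[Pacotes INPUT]"
# $iptables -v -t filter -A OUTPUT -j LOG --log-level 6 --log-prefix "[Pacotes OUTPUT]"
# $iptables -v -t filter -A FORWARD -j LOG --log-level 6 --log-prefix "[Pacotes FORWARD]"
#-------------------------------------------------------------------
# Final reject (disabled, as in the original)
# $iptables -v -t filter -A INPUT -p TCP -j REJECT --reject-with tcp-reset
#-------------------------------------------------------------------
# Packet-flow reference (rewritten from the original ASCII diagram):
#   in -> PREROUTING (mangle, nat dst) -> routing decision
#      -> FORWARD (mangle, filter) -> POSTROUTING (mangle, nat src) -> out
#      -> INPUT (mangle, filter) -> application
#         -> OUTPUT (mangle, nat dst, filter) -> POSTROUTING -> out
#-------------------------------------------------------------------
# Reload fail2ban.
/usr/bin/fail2ban-client reload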
Arquivo de configuração (/etc/firewall-usuarios.sh)
#!/bin/sh
# Per-user firewall / bandwidth script. It is executed (not sourced) by the
# main firewall script, so tool paths and network values are declared
# again here -- keep them identical to the caller's.
iptables=/usr/local/sbin/iptables
tc=/sbin/tc
# <><><><><><><><><><><><><><><><>
# Bandwidth control
# <><><><><><><><><><><><><><><><>
# Gateway LAN address and LAN network
LAN_IP=10.0.0.2
LAN_IP_RANGE=10.0.0.0/24
# Shaping devices: download is shaped on the LAN-side interface, upload
# on the imq0 pseudo-device (presumably needs the out-of-tree IMQ kernel
# module -- confirm it is present and loaded).
IF_DOWNLOAD=eth0
IF_UPLOAD=imq0
# Attention: set the speed of your internet link here
BANDA_DOWNLOAD=5500kbit
BANDA_UPLOAD=5500kbit
# Bandwidth control: the same HTB tree is built on both shaping devices.
#   1:1  root class (effectively unlimited)
#   1:2  internet traffic, rate/ceil = configured link speed (prio 4)
#   1:50 traffic from LAN_IP to the LAN range, unlimited (prio 3)
#   1:51 default class for everything not classified elsewhere:
#        10kbit guaranteed, 110kbit ceiling (prio 10). Presumably the
#        per-user filters added by the generated section below place each
#        authorised host in its own class; unclassified hosts are throttled
#        here -- TODO confirm against the generated rules.
# The leading "qdisc del" may fail on the first run (nothing to delete yet);
# its status is not checked, as in the original.
# $1 = device, $2 = rate and ceil of class 1:2
setup_shaper() {
  $tc qdisc del dev "$1" root
  $tc qdisc add dev "$1" root handle 1:0 htb default 51
  $tc class add dev "$1" parent 1:0 classid 1:1 htb rate 1000000kbit ceil 1000000kbit
  $tc class add dev "$1" parent 1:1 classid 1:2 htb rate "$2" ceil "$2" prio 4
  $tc class add dev "$1" parent 1:1 classid 1:50 htb rate 1000000kbit ceil 1000000kbit prio 3
  $tc class add dev "$1" parent 1:2 classid 1:51 htb rate 10kbit ceil 110kbit prio 10
  $tc filter add dev "$1" parent 1:0 protocol ip prio 3 u32 match ip src "$LAN_IP" match ip dst "$LAN_IP_RANGE" classid 1:50
}
# Download (LAN-side interface)
setup_shaper "$IF_DOWNLOAD" "$BANDA_DOWNLOAD"
# Upload (IMQ device)
setup_shaper "$IF_UPLOAD" "$BANDA_UPLOAD"
# Empty the per-user chains before they are repopulated below. The chains
# themselves are presumably created by the main script; only their
# contents are flushed here.
# NOTE(review): between this flush and the rules appended later the User*
# chains are empty, so for a short window traffic falls through to whatever
# follows the User* jumps in the caller's chains.
for chain in UserInput UserForward; do
  $iptables -v -t filter -F "$chain"
done
for chain in UserPrerouting UserPostrouting UserPreroutingAuth UserPreroutingAuthHttp; do
  $iptables -v -t nat -F "$chain"
done
<<< CONFIGURACAO INDIVIDUAL DOS USUARIOS - (machine.php)
$iptables -v -t nat -A UserPrerouting -j UserPreroutingAuth
$iptables -v -t nat -A UserPrerouting -j UserPreroutingAuthHttp