Help, I'm a beginner!

1. Help, I'm a beginner!

Alan Juliano Metzger
meguelito

(uses None)

Posted on 09/04/2008 - 08:55h

Good morning everyone,

Here's the thing: at my company I have an Ubuntu box with iptables and Squid, but I'm having some problems because I don't really know where to put the rules, so I'll post my rules here and explain what I need.

The rules are below:

IPTABLES="/sbin/iptables"

echo "Limpando Regras"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Iniciando Regras"
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

cat /proc/net/ip_tables_names | grep -v mangle | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done

MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//' | sed 's/\.ko.*$//')`
# lsmod and modprobe paths used by the module loop below
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
for module in $(echo $MODULES); do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done

echo "Bloqueando Emule e Monitorando"
$IPTABLES -A FORWARD -m ipp2p --ipp2p -j LOG --log-prefix "Acesso P2P: "
$IPTABLES -A INPUT -m ipp2p --ipp2p -j DROP
$IPTABLES -A FORWARD -m ipp2p --ipp2p -j DROP
$IPTABLES -A OUTPUT -m ipp2p --ipp2p -j DROP

echo "Rule 0(NAT)"
#
# Nat
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 192.168.254.2

echo "Rule 1(NAT)"
#
#
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/24 -d 200.175.61.63 -j DNAT --to-destination 192.168.254.2

echo "Rule 2(NAT)"
#
#
$IPTABLES -t nat -A PREROUTING -p tcp --destination-port 7778 -j DNAT --to-destination 192.168.0.10:7778
$IPTABLES -t nat -A PREROUTING -d www.insidesystem.com.br -p tcp --destination-port 8081 -j DNAT --to-destination 192.168.0.4:8081

echo "Rule 3(Oracle IAS)"
#
#
#$IPTABLES -t nat -A PREROUTING -i eth+ -p tcp --dport 7777 -j DNAT --to-dest 192.168.0.5
#$IPTABLES -A FORWARD -p tcp -i eth+ --dport 7777 -d 192.168.0.5 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth+ -p tcp --dport 7778 -j DNAT --to-dest 192.168.0.5
$IPTABLES -A FORWARD -p tcp -i eth+ --dport 7778 -d 192.168.0.5 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth+ -p tcp --dport 3704 -j DNAT --to-dest 192.168.0.5

$IPTABLES -A FORWARD -p tcp -i eth+ --dport 3704 -d 192.168.0.5 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth+ -p tcp --dport 3204 -j DNAT --to-dest 192.168.0.5
$IPTABLES -A FORWARD -p tcp -i eth+ --dport 3204 -d 192.168.0.5 -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i eth+ -p tcp --dport 3304 -j DNAT --to-dest 192.168.0.5
$IPTABLES -A FORWARD -p tcp -i eth+ --dport 3304 -d 192.168.0.5 -j ACCEPT

#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Google Talk and MSN for whitelisted hosts (/32: a /24 here would match the whole LAN).
$IPTABLES -A FORWARD -s 192.168.0.112/32 -p tcp --dport 5222 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -p tcp --dport 5223 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -d chatenabled.mail.google.com -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -d talk.google.com -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -d talkx.l.google.com -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -d tools.google.com -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.112/32 -d mail.google.com -j ACCEPT

# Block Google Talk and MSN for the rest of the LAN
$IPTABLES -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5222 -j DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -p udp --dport 5222 -j DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -p udp --dport 5223 -j DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT

# MSN and Talk domains
$IPTABLES -A FORWARD -d chatenabled.mail.google.com -j REJECT
$IPTABLES -A FORWARD -d talk.google.com -j REJECT
$IPTABLES -A FORWARD -d talkx.l.google.com -j REJECT
$IPTABLES -A FORWARD -d tools.google.com -j REJECT
$IPTABLES -A FORWARD -d mail.google.com -j REJECT
$IPTABLES -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT

# Block external proxies (only the local Squid on 3128 is reachable).
$IPTABLES -A INPUT -i eth1 -p tcp -d 192.168.0.1 --destination-port 3128 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p tcp -d 192.168.0.1 --destination-port 3128 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -m multiport --destination-port 8080,3128,1080 -j DROP
$IPTABLES -A FORWARD -i eth1 -p tcp -m multiport --destination-port 8080,3128,1080 -j DROP

echo "Rule 0(eth1)"
#
#
#
$IPTABLES -A INPUT -i eth1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -j ACCEPT

echo "Rule 0(eth2)"
#
#
#
$IPTABLES -A INPUT -i eth2 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth2 -m state --state NEW -j ACCEPT

echo "Rule 0(eth0)"
#
# Allow DNS
#
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p udp --destination-port 53 -m state --state NEW -j ACCEPT

echo "Rule 1(eth0)"
#
# Allow HTTP and HTTPS
#
#$IPTABLES -A INPUT -i eth0 -p tcp -m multiport --destination-port 80,443,8080,8009 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i eth0 -p tcp -m multiport --destination-port 80,443,8080,8009 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m multiport --destination-port 80,443,8009 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m multiport --destination-port 80,443,8009 -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth0 -p tcp -m multiport --destination-port 8088 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m multiport --destination-port 8088 -m state --state NEW -j ACCEPT

echo "Rule 2(eth0)"
#
# Allow email
#
$IPTABLES -A INPUT -i eth0 -p tcp -m multiport --destination-port 993,995,25,143,110 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m multiport --destination-port 993,995,25,143,110 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m multiport --destination-port 993,995,25,143,110 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m multiport --destination-port 993,995,25,143,110 -m state --state NEW -j ACCEPT
#
# Rule 3(eth0)
#
echo "Rule 3(eth0)"
#
# Allow SSH
#
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/24 -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

#
# Rule 4(eth0)
#
echo "Rule 4(eth0)"
#
# Allow FTP
#
$IPTABLES -A INPUT -i eth0 -p tcp --source-port 20 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m multiport --destination-port 21,20 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp --source-port 20 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m multiport --destination-port 21,20 -m state --state NEW -j ACCEPT

echo "Rule 5(eth0)"
#
# Allow ICMP
#
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 3 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p icmp --icmp-type 3 -m state --state NEW -j ACCEPT
#
# Rule 6(eth0)
#
echo "Rule 6(eth0)"
#
#
#
$IPTABLES -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT

echo "Rule 8 (Proxy)"
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

#
#Rule 9 (Oracle-Tractebel)
echo "Rule 9 (Oracle-Tractebel)"

# Allow Oracle
#
$IPTABLES -A INPUT -i eth2 -p tcp --destination-port 1521 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -p tcp --destination-port 1521 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth2 -p tcp --destination-port 1521 -m state --state NEW -j ACCEPT

#
#Rule 10 (Allow VPN)
echo "Rule 10 (VPN)"
# Allow VPN (PPTP control port)
#
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 1723 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 1723 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 1723 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 1723 -m state --state NEW -j ACCEPT

#
#Rule 11 (LDAP)
echo "Rule 11 (LDAP)"
#
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --destination-port 389 -m state --state NEW -j ACCEPT

echo "Rule 12(DHCP)"
#
# Allow DHCP (DHCP runs over UDP, not TCP)
#
$IPTABLES -A INPUT -i eth0 -p udp --destination-port 67 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p udp --destination-port 67 -m state --state NEW -j ACCEPT

#
# Rule 13(antispam)
#
echo "Rule 13(antispam)"
#
# Allow antispam (local connections to port 60000 only)
#
$IPTABLES -I INPUT -p tcp -m state --state NEW -s 127.0.0.1 --dport 60000 -j ACCEPT

# Rule 0(lo)
#
echo "Rule 0(lo)"
#
#
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

#
# Rule 0(tun0)
#
echo "Rule 0(tun0)"
#
#
#
$IPTABLES -A INPUT -i tun+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o tun+ -m state --state NEW -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun+ -j MASQUERADE

echo "Rule 0(ppp0)"
#
#
#
$IPTABLES -A INPUT -i ppp+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o ppp+ -m state --state NEW -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

#

echo "Regra Geral"
$IPTABLES -A INPUT -p tcp --syn -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

# -- End of iptables rules.

Now to what I need. As you can see, I have 3 network cards: eth0 192.168.254.2, eth1 192.168.0.0, eth2 10.3.1.54, plus 3 VPNs: tun0 192.168.250.2, tun1 10.1.0.2, tun2 192.168.252.2, and one more VPN I use to connect internally, which creates ppp0. What I need is the following: a file with a list of IPs that have full access, filtered by MAC, while everyone else has everything blocked except e-mail, access to the VPNs and Internet access, which is controlled by Squid; the rest, such as MSN, Google Talk, or even trying to change their proxy, should not work at all. I'd also like everything destined for the eth2 card to leave through it and not through eth1, as happens today.

I know it's a lot, but if someone could help me by writing a script with comments explaining what it does I'd be very grateful, and I can also help with Windows Server and Oracle stuff.

Regards, Alan Juliano Metzger
DBA / Network Administrator.
MCSA - Microsoft Certified Systems Administrator.
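An added example, not from the original post or from any reply, showing one way to build the "list of IPs with full access, tied to their MACs" part of the request, together with the restrictive default for every other LAN host. It reuses the interface layout from the post (eth1 = LAN 192.168.0.0/24, eth0 = uplink, eth2 = 10.3.1.54, VPNs on tun+) and Squid on 3128; the whitelist file format ("<ip> <mac>" per line), the /24 mask for the eth2 network and the function names are assumptions. The script only prints the commands so they can be reviewed first and then piped to a root shell; it never calls iptables itself.

```shell
#!/bin/sh
# Generate iptables rules from a whitelist of "IP MAC" pairs (example code).
# Assumptions (constructed for this example, not from the original post):
# eth1 is the LAN (192.168.0.0/24), eth0 the uplink, eth2 reaches 10.3.1.0/24,
# Squid listens on 3128. Output is the list of commands, nothing is applied here.

IPT="/sbin/iptables"
LAN_IF="eth1"
LAN_NET="192.168.0.0/24"
SQUID_PORT="3128"
ETH2_NET="10.3.1.0/24"   # assumed: /24 around the 10.3.1.54 address on eth2

# Routing, not filtering: traffic for the eth2 network must leave via eth2.
# Without this route it follows the default route (eth1 in the post).
gen_route() {
    echo "ip route replace $ETH2_NET dev eth2"
}

# Full access for whitelisted hosts, but only when BOTH the source IP and the
# source MAC match the same line of the file. Blank lines and '#' comments are
# skipped; a line without a MAC is ignored rather than turned into an IP-only rule.
gen_whitelist() {
    # $1 = path to the whitelist file, one "<ip> <mac>" pair per line
    while read -r ip mac _; do
        case "$ip" in ''|'#'*) continue ;; esac
        [ -n "$mac" ] || continue
        echo "$IPT -A FORWARD -i $LAN_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
    done < "$1"
}

# Restrictive defaults for everyone else on the LAN: web goes through Squid,
# mail and the VPN tunnels are allowed, everything else is logged and dropped
# (this is what blocks MSN, Google Talk and manually configured proxies).
gen_defaults() {
    echo "$IPT -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    echo "$IPT -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 25,110,143,993,995 -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o tun+ -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -j LOG --log-prefix \"LAN blocked: \""
    echo "$IPT -A FORWARD -i $LAN_IF -s $LAN_NET -j DROP"
}

# Order matters: the whitelist ACCEPTs must be emitted before the final DROP.
gen_rules() {
    gen_route
    gen_whitelist "$1"
    gen_defaults
}

# Usage: sh gen_rules.sh whitelist.txt        (review the output)
#        sh gen_rules.sh whitelist.txt | sudo sh   (apply it)
if [ "$#" -ge 1 ]; then
    gen_rules "$1"
fi
```

These rules assume the ESTABLISHED,RELATED ACCEPT rules from the post are already at the top of FORWARD, so replies to whitelisted connections are not caught by the final DROP. Binding IP and MAC in one rule means a host that changes only its IP, or only its MAC, to one on the list still does not match; MAC matching only works on the directly attached LAN segment, which is why the rule is pinned to `-i eth1`.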


2. Re: Help, I'm a beginner!

Eduardo Pelizzari de Andrade
edupersoft

(uses Manjaro Linux)

Posted on 09/04/2008 - 09:13h

Man, iptables isn't as scary as it looks, but your problem isn't simple; you'll need to master the subject to manage this. This link is a great tutorial on it:

http://focalinux.cipsga.org.br/guia/avancado/ch-fw-iptables.html
