Duvida Iptables + squid [RESOLVIDO]
1. Duvida Iptables + squid [RESOLVIDO]
tcorte
(usa CentOS)
Enviado em 12/08/2013 - 14:32h
Srs. Boa tarde!Estou enfrentando dificuldades com o meu firewall, estou montando um servidor novo para uma empresa
e quando tento executar o script da erro na sintaxe do iptables, alguem poderia me ajudar?
O servidor é um CentoOS 6.4 possui squid sarg e webmin
#!/bin/bash
echo ""
echo "CARREGANDO FIREWALL ................................."
echo ""
# Local para o executavel do IPTables
#IPT=`which iptables`;
echo "Definindo variaveis.................................[OK]"
# Interface da rede INTERNA
IF_INTERNA="eth0";
# Interface da rede EXTERNA
IF_EXTERNA="eth1";
# Interface da Rede DOMINIO
IF_DOMINIO='eth2';
# Definição da rede interna
REDE_INTERNA="192.168.0.0"
REDE_DOMINIO="10.1.1.0"
fw_start()
{
echo "Limpando Regras.....................................[OK]"
### Limpando regras iptables ###
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -X
echo "Ativando roteamento.................................[OK]"
#ativa o roteamento dinamico
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ================ POLITICAS PADRAO ===================
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
echo "Criando Regras de Seguranca.........................[OK]"
# Cria chain com regras de segurança
iptables -N BLOCK
iptables -A BLOCK -p icmp --icmp-type echo-request -j DROP
iptables -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A BLOCK -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
iptables -A BLOCK -m unclean -j DROP
iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A BLOCK -j LOG --log-prefix "FW_ALERT: "
iptables -A BLOCK -j DROP
# Muda a prioridade dos pacotes (Type Of Service) para agilizar as coisas
iptables -t mangle -A OUTPUT -o $IF_EXTERNA -p tcp -m multiport --dports 21,22,80,6667 -j TOS --set-tos 0x10
echo "Liberando Trafego local.............................[OK]"
# Libera todo o trafego local
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i $IF_INTERNA -j ACCEPT
iptables -t filter -A FORWARD -i $IF_INTERNA -j ACCEPT
# Libera só FTP, SSH e WEB
iptables -t filter -A INPUT -i $IF_EXTERNA -p tcp -m multiport --dports 21,22,80,6667 -j ACCEPT
# Libera a conexao para a rede interna
iptables -t nat -A POSTROUTING -s $REDE_INTERNA -j MASQUERADE
iptables -t nat -A POSTROUTING -s $REDE_DOMINIO -j MASQUERADE
# Liberando portas squid, http e NTP. Estes serviços o firewall só irá responder se vierem da interface da rede interna.
iptables -A INPUT -p tcp --dport 3128 -i $REDE_INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i $REDE_INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i $REDE_DOMINIO -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i $REDE_INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -i $REDE_INTERNA -j ACCEPT
iptables -A INPUT -p udp --dport 123 -i $REDE_INTERNA -j ACCEPT
# Cria um NAT para o SSH de uma maquina da rede interna
# iptables -t filter -A FORWARD -p tcp -d 0/0 --dport 2222 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 2222 -j DNAT --to 192.168.1.2:22
# Regras para evitar packet flood
iptables -A INPUT -j BLOCK
iptables -A FORWARD -j BLOCK
echo "Estacoes devem utilizar o Proxy.....................[OK]"
# OBRIGA AS ESTACOES A USAR O PROXY
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT -to-dest $IF_INTERNA
echo " "
echo ".................. FIREWALL NBRtec ATIVADO................."
echo " "
}
fw_stop()
{
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
}
fw_usage()
{
echo
echo "$0 (start | stop | restart | clear)"
echo
echo "start - Ativa o firewall"
echo "stop - Desativa o firewall"
echo "restart - Reativa o firewall"
echo "clear - Limpa os contatores"
}
fw_clear()
{
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
}
case $1 in
start)
fw_start;
;;
stop)
fw_stop;
;;
restart)
fw_stop;
fw_start;
;;
clear)
fw_clear;
;;
*)
fw_usage;
exit;
;;
esac