Enviado em 14/05/2015 - 12:04h
Galera boa tarde.#!/bin/
# Script de Regras do Iptables
# Acionado por /etc/init.d/firewall start
# Criado pela Iccone Informatica (Sem data)
#ETH0 = EXTERNO - ETH1 = INTERNO
#### Bloqueio de Acesso externo ao Apache Web #####
iptables -A INPUT -p tcp -d IPEXTERNO --dport 80 -j DROP
iptables -A INPUT -p tcp -s IPEXTERNO --dport 80 -j DROP
#### Fim do Bloqueio ao Apache Web #####
###### Inicio das Regras normais do Firewall #####
#*filter
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A INPUT -i tun0 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --sport 53 -j ACCEPT #DNS
iptables -t filter -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT #http
iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT #ssl
iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 110 -j ACCEPT #pop
iptables -t filter -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 25 -j ACCEPT #smtp
iptables -t filter -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 22 -j ACCEPT #ssh
iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 21 -j ACCEPT #ftp
iptables -t filter -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 5900 -j ACCEPT #VNC
iptables -t filter -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 8245 -j ACCEPT #NO-IP
iptables -t filter -A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 10050 -j ACCEPT #Zabbix
iptables -t filter -A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 8081 -j ACCEPT #sunproxyadmin
iptables -t filter -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 8082 -j ACCEPT #us-cli - Utilistor
iptables -t filter -A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 21000 -j ACCEPT #irtrans - IRTrans Control
iptables -t filter -A INPUT -p tcp -m tcp --dport 21000 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT #http-alt - HTTP Alternate
iptables -t filter -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 2082 -j ACCEPT #infowave - Infowave Mobility Server
iptables -t filter -A INPUT -p tcp -m tcp --dport 2082 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 1194 -j ACCEPT #openvpn - OpenVPN
iptables -t filter -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 809 -j ACCEPT #SPTRANS
iptables -t filter -A INPUT -p tcp -m tcp --dport 809 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 137 -j ACCEPT #netbios-ns - NETBIOS Name Service
iptables -t filter -A INPUT -i eth1 -p udp -m udp --dport 137 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m tcp --sport 137 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m tcp --dport 137 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 139 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --dport 139 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 139 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 138 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --dport 138 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 138 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 138 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 22000 -j ACCEPT #snapenetio - SNAPenetIO - #alterado para eth1 "verificar se houver erros"
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 135 -j ACCEPT #epmap - DCE endpoint resolution
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 135 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 135 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --dport 135 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 445 -j ACCEPT #microsoft-ds - Microsoft-DS
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 445 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p udp -m udp --dport 445 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT #Redirecionaento squid
iptables -t filter -A INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
iptables -t filter -A INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT #http
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --sport 81 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp -m tcp --dport 81 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 7531 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --sport 37 -j ACCEPT #Relógio (time)
iptables -t filter -A INPUT -p tcp -m multiport -s 0/0 -d 192.168.11.254 --dport 3050,3051 -j ACCEPT #Firebird
iptables -t filter -A OUTPUT -p tcp -m multiport -s 0/0 -d 192.168.11.254 --sport 3050,3051 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m multiport -s 0/0 -d 192.168.11.254 --dport 3000,3001 -j ACCEPT #ntop
iptables -t filter -A OUTPUT -p tcp -m multiport -s 0/0 -d 192.168.11.254 --sport 3000,3001 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
iptables -t filter -A INPUT -p gre -j ACCEPT
iptables -t filter -A INPUT -p icmp -j ACCEPT
#iptables -t filter -A INPUT -m limit --limit 4/min -j LOG --log-prefix "INP_DROP -- DENY Policy " --log-level 6
iptables -t filter -A INPUT -j DROP
#### Definição de Portas por IP ####
#Diogo
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 443 -j ACCEPT #ssl
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 25 -j ACCEPT #smtp
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 587 -j ACCEPT #smtp
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 587 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 110 -j ACCEPT #pop
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 123 -j ACCEPT #NTP
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 123 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 8080 -j ACCEPT #http
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 802 -j ACCEPT #Swith 24 portas
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 802 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 809 -j ACCEPT #sptrans
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 809 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 3000 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 3000 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 3001 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.11.48 -p tcp -m tcp --dport 3001 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 3002 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --dport 3002 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --sport 2082 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.11.48 -p tcp -m tcp --dport 2082 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m multiport -s 0/0 -d 192.168.11.48 --dport 1433,1434 -j ACCEPT #SQL
iptables -t filter -A OUTPUT -p tcp -m multiport -s 0/0 -d 192.168.11.48 --sport 1433,1434 -j ACCEPT
#### Fim da Definição de Portas por IP ####
#### Definição de Portas Gerais ####
iptables -t filter -A FORWARD -p tcp -m tcp --sport 1234 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 1234 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 5900 -j ACCEPT #vnc-server - VNC Server
iptables -t filter -A FORWARD -p tcp -m tcp --dport 5900 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT #ssl
iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 123 -j ACCEPT #NTP
iptables -t filter -A FORWARD -p tcp -m tcp --dport 123 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 8080 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 809 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 809 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 3000 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 3000 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 3002 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 3002 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 587 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 587 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 25 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 25 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 110 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 110 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 123 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 123 -j ACCEPT
### Portas DVR Intelbras ###
iptables -t filter -A FORWARD -p tcp -m tcp --dport 37777 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 37777 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 7070 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 7070 -j ACCEPT
### Fim das Portas do DVR Intelbras ###
### Portas ATA ###
iptables -t filter -A FORWARD -p udp -m udp --dport 5060 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 5060 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 5090 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 5090 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 5000 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 5000 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 4515 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 4515 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --dport 4516 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m udp --sport 4516 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --dport 9000:9049 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --dport 5480:5489 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --dport 7000:7499 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --dport 23000:23999 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --dport 40000:40999 -j ACCEPT
### Fim das Portas do ATA ###
### Portas CPS MOBILE ###
iptables -t filter -A FORWARD -p tcp -m tcp --dport 2021 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 2021 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m tcp --sport 8080 -j ACCEPT
### Fim das Portas CPS MOBILE ###
## Bloqueio Redes Sociais
# Apenas para a lista da linha abaixo será permitido o acesso!
for t in `cat /Administrativo/Internet/access.dat` ; do
# Bloqueia o acesso a todos exceto os da lista (!)
iptables -I FORWARD -i eth1 -m string --algo bm --string "facebook.com" -j DROP ! -s $t
iptables -I FORWARD -i eth1 -m string --algo bm --string "twitter.com" -j DROP ! -s $t
done
## Fim do Bloqueio Redes Sociais
iptables -t filter -A FORWARD -p udp -m multiport --dport 2101:2240 -j ACCEPT
iptables -t filter -A FORWARD -p udp -m multiport --sport 2121:2240 -j ACCEPT
### Fim das Portas SUPORTE GRV X ###
#### Fim da Definição de Portas Gerais ####
#iptables -t filter -A FORWARD -m limit --limit 4/min -j LOG --log-prefix "FWD_DROP -- DENY Policy " --log-level 6
iptables -t filter -A FORWARD -j DROP
#*mangle
#*nat
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.11.0/255.255.255.0 -o eth0 -j MASQUERADE
### Encaminhamento portas DVR ###
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7070 -j DNAT --to-destination 192.168.11.33:7070
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 37777 -j DNAT --to-destination 192.168.11.33:37777
### Fim do Encaminhamento portas DVR ###
### Encaminhamento portas CPS MOVEL ###
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.11.87:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2021 -j DNAT --to-destination 192.168.11.87:2021
### Fim do Encaminhamento portas CPS MOVEL ###
### Encaminhamento portas ATA ###
#EXTERNO
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5060 -j DNAT --to-destination 192.168.11.48:5060
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5090 -j DNAT --to-destination 192.168.11.48:5090
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 4515 -j DNAT --to-destination 192.168.11.48:4515
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 4516 -j DNAT --to-destination 192.168.11.48:4516
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5000 -j DNAT --to-destination 192.168.11.48:5000
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5090 -j DNAT --to-destination 192.168.11.48:5090
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dport 9000:9049 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dport 5480:5489 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dport 7000:7499 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dport 23000:23999 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dport 40000:40999 -j DNAT --to-dest 192.168.11.48
#INTERNO
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5060 -j DNAT --to-destination 192.168.11.48:5060
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5090 -j DNAT --to-destination 192.168.11.48:5090
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4515 -j DNAT --to-destination 192.168.11.48:4515
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4516 -j DNAT --to-destination 192.168.11.48:4516
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5000 -j DNAT --to-destination 192.168.11.48:5000
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5090 -j DNAT --to-destination 192.168.11.48:5090
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dport 9000:9049 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dport 5480:5489 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dport 7000:7499 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dport 23000:23999 -j DNAT --to-dest 192.168.11.48
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dport 40000:40999 -j DNAT --to-dest 192.168.11.48
### Fim do Encaminhamento portas ATA ###
#iptables -A INPUT -j LOG --log-level info --log-prefix "DROP:"
#iptables -A OUTPUT -j LOG --log-level info --log-prefix "DROP:"
##### Fim do Firewall #####