feliperossi
(usa Debian)
Enviado em 18/05/2008 - 15:36h
bom galera esses dias estava com um problema no meu script de firewall e novamento a galera do VOL me ajudoum, mas agora estou sofrendo com outro problema estou com dificuldades de entender as regras de INPUT OUTPUT E FORWARD para liberação de serviços na rede e etc, bom pelo menos jah consegui compartilhar a net na rede mas minha intenção eh de compartilhar isso com restrições setando portas especificas etc, e serviços tbm
peço q me ajudem a setar a regra q vai compartilhar os serviços de internet na minha rede conforme segue meu script de firewall abaixo, alguns serviços deixem comentados
pois meu maior problema esta em compartilhar net na rede
desde jah mto obrigado
#!/bin/bash
#
# chkconfig: 2345 03 92
# description: Regras de firewall
#
#######################################
# Define variaveis
#######################################
WAN=10.1.1.10
LAN=192.168.1.10
REDE=192.168.1.0/24
#http,https,dns,smtp,pop3,ssh,ftp,jabber,jabber/s
#SRV_TCP="80,443,53,25,110,22,21,5222,5223"
#SRV_UDP=53
#TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
#TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#IPT=/sbin/iptables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
case $1 in
start)
echo "Iniciando Firewall"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#######################################
# Define politicas default
#######################################
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
#######################################
# Limpa todas as regras
#######################################
#iptables -t filter -F
#iptables -t nat -F
#iptables -t mangle -F
#iptables -t raw -F
#########################################
# Liberar pacotes pertencentes a conexões permitidas
#########################################
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### Liberar tudo p/ o boss
#iptables -A FORWARD -m mac --mac-source 00:18:8B:DF:F9:F7 -s 192.168.1.0 -j ACCEPT
### liberar acesso a alguns servicos
### e negar o restante (politica default)
##############################################
iptables -A FORWARD -s $LAN -d $WAN -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A FORWARD -s $LAN -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -d $LAN -p udp -m udp --sport 53 -j ACCEPT
##############################################
iptables -A OUTPUT -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
###LIBERA ACESSO A SERVICOS ESPECIFICOS
iptables -A FORWARD -s $LAN -d $WAN -p tcp -m multiport --dports 2082,2086,2095 -j ACCEPT
##############################################
### Negar acesso ao msn
#iptables -A FORWARD -p tcp --dport 569 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 65.54.179.198 -j DROP
#iptables -A FORWARD -d 65.54.183.198 -j DROP
#iptables -A FORWARD -d 65.4.13.0/24 -j DROP
#iptables -A FORWARD -d messenger.hotmail.com -j DROP
### Negar Acesso KAZAA
#iptables -A FORWARD -d 213.248.112.0/24 -j DROP
#iptables -A FORWARD -m tcp -p tcp --dport 1214 -j DROP
#### Liberar acesso ao proxy (local)
#iptables -A INPUT -s $LAN -i $WAN -p tcp -m tcp --dport 3128 -j ACCEPT
#############################################
# Fazer masquerade da rede local
#############################################
#iptables -t nat -A POSTROUTING -o 10.1.1.10 -j MASQUERADE
#############################################
# Fazer proxy transparente sem autenticação
#############################################
#iptables -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
#############################################
# Liberar pings
#############################################
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 0 -j ACCEPT
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 5 -j ACCEPT
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 8 -j ACCEPT
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 11 -j ACCEPT
#iptables -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 12 -j ACCEPT
#iptables -A INPUT -m limit --limit 5/s -p icmp --icmp-type 0 -j ACCEPT
#iptables -A INPUT -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT
#iptables -A INPUT -m limit --limit 5/s -p icmp --icmp-type 8 -j ACCEPT
#iptables -A INPUT -m limit --limit 5/s -p icmp --icmp-type 11 -j ACCEPT
#iptables -A INPUT -m limit --limit 5/s -p icmp --icmp-type 12 -j ACCEPT
#iptables -A OUTPUT -m limit --limit 5/s -p icmp --icmp-type 0 -j ACCEPT
#iptables -A OUTPUT -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT
#iptables -A OUTPUT -m limit --limit 5/s -p icmp --icmp-type 8 -j ACCEPT
#iptables -A OUTPUT -m limit --limit 5/s -p icmp --icmp-type 11 -j ACCEPT
#iptables -A OUTPUT -m limit --limit 5/s -p icmp --icmp-type 12 -j ACCEPT
#############################################
#BLOQUEIO CONTRA INVASAO
#iptables -t filter -A FORWARD -s 0/0 -d 10.1.1.1 -p tcp --sport 1025:65535 --dport 80 -m state --state NEW --syn -i $WAN -j ACCEPT
#############################################
#BLOQUEIO CONTRA SYNFLOODS
#iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#PORT SCANNERS OCULTOS
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#PING DA MORTE
#iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#PROTECAO CONTRA IP SPOOFING
#iptables -A INPUT -s 10.0.0.0/8 -i $WAN -j DROP
#iptables -A INPUT -s 172.16.0.0/16 -i $WAN -j DROP
#iptables -A INPUT -s 192.168.0.0/24 -i $WAN -j DROP
#GERA LOG DE ACESSO A PORTAS PROIBIDAS E ALGUNS BACKDOORS
#PORTA FTP
#iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "servico: FTP"
#PORTA WINCRASH
#iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "servico: Wincrash"
#PORTA BACK ORIFICE
#iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "servico: Back Orifice"
#BLOQUEANDO EM SILENCIO
#iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" -j DROP
#BLOQUEANDO POR UMA HORA
#iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" -m limit --limit 1/hour -j LOG
#PROTECAO CONTRA TROJAN
#iptables -A INPUT -i $LAN -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan LAN:"
#iptables -A INPUT -i $LAN -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan LAN:"
#iptables -A INPUT -i $LAN -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
#iptables -A INPUT -i $LAN -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
#iptables -A INPUT -i $WAN -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan WAN:"
#iptables -A INPUT -i $WAN -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan WAN:"
#iptables -A INPUT -i $WAN -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
#iptables -A INPUT -i $WAN -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
;;
stop)
echo "limpando Firewall"
#######################################
# Define politicas default
#######################################
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT
#######################################
# Limpa todas as regras
#######################################
#iptables -t filter -F
#iptables -t nat -F
#iptables -t mangle -F
#iptables -t raw -F
#########################################
;;
status)
#iptables -L -n
;;
*)
echo "Opcoes validas: (start|stop|status)"
;;
esac