Firewall

1. Firewall

alexsuporte2008
(usa RedHat)

Enviado em 11/05/2008 - 17:05h

quando eu reinicio o linux o firewall sobe normal, mais um das liberações que fiz não subiu e se eu restarto o serviço fire ele sobe mais as outras portas não funciona.

Os que estão em parenteses foi o que eu fiz hoje e no restart no serviço ele ativa mais os demais não

e se eu restarto o linux o firewall sobe mais o liberação que criei hoje não sobe.

segue aqui o rc.firewall

# Custom firewall rules.
# This file is executed by the firewall on stop/start/restart.
# LIBERA TRÃEGO DA LAN PARA CX. FEDERAL NA PORTA 80 (IDA/ VOLTA)
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.0/24 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 200.201.174.0/24 --dport 80 -j ACCEPT
# LIBERA TRÃEGO DA LAN PARA CX. FEDERAL NA PORTA 2631 (IDA/ VOLTA)
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.0/24 --dport 2631 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 200.201.174.0/24 --dport 2631 -j ACCEPT
# LIBERA TRÃEGO DA LAN PARA CX. FEDERAL NA PORTA 80 (IDA/ VOLTA)
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.0/24 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 200.201.174.0/24 --dport 80 -j ACCEPT
# LIBERA TRÃEGO DA LAN PARA CX. FEDERAL NA PORTA 2631 (IDA/ VOLTA)
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.0/24 --dport 2631 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 200.201.174.0/24 --dport 2631 -j ACCEPT
# EXCLUE IP DA CX. FEDERAL DO PROXY TRANSPARENTE
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.0.0/24 -d 200.201.174.0/24 --dport 80 -j RETURN
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.0.0/24 -s 200.201.174.0/24 --dport 80 -j RETURN
# REDIRECIONA TRÃEGO INTERNO PARA PROXY TRANSPARENTE
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -p udp -i eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128
################################### ## Conectividade Social ################################### ########################
########## Bloqueando Msn para toda rede ################################### ##
echo "Bloqueio do MSN Messenger para Toda Rede"
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p tcp --dport 1863 -j DROP
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p tcp --dport 7001 -j DROP
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p tcp --dport 1857 -j DROP
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p tcp --dport 554 -j DROP
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p udp --dport 554 -j DROP
/sbin/iptables -A PREROUTING -t nat -s 192.168.0.0/24 -p udp --dport 4662 -j DROP
#iptables -t nat -I PREROUTING -p 47 -j DNAT --to 192.168.0.253
#iptables -t nat -I PREROUTING -p tcp --dport 1723 -j DNAT --to 192.168.0.253
#iptables -t nat -I PREROUTING -p udp --dport 1723 -j DNAT --to 192.168.0.253
# Redirecionamento Microsiga
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 1909 -j DNAT --to-destination 192.168.0.11
iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 1909 -d 192.168.0.11 -j ACCEPT
iptables -A FORWARD -d 0.0.0.0/0 -p tcp --sport 1909 -s 192.168.0.11 -j ACCEPT
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 1024 -j DNAT --to-destination 192.168.0.10
iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 1024 -d 192.168.0.10 -j ACCEPT
iptables -A FORWARD -d 0.0.0.0/0 -p tcp --sport 1024 -s 192.168.0.10 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.11
iptables -A FORWARD -p tcp --dport 3389 -d 192.168.0.11 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -s 192.168.0.11 -j ACCEPT
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 2024 -j DNAT --to-destination 192.168.0.11
iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 2024 -d 192.168.0.11 -j ACCEPT
iptables -A FORWARD -d 0.0.0.0/0 -p tcp --sport 2024 -s 192.168.0.11 -j ACCEPT
# Redirecionar 1433 para maquina final 10
iptables -t nat -A PREROUTING -d xxx.xx.xxx.xx -p tcp --dport 1433 -j DNAT --to 192.168.0.10:1433
iptables -t nat -A POSTROUTING -d 192.168.0.10 -p tcp --dport 1433 -j SNAT --to xxx.xx.xxx.xx
# Redirecionar 2024 para maquina final 11
iptables -t nat -A PREROUTING -d xxx.xx.xxx.xx -p udp --dport 2024 -j DNAT --to 192.168.0.11:2024
iptables -t nat -A POSTROUTING -d 192.168.0.11 -p udp --dport 2024 -j SNAT --to xxx.xx.xxx.xx
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
# Redirecionamento FTP (criado hoje)
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.253
iptables -A FORWARD -s 0.0.0.0/0 -p tcp --dport 21 -d 192.168.0.253 -j ACCEPT
iptables -A FORWARD -d 0.0.0.0/0 -p tcp --sport 21 -s 192.168.0.253 -j ACCEPT
# Redirecinar FTP para maquina final 253(Criado hoje)
iptables -t nat -A PREROUTING -d xxx.xx.xxx.xx -p udp --dport 21 -j DNAT --to 192.168.0.21:21
iptables -t nat -A POSTROUTING -d 192.168.0.253 -p udp --dport 21 -j SNAT --to xxx.xx.xxx.xx
LLEVON="201.6.98.153 63.134.253.169 216.32.90.170 "
for i in $LLEVON; do {
iptables -I INPUT -s $i -j ACCEPT
iptables -I FORWARD -s $i -j ACCEPT
iptables -I FORWARD -d $i -j ACCEPT
iptables -I OUTPUT -d $i -j ACCEPT
}; done;

0 0

Quote