cabal_linux
(usa Linux Mint)
Enviado em 24/10/2012 - 20:52h
Boa noite pessoal, estou com um problema que e o seguinte.
Preciso que os IPs de 192.168.1.1 até 192.168.1.10 naveguem sem precisar passar pelo proxy.
Estou postando aqui meu script pra que possam me ajudar.
Estou usando o Debian 5.0.5
#!/bin/bash
#Nesse script levar em consideracao eth1 e eth0 rede local e internet respectivamente
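#######################################
# Loads the netfilter modules, resets every chain in the filter and nat
# tables and installs the gateway rule set (NAT sharing, transparent proxy
# redirect, port forwards, logging).
# Globals:   none (changes kernel state via modprobe, /proc and iptables)
# Arguments: none
# Outputs:   progress lines to stdout
# Returns:   0 (status of the final echo); individual iptables failures
#            are not checked
#######################################
iniciar() {
  local -r rede_local=192.168.1.0/24
  local -r porta_proxy=3128
  local ip porta entrada proto rotulo

  echo "Iniciando o Firewall .................................[ OK ]"
  echo "...."
  echo "..."
  echo ".."
  echo "."

  # Kernel modules, each loaded once (the original loaded iptable_nat twice
  # and wrote ip_forward twice).
  modprobe ip_tables
  modprobe iptable_nat
  modprobe ip_nat_ftp
  modprobe ip_conntrack_ftp
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Start from a clean state: default policies, then flush and delete every
  # chain in both tables. The original flushed the nat chains a second time
  # by name; --flush/--delete-chain on the table already covers them.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables --flush
  iptables --table nat --flush
  iptables --delete-chain
  iptables --table nat --delete-chain

  # Accept packets that belong to connections already being tracked.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Internet sharing.
  # NOTE(review): the header comment says eth1 is the LAN and eth0 the
  # internet, yet every rule below treats eth0 as the LAN side (-i eth0 with
  # 192.168.1.x sources, REDIRECT on -i eth0). Confirm which interface is
  # which before relying on this rule set.
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  # Accepts everything that enters eth0 for forwarding, so none of the
  # FORWARD filters further down (mail, MSN, 1025:65535) ever see that
  # traffic.
  iptables --append FORWARD --in-interface eth0 -j ACCEPT

  # Hosts that bypass the proxy. ACCEPT in nat/PREROUTING ends NAT
  # processing for that packet, so the REDIRECT rules below do not apply
  # to these sources.
  for ip in 192.168.1.{1..10}; do
    iptables -t nat -A PREROUTING -i eth0 -s "$ip" -d 0/0 -j ACCEPT
  done
  echo "Maquinas liberadas sem proxy .......................[ OK ]"

  # Mail: new connections from the LAN to the mail ports and the replies
  # (the --sport rules are already covered by the RELATED,ESTABLISHED rule).
  for porta in 25 110 465 587 995; do
    iptables -A FORWARD -p tcp -s "$rede_local" --dport "$porta" -j ACCEPT
    iptables -A FORWARD -p tcp --sport "$porta" -j ACCEPT
  done
  # No -o here: masquerades everything leaving the box on any interface,
  # including traffic going out the LAN side.
  iptables -t nat -A POSTROUTING -j MASQUERADE

  # Block MSN (dead for packets that entered via eth0, see the blanket
  # FORWARD ACCEPT above).
  iptables -A FORWARD -s "$rede_local" -p tcp --dport 1863 -j REJECT

  # Ports the gateway itself accepts from any interface. The original
  # listed tcp/3050 twice.
  for porta in 20 21 22 25 53 80 110 443 221 3050 4000; do
    iptables -A INPUT -p tcp --dport "$porta" -j ACCEPT
  done
  for porta in 53 3050; do
    iptables -A INPUT -p udp --dport "$porta" -j ACCEPT
  done
  # Remote Desktop (any interface, so the later eth0-only copy was redundant).
  iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
  # Reject ICMP aimed at the gateway; ICMP errors tied to tracked
  # connections were already accepted by the RELATED rule.
  iptables -A INPUT -p icmp -j REJECT
  # Proxy and HTTP ports on eth0.
  iptables -A INPUT -p tcp --dport "$porta_proxy" -i eth0 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT

  # Transparent proxy: web traffic entering eth0 goes to Squid. The
  # original also had 192.168.1.0/25 copies of these two rules, which are
  # subsets of the unrestricted ones.
  # NOTE(review): port 443 carries TLS while 3128 is a plain-HTTP proxy
  # port, so the 443 redirect is likely to break HTTPS for proxied hosts;
  # the hosts accepted above are not affected because they skip this rule.
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port "$porta_proxy"
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port "$porta_proxy"

  # Log attempts on eth0 to selected ports. Ports already ACCEPTed above
  # (20, 21, 22, 25, 80, 110, 3128 on eth0) never reach these rules, so in
  # practice only the remaining entries produce log lines.
  for entrada in \
    "tcp 20 ftp" \
    "tcp 21 ftp" \
    "tcp 22 ssh" \
    "tcp 23 telnet" \
    "tcp 25 smtp" \
    "tcp 80 http" \
    "tcp 110 pop3" \
    "udp 111 rpc" \
    "tcp 113 identd" \
    "tcp 137:139 samba" \
    "udp 137:139 samba" \
    "tcp 161:162 snmp" \
    "tcp 6881 torrent" \
    "udp 6885 torrent" \
    "udp 4444 torrent" \
    "tcp 6667:6668 irc" \
    "tcp 3128 squid"; do
    read -r proto porta rotulo <<<"$entrada"
    iptables -A INPUT -p "$proto" --dport "$porta" -i eth0 -j LOG --log-prefix "FIREWALL: $rotulo: "
  done
  echo "Gerador de LOG's ativado .............................[ OK ]"

  # Firebird server behind the gateway.
  iptables -t nat -A PREROUTING -p tcp --dport 3050 -j DNAT --to 192.168.1.1:3050
  iptables -t nat -A PREROUTING -p udp --dport 3050 -j DNAT --to 192.168.1.1:3050
  # SSH server behind the gateway. These two rules have no -i or -d match,
  # so they already cover the per-interface and -d 192.168.1.3 variants the
  # original listed as well. Because they match every destination, SSH to
  # the gateway's own addresses also ends up on 192.168.1.3.
  iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to 192.168.1.3:22
  iptables -t nat -A PREROUTING -p udp --dport 22 -j DNAT --to 192.168.1.3:22
  # Remote Desktop server behind the gateway.
  iptables -A FORWARD -i eth0 -d 0/0 -p tcp -m tcp --dport 3389 -j ACCEPT
  iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to 192.168.1.1

  # Block new TCP connections from the LAN to ports 1025-65535.
  iptables -A INPUT -s "$rede_local" -p tcp --dport 1025:65535 -j DROP
  iptables -A FORWARD -s "$rede_local" -p tcp --dport 1025:65535 -j DROP
  # Last rule: reject any other new TCP connection to the gateway.
  iptables -A INPUT -p tcp --syn -j REJECT
  echo "Ativacao de regras de firewall .......................[ OK ]"
}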
#######################################
# Empties the nat chains that iniciar fills and the whole filter table,
# leaving the default policies in place.
# Globals:   none
# Arguments: none
# Outputs:   one status line to stdout
# Returns:   0 (status of the final echo)
#######################################
parar() {
  local cadeia
  for cadeia in POSTROUTING PREROUTING OUTPUT; do
    iptables -t nat -F "$cadeia"
  done
  iptables -F
  # The policies stay the same as in iniciar rather than being opened: with
  # no rules left (the RELATED,ESTABLISHED accept is gone too) the box
  # accepts and forwards nothing after "stop", including an administrator's
  # existing network session to it.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  echo "Desativacao de regras de firewall ....................[ OK ]"
}
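# Entry point: dispatch on the first argument. ${1:-} keeps this safe if the
# script is ever run with `set -u`.
case "${1:-}" in
  start) iniciar ;;
  stop) parar ;;
  restart)
    parar
    iniciar
    ;;
  *)
    # Usage goes to stderr with a non-zero status so callers (init, cron)
    # can tell a bad argument from a successful run.
    echo "Indique um dos parametros de configuracao 'start' ou 'stop' ou 'restart'" >&2
    exit 1
    ;;
esac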
Agradeço a ajuda de voces.
Aguardo