.:Leo:.
(usa CentOS)
Enviado em 20/11/2009 - 13:21h
Pessoal sou novato em relação a iptables e squid e então venho aqui pedir ajuda pra vocês.
Tenho um servidor linux, onde nele ficam os dados e o firewall, e outra maquina com Windows, ambas na mesma rede e gostaria de poder acessar remotomente essa outra maquina (Windows, ip: 192.168.1.3), atraves da "conexão de area de trabalho remota" nesse meu script abaixo, gostaria de saber como adicionar uma exeção para poder permitir isso.
Desde já agradece a paciência e colaboração.
##### shell script firewall #####
iniciar(){
echo "Definindo variaveis"
ILOCAL=eth0
INET=eth1
RESTAB1=192.168.1.0/24
RESTAB2=192.168.2.0/24
RESTAB4=192.168.3.0/24
RESTAB5=192.168.4.0/24
RESTAB6=192.168.5.0/24
RESTAB7=192.168.6.0/24
RPLENA=192.168.10.0/24
echo "Variaveis definidas"
#echo "Carregando modulos necessarios"
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_tables
modprobe ipt_iprange
modprobe ipt_TOS
modprobe ipt_tos
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_REDIRECT
modprobe ipt_MASQUERADE
modprobe ipt_TCPMSS
#echo "Modulos carregados"
echo "Definindo a politica padrao para cada chain"
# Tabela filter
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Tabela nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING DROP
# Tabela mangle
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
echo "Politica padrao definido"
echo "Ativando o roteamento de pacotes (requerido para NAT)"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Iniciando regras da tabela filter"
####################################################
# Tabela FILTER #
####################################################
echo "Iniciando regras da chain input da tabela filter"
##### Chain INPUT #####
echo "Criando a chain net-input para tratar trafego da internet"
iptables -N net-input
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -A INPUT -i lo -j ACCEPT
# Permitindo trafego interno
iptables -A INPUT -s $RESTAB1 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RESTAB2 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RESTAB4 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RESTAB5 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RESTAB6 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RESTAB7 -i $ILOCAL -j ACCEPT
iptables -A INPUT -s $RPLENA -i $ILOCAL -j ACCEPT
# Acesso ssh da maquina do diomar
iptables -A INPUT -p tcp -s 192.168.1.250/32 --dport 22 -j ACCEPT
# Conexoes da Internet sao tratadas pelo chain net-input
iptables -A INPUT -i $INET -j net-input
# Conexoes desconhecidas sao registradas e derrubadas
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
iptables -A INPUT -j DROP
echo "Inciando regras da chain forward da tabela filter"
##### Chain FORWARD #####
# Trafego liberado entre as redes plena-matriz-filiais
iptables -A FORWARD -d $RESTAB2 -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB4 -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB5 -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB6 -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB7 -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RESTAB2 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RESTAB4 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RESTAB5 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RESTAB6 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RESTAB7 -j ACCEPT
iptables -A FORWARD -d $RPLENA -s $RESTAB1 -j ACCEPT
iptables -A FORWARD -d $RESTAB1 -s $RPLENA -j ACCEPT
# Permite redirecionamento de conexoes entre as interfaces locais especificadas
iptables -A FORWARD -d $RESTAB1 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -d $RESTAB2 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -d $RESTAB4 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -d $RESTAB5 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -d $RESTAB6 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -d $RESTAB7 -i $INET -o $ILOCAL -j ACCEPT
iptables -A FORWARD -s $RESTAB1 -i $ILOCAL -o $INET -j ACCEPT
iptables -A FORWARD -s $RESTAB2 -i $ILOCAL -o $INET -j ACCEPT
iptables -A FORWARD -s $RESTAB4 -i $ILOCAL -o $INET -j ACCEPT
iptables -A FORWARD -s $RESTAB5 -i $ILOCAL -o $INET -j ACCEPT
iptables -A FORWARD -s $RESTAB6 -i $ILOCAL -o $INET -j ACCEPT
iptables -A FORWARD -s $RESTAB7 -i $ILOCAL -o $INET -j ACCEPT
# Trafego vindo/indo para outras interfaces sao registrados e bloqueados
iptables -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "
iptables -A FORWARD -j DROP
echo "Inciando regras da chain net-input"
##### Chain net-input #####
# Permite icmp vindo da Internet com certa limitacao
iptables -A net-input -p icmp -m limit --limit 2/s -j ACCEPT
# Aceita trafego vindo da Internet para o servico www (porta 80)
iptables -A net-input -p tcp --dport 80 -j ACCEPT
# Permitindo acesso soluma via SSH e area de trabalho remota do windows xp
#iptables -A net-input -s 200.193.231.154 -p tcp -j ACCEPT
# Permitindo acesso Signature a area de trabalho remota da Xdoc
#iptables -A net-input -s 200.162.240.72 -p tcp -j ACCEPT
#iptables -A net-input -s 189.62.19.55 -p tcp -j ACCEPT
#iptables -A net-input -s 200.169.162.10 -p tcp -j ACCEPT
# Tentativa de acesso externo a certos servicos sao registrados e bloqueados
iptables -A net-input -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "
iptables -A net-input -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc "
iptables -A net-input -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc "
iptables -A net-input -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
iptables -A net-input -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
# Registra e bloqueia tentativa de novas conexoes
iptables -A net-input -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: net-in"
iptables -A net-input -m state --state ! ESTABLISHED,RELATED -j DROP
# Aceita qualquer outro tipo de trafego
iptables -A net-input -j ACCEPT
echo "Iniciando regras tabela nat"
####################################################
# Tabela NAT #
####################################################
echo "Inciando regras da chain postrouting da tabela nat"
##### Chain POSTROUTING #####
# Permite qualquer conexao vinda com destino a lo e rede local para eth0
iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB1 -o $ILOCAL -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB2 -o $ILOCAL -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB4 -o $ILOCAL -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB5 -o $ILOCAL -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB6 -o $ILOCAL -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB7 -o $ILOCAL -j ACCEPT
echo "Mascaramento de outros servicos da rede interna indo para Internet"
iptables -t nat -A POSTROUTING -s $RESTAB1 -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $RESTAB2 -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $RESTAB4 -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $RESTAB5 -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $RESTAB6 -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $RESTAB7 -o $INET -j MASQUERADE
# Liberando acesso direto signature
#iptables -t nat -A POSTROUTING -s $RESTAB1 -o $INET -d 200.169.162.10 -j ACCEPT
# Liberando accesso direto a smtp
iptables -t nat -A POSTROUTING -s $RESTAB1 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB2 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB4 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB5 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB6 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
iptables -t nat -A POSTROUTING -s $RESTAB7 -o $INET -m multiport -p tcp --dports 22,25,53,110,443,465,587,995 -j ACCEPT
# Registrando e bloqueando trafego desconhecido da Internet para rede interna
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB1 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB2 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB4 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB5 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB6 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB7 -j LOG --log-prefix "FIREWALL: SNAT unknown "
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB1 -j DROP
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB2 -j DROP
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB4 -j DROP
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB5 -j DROP
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB6 -j DROP
iptables -t nat -A POSTROUTING -o $ILOCAL -d $RESTAB7 -j DROP
# Conexao real estabelecida, endereco modificado, trafego liberado
iptables -t nat -A POSTROUTING -o $INET -j ACCEPT
# Registrando e bloqueando qualquer outro tipo de trafego desconhecido
iptables -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: SNAT "
iptables -t nat -A POSTROUTING -j DROP
echo "Inciando regras da chain prerouting da tabela nat"
##### Chain PREROUTING #####
# Acesso signature
#iptables -t nat -A PREROUTING -s 200.169.162.10 -j DNAT --to 192.168.1.15
# Permitindo acesso soluma via SSH e area de trabalho remota do windows xp
#iptables -t nat -A PREROUTING -s 200.193.231.154 -p tcp -i $INET -j DNAT --to 192.168.1.11:22
#iptables -t nat -A PREROUTING -s 200.193.231.154 -p tcp -i $INET -j DNAT --to 192.168.1.15:3389
# Permitindo acesso Signature a area de trabalho remota da Xdoc
#iptables -t nat -A PREROUTING -s 200.162.240.72 -p tcp -i $INET -j DNAT --to 192.168.1.15:3389
#iptables -t nat -A PREROUTING -s 189.62.19.55 -p tcp -i $INET -j DNAT --to 192.168.1.15:3389
# Permitindo estacao diomar direto pelo NAT
iptables -t nat -A PREROUTING -i $ILOCAL -s 192.168.1.15/32 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $ILOCAL -s 192.168.1.250/32 -p tcp --dport 80 -j ACCEPT
# Redireciona o trafego da porta 80 para 3128 (squid)
echo "Redirecionando trafego para o squid"
iptables -t nat -A PREROUTING -i $ILOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Inciando regras da tabela mangle"
####################################################
# Tabela MANGLE #
####################################################
echo "Iniciando regras da chain output da tabela mangle"
##### Chain OUTPUT #####
# Definindo minimo de espera para servicos ftp, telnet, irc e DNS
#iptables -t mangle -A OUTPUT -o $INET -p tcp --dport 21 -j TOS --set-tos 0x10
#iptables -t mangle -A OUTPUT -o $INET -p tcp --dport 23 -j TOS --set-tos 0x10
#iptables -t mangle -A OUTPUT -o $INET -p tcp --dport 6665:6668 -j TOS --set-tos 0x10
#iptables -t mangle -A OUTPUT -o $INET -p tcp --dport 53 -j TOS --set-tos 0x10
}
parar(){
echo "Desabilitando o repasse de pacotes do kernel"
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
echo "Regras de firewall e compartilhamento desativados"
}
case "$1" in
"start") iniciar;;
"stop") parar;;
"restart") parar; iniciar;;
*) echo "Use os parametros start ou stop";;
esac