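#!/bin/bash
# chkconfig: 35 90 92
#
# iptables firewall init script: start|stop|restart|status|panic.
# Needs /etc/init.d/functions (provides `action`), iptables, ifconfig and,
# when VPN_SERVER=Y, openvpn with /etc/openvpn/taubate.conf.
. /etc/init.d/functions
# The ifconfig parsing below matches the pt_BR label "inet end"; keep LANG and
# the grep pattern in sync (an English locale prints "inet addr" instead).
export LANG="pt_BR"
IF_EXT="eth1"
# Public address and broadcast of the external interface, parsed from ifconfig:
# field 2 after ':' is " <ip>  Bcast", field 3 is "<bcast>  Masc".
IP_EXT=$(ifconfig "$IF_EXT" | grep "inet end" | cut -d: -f2 | cut -d ' ' -f2)
BRO_EXT=$(ifconfig "$IF_EXT" | grep "Bcast" | cut -d: -f3 | cut -d ' ' -f1)
# An empty IP_EXT turns every "-d $IP_EXT" rule into a malformed one that
# iptables rejects, so report it once here instead of rule by rule.
if [ -z "$IP_EXT" ]; then
  echo "aviso: nao foi possivel ler o endereco de $IF_EXT; regras com IP_EXT vao falhar" >&2
fi
IF_INT="eth0"
IP_INT="192.168.20.5"
BRO_INT="192.168.20.255"
REDE_INT="192.168.20.0/24"
# Sources allowed to reach SSH on the public address. 0.0.0.0/0 is the whole
# Internet; narrow it to the networks administration really comes from.
REMOTOS="0.0.0.0/0"
# Reserved/private ranges that never legitimately arrive on IF_EXT.
REDES_RESERVADAS="0.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 127.0.0.0/8"
# Space-separated lists; an empty list disables the corresponding rules.
DNS_PARCEIRO=""   # partner DNS servers allowed to do zone transfers (tcp/53)
IP_INTSRV=""      # not referenced anywhere in this script
LISTA_NEGRA=""    # sources dropped unconditionally on INPUT
# Enables the transparent proxy (LAN port 80 redirected to Squid on 3128)
TRANSPARENT_PROXY="Y"
# Sites that must bypass the proxy (resolved when the rules are loaded)
SEM_PROXY="www.receita.fazenda.gov.br"
#############################################################
# VPN parameters
#############################################################
# VPN interfaces, space separated
IF_VPN="tun0"
# Network of the VPN tunnel
NET_VPN="10.8.0.0/24"
# Client networks, space separated
NET_VPN_CLIENTS="192.168.10.0/24"
# Public IPs of the clients
IP_CLIENTS="201.62.112.26"
VPN_SERVER="Y"
#############################################################
# Kernel configuration
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Reverse-path filtering is OFF here, so the kernel does not back up the
# REDES_RESERVADAS anti-spoofing list; set it to 1 unless asymmetric routing
# (e.g. through the VPN) really requires it.
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Module loading (the *_ftp helpers let conntrack follow FTP data connections)
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp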
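# Sets DROP policies, then flushes every table (policies first, so there is
# no moment with empty chains and an ACCEPT policy left over from "stop").
fw_reset() {
  local chain table
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
}

# Drops TCP packets with impossible flag combinations on the given chain.
fw_drop_bogus_tcp() {
  local chain=$1
  iptables -A "$chain" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
}

# INPUT chain: traffic addressed to the firewall itself.
fw_input_rules() {
  local vpn_if net client net_spoof black port src dns
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw_drop_bogus_tcp INPUT
  iptables -A INPUT -i lo -j ACCEPT
  # VPN: start openvpn if it is not running, then accept tunnel traffic.
  # The test must be "$VPN_SERVER" = "Y" with spaces: written as one word
  # it is a non-empty-string test and is always true.
  if [ "$VPN_SERVER" = "Y" ]; then
    if [ -z "$(pidof openvpn)" ]; then
      /usr/local/sbin/openvpn --config /etc/openvpn/taubate.conf --daemon
      sleep 3
    fi
    for vpn_if in $IF_VPN; do   # word-splitting on the list is intended
      iptables -A INPUT -i "$vpn_if" -s "$NET_VPN" -j ACCEPT
      for net in $NET_VPN_CLIENTS; do
        iptables -A INPUT -i "$vpn_if" -s "$net" -j ACCEPT
      done
    done
    for client in $IP_CLIENTS; do
      iptables -A INPUT -i "$IF_EXT" -p udp --dport 1194 -s "$client" -j ACCEPT
    done
  fi
  # Classic spoofing: reserved ranges arriving on the external interface
  for net_spoof in $REDES_RESERVADAS; do
    iptables -A INPUT -s "$net_spoof" -i "$IF_EXT" -j DROP
  done
  # Blacklist (empty list = no rules)
  for black in $LISTA_NEGRA; do
    iptables -A INPUT -s "$black" -j DROP
  done
  # TOS for HTTP replies
  iptables -t mangle -A INPUT -p tcp --sport http -j TOS --set-tos Maximize-Throughput
  # No ping from the outside; every other ICMP is accepted
  iptables -A INPUT -p icmp --icmp-type echo-request -i "$IF_EXT" -j DROP
  iptables -A INPUT -p icmp -j ACCEPT
  # LAN --> local DHCP, NTP and DNS
  iptables -A INPUT -p udp -i "$IF_INT" --dport 67 -j ACCEPT
  iptables -A INPUT -p udp -i "$IF_INT" -s "$REDE_INT" --sport 123 --dport 123 -j ACCEPT
  iptables -A INPUT -p udp -s "$REDE_INT" -i "$IF_INT" --dport 53 -j ACCEPT
  # LAN --> local TCP services: HTTP, HTTPS, CUPS, SWAT, Squid, FTP, SSH,
  # POP3, SMTP (add 5432 PostgreSQL, 3306 MySQL or 23 Telnet here if needed)
  for port in 80 443 631 901 3128 21 22 110 25; do
    iptables -A INPUT -p tcp -s "$REDE_INT" -i "$IF_INT" --dport "$port" -j ACCEPT
  done
  # LAN --> Samba
  iptables -A INPUT -p tcp -s "$REDE_INT" -i "$IF_INT" -m multiport --dports 139,445 -j ACCEPT
  iptables -A INPUT -p udp -s "$REDE_INT" -i "$IF_INT" -m multiport --dports 137,138 -j ACCEPT
  # World --> local HTTP. DNS, HTTPS, POP3 and SMTP stay closed to the world;
  # expose them the same way if required:
  # iptables -A INPUT -p udp -i "$IF_EXT" -d "$IP_EXT" --dport 53 -j ACCEPT
  # iptables -A INPUT -p tcp -i "$IF_EXT" -d "$IP_EXT" --dport 443 -j ACCEPT
  # iptables -A INPUT -p tcp -i "$IF_EXT" -d "$IP_EXT" --dport 110 -j ACCEPT
  # iptables -A INPUT -p tcp -i "$IF_EXT" -d "$IP_EXT" --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp -i "$IF_EXT" -d "$IP_EXT" --dport 80 -j ACCEPT
  # Remote SSH administration, only from REMOTOS (0.0.0.0/0 = anyone)
  for src in $REMOTOS; do
    iptables -A INPUT -p tcp -s "$src" -i "$IF_EXT" -d "$IP_EXT" --dport 22 -j ACCEPT
  done
  # World --> FTP (open to any source; data connections arrive as RELATED)
  iptables -A INPUT -p tcp -i "$IF_EXT" --dport 21 -j ACCEPT
  # DNS zone transfers from partner servers
  for dns in $DNS_PARCEIRO; do
    iptables -A INPUT -p tcp -s "$dns" -i "$IF_EXT" --dport 53 -j ACCEPT
  done
  # Broadcasts
  iptables -A INPUT -d 255.255.255.255 -j DROP
  iptables -A INPUT -d "$BRO_INT" -j DROP
  iptables -A INPUT -d "$BRO_EXT" -j DROP
  # SSDP/Messenger announcements, dropped without logging
  iptables -A INPUT -p udp --dport 1900 -j DROP
  # Log what is left, then REJECT the LAN; the DROP policy handles the rest
  iptables -A INPUT -i "$IF_EXT" -j LOG -m limit --limit 30/m --limit-burst 5 --log-prefix "Entrada EXT: "
  iptables -A INPUT ! -i "$IF_EXT" -j LOG -m limit --limit 30/m --limit-burst 5 --log-prefix "Entrada LAN: "
  iptables -A INPUT -i "$IF_INT" -j REJECT
}

# OUTPUT chain: traffic generated by the firewall itself.
fw_output_rules() {
  local vpn_if net client port dns
  iptables -A OUTPUT -m state --state INVALID -j DROP
  # NEW is accepted here, so in practice every outbound connection is allowed
  # and the per-port rules below are rarely reached; they document intent
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  fw_drop_bogus_tcp OUTPUT
  iptables -A OUTPUT -o lo -j ACCEPT
  if [ "$VPN_SERVER" = "Y" ]; then
    for vpn_if in $IF_VPN; do
      iptables -A OUTPUT -o "$vpn_if" -d "$NET_VPN" -j ACCEPT
      for net in $NET_VPN_CLIENTS; do
        iptables -A OUTPUT -o "$vpn_if" -d "$net" -j ACCEPT
      done
    done
    for client in $IP_CLIENTS; do
      iptables -A OUTPUT -o "$IF_EXT" -p udp --sport 1194 -d "$client" -j ACCEPT
    done
  fi
  iptables -t mangle -A OUTPUT -p tcp --sport http -j TOS --set-tos Maximize-Throughput
  # Server --> LAN: Samba, DNS and TCP services (HTTP, HTTPS, FTP, SSH,
  # Telnet, POP3, SMTP; add 1024:65535 for high ports if needed)
  iptables -A OUTPUT -p tcp -o "$IF_INT" -m multiport --dports 139,445 -j ACCEPT
  iptables -A OUTPUT -p udp -o "$IF_INT" -m multiport --dports 137,138 -j ACCEPT
  iptables -A OUTPUT -p udp -o "$IF_INT" --dport 53 -j ACCEPT
  for port in 80 443 21 22 23 110 25; do
    iptables -A OUTPUT -p tcp -o "$IF_INT" --dport "$port" -j ACCEPT
  done
  # ICMP to anywhere
  iptables -A OUTPUT -p icmp -j ACCEPT
  # Server --> world: NTP, DNS and TCP services (Whois, HTTP, HTTPS, SMTP,
  # POP3, Telnet, SSH, FTP); DHCP on 67,68/udp stays disabled
  iptables -A OUTPUT -p udp -s "$IP_EXT" -o "$IF_EXT" --dport 123 -j ACCEPT
  iptables -A OUTPUT -p udp -s "$IP_EXT" -o "$IF_EXT" --dport 53 -j ACCEPT
  for port in 43 80 443 25 110 23 22 21; do
    iptables -A OUTPUT -p tcp -s "$IP_EXT" -o "$IF_EXT" --dport "$port" -j ACCEPT
  done
  # Speedy (ISP) authentication
  iptables -A OUTPUT -p tcp -s "$IP_EXT" -o "$IF_EXT" -m multiport --dports 85,86 -j ACCEPT
  # DNS zone transfers to partner servers
  for dns in $DNS_PARCEIRO; do
    iptables -A OUTPUT -p tcp -s "$IP_EXT" -o "$IF_EXT" -d "$dns" --dport 53 -j ACCEPT
  done
  iptables -A OUTPUT -j LOG -m limit --limit 30/m --limit-burst 5 --log-prefix "Saída: "
}

# FORWARD chain: LAN <-> world and VPN routing.
fw_forward_rules() {
  local vpn_if net site ip_site port msn_user
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  fw_drop_bogus_tcp FORWARD
  if [ "$VPN_SERVER" = "Y" ]; then
    for vpn_if in $IF_VPN; do
      iptables -A FORWARD -o "$vpn_if" -d "$NET_VPN" -j ACCEPT
      iptables -A FORWARD -i "$vpn_if" -s "$NET_VPN" -j ACCEPT
      for net in $NET_VPN_CLIENTS; do
        iptables -A FORWARD -o "$vpn_if" -d "$net" -j ACCEPT
        iptables -A FORWARD -i "$vpn_if" -s "$net" -j ACCEPT
      done
    done
  fi
  iptables -t mangle -A FORWARD -p tcp --dport http -j TOS --set-tos Maximize-Throughput
  # LAN --> world ICMP
  iptables -A FORWARD -p icmp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" -j ACCEPT
  # LAN --> world HTTP, through Squid when the transparent proxy is on
  if [ "$TRANSPARENT_PROXY" = "Y" ]; then
    # Bypass sites are resolved now; a later DNS change needs a restart
    for site in $SEM_PROXY; do
      for ip_site in $(host "$site" | grep "has address" | cut -d ' ' -f4); do
        iptables -t nat -A PREROUTING -p tcp -s "$REDE_INT" -d "$ip_site" -i "$IF_INT" --dport 80 -j RETURN
        iptables -A FORWARD -p tcp -s "$REDE_INT" -d "$ip_site" -i "$IF_INT" -o "$IF_EXT" --dport 80 -j ACCEPT
      done
    done
    iptables -t nat -A PREROUTING -p tcp -s "$REDE_INT" ! -d "$REDE_INT" -i "$IF_INT" --dport 80 -j REDIRECT --to-ports 3128
    # NOTE(review): matches LAN-to-LAN destinations leaving through IF_EXT,
    # which is unlikely to occur; confirm whether "! -d" was intended
    iptables -A FORWARD -p tcp -s "$REDE_INT" -d "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 80 -j ACCEPT
  else
    iptables -A FORWARD -p tcp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 80 -j ACCEPT
  fi
  # LAN --> world NTP and DNS
  iptables -A FORWARD -p udp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 123 -j ACCEPT
  iptables -A FORWARD -p udp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 53 -j ACCEPT
  # LAN --> world TCP: Whois, Honda IHS (135 and 5000:5005), HTTPS, SMTP,
  # POP3, IMAP, FTP, SSH, Telnet. PPTP (1723 + GRE), SMB and KaZaA stay off.
  for port in 43 135 5000:5005 443 25 110 143 21 22 23; do
    iptables -A FORWARD -p tcp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport "$port" -j ACCEPT
  done
  # Speedy (ISP) authentication
  iptables -A FORWARD -p tcp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" -m multiport --dports 85,86 -j ACCEPT
  # Messenger: only the hosts listed in /etc/squid/Free_Users; a missing
  # file simply means nobody is allowed
  if [ -r /etc/squid/Free_Users ]; then
    for msn_user in $(grep '^192\.' /etc/squid/Free_Users); do
      iptables -A FORWARD -p tcp -s "$msn_user" -i "$IF_INT" -o "$IF_EXT" --dport 1863 -j ACCEPT
    done
  fi
  iptables -A FORWARD -p tcp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 1863 -j REJECT
  # High ports: the LAN may reach any port >= 1024. These must stay after the
  # 1863 REJECT above, otherwise Messenger would be open to everyone.
  iptables -A FORWARD -p tcp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 1024:65535 -j ACCEPT
  iptables -A FORWARD -p udp -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" --dport 1024:65535 -j ACCEPT
  # Log both directions, then REJECT LAN --> world; the policy drops the rest
  iptables -A FORWARD -i "$IF_INT" -o "$IF_EXT" -j LOG -m limit --limit 30/m --limit-burst 5 --log-prefix "Lan-->Mundo: "
  iptables -A FORWARD -o "$IF_INT" -i "$IF_EXT" -j LOG -m limit --limit 30/m --limit-burst 5 --log-prefix "Mundo-->Lan: "
  iptables -A FORWARD -s "$REDE_INT" -i "$IF_INT" -o "$IF_EXT" -j REJECT
}

# NAT: masquerade the LAN behind the external interface.
fw_nat_rules() {
  iptables -t nat -A POSTROUTING -s "$REDE_INT" -o "$IF_EXT" ! -d "$REDE_INT" -j MASQUERADE
}

# Loads the complete rule set; used by "start" and "restart".
# Routing is switched on only after all rules are in place.
start() {
  echo -ne "Iniciando o Firewall\r"
  fw_reset
  fw_input_rules
  fw_output_rules
  fw_forward_rules
  fw_nat_rules
  echo 1 > /proc/sys/net/ipv4/ip_forward
  action $"Iniciando o Firewall" echo -n
}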
# Disables routing, flushes every table, opens the policies and stops openvpn.
stop() {
  local table chain
  echo -ne "Parando o Firewall\r"
  # Stop forwarding between interfaces
  echo 0 > /proc/sys/net/ipv4/ip_forward
  for table in filter nat mangle; do
    iptables -t "$table" -F
  done
  iptables -X
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
  killall openvpn
  action $"Parando o Firewall" echo -n
}
# Prints the filter table, then the nat table, with packet/byte counters.
status() {
  iptables -L -n -v
  printf '\n\n######################################\n'
  printf ' Regras de NAT\n'
  printf '######################################\n\n\n'
  iptables -L -n -t nat -v
}
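# Locks the host down: routing off, every policy DROP, only loopback allowed.
# Policies are set before flushing so that no packet is accepted during the
# reset, then openvpn is stopped.
panic() {
  local chain table
  echo -ne "Trancando tudo...\r"
  echo 0 > /proc/sys/net/ipv4/ip_forward
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
  for table in filter nat mangle; do
    iptables -t "$table" -F
  done
  # Local traffic only
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  killall openvpn
  action $"Trancando tudo..." echo -n
}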
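# Dispatch on the init action. Usage errors go to stderr with exit 1;
# every valid action exits 0.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  panic)
    panic
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Uso: ${0##*/} start|stop|restart|status|panic" >&2
    exit 1
    ;;
esac
exit 0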
O que preciso é adicionar nesse firewall uma regra para receber uma requisição externa e direcioná-la para uma máquina interna.
Exemplo:
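# Port forwarding: TCP/8090 arriving on the public address is DNATed to the
# internal host 192.168.20.125 (the port is kept). Two corrections versus the
# draft: "-i" takes an interface name, not an address (the public IP belongs
# in "-d"), and the nat table only sees the first packet of a connection, so
# a "-m state" match adds nothing in PREROUTING.
iptables -t nat -A PREROUTING -i "$IF_EXT" -d "$IP_EXT" -p tcp --dport 8090 \
  -j DNAT --to-destination 192.168.20.125
# The FORWARD policy is DROP and the script only accepts ESTABLISHED,RELATED
# from the outside, so the translated packets also need an explicit accept,
# placed in start() before the "Mundo-->Lan" LOG rule.
iptables -A FORWARD -i "$IF_EXT" -o "$IF_INT" -p tcp -d 192.168.20.125 --dport 8090 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT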
Está correto?