
Posted on 30/09/2020 - 14:23h
Good afternoon everyone, I created this topic because I have already searched a lot but still haven't managed to find a solution to my problem, and I also know little about the subject.
wget 10.5.5.2:8123
#!/bin/bash
# first cleanup everything
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -P OUTPUT ACCEPT
# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow ssh over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
# allow webserver
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
# Allow masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# System
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Forwards
iptables -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -j ACCEPT
iptables -A OUTPUT -o as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o as0t0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i as0t0 -s 172.27.224.0/20 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i as0t0 -s 10.5.5.0/24 -d 0.0.0.0/0 -j ACCEPT
# Ports
iptables -A FORWARD -i eth0 -p tcp --dport 8123 -d 10.5.5.2 -j ACCEPT
iptables -A INPUT -i as0t0 -p tcp -s 10.5.5.2 --dport 8123 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to-destination 10.5.5.2:8123
# Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Chain INPUT (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere vps1234.publiccloud.com.br state NEW udp dpt:openvpn
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere vps1234.publiccloud.com.br state NEW tcp dpt:943
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:9090
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:9987
ACCEPT tcp -- anywhere anywhere tcp dpt:10011
ACCEPT tcp -- anywhere anywhere tcp dpt:30033
ACCEPT tcp -- 10.5.5.2 anywhere tcp dpt:8123
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 172.27.224.0/20 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT tcp -- anywhere 10.5.5.2 tcp dpt:8123
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
ACCEPT tcp -- anywhere anywhere tcp spt:9090
ACCEPT tcp -- anywhere anywhere tcp spt:webmin
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:9987
ACCEPT tcp -- anywhere anywhere tcp spt:10011
ACCEPT tcp -- anywhere anywhere tcp spt:30033
Chain AS0_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_DNS (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
RETURN all -- anywhere anywhere
Chain AS0_IN (5 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
AS0_U_INTERNAL_IN all -- 10.5.5.2 anywhere
AS0_IN_POST all -- anywhere anywhere
Chain AS0_IN_NAT (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere
Chain AS0_IN_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.5.5.0/24
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_DNS tcp -- anywhere anywhere state NEW tcp dpt:domain
AS0_DNS udp -- anywhere anywhere state NEW udp dpt:domain
AS0_IN all -- anywhere 191.212.53.0/24
AS0_IN all -- anywhere link-local/16
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere anywhere
Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
AS0_U_INTERNAL_OUT all -- anywhere 10.5.5.2
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere mark match 0x2000000/0x2000000
DROP all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_U_INTERNAL_IN (1 references)
target prot opt source destination
AS0_IN_NAT all -- anywhere 10.0.5.0/24
AS0_IN_NAT all -- anywhere 191.212.53.0/24
AS0_IN_POST all -- anywhere anywhere
Chain AS0_U_INTERNAL_OUT (1 references)
target prot opt source destination
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT all -- 10.0.5.0/24 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
DROP all -- anywhere anywhere
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.5.1 netmask 255.255.255.0 destination 10.0.5.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 33 bytes 4102 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 8027 (7.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 191.212.53.47 netmask 255.255.255.0 broadcast 191.212.53.255
ether 22:4f:cc:27:d2:59 txqueuelen 1000 (Ethernet)
RX packets 17463562 bytes 2335444365 (2.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6311788 bytes 1425763570 (1.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 123046 bytes 98937342 (94.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 123046 bytes 98937342 (94.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp2s0f2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.70 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c051:8794:97c4:7ac3 prefixlen 64 scopeid 0x20<link>
inet6 2804:d55:52e2:b800:8914:d08e:4895:4988 prefixlen 64 scopeid 0x0<global>
ether 80:ee:73:7d:7d:83 txqueuelen 1000 (Ethernet)
RX packets 2468025 bytes 216533800 (206.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13162807 bytes 1984356517 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 21451249 bytes 2170560228 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21451249 bytes 2170560228 (2.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.5.5.2 netmask 255.255.255.0 destination 10.5.5.2
inet6 fe80::cb53:8c05:d238:3cee prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 24 bytes 8027 (7.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 4150 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp1s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6c:71:d9:d2:1b:52 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
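The listing above shows OpenVPN Access Server's own AS0_* chains being consulted in FORWARD before any of the ACCEPT rules the script appends, so one useful check is to walk the jumps ahead of a rule and see whether a packet can be dropped before that rule is ever reached. The Python below is an added example, not code from the post or from OpenVPN AS: it parses `iptables -L` text (a constructed, abridged copy of the FORWARD chain and its AS0_* sub-chains) and reports every path to a catch-all DROP that sits in front of the 10.5.5.2:8123 rule.

```python
import re

# Constructed sample: an abridged copy of the FORWARD chain and the OpenVPN AS chains it
# jumps to, taken from the listing above. Caveat: plain `iptables -L` hides -i/-o interface
# matches, so confirm with `iptables -L -v -n` before trusting a rule that reads "anywhere".
SAMPLE = """\
Chain FORWARD (policy DROP)
target prot opt source destination
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.5.5.2 tcp dpt:8123
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere mark match 0x2000000/0x2000000
DROP all -- anywhere anywhere
"""

def parse_listing(text):  # -> {chain: [(target, source, destination, qualifiers), ...]}
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif line and not line.startswith("target") and current is not None:
            f = line.split()  # target prot opt source destination [qualifiers...]
            current.append((f[0], f[3], f[4], " ".join(f[5:])))
    return chains

def drop_paths_before(chains, chain, rule_index, path=()):
    # Jump paths from `chain` that reach a catch-all DROP/REJECT before rule `rule_index` (0-based).
    path, found = path + (chain,), []
    for target, src, dst, quals in chains[chain][:rule_index]:
        if target in chains:  # user-defined chain: walk it to its end
            found += drop_paths_before(chains, target, len(chains[target]), path)
        elif target in ("ACCEPT", "DROP", "REJECT", "RETURN") and (src, dst, quals) == ("anywhere", "anywhere", ""):
            if target in ("DROP", "REJECT"):
                found.append(path + (target,))
            break  # catch-all terminating rule: nothing after it is reachable
    return found

def check_rule(text, chain, dst, quals):  # shadowing report for the rule matching dst/quals
    chains = parse_listing(text)
    idx = next(i for i, r in enumerate(chains[chain]) if r[2:] == (dst, quals))
    return [" -> ".join(p) for p in drop_paths_before(chains, chain, idx)]
```

Running `check_rule(SAMPLE, "FORWARD", "10.5.5.2", "tcp dpt:8123")` lists the path FORWARD -> AS0_OUT_S2C -> AS0_OUT -> AS0_OUT_POST -> DROP, i.e. a forwarded packet that does not carry the 0x2000000 mark is dropped before the script's 8123 rule is consulted.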