edilmarcio
(usa Debian)
Enviado em 06/03/2013 - 10:06h
Bom dia Galera do VOL, estou com o seguinte problema:
O site
www.agricultura.gov.br não abre não minhas máquinas da rede nem a pau ....
Porem no firewall ele baixa a index.html normalmente ..
alguém pode me ajudar ... segue abaixo regras do firewall
#!/bin/bash
iniciar(){
# Compartilhar conexão:
#Regras Iniciais
route del default gw 192.168.2.1
IF_LAN='eth1'
IF_LINK1='eth2'
IF_LINK2='eth0'
GW_LINK1='192.168.200.1'
GW_LINK2='192.168.2.1'
##-----------------------------------------------------------------------------------
modprobe iptable_nat
modprobe ipt_string
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 10 > /proc/sys/net/ipv4/route/gc_timeout
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5190 -j REJECT
echo "Compartilhamento ativado."
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/24 -d
www.agricultura.gov.br -p tcp --dport 80 -j RETURN
##-----------------------------------------------------------------------------------
#Conectividade SOcial
iptables -t nat -I PREROUTING -i eth1 -p tcp -d 200.201.160/20 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
# Balanceamento de carga com marcacao de pacotes------------------------------
iptables -t mangle -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j MARK --set-mark 1001
iptables -t mangle -A PREROUTING -i $IF_LAN -p tcp --dport 443 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i $IF_LAN -p tcp --dport 587 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i $IF_LAN -p tcp --dport 110 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i $IF_LAN -p tcp --dport 3389 -j MARK --set-mark 1000
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 1001
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 1000
iptables -t mangle -A OUTPUT -p tcp --dport 587 -j MARK --set-mark 1000
iptables -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 1000
iptables -t mangle -A OUTPUT -p tcp --dport 3389 -j MARK --set-mark 1000
#iptables -t mangle -A PREROUTING -m state --state new -j MARK --set-mark 2
#iptables -t mangle -A PREROUTING -m state --state new -m statistic --mode random --probability 0,5 -j MARK --set-mark 3
ip rule add fwmark 1000 table 10 prio 20
ip rule add fwmark 1001 table 20 prio 20
ip route add default via $GW_LINK1 dev $IF_LINK1 table 10
ip route add default via $GW_LINK2 dev $IF_LINK2 table 20
ip route flush cache
##-----------------------------------------------------------------------------------
##Bloqueio Facebook ---------------------------------------------
FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.24.255 74.119.76.0-74.119.76.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"
iptables -N FACEBOOK1
for face in $FACEBOOK_IP_RANGE; do
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 443 -j FACEBOOK1
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 80 -j FACEBOOK1
done
FACEBOOK_ALOW="192.168.0.101 192.168.0.22 192.168.0.225 192.168.0.177 192.168.0.243 192.168.0.212"
for msr in $FACEBOOK_ALOW; do
iptables -I FACEBOOK1 -s $msr -j ACCEPT
done
iptables -A FACEBOOK1 -j REJECT
##------------------------------------------------------------------------------------------------
#Bloqueia MAC
iptables -t filter -A INPUT -m mac --mac-source 01:00:5e:00:00:fc -j DROP
iptables -A FORWARD -m mac --mac-source 01:00:5e:00:00:fc -j DROP
##------------------------------------------------------------------------------------------------
#Proxy Transparente:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Proxy transparente ativado."
##------------------------------------------------------------------------------------------------
#Permite conexoes locais e ssh
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp --dport 3001 -j ACCEPT
iptables -A INPUT -p tcp --dport 3003 -j ACCEPT
iptables -A INPUT -p tcp --dport 8800 -j ACCEPT
iptables -A INPUT -p tcp --dport 3007 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp --dport 1311 -j ACCEPT
##------------------------------------------------------------------------------------------------
#Redirecionamento de Portas
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.101:3389
#Regras basicas de firewall
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp --dport 0:1023 -j DROP
echo "Regras de Firewall ativadas."
}
#------------------------------------------------------------------------------------------------
parar(){
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Regras desativadas"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parametros [ start - stop - restart ]"
esac