edumuitoloco
(uses CentOS)
Posted on 27/08/2010 - 08:30h
Good morning.
Guys, I've been a Linux beginner for a while now; I only touch it when there is a problem or when I need to deploy something new. The firewall already existed here at the company before I even joined, and at the time I had never had any contact with Linux. I can say that today I know a bit more, but I have some doubts that don't let me sleep easy! =D
I'll post my firewall here and would like to know if anyone can help me with answers to the following questions (remembering that I'm not the one who wrote this firewall, I don't even know that; the person who wrote it has already left the company and I have no contact with them... that's why I'm in the "dark"):
I'd like to block port 455 for the whole network, for example; how should I do that given my firewall? Wouldn't it already be blocked with my current configuration?
I have 2 gateways on it... when I switch to the second one (eth2) the whole company's internet gets weird... sometimes there are problems resolving site names, sometimes Outlook doesn't work... right now I can't put the whole network on gateway 2 because Outlook stops working (it's not consistent, it's intermittent... sometimes it works, sometimes not, and then I have to go back to browsing through the other Speedy)... is there anything I can do to improve this?
My SSH doesn't work when I try to connect from home, but on the internal network it works fine... how do I make it work externally?
I'd also like some help understanding the sections of my firewall... like... I never know where to add a new rule to it, because I don't really understand what happens in its internal flow...
Well... I know I'm asking a lot, but if anyone is willing to help me I'll be very grateful!!
#!/bin/bash
echo Creating network variables ...
LAN="eth0"
WAN1="eth1"
GW_WAN1="189.XX.XX.X"
WAN2="eth2"
GW_WAN2="187.XX.XX.XXX"
GW_PADRAO="eth1" #(I would like to make eth2, which is faster, the default)
echo Creating misc variables ...
TRANSPROXY="0"     # 1 = redirect LAN port 80 to the local squid (3128)
ACESSOVIAPROXY="1" # 1 = direct web access (80/443/8080...) only for the hosts listed below; everyone else goes through the proxy
LISTAVARIAVEIS="1" # 1 = print the variables on startup
BLOQUEIAP2P="1"    # 1 = reject known P2P ports/networks in FORWARD
BLOQUEIASAIDA="1"  # 1 = default-deny: new outbound connections from the LAN are rejected unless explicitly allowed
echo Creating port-forwarding variables ...
#Forward inbound Terminal Services (port 3389) through the internal Speedy link
IPE2="189.xx.xx.xxx"   # external (public) IP the service is published on
IPI2="10.x.x.x"        # internal server that receives the forwarded traffic
TCP2="3389"            # TCP port(s) to forward
#UDP2=""
echo Defining firewall variables ...
# fwmarks consumed by the "ip rule add fwmark" policy-routing rules below
MARK_WAN1=0x10
MARK_WAN2=0x20
LO=`ip address show lo scope host | grep 'inet '| cut -d " " -f 6| cut -d "/" -f 1`
IPLAN=`ip address show "$LAN" scope global | grep 'inet '| cut -d " " -f 6| cut -d "/" -f 1`
IPWAN1=`ip address show "$WAN1" scope global | grep 'inet '| cut -d " " -f 6| cut -d "/" -f 1`
if [ "$WAN2" != "" ] ; then
IPWAN2=`ip address show "$WAN2" scope global | grep 'inet '| cut -d " " -f 6| cut -d "/" -f 1`
fi
REDEINTERNA=`ip route list dev "$LAN" scope link| cut -d " " -f 1`
REDEINTERNA="10.x.x.0/24" # hard-coded; overrides the value detected on the line above
REDEWAN1=`ip route list dev "$WAN1" scope link| cut -d " " -f 1`
if [ "$WAN2" != "" ] ; then
REDEWAN2=`ip route list dev "$WAN2" scope link| cut -d " " -f 1`
##TEMPORARY: THE AUTO-DETECTION ABOVE PICKS UP THE WRONG VALUE ON THE FEDORA DISTRIBUTION
REDEWAN2="187.xx.xxx.xxx/26"
fi
#Print the variables used by the firewall to the screen
if [ "$LISTAVARIAVEIS" == "1" ] ; then
echo
echo List of firewall variables
echo LAN=$LAN
echo WAN1=$WAN1
echo WAN2=$WAN2
echo GW_WAN1=$GW_WAN1
echo GW_WAN2=$GW_WAN2
echo GW_PADRAO=$GW_PADRAO
echo LO=$LO
echo IPLAN=$IPLAN
echo IPWAN1=$IPWAN1
echo IPWAN2=$IPWAN2
echo REDEINTERNA=$REDEINTERNA
echo REDEWAN1=$REDEWAN1
echo REDEWAN2=$REDEWAN2
echo BLOQUEIAP2P=$BLOQUEIAP2P
echo BLOQUEIASAIDA=$BLOQUEIASAIDA
echo TRANSPROXY=$TRANSPROXY
echo ACESSOVIAPROXY=$ACESSOVIAPROXY
echo IPE1=$IPE1, WANIPE1=$WANIPE1 , IPI1=$IPI1, TCP1=$TCP1, UDP1=$UDP1
echo IPE2=$IPE2, WANIPE2=$WANIPE2 , IPI2=$IPI2, TCP2=$TCP2, UDP2=$UDP2
echo IPE3=$IPE3, WANIPE3=$WANIPE3 , IPI3=$IPI3, TCP3=$TCP3, UDP3=$UDP3
echo
sleep 5
fi
echo "Adding routing tables (one per gateway) ..."
TEMP=`cat /etc/iproute2/rt_tables |grep link1 |cut -d " " -f 1`
if [ "$TEMP" == "" ] ; then
echo "200 link1" >> /etc/iproute2/rt_tables
echo "199 link2" >> /etc/iproute2/rt_tables
fi
# Start from empty tables and rules so the script can be re-run without "RTNETLINK answers: File exists"
ip route flush table link1
ip route flush table link2
ip rule del from $IPWAN1 table link1 2>/dev/null
ip rule del from $IPWAN2 table link2 2>/dev/null
ip rule del fwmark $MARK_WAN1 table link1 2>/dev/null
ip rule del fwmark $MARK_WAN2 table link2 2>/dev/null
#Routing table for Link 1: anything sourced from IPWAN1 (or marked MARK_WAN1) leaves via GW_WAN1
ip route add $REDEINTERNA dev $LAN table link1
ip route add $REDEWAN1 dev $WAN1 src $IPWAN1 table link1
ip route add $REDEWAN2 dev $WAN2 table link1
ip route add 127.0.0.0/8 dev lo table link1
ip rule add from $IPWAN1 table link1
ip route add default via $GW_WAN1 table link1
#Routing table for Link 2: anything sourced from IPWAN2 (or marked MARK_WAN2) leaves via GW_WAN2
ip route add $REDEINTERNA dev $LAN table link2
ip route add $REDEWAN2 dev $WAN2 src $IPWAN2 table link2
ip route add $REDEWAN1 dev $WAN1 table link2
ip route add 127.0.0.0/8 dev lo table link2
ip rule add from $IPWAN2 table link2
ip route add default via $GW_WAN2 table link2
#Packets marked in the mangle table (see the port-forwarding section) are steered to the matching link
ip rule add fwmark $MARK_WAN1 table link1
ip rule add fwmark $MARK_WAN2 table link2
#Default route of the main table = GW_PADRAO; unmarked traffic from the LAN follows it
ip route del default
if [ "$GW_PADRAO" == "$WAN1" ] ; then
ip route add default via $GW_WAN1 dev $WAN1
fi
if [ "$GW_PADRAO" == "$WAN2" ] ; then
ip route add default via $GW_WAN2 dev $WAN2
fi
ip route flush cache
echo Loading the modules needed by the firewall ...
I=`uname -r`
cd /lib/modules/$I/kernel/net/ipv4/netfilter/
# Load every netfilter module shipped with this kernel (module name = file name without the extension)
for i in `ls | cut -d "." -f 1| grep -v "ipchains"`; do modprobe $i ; done
echo Setting important /proc/sys/net/ipv4 parameters ...
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# rp_filter off: with two WAN links and policy routing the strict reverse-path check would drop legitimate replies
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
# A firewall should neither honour source-routed packets nor accept ICMP redirects from either ISP
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "1" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/tcp_fack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/tcp_timestamps
# conf/all does not override per-interface values that already exist, so set each interface explicitly
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
echo Clearing previous rules ...
# Flush every chain in every loaded table, then delete the user-defined chains
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done
echo Setting firewall policies
# INPUT is default-deny (only the explicit ACCEPTs below reach the box itself);
# FORWARD is default-accept, so blocking LAN traffic depends entirely on the REJECT rules added when BLOQUEIASAIDA=1
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
# Packets belonging to connections conntrack already knows are accepted in every chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo Sharing the Internet connection with the internal network
# ip_forward was already enabled above. MASQUERADE on each WAN interface so LAN hosts leave with the
# address of whichever link routes them out
iptables -t nat -A POSTROUTING -o $WAN1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
if [ "$WAN2" != "" ] ; then
iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE
fi
if [ "$BLOQUEIAP2P" == "1" ] ; then
echo Configuring P2P blocking
# Reject known P2P programs by destination network and/or port (static IP lists like these go stale and need reviewing)
#iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
#Gnutella clients (BearShare, ToadNode, Limewire) - one rule for the port they share
iptables -A FORWARD -p TCP --dport 6346 -j REJECT
#WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
#Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
#Morpheus / KaZaA (FastTrack) - one rule for the port they share
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
#iptables -A INPUT -m string --string "X-Kazaa" -j DROP
#Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
fi
echo Configuring transparent proxy
if [ "$TRANSPROXY" == "1" ] ; then
# Redirect LAN HTTP (port 80) bound for the Internet to the local squid on 3128
iptables -t nat -A PREROUTING -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
fi
echo Configuring access via proxy - blocking NAT for HTTP, HTTPS and FTP
if [ "$ACESSOVIAPROXY" == "1" ] ; then
# FWL
# Logs the first packet of every connection to port 80 seen in PREROUTING (no rate limit, so noisy on a busy LAN)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix="Teste"
#RULES FOR THE BANCO SAFRA APPLICATION
#Internet Explorer must be set NOT to use the proxy for the following addresses:
#wwws.safraempresas.com.br;safraempresas.com.br;www2s.safraempresas.com.br;dwl.safraempresas.com.br
# Finance dept.
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.200.44.19 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.231.119.46 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.231.119.37 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.231.119.19 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.231.119.40 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.63 -d 200.231.119.47 -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
## Banco do Brasil
## Finance dept.
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d office.bancobrasil.com.br -p tcp -m multiport --dport 80,8080,443,38 -j ACCEPT
################################################################################################################################
## Skype
#IT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
#IT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
#IT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
#IT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
#IT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 443 -j ACCEPT
################################################################################################################################
## Sintegra
#IT - ENABLE ONLY WHEN IT ASKS FOR IT (ONCE A MONTH), THEN COMMENT OUT AGAIN - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 8017 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 8017 -j ACCEPT
## HR SOFTWARE
## Conectividade Social
# SEFIP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 2631 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 2631 -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d 200.201.174.204 -p tcp -m multiport --dport 2631 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d 200.201.174.204 -p tcp -m multiport --dport 2631 -j ACCEPT
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d 200.201.174.207 -p tcp -m multiport --dport 5017 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d 200.201.174.207 -p tcp -m multiport --dport 5017 -j ACCEPT #was dport 2631, changed to 5017
## - - Contingency: her machine was moved to Barueri. Enable only if needed and reserve it in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d 200.201.173.68 -p tcp -m multiport --dport 80 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d 200.201.173.68 -p tcp -m multiport --dport 80 -j ACCEPT #was dport 2631, changed to 5017
## - - Contingency: her machine was moved to Barueri. Enable only if needed and reserve it in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d 200.201.174.204 -p tcp -m multiport --dport 2631 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d 200.201.174.204 -p tcp -m multiport --dport 2631 -j ACCEPT
## - - Contingency: her machine was moved to Barueri. Enable only if needed and reserve it in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d 200.201.174.207 -p tcp -m multiport --dport 5017 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d 200.201.174.207 -p tcp -m multiport --dport 5017 -j ACCEPT #was dport 2631, changed to 5017
## CONTROL ID
#Control ID -- - - Remote Support - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 5502,5017 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 5502,5017 -j ACCEPT
## CAGED
#CAGED - - SUBMISSION - Contingency: her machine was moved to Barueri. Enable only if needed and reserve it in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 2500 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 2500 -j ACCEPT
## RAIS
#RAIS - --- HR - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 3007 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 3007 -j ACCEPT
##################################################################################################################################
## MSN - - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - Orion - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - Orion - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - Orion - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - Orion - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - Wired NIC - Engineer - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - Wireless NIC - Engineer - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
## MSN - - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 1863 -j ACCEPT
################################################################################################################################
## Ftp
#- - Port 21 FTP - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
#- - - SEFAZ NF-e - Port 21 FTP - DHCP ON 04-12-2009
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
#- Candido - SEFAZ NF-e - Port 21 FTP - DHCP ON 04-12-2009
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
#- - 21 FTP --Wireless network
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 21 -j ACCEPT
################################################################################################################################
# SEFAZ NF-e
#- - - SEFAZ NF-e
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 24001 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 24001 -j ACCEPT
#- Candido - SEFAZ NF-e
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 24001 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 24001 -j ACCEPT
################################################################################################################################
# - - Government software - Reserved in DHCP
# DACON - Monthly - reports PIS and COFINS and the month's revenue
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 3456 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 3456 -j ACCEPT
# TED - Electronic Document Transmission
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 8017 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 8017 -j ACCEPT
################################################################################################################################
# Misc software
#MIRC - - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 6667 -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 6667 -j ACCEPT
################################################################################################################################
# Direct-access ports: dropped for the whole LAN at the end of this block, opened only for the hosts listed below
PORTAS=3456,80,443,8080,8017,1723,5017,8081,7989,4747,8001
#3389
#3128
#5500
#6068
#8888
#2628
# Port 5017 belongs to Conectividade Social!!
## Server
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## Server02
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## -
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x2 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS,3689 -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x2 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS,3689 -j ACCEPT
## HelpDesk Ubuntu Linux - DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## GED - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x11 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x11 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# DES - -
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - - RESERVED IN DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.xxx -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.xxx -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# ## - - - MSN - PROXY WORKAROUND - Reserved in DHCP. Why? it only gives - does it need to be fully open??
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - - - NF ELETRONICA - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - - NF ELETRONICA - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - IG Test - Couldn't get it allowed in squid so it could use the proxy (left it without proxy), fix later
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x1 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x1 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - - Government software - Reserved in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x19 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x19 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## Reserved in DHCP - OPEN ONLY FOR SAFRA, WITH THE PROXY SET IN THE BROWSER
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x3 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x3 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - - Wireless - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## Test - Reserved in DHCP
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## HR and Government software - Reserved in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
## - PC - Reserved in DHCP
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p udp -m multiport --dport $PORTAS -j ACCEPT
# iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.62 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# iptables -A FORWARD -i $LAN -s 10.x.x.62 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN -s 10.x.x.x9 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
iptables -A FORWARD -i $LAN -s 10.x.x.x9 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
#iptables -t nat -A PREROUTING -i $LAN -m mac --mac-source 00:b0:d0:a4:1e:10 -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j ACCEPT
# The LAN may still reach this box's own public addresses on these ports (needed for the hairpin DNAT below)
iptables -t nat -A PREROUTING -i $LAN -s $REDEINTERNA -d $IPWAN1 -p tcp -m multiport --dport $PORTAS -j ACCEPT #IP LINK 1
iptables -t nat -A PREROUTING -i $LAN -s $REDEINTERNA -d $IPWAN2 -p tcp -m multiport --dport $PORTAS -j ACCEPT #IP LINK 2
# Everyone not listed above: new connections from the LAN to the Internet on these ports are dropped here, in the nat table
iptables -t nat -A PREROUTING -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p tcp -m multiport --dport $PORTAS -j DROP
fi
echo Configuring the ports allowed outbound to the Internet
if [ "$BLOQUEIASAIDA" == "1" ] ; then
#RULES ALLOWING OUTBOUND INTERNET ACCESS
#DNS, SMTP, POP AND IMAP (same list for UDP; in practice only 53 is used over UDP)
iptables -A FORWARD -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p tcp -m multiport --dport 53,25,465,110,995,143,993,2222 -j ACCEPT
iptables -A FORWARD -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p udp -m multiport --dport 53,25,465,110,995,143,993,2222 -j ACCEPT
#EXCEPTIONS BY IP AND PORT - reserved in DHCP - What is this?
# iptables -A FORWARD -i $LAN -s 10.x.x.x -d ! $REDEINTERNA -p tcp -m multiport --dport 3389,1723,700,600,10000 -j ACCEPT
#-
# iptables -A FORWARD -i $LAN -s 10.x.x.16 -d ! $REDEINTERNA -p tcp -m multiport --dport 2222,88,3389,1723,38081,38082 -j ACCEPT
#ADMUSER - -
# iptables -A FORWARD -i $LAN -s 10.x.x.14 -d ! $REDEINTERNA -p tcp -m multiport --dport 2222,88,3389,1723,38081,38082 -j ACCEPT
#ADMUSER - solange
#iptables -A FORWARD -i $LAN -s 10.x.x.x28 -d ! $REDEINTERNA -p tcp -m multiport --dport 2222,88,3389,1723,38081,38082 -j ACCEPT
#RULES BLOCKING OUTBOUND INTERNET ACCESS
#keep this line as an example
#iptables -A FORWARD -i $LAN -s 10.x.x.x1 -d ! $REDEINTERNA -j LOG --log-level 6 --log-prefix "fir:_ACESSO_ED_BLOQUEADO "
# Catch-all: any new TCP connection (SYN) or UDP datagram from the LAN to the Internet not accepted above is rejected.
# Rules meant to allow LAN traffic must come BEFORE these two lines (or be inserted with -I); an -A after them never matches.
iptables -A FORWARD -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p tcp --syn -j REJECT
iptables -A FORWARD -i $LAN -s $REDEINTERNA -d ! $REDEINTERNA -p udp -j REJECT
fi
echo Port forwarding to servers on the internal network
# Publish an internal server on an external IP (DNAT) and make sure its replies leave through the WAN that owns that IP.
#   $1 = external IP   $2 = internal IP   $3 = TCP port list   $4 = UDP port list  (empty list = skip that protocol)
forward_ports() {
local IPE="$1" IPI="$2" TCP="$3" UDP="$4" PROTO PORTS
[ "$IPE" != "" -a "$IPI" != "" ] || return 0
for PROTO in tcp udp ; do
if [ "$PROTO" == "tcp" ] ; then PORTS="$TCP" ; else PORTS="$UDP" ; fi
[ "$PORTS" != "" ] || continue
iptables -t nat -A PREROUTING -d $IPE -p $PROTO -m multiport --dport $PORTS -j DNAT --to-destination $IPI
# NOTE: the POSTROUTING rule is there because internal machines otherwise cannot reach the internal server
# through its public Internet address (hairpin NAT: rewrite the source so the reply comes back via the firewall)
iptables -t nat -A POSTROUTING -o $LAN -s $REDEINTERNA -d $IPI -p $PROTO -m multiport --dport $PORTS -j SNAT --to-source $IPLAN
# Choice of outbound gateway: mark the server's replies (source port = published port) so the
# "ip rule add fwmark" rules route them out through the link that owns $IPE
if [ "$IPE" == "$IPWAN1" ] ; then
iptables -t mangle -A PREROUTING -s $IPI -p $PROTO -m multiport --sport $PORTS -j MARK --set-mark $MARK_WAN1
fi
if [ "$IPE" == "$IPWAN2" ] ; then
iptables -t mangle -A PREROUTING -s $IPI -p $PROTO -m multiport --sport $PORTS -j MARK --set-mark $MARK_WAN2
fi
done
}
forward_ports "$IPE1" "$IPI1" "$TCP1" "$UDP1"
forward_ports "$IPE2" "$IPI2" "$TCP2" "$UDP2"
forward_ports "$IPE3" "$IPI3" "$TCP3" "$UDP3"
###############################################################################
echo POSTROUTING rules for everything leaving the internal network
###############################################################################
# The MASQUERADE rules added earlier already match traffic leaving $WAN1/$WAN2, so these SNAT rules only
# take effect if those are removed; SNAT to a fixed address is the right choice when the WAN IPs are static
iptables -t nat -A POSTROUTING -o $WAN1 -j SNAT --to-source $IPWAN1
if [ "$IPWAN2" != "" ] ; then
iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT --to-source $IPWAN2
fi
if [ "$IPE1" == "" ] ; then
# Read BOOTPROTO of the primary WAN (quoted or unquoted) to choose MASQUERADE (dynamic IP) or SNAT (static IP)
BOOT=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$WAN1 | cut -d = -f 2 | tr -d '"'`
if [ "$BOOT" == "dhcp" ] ; then
iptables -t nat -A POSTROUTING -s $REDEINTERNA -j MASQUERADE
fi
if [ "$BOOT" == "none" ] ; then
iptables -t nat -A POSTROUTING -s $REDEINTERNA -j SNAT --to-source $IPWAN1
if [ "$IPWAN2" != "" ] ; then
iptables -t nat -A POSTROUTING -s $REDEINTERNA -j SNAT --to-source $IPWAN2
fi
fi
fi
#######################################################
echo Policy: everything is inspected by the BLACKLIST chain first ...
#######################################################
# BLACKLIST chain creation: INPUT, OUTPUT and FORWARD all jump to it before any ACCEPT rule
iptables -N BLACKLIST
iptables -A INPUT -j BLACKLIST
iptables -A OUTPUT -j BLACKLIST
iptables -A FORWARD -j BLACKLIST
#######################################################
#echo Inserting rules that protect the firewall as a whole ...
#######################################################
# Malformed packets: the "unclean" match (-m unclean) was a 2.4 patch-o-matic module and does not exist on 2.6 kernels,
# so the original two rules failed to load. The supported equivalent is the connection-tracking INVALID state:
iptables -A BLACKLIST -m state --state INVALID -j LOG --log-level 6 --log-prefix "fir:_INVALID " --log-tcp-options -m limit --limit 6/h
iptables -A BLACKLIST -m state --state INVALID -j DROP
# XMAS rule: every TCP flag set at once (never a legitimate segment)
iptables -A BLACKLIST -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PSH ALL -j LOG --log-level 6 --log-prefix "fir:_XMAS " --log-tcp-options -m limit --limit 6/h
iptables -A BLACKLIST -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PSH ALL -j DROP
# NEW but not SYN rule (a new TCP connection must start with a bare SYN), disabled
#iptables -A BLACKLIST -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "fir:_NEW_but_not_SYN " --log-tcp-options -m limit --limit 6/h
#iptables -A BLACKLIST -p tcp ! --syn -m state --state NEW -j DROP
# FRAGMENTS rule: with connection tracking loaded the kernel reassembles fragments before the filter table sees them, so -f rarely matches; harmless to keep
iptables -A BLACKLIST -f -j LOG --log-level 6 --log-prefix "fir:_FRAG " --log-tcp-options -m limit --limit 6/h
iptables -A BLACKLIST -f -j DROP
# SCAN and FLOOD rule, disabled
#iptables -A BLACKLIST -p tcp --syn -m limit --limit 100/s -j LOG --log-level 6 --log-prefix "fir:_SYN_FLOOD_SCAN_REDE " --log-tcp-options -m limit --limit 6/h
#iptables -A BLACKLIST -j ACCEPT -m limit --limit 100/s
## Port 28753 accepted to and from the firewall itself (the service behind it is not named in the script; the same port is DNATed to an internal host further down)
iptables -A INPUT -p tcp --destination-port 28753 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 28753 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 28753 -j ACCEPT
iptables -A INPUT -p udp --destination-port 28753 -j ACCEPT
# other SCANNER rules: TCP flag combinations used by stealth scans
# The jumps must NOT carry "-m limit --limit 5/s": the limit applied to the jump itself, so only the first 5 scan packets per second
# were dropped and everything above that rate went on to the remaining INPUT rules. The rate limit belongs on the LOG line only.
iptables -N SCANNER
# Note: RST is not part of the mask SYN,ACK,FIN, so this first rule can never match; kept as in the original
iptables -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN RST -j SCANNER
iptables -A INPUT -i eth+ -p tcp --tcp-flags ALL FIN,URG,PSH -j SCANNER
iptables -A INPUT -i eth+ -p tcp --tcp-flags SYN,RST SYN,RST -j SCANNER
iptables -A INPUT -i eth+ -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCANNER
iptables -A INPUT -i eth+ -p tcp --tcp-flags ALL NONE -j SCANNER
iptables -A SCANNER -j LOG --log-level 6 --log-prefix "fir:_SCANNER " --log-tcp-options -m limit --limit 6/h
iptables -A SCANNER -j DROP
# PING at the firewall itself: logged at most once a minute, answered at most 6 times a minute; echo requests above that fall through to the rest of INPUT
iptables -N PINGIN
iptables -A INPUT -i eth+ -p icmp -m state --state NEW -j PINGIN
iptables -A PINGIN -m limit --limit 1/m -j LOG --log-level 6 --log-prefix "fir:ping_no_firewall "
iptables -A PINGIN -m limit --limit 6/m -j ACCEPT
# ping to the published services, same rate limits.
# Caveat: the DNAT rules above match TCP/UDP ports only, so ICMP to $IPE1/$IPE2/$IPE3 is not rewritten; when those are addresses
# of this firewall an echo request to them goes through INPUT (PINGIN above), not FORWARD, and these chains see nothing.
if [ "$IPE1" != "" ] ; then
iptables -N PINGFOR1
iptables -A FORWARD -i eth+ -p icmp -m state --state NEW -d $IPE1 -j PINGFOR1
iptables -A PINGFOR1 -m limit --limit 1/m -j LOG --log-level 6 --log-prefix "fir:ping_nos_serviços1 "
iptables -A PINGFOR1 -m limit --limit 6/m -j ACCEPT
fi
if [ "$IPE2" != "" ] ; then
iptables -N PINGFOR2
iptables -A FORWARD -i eth+ -p icmp -m state --state NEW -d $IPE2 -j PINGFOR2
iptables -A PINGFOR2 -m limit --limit 1/m -j LOG --log-level 6 --log-prefix "fir:ping_nos_serviços2 "
iptables -A PINGFOR2 -m limit --limit 6/m -j ACCEPT
fi
if [ "$IPE3" != "" ] ; then
iptables -N PINGFOR3
iptables -A FORWARD -i eth+ -p icmp -m state --state NEW -d $IPE3 -j PINGFOR3
iptables -A PINGFOR3 -m limit --limit 1/m -j LOG --log-level 6 --log-prefix "fir:ping_nos_serviços3 "
iptables -A PINGFOR3 -m limit --limit 6/m -j ACCEPT
fi
# Anti-spoofing: addresses of one network arriving on the wrong interface are logged and dropped (chain numbers SPOOF0/1/3 kept as in the original)
iptables -N SPOOF0
iptables -A INPUT -i $LAN -s $REDEWAN1 -j SPOOF0
iptables -A SPOOF0 -j LOG --log-level 6 --log-prefix "fir:_SPOOFING_$LAN" --log-tcp-options -m limit --limit 6/h
iptables -A SPOOF0 -j DROP
iptables -N SPOOF1
iptables -A INPUT -i $WAN1 -s $REDEINTERNA -j SPOOF1
iptables -A SPOOF1 -j LOG --log-level 6 --log-prefix "fir:_SPOOFING_$WAN1" --log-tcp-options -m limit --limit 6/h
iptables -A SPOOF1 -j DROP
if [ "$IPWAN2" != "" ] ; then
iptables -N SPOOF3
iptables -A INPUT -i $WAN2 -s $REDEINTERNA -j SPOOF3
iptables -A INPUT -i $WAN2 -s $REDEWAN1 -j SPOOF3
iptables -A SPOOF3 -j LOG --log-level 6 --log-prefix "fir:_SPOOFING_$WAN2" --log-tcp-options -m limit --limit 6/h
iptables -A SPOOF3 -j DROP
fi
################################################################################
echo Rules for the internal network ...
################################################################################
echo Open to the local network
# Any TCP/UDP from $REDEINTERNA to the firewall itself is accepted on every interface (ICMP is handled by PINGIN);
# packets with these addresses arriving on the WAN interfaces were already dropped by the SPOOF chains above
iptables -A INPUT -p tcp -s $REDEINTERNA -j ACCEPT
iptables -A INPUT -p udp -s $REDEINTERNA -j ACCEPT
################################################################################
echo Rules for the lo interface ...
################################################################################
iptables -N LOCALHOST
iptables -A OUTPUT -o lo -j LOCALHOST
iptables -A INPUT -i lo -j LOCALHOST
iptables -A LOCALHOST -j ACCEPT
################################################################################
echo Rules for OUTPUT ...
################################################################################
# FIR: everything the firewall itself sends out is accepted
iptables -N FIR
iptables -A OUTPUT -j FIR
iptables -A FIR -j ACCEPT
################################################################################
echo Ports opened on the firewall for access from the Internet
################################################################################
# SSH with logging, disabled. Note: port 445 here is SMB/CIFS, not SSH (22)
#iptables -N SSH
#iptables -A INPUT -i eth+ -p tcp --dport 445 -j SSH
#iptables -A SSH -j LOG --log-level 6 --log-prefix "fir:_acesso_porta_SSH " --log-ip-options -m limit --limit 1/m
#iptables -A SSH -j ACCEPT
# Rules for dynamic opening of the SSH port (port knocking with the "recent" match), disabled
# To open port 22 the source must hit port 2222 three times within 60 s; a hit on port 2221 or 2223 closes 22 again
#iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --name SSH --rsource --seconds 60 --hitcount 3 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp -m tcp --dport 2221 -m state --state NEW -m recent --name SSH --remove -j DROP
#iptables -A INPUT -i eth1 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --rsource -j DROP
#iptables -A INPUT -i eth1 -p tcp -m tcp --dport 2223 -m state --state NEW -m recent --name SSH --remove -j DROP
#WEBMIN: the LAN is already fully accepted above, so this rule (no -i or -s) only adds access to port 10000 from the Internet
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
#HTTP, SSL
iptables -A INPUT -p tcp -m tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 443 -j ACCEPT
#PROXY: likewise only adds access from the Internet; if the proxy also listens on the WAN addresses this exposes it as an open proxy
iptables -A INPUT -p tcp -m tcp --syn --dport 8080 -j ACCEPT
# SMTP
#iptables -A INPUT -p tcp -m tcp --syn --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --syn --dport 465 -j ACCEPT
# POP
#iptables -A INPUT -p tcp -m tcp --syn --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --syn --dport 995 -j ACCEPT
# IMAP
#iptables -A INPUT -p tcp -m tcp --syn --dport 143 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --syn --dport 993 -j ACCEPT
##SpamAssassin
#iptables -A INPUT -p tcp -m tcp --syn --dport 783 -j ACCEPT
## Identd
#iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
#CUPS
#iptables -A INPUT -p tcp --dport 631 -j ACCEPT
#DNS
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT
#ADDITIONAL CONFIGURATION FOR VPN ROUTING - CHANGED TO 4 ON 28-04
# PPTP: control channel is TCP 1723, data is GRE (IP protocol 47). The two pairs below are identical once the IPs are masked.
iptables -t nat -A PREROUTING -d XXX.XX.XXX.XXX -p 47 -j DNAT --to-destination 10.x.x.x
iptables -t nat -A PREROUTING -d XXX.XX.XXX.XXX -p tcp --dport 1723 -j DNAT --to-destination 10.x.x.x
iptables -t nat -A PREROUTING -d XXX.XX.XXX.XXX -p 47 -j DNAT --to-destination 10.x.x.x
iptables -t nat -A PREROUTING -d XXX.XX.XXX.XXX -p tcp --dport 1723 -j DNAT --to-destination 10.x.x.x
## Settings for the Linux pptpd VPN ####
# These accept PPTP at the firewall itself. If the same public address is DNATed above, PREROUTING rewrites the destination first and these INPUT rules never see that traffic.
iptables -A INPUT -p tcp -d XXX.XX.XXX.XXX --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -d XXX.XX.XXX.XXX -j ACCEPT
modprobe ppp_generic
modprobe ppp_deflate
#modprobe pppoeatm  # PPP over ATM, not used by pptpd
modprobe ppp_async
modprobe ppp_mppe
modprobe ip_gre
##############################################
#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
##############################################
# SSH configuration
#Open access to SSH on port 539
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT #ssh contingency
#Open access to SSH on port 1030
#iptables -A INPUT -p tcp --dport 1030 -j ACCEPT
## Inbound port forward: TCP/UDP 28753 arriving on any interface is DNATed to the internal host (the original comment called this "Internet egress"; these are inbound rules)
iptables -t nat -A PREROUTING -p tcp --dport 28753 -j DNAT --to-dest 10.x.x.x
iptables -A FORWARD -p tcp --dport 28753 -d 10.x.x.x -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 28753 -j DNAT --to-dest 10.x.x.x
iptables -A FORWARD -p udp --dport 28753 -d 10.x.x.x -j ACCEPT
# -read the SSH security tip below to allow only the listed IPs
#SSH security: whitelist of sources allowed to reach port 22, everything else dropped.
# The SSH chain is built, but nothing jumps to it while the INPUT rule at the end stays commented out, so it currently has no effect.
# 10.x.x.1/24 and 192.168.1.1/24 are host addresses with a /24 mask; iptables applies the mask and treats them as 10.x.x.0/24 and 192.168.1.0/24.
iptables -t filter -N SSH
iptables -t filter -A SSH -s 10.x.x.1/24 -j ACCEPT
iptables -t filter -A SSH -s 192.168.1.1/24 -j ACCEPT
iptables -t filter -A SSH -s XXX.XX.XXX.XXX -j ACCEPT
iptables -t filter -A SSH -s 127.0.0.1 -j ACCEPT
iptables -t filter -A SSH -s XXX.XX.XXX.XXX -j ACCEPT
iptables -t filter -A SSH -s XXX.XX.XXX.XXX -j ACCEPT
iptables -t filter -A SSH -j DROP
# When enabled, -I puts this rule at the top of INPUT, so the whitelist is consulted before every other rule, BLACKLIST included
#iptables -t filter -I INPUT -p tcp --dport 22 -j SSH
##############################################
#OVERRIDE THE DEFAULT LINK BY SOURCE IP, INDEPENDENT OF THE SERVER'S DEFAULT GATEWAY
#Uncomment this line when traffic needs to go out through XXX.XX.XXX.XXX (the line is currently active)
# Mark 0x20 is the link 2 mark; an "ip rule" selecting the WAN2 routing table for this mark must exist elsewhere for it to take effect
iptables -t mangle -A PREROUTING -s 10.x.x.x -j MARK --set-mark 0x20 #LINK 2
iptables -t nat -A PREROUTING -p tcp --dport 1325 -j DNAT --to 10.x.x.x11:3389 #ged TS
#iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to 127.0.0.1:22 #ged
#iptables -t nat -A PREROUTING -p tcp --dport 13389 -j DNAT --to 10.x.x.14:5900 #- TS
#iptables -t nat -A PREROUTING -p tcp --dport 23389 -j DNAT --to 10.x.x.x:5900 #- TS
#SET OUTBOUND PRIORITY (IP TOS) FOR HTTP AND FTP REQUESTS: 8 = maximize throughput, 16 = minimize delay, 2 = minimize cost
# OUTPUT only covers the firewall's own connections, and upstream providers generally ignore TOS, so this matters only for local queueing
iptables -t mangle -A OUTPUT -o $WAN1 -p tcp -m multiport --dports 20,80,443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -o $WAN2 -p tcp -m multiport --dports 20,80,443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -o $WAN1 -p tcp -m multiport --dports 21,22,53 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o $WAN2 -p tcp -m multiport --dports 21,22,53 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o $WAN1 -p tcp -m multiport --dports 25,110 -j TOS --set-tos 2
iptables -t mangle -A OUTPUT -o $WAN2 -p tcp -m multiport --dports 25,110 -j TOS --set-tos 2
# (the original had this PREROUTING rule twice; one copy is enough)
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 25,110 -j TOS --set-tos 2
################################################
#Traffic accounting: restart bandwidthd
killall bandwidthd
/usr/local/bandwidthd/bandwidthd
I replaced the IPs with XXXX...
Regards,
Eduardo.
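Added example, not part of Eduardo's post or his script: the post asks where a new rule should go and whether port 455 is already blocked, which comes down to how iptables walks its chains. The Python below models only the part of that flow the script relies on: a packet addressed to one of the firewall's own IPs goes through INPUT and a packet routed through it goes through FORWARD; within a chain the first matching rule with a terminal target decides; a jump into a user chain such as BLACKLIST or SSH falls back into the calling chain when nothing there decides; and the built-in chain's policy applies at the end. Interfaces, addresses (RFC 5737 ranges and 10.0.0.0/24), the chain contents and the DROP policies are constructed sample values, not the masked real ones. Two things the sample shows: a `-A FORWARD ... --dport 455 -j DROP` appended after the script's style of accept-everything-from-the-LAN rule is never reached, while the same rule inserted ahead of it works; and SSH from the Internet to the firewall's WAN address ends in INPUT, where nothing accepts it until the whitelist chain is actually jumped to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    target: str                          # ACCEPT/DROP/REJECT or a user-chain name to jump to
    in_iface: Optional[str] = None       # -i
    src: Optional[str] = None            # -s (address or CIDR)
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[set] = None         # -m state --state

    def matches(self, p: Packet) -> bool:
        # every match given must hold, like the AND of the matches on one iptables rule
        if self.in_iface and self.in_iface != p.in_iface:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return not self.states or p.state in self.states


class Ruleset:
    def __init__(self, policy: Dict[str, str]):
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = policy                  # only built-in chains carry a policy

    def new_chain(self, name: str) -> None: self.chains[name] = []                      # iptables -N
    def append(self, chain: str, rule: Rule) -> None: self.chains[chain].append(rule)   # iptables -A
    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None: self.chains[chain].insert(pos - 1, rule)  # iptables -I

    def walk(self, chain: str, p: Packet) -> Optional[str]:
        # first matching terminal rule decides; a user chain that decides nothing returns to its caller
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self.walk(rule.target, p)      # jump into a user chain
            if verdict is not None:
                return verdict                        # no decision there: keep going in this chain
        return self.policy.get(chain)                 # built-in chain: its policy; user chain: None

    def verdict(self, p: Packet, local_ips: set) -> str:
        # the routing decision: to the firewall itself -> INPUT, through it -> FORWARD
        return self.walk("INPUT" if p.dst in local_ips else "FORWARD", p)


def build_sample() -> Ruleset:
    """Ruleset with the same shape as the post's script; addresses and policies are assumed sample values."""
    rs = Ruleset({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    rs.new_chain("BLACKLIST")
    rs.append("BLACKLIST", Rule("DROP", states={"INVALID"}))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        rs.append(chain, Rule("BLACKLIST"))                           # everything is inspected first
    rs.append("INPUT", Rule("ACCEPT", src="10.0.0.0/24"))             # LAN may talk to the firewall
    rs.append("FORWARD", Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    rs.append("FORWARD", Rule("ACCEPT", in_iface="eth0", src="10.0.0.0/24"))  # LAN may go anywhere
    return rs


LOCAL_IPS = {"10.0.0.1", "203.0.113.10"}        # the firewall's own LAN and WAN1 addresses (sample)
LAN_TO_455 = Packet("eth0", "10.0.0.50", "198.51.100.7", "tcp", 455)      # LAN host -> Internet, port 455
SSH_FROM_HOME = Packet("eth1", "198.51.100.7", "203.0.113.10", "tcp", 22)  # Internet -> firewall's WAN1 address
BLOCK_455 = Rule("DROP", proto="tcp", dport=455)


def block_455_appended() -> str:
    rs = build_sample()
    rs.append("FORWARD", BLOCK_455)       # iptables -A FORWARD ...: lands after the LAN ACCEPT, never reached
    return rs.verdict(LAN_TO_455, LOCAL_IPS)


def block_455_inserted() -> str:
    rs = build_sample()
    rs.insert("FORWARD", BLOCK_455, 2)    # iptables -I FORWARD 2 ...: after BLACKLIST, before any ACCEPT
    return rs.verdict(LAN_TO_455, LOCAL_IPS)


def ssh_without_whitelist() -> str:
    return build_sample().verdict(SSH_FROM_HOME, LOCAL_IPS)   # nothing accepts it: INPUT policy applies


def ssh_with_whitelist() -> str:
    rs = build_sample()
    rs.new_chain("SSH")
    rs.append("SSH", Rule("ACCEPT", src="198.51.100.7"))      # allowed source
    rs.append("SSH", Rule("DROP"))                             # everyone else
    rs.insert("INPUT", Rule("SSH", proto="tcp", dport=22))    # the jump the script keeps commented out
    return rs.verdict(SSH_FROM_HOME, LOCAL_IPS)
```

The same walk answers the question for any port: a block rule only works if it sits ahead of the broad ACCEPT in the chain the packet actually traverses (FORWARD for LAN hosts going out, INPUT for the firewall itself), which is why `iptables -A` on a chain that already ends in an accept-all appears to do nothing.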