LIBERAR PORTAS DE CAMERAS [RESOLVIDO]
1. LIBERAR PORTAS DE CAMERAS [RESOLVIDO]
LeonardoKadina
(usa Ubuntu)
Enviado em 04/11/2010 - 10:05h
Pessoal sei que isso já deve ter passado por aqui até tentei algumas coisas no meu conhecimento, porém estou com um cliente novo e ele já tinha um Firewall X Squid , assim está funcionando e ele gosta mas precisa que eu libere umas portas de acesso externo para as cameras que ele colocou estes dias, o firewall dele é meio carregado e eu sou meio novo nesta parte. preciso liberar um range de portas 5000:5999 e as portas 88 e 3380(TS)mas já tentei de tudo e não rolou.Outra coisa eu deixei no final do Fireall todas as portas liberadas.
Minha rede entra na eth1 (WAN) e redireciona na ET0(LAN)
Obrigado desde já pela ajuda!
#! /bin/bash
iniciar(){
#Carregar moduloss
modprobe iptable_nat
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ip_gre
modprobe ipt_MASQUERADE
modprobe ip_nat
modprobe ip_nat_ftp
modprobe ipt_limit
printf "Modulos carreagdos.\n"
printf "*****************************ok********************************* \n"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
printf "Limpando tabelas e setando variaveis do kernel.. \n"
printf "*****************************ok********************************* \n"
#Definir regras
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo "Regras definidas."
printf "*****************************ok********************************* \n"
#Habilitando comunicação entre as placas de rede.
echo 1 > /proc/sys/net/ipv4/ip_forward
printf "Roteamento ativos.\n"
printf "*****************************ok********************************* \n"
# Evitando Spoofing de Rede
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
printf "Protecao contra Spoofing ativas.\n"
printf "*****************************ok********************************* \n"
# Evitando um Overflow de pacotes TCP
echo "1" > /proc/sys/net/ipv4/tcp_abort_on_overflow
printf "Protecao contra Overflow de pacotes TCP ativas.\n"
printf "*****************************ok********************************* \n"
# Tentando Evitar DDOS,DOS e SYN-FLOOD
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
printf "Protecao contra DDOS,DOS e SYN-FLOOD ativas.\n"
printf "*****************************ok********************************* \n"
#Protecao conta Ping da morte
printf "Protecao contra PING DA MORTE ativas.\n"
printf "*****************************ok********************************* \n"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Proteçao contra portscan stealth.
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#printf "Protecao contra PROT SACN STEALTH ativas.\n"
#printf "*****************************ok********************************* \n"
#********************************* REGRAS OUTPT ************************************
# *
#***********************************************************************************
#********************************* REGRAS INPUT ************************************
# *
#***********************************************************************************
# Abre a faixa de ip.
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
#cira um masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Permite conexões de alguns serviços seja para a internet
# quanto para a rede local
iptables -A INPUT -p tcp -m multiport --dports 22,80,3389,88 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 22,80,3389,88 -j ACCEPT
# Abre a 22 e 21 porta (inclusive para a Internet):
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# net
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Impede pacotes mal formados
iptables -A INPUT -m state --state INVALID -j DROP
# Abre o trafego interno
iptables -A INPUT -i lo -j ACCEPT
printf "Abre comunicacao para interface interna ativas.\n"
printf "*****************************ok********************************* \n"
#Proxy transparente e cameras
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.10:3389
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.10:3389
#iptables -t nat -A PREROUTING -i eth0 -m multiport -p tcp --dport 3550:5900 -j DNAT --to-destination 192.168.0.136
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
printf "Proxtransparente ativado.\n"
printf "*****************************ok********************************* \n"
#******************************** REGRAS FORWARD ***********************************
# *
#***********************************************************************************
iptables -A FORWARD -p tcp -i eth0 --dport 88 -j ACCEPT ## Camera
iptables -A FORWARD -p tcp -i eth0 --dport 2000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 5900 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 5222 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --sport 3128 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 1719 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 1723 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 1723 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 4156 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 809 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 143 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 443 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 110 -j ACCEPT
iptables -A FORWARD -p udp -i eth0 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 47 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 47 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -m multiport -p tcp --dport 5000:5900 -j DNAT --to-destination 10.0.0.5
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000:5900 -j DNAT --to 192.168.0.136
#iptables -t nat -A POSTROUTING -d 10.0.0.5 -j SNAT --to 192.168.0.136
#iptables -A FORWARD -p tcp -i eth0 --sport 1024:65535 -d 192.168.0.1/24 #--dport 21 -j ACCEPT
#iptables -A FORWARD -p tcp -i eth0 --sport 1024:65535 -d 192.168.0.1/24 #--dport 20 -j ACCEPT
#iptables -A FORWARD -p tcp -i eth0 -s ftp.servtec1.com.br -d 192.168.0.1/24 --dport 21 -j ACCEPT
#iptables -A FORWARD -p tcp -i eth1 -s ftp.servtec1.com.br -d 192.168.0.1/24 --dport 20 -j ACCEPT1
iptables -A FORWARD -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --sport 21 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --sport 25 -j ACCEPT
printf "Fechando as demais portas. \n"
printf "*****************************ok********************************* \n"
iptables -A FORWARD -p tcp -i eth0 -j ACCEPT
iptables -A FORWARD -p udp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -j ACCEPT
printf "Regras de firewall ativadas.\n"
printf "*****************************ok********************************* \n"
}
status(){
iptables -L
}
parar(){
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
printf "Regras de firewall desativadas.\n"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"status") status ;;
"restart") parar; iniciar ;;
*) echo "Use os parametros stop|start|status|restart"
esac
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
