Firewall com controle de acessos (firewall)
Firewall completo para você implantar em sua rede wireless ou provedor
Categoria: Init
Software: Firewall com controle de acessos
Por: Rodrigo Rodrigues de mattos
Bom, esta é a minha primeira contribuição de .conf, então decidi que seria para aumentar a segurança do seu Linux.
Sei que já existem muitas configurações aqui no VOL e, sempre que procurei nos inúmeros exemplos algo que pudesse me ajudar a incrementar a segurança da minha rede de 20 computadores unidos por wireless, encontrei.
Espero que seja proveitoso para todos que passam por aqui.
Observação: o arquivo netfur.txt usado aqui (lido de /etc/netfuture/firewall/netfur.txt) tem uma linha por cliente no formato `IP,MAC`: o primeiro campo é o endereço IP do cliente e o segundo o endereço MAC da sua placa de rede, separados por vírgula. O último octeto do IP é usado como valor de MARK do cliente.
#!/bin/sh
#
# /etc/rc.d/init.d/firewall
# chkconfig: - 60 95
# description: Este script controla o start/stop do servico de \
# firewall baseado no iptables.
#
# Source function library.
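# Source function library (provides status()).
. /etc/rc.d/init.d/functions
# Source networking configuration (provides NETWORKING).
. /etc/sysconfig/network
# IP forwarding is NOT enabled here.  The old script switched it on for
# every invocation (start, stop, status) before a single rule existed,
# which made the box route traffic unfiltered; the start branch enables
# it after the DROP policies are in place.
# Check that networking is up.  NETWORKING is quoted so the test does
# not break when the variable is unset.
if [ "${NETWORKING}" = "no" ]; then
    exit 0
fi
# Nothing to do without the iptables binary.
if [ ! -x /sbin/iptables ]; then
    exit 0
fi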
# Parametros
case "$1" in
start)
# Announce the start and create the subsys lock file so the init
# system considers the service running (the file's content is unused).
printf '%s\n' "Starting Firewalling Services: "
: > /var/lock/subsys/firewall
# -----------------------------------------------------------------
# Define o default como DROP
# -----------------------------------------------------------------
# Remove todas as regras
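# Fail closed while the rule set is rebuilt: set the DROP policies
# *before* flushing, so a reload never opens an accept-all window
# (on first boot the policies are still ACCEPT at this point).  They
# are set again a few lines further down; that is harmless.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Remove every rule and user chain from all three tables.  The mangle
# table is included: the per-client MARK rules are added there, and
# without flushing it they piled up on every start.
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
done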
# -----------------------------------------------------------------
# Definicao de variaveis
# -----------------------------------------------------------------
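# Interface facing the Internet (the PPP link).  Defined first so the
# address lookup below uses it instead of repeating the name.
EXTERNAL_INTERFACE="ppp0"
# Current address of the external interface, taken from ifconfig.
# Accepts both "inet addr:A.B.C.D" (net-tools 1.x) and "inet A.B.C.D";
# the old grep|cut|cut chain depended on the literal "P" of "P-t-P"
# and left trailing blanks in the value.
EXTERNAL_IP=$(ifconfig "$EXTERNAL_INTERFACE" 2>/dev/null \
    | sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.][0-9.]*\).*/\2/p')
if [ -z "$EXTERNAL_IP" ]; then
    # Every rule matching on $EXTERNAL_IP will fail to load (and so
    # fail closed); say why instead of failing silently.
    echo "firewall: no address found on $EXTERNAL_INTERFACE; rules using EXTERNAL_IP will not load" >&2
fi
# Not referenced by any rule below; kept for compatibility.
EXTERNAL_NET="192.168.0.0/255.255.255.0"
INTERNAL_IP="192.168.1.1"
INTERNAL_INTERFACE="eth1"
# Same network as the literal 192.168.1.0/27 used in the rules below.
INTERNAL_NET="192.168.1.0/255.255.255.224"
# PRIVPORTS is not referenced by any rule below; kept for compatibility.
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"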
# -----------------------------------------------------------------
# Define o default como DROP
# -----------------------------------------------------------------
# Default policy: whatever is not explicitly accepted below is dropped,
# in all three built-in chains of the filter table.
for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
done
# -----------------------------------------------------------------
# Carrega modulos
# -----------------------------------------------------------------
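# ------------------------------------------------------------------
# Kernel modules
# ------------------------------------------------------------------
# Connection tracking and NAT.  ip_conntrack_ftp is told about port
# 2121 (the ProFTPD port opened below) as well as 21: without "ports="
# the helper only inspects control connections on port 21, so FTP data
# connections belonging to a session on 2121 are never seen as RELATED.
# Module parameters only apply when the module is first loaded; if it
# is already loaded, rmmod it first or reboot.  (On 2.4 kernels
# ip_nat_ftp takes the same ports= parameter - verify for your kernel.)
modprobe ip_conntrack
modprobe ip_conntrack_ftp ports=21,2121
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe iptable_mangle
# Match and target modules used by the rules (ipt_state was listed
# twice in the old list).
for mod in ipt_REJECT ipt_LOG ipt_MASQUERADE ipt_state ipt_mac \
           ipt_mark ipt_MARK ipt_multiport ipt_owner ipt_tos; do
    modprobe "$mod"
done
# modprobe ipt_unclean    # experimental match, left disabled
# Enable routing between the interfaces.  Done here, after the DROP
# policies, so forwarding is never on without a rule set.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Console log level 5: only messages of priority below 5 (warning and
# more severe) reach the console, so the "--log-level info" LOG rules
# below do not flood it.
echo "5 4 1 7" > /proc/sys/kernel/printk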
# -----------------------------------------------------------------
# Habilita trafego loopback
# -----------------------------------------------------------------
# The loopback interface is trusted: local services talk to each other
# over it (e.g. the web server to the resolver), so accept both ways.
lo_if="lo"
iptables -A INPUT  -i "$lo_if" -j ACCEPT
iptables -A OUTPUT -o "$lo_if" -j ACCEPT
# -----------------------------------------------------------------
# Anti-Spoofing
# -----------------------------------------------------------------
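# ------------------------------------------------------------------
# Anti-spoofing and kernel hardening
# ------------------------------------------------------------------
# Reverse-path filtering: discard packets whose source address is not
# routable back through the interface they arrived on.  The interface
# names come from the variables above instead of being repeated
# literally.  "all" is set as well: on older kernels the per-interface
# value only takes effect when conf/all/rp_filter is also set, and a
# PPP interface that is down has no sysctl entry at all, so each path
# is tested before writing to it.
for iface in all lo "$EXTERNAL_INTERFACE" "$INTERNAL_INTERFACE"; do
    if [ -e "/proc/sys/net/ipv4/conf/$iface/rp_filter" ]; then
        echo 1 > "/proc/sys/net/ipv4/conf/$iface/rp_filter"
    fi
done
# SYN cookies: keeps the host reachable during a SYN flood.  Should be
# enabled on every server.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not log bogus ICMP error responses (they only add log noise).
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses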
# -----------------------------------------------------------------
# Habilita trafego na rede interna
# -----------------------------------------------------------------
# Libera tráfego entre redes 192.168.1.0
# ##Abrindo trafego IPSEC
# iptables -A INPUT -p udp --dport 5000 -s 0/0 -d 0/0 -j ACCEPT
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
##Permitir acesso a subrede
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
## Bloquear Multiquest
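## Block multicast.  The multicast range is 224.0.0.0/4
## (224.0.0.0 - 239.255.255.255); the old /8 mask only covered
## 224.x.x.x.  These rules are placed before the LAN ACCEPT rules on
## purpose, so multicast from the LAN is not let in by them.
iptables -A INPUT -s 224.0.0.0/4 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/4 -j DROP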
##Permitir trafego entre as redes
#iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
# iptables -A FORWARD -s 192.168.1.3 -m mac --mac-source 00:0F:B0:3C:A6:6E -d 192.168.1.0/27 \
# -j ACCEPT
# Portas Para Rede Windows!!!! OBS:. 192.168.1.0/27 e o mesmo que 192.168.1.0/255.255.255.224
# TCP services on the firewall offered to the LAN
# (192.168.1.0/27 is the same as 192.168.1.0/255.255.255.224):
#   2121      ProFTPD control port
#   20        FTP data
#   9920      (purpose not stated in the original script)
#   1863      (commonly the MSN Messenger port)
#   137-139   NetBIOS over TCP (Windows networking)
# The rules are stateless, so each port needs an INPUT rule for the
# request and an OUTPUT rule for the reply.
for port in 2121 20 9920 1863 137 138 139; do
    iptables -A INPUT -i "$INTERNAL_INTERFACE" -s 192.168.1.0/27 \
        -p tcp --dport "$port" -j ACCEPT
    iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -d 192.168.1.0/27 \
        -p tcp --sport "$port" -j ACCEPT
done
# Disabled in the original; re-enable if needed (VNC on 5900 from the
# /27, port 47151 from the whole 192.168.0.0/16):
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p tcp --dport 5900 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport 5900 -j ACCEPT
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/16 -p tcp --dport 47151 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/16 -p tcp --sport 47151 -j ACCEPT
# Libera acesso ao proxy e DNS e icmp para todas as maquinas
# ICMP between the LAN and the firewall itself (ping, error messages).
# $INTERNAL_NET is 192.168.1.0/255.255.255.224, i.e. the same /27.
iptables -A INPUT -i "$INTERNAL_INTERFACE" -s "$INTERNAL_NET" -p icmp -j ACCEPT
iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -d "$INTERNAL_NET" -p icmp -j ACCEPT
##############################################################
# LIBERA O PROXY INTERMO NA REDE
###############################################################
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
# -p tcp --dport 3128 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
# -p tcp --sport 3128 -j ACCEPT
##############################################################
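# DNS from the LAN to the resolver on this host, over TCP and UDP.
# The old rules accepted *every* UDP port from the LAN although the
# comment only mentioned DNS, exposing any UDP service on the gateway
# to every wireless client.  UDP is now limited to port 53 like TCP.
# If another UDP service on the gateway is needed by the LAN (e.g.
# NTP or DHCP renewals), add an explicit INPUT/OUTPUT pair for it.
for proto in tcp udp; do
    iptables -A INPUT -i "$INTERNAL_INTERFACE" -s 192.168.1.0/27 \
        -p "$proto" --dport 53 -j ACCEPT
    iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -d 192.168.1.0/27 \
        -p "$proto" --sport 53 -j ACCEPT
done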
# Libera acesso total ao firewall para algumas (REDE LOCAL)
# Hosts with unrestricted access to the firewall itself:
#   192.168.1.1              the firewall's own LAN address
#   192.168.1.2, .3          administration hosts
#   192.168.1.29, .30        the access points
# NOTE(review): these rules trust the source IP alone.  On a wireless
# segment any station can claim one of these addresses; the per-client
# rules further down bind IP to MAC with "-m mac --mac-source" and the
# same should be done here.  The MAC addresses of these hosts are not
# known to this script, so it cannot be added automatically.
for host in 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.29 192.168.1.30; do
    iptables -A INPUT -i "$INTERNAL_INTERFACE" -s "$host" -j ACCEPT
    iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -d "$host" -j ACCEPT
done
########################################################################
# Libera ping do firewall para a internet
########################################################################
# ICMP on the external interface.  Inbound: echo-reply (0), destination
# unreachable (3), source quench (4), time exceeded (11) and parameter
# problem (12), so the firewall's own pings and connections get their
# replies and errors.  Echo-request (8) is deliberately absent, so the
# firewall does not answer pings from the Internet.  Outbound: 4, 8, 12
# and 11, so it can ping out and send its own error messages.
for icmp_type in 0 3 4 11 12; do
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p icmp \
        -s 0/0 --icmp-type "$icmp_type" -d "$EXTERNAL_IP" -j ACCEPT
done
for icmp_type in 4 8 12 11; do
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p icmp \
        -s "$EXTERNAL_IP" --icmp-type "$icmp_type" -d 0/0 -j ACCEPT
done
###########################################################################
# Libera ping do firewall para a rede local
##########################################################################
# ICMP on the internal interface, same type set as for the external
# one (replies and errors in, echo-request and errors out).  The LAN
# rule above already accepts all ICMP from 192.168.1.0/27, so these
# mainly matter for sources outside that subnet.
for icmp_type in 0 3 4 11 12; do
    iptables -A INPUT -i "$INTERNAL_INTERFACE" -p icmp \
        -s 0/0 --icmp-type "$icmp_type" -d "$INTERNAL_IP" -j ACCEPT
done
for icmp_type in 4 8 12 11; do
    iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -p icmp \
        -s "$INTERNAL_IP" --icmp-type "$icmp_type" -d 0/0 -j ACCEPT
done
# =================================================================
# As linhas a seguir liberam o acesso de máquinas da internet
# a recursos deste computador como servidor; as regras
# servem para liberar as portas para o meio externo.
# =================================================================
# -----------------------------------------------------------------
# HTTP Server (porta 80 e 8080 para o Apache)
# -----------------------------------------------------------------
# Web server (Apache) on ports 80 and 8080, reachable from the
# Internet.  Stateless pair per port: the client must use an
# unprivileged source port, replies go back from the server port.
for port in 80 8080; do
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
        -s 0/0 --sport "$UNPRIVPORTS" \
        -d "$EXTERNAL_IP" --dport "$port" -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$EXTERNAL_IP" --sport "$port" \
        -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT
done
##################################################################
# Libera SSH >>>>>>>>>>>>>>3420
##################################################################
# SSH, listening on 3420 instead of 22, open to the whole Internet.
# NOTE(review): the non-standard port only hides sshd from the most
# naive scans; it is no substitute for key-only authentication and
# PermitRootLogin no in sshd_config, and restricting "-s" to known
# administrator addresses where possible.
ssh_port=3420
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport "$UNPRIVPORTS" \
    -d "$EXTERNAL_IP" --dport "$ssh_port" -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport "$ssh_port" \
    -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT
#################################################################
# FECHANDO A PORTA 3128 PARA O MUNDO EXTERNO
#################################################################
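# Block the Squid port (3128) from the Internet.  The old rule only
# matched clients using an unprivileged source port, so a connection
# sent from source port 0-1023 slipped past it (and later stateless
# rules that accept by source port, such as the finger/whois "client"
# rules, could then let it through).  Drop regardless of source port.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 -d "$EXTERNAL_IP" --dport 3128 -j DROP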
#################################################################
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport $UNPRIVPORTS \
# -d $EXTERNAL_IP --dport 22 -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport 22 \
# -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport $UNPRIVPORTS \
# -d $EXTERNAL_IP --dport 5000:5200 -j ACCEPT
#################################################################
# HTTTPS :443 Acesso EXTERNO #
#################################################################
# HTTPS (443) reachable from the Internet; same stateless pattern as
# the HTTP rules above.
https_port=443
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport "$UNPRIVPORTS" \
    -d "$EXTERNAL_IP" --dport "$https_port" -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport "$https_port" \
    -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT
####################################################################################
# Regras para Impedir ataques do Tipo DoS, NetBus,Ping, Port Scaner, Back Orifice
####################################################################################
# >>>>>> Back Orifice
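# Well-known backdoor ports: Back Orifice (31337) and NetBus
# (12345-12346), TCP and UDP.  Log (rate-limited) and then drop.  The
# logging has to happen here: DROP is terminal, so the LOG rules at
# the end of the chain never see these packets.
for port in 31337 12345:12346; do
    for proto in tcp udp; do
        iptables -A INPUT -p "$proto" --dport "$port" \
            -m limit --limit 5/minute -j LOG --log-prefix "Backdoor $port:"
        iptables -A INPUT -p "$proto" --dport "$port" -j DROP
    done
done
# Drop incoming UDP traceroute probes on the external interface.
iptables -A INPUT -p udp -s 0/0 -i "$EXTERNAL_INTERFACE" --dport 33435:33525 -j DROP
# Rate limits for forwarded traffic.  The old rules were
#   -A FORWARD ... -m limit --limit 1/s -j ACCEPT
# with nothing behind them, which protects nothing: packets over the
# limit simply fall through to the per-client ACCEPT rules.  Worse,
# the ACCEPT forwarded up to 1 packet/s of ping and RST-only traffic
# from *any* source, bypassing the IP+MAC client check.  Each limit
# now lives in its own chain: packets within the limit RETURN to
# FORWARD and remain subject to the client rules; packets above it are
# dropped.  As before, the 1/s budget is shared by the whole LAN.
limit_chain() {
    # $1 = name of the chain to (re)create.
    iptables -N "$1" 2>/dev/null || iptables -F "$1"
    iptables -A "$1" -m limit --limit 1/s -j RETURN
    iptables -A "$1" -j DROP
}
# Ping flood ("ping of death") protection.
limit_chain FWD_PING_LIMIT
iptables -A FORWARD -p icmp --icmp-type echo-request -j FWD_PING_LIMIT
# Stealth port-scan protection: segments with only RST set.  Dropping
# excess RSTs is harmless to normal TCP (the peer simply retries).
limit_chain FWD_RST_LIMIT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j FWD_RST_LIMIT
# SYN-flood limiting was disabled in the original.  To enable it:
# limit_chain FWD_SYN_LIMIT
# iptables -A FORWARD -p tcp --syn -j FWD_SYN_LIMIT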
#####################################################################################
# -----------------------------------------------------------------
# AUTH Server (porta 113)
# -----------------------------------------------------------------
# ident/auth (113) is refused with REJECT rather than DROP - presumably
# so that remote mail/IRC servers probing ident get an immediate answer
# instead of waiting for a timeout.  The OUTPUT rule is placed before
# the general "NEW outbound" rule, so it does take effect.
auth_port=113
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport "$UNPRIVPORTS" \
    -d "$EXTERNAL_IP" --dport "$auth_port" -j REJECT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport "$auth_port" \
    -d 0/0 --dport "$UNPRIVPORTS" -j REJECT
####################################################################
# Esta linha esta liberando o acesso para o servidor PROftpd
###################################################################
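# ProFTPD control connection on port 2121, reachable from the Internet.
# The OUTPUT rule now matches -s $EXTERNAL_IP like every other server
# rule in this script (the original used -s 0/0 here).
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport "$UNPRIVPORTS" \
    -d "$EXTERNAL_IP" --dport 2121 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport 2121 \
    -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT
# Port 20 (FTP data), kept from the original.  Active-mode data
# connections are opened *from* port 20 by the server (covered by the
# "NEW outbound" state rule further down); these rules accept
# connections *to* port 20, which nothing should need, and there is no
# UDP FTP data channel at all.  They are harmless only while nothing
# listens on port 20.
for proto in udp tcp; do
    iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p "$proto" \
        -s 0/0 --sport "$UNPRIVPORTS" \
        -d "$EXTERNAL_IP" --dport 20 -j ACCEPT
    iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p "$proto" \
        -s "$EXTERNAL_IP" --sport 20 \
        -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT
done
# Passive-mode data ports.  NOTE(review): this opens 40000-65535 to
# the whole Internet without state tracking, so any service listening
# in that range on the firewall is reachable.  If ip_conntrack_ftp is
# loaded with "ports=21,2121", passive data connections are accepted as
# RELATED by the state rule further down and this pair can be removed,
# or at least narrowed to ProFTPD's PassivePorts range.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport "$UNPRIVPORTS" \
    -d "$EXTERNAL_IP" --dport 40000:65535 -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport 40000:65535 \
    -d 0/0 --dport "$UNPRIVPORTS" -j ACCEPT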
# ================================================================
# iptables -A INPUT -j ACCEPT -p tcp --dport 2121
# iptables -A OUTPUT -j ACCEPT -p tcp --dport 2121
# =================================================================
# As linhas a seguir liberam o acesso desta máquina a recursos
# na internet.
# =================================================================
# Permite que esta maquina acesse qualquer servidor na internet
# Linhas obrigatorias ter para o funcionamento do firewall
###################################################################
# Stateful core - required for the firewall to work at all.  Packets
# belonging to (or RELATED to, e.g. FTP data or ICMP errors) a
# connection the firewall opened are accepted on the external
# interface, and the firewall may open any outbound connection.
# Because these two rules come first, the "client" rules that follow
# (DNS, finger, whois) only ever see packets conntrack does not know.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# -----------------------------------------------------------------
# DNS Client (porta 53) Usado para servidor de DNS
# -----------------------------------------------------------------
# DNS "client" rules (UDP 53).  They come *after* the state rules, so:
#  - the INPUT REJECT only ever sees unsolicited packets from source
#    port 53 (replies to the firewall's own queries are already
#    ESTABLISHED and accepted); those get an ICMP error instead of
#    being silently dropped;
#  - the OUTPUT REJECT is unreachable: the preceding OUTPUT rule
#    accepts every NEW connection leaving the external interface, so
#    the firewall can still query Internet resolvers directly.
# If the intent is to forbid direct DNS from the gateway, this rule
# must be placed before the state rules.
dns_port=53
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp \
    -s 0/0 --sport "$dns_port" \
    -d "$EXTERNAL_IP" --dport "$UNPRIVPORTS" -j REJECT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp \
    -s "$EXTERNAL_IP" --sport "$UNPRIVPORTS" \
    -d 0/0 --dport "$dns_port" -j REJECT
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 53 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 53 -j ACCEPT
# -----------------------------------------------------------------
# Finger Client (porta 79)
# -----------------------------------------------------------------
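# Finger client (port 79).  The old INPUT rule accepted any packet
# with source port 79 towards any unprivileged port regardless of
# connection state, so an attacker using source port 79 could reach
# e.g. Squid (3128) on the firewall.  Only replies to connections this
# host opened are accepted now (the state rules above already cover
# them; the pair is kept for readability).
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport 79 \
    -d "$EXTERNAL_IP" --dport "$UNPRIVPORTS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport "$UNPRIVPORTS" \
    -d 0/0 --dport 79 -j ACCEPT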
# -----------------------------------------------------------------
# AUTH Client (porta 113)
# -----------------------------------------------------------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 113 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 113 -j ACCEPT
#>>>porta para os radios
#
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 772 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 772 -j ACCEPT
# -----------------------------------------------------------------
# WHOIS Client (porta 43)
# -----------------------------------------------------------------
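# WHOIS client (port 43).  Same defect as the finger rule: the old
# INPUT rule accepted anything from source port 43 to any unprivileged
# port on the firewall, connection state ignored.  Restricted to
# replies of connections this host opened.
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp \
    -s 0/0 --sport 43 \
    -d "$EXTERNAL_IP" --dport "$UNPRIVPORTS" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp \
    -s "$EXTERNAL_IP" --sport "$UNPRIVPORTS" \
    -d 0/0 --dport 43 -j ACCEPT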
#####################################################################################
# >>> Libera Acesso livre externo para alguem da minha rede interna SEM PROXY <<<
#####################################################################################
#>>>>>
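# ------------------------------------------------------------------
# Per-client Internet access for the stations listed in netfur.txt
# ------------------------------------------------------------------
# One client per line, "IP,MAC".  Blank lines and lines starting with
# "#" are ignored; a line without a MAC is reported and skipped.  (The
# old loop split the file on whitespace and fed an empty MAC to
# iptables, which rejected the MAC-bound rules but still loaded the
# MASQUERADE and inbound FORWARD rules for that address.)  Carriage
# returns are stripped so a file edited on Windows still parses.
client_list=/etc/netfuture/firewall/netfur.txt
# Replies from the local Squid towards the LAN.  One rule is enough;
# the old loop appended an identical copy for every client.
iptables -A OUTPUT -o "$INTERNAL_INTERFACE" -d 192.168.1.0/27 \
    -p tcp --sport 3128 -j ACCEPT
if [ ! -r "$client_list" ]; then
    echo "firewall: cannot read $client_list - no client will get Internet access" >&2
else
    tr -d '\r' < "$client_list" | while IFS=', ' read -r ip_cliente mac_cliente _extra; do
        case "$ip_cliente" in
            ''|'#'*) continue ;;
        esac
        if [ -z "$mac_cliente" ]; then
            echo "firewall: $client_list: no MAC for $ip_cliente, entry skipped" >&2
            continue
        fi
        # The last octet of the address is the client's MARK value.
        mark_cliente=${ip_cliente##*.}
        # Outbound: NAT and forward only when IP *and* MAC match.
        iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" \
            -s "$ip_cliente" -j MASQUERADE
        iptables -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" \
            -s "$ip_cliente" -m mac --mac-source "$mac_cliente" -j ACCEPT
        # Inbound: only replies to connections the client opened.  The
        # old rule accepted any packet addressed to the client; a client
        # that must receive unsolicited connections needs a DNAT plus a
        # matching FORWARD rule, as done for the access points below.
        iptables -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" \
            -d "$ip_cliente" -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Mark the client's traffic in both directions.  The marks are
        # not consumed in this script - presumably by traffic control
        # configured elsewhere.
        iptables -t mangle -A FORWARD -s "$ip_cliente" -j MARK --set-mark "$mark_cliente"
        iptables -t mangle -A FORWARD -s "$ip_cliente" -j ACCEPT
        iptables -t mangle -A FORWARD -d "$ip_cliente" -j MARK --set-mark "$mark_cliente"
        iptables -t mangle -A FORWARD -d "$ip_cliente" -j ACCEPT
        # Access to the local Squid, bound to the client's MAC as well.
        iptables -A INPUT -i "$INTERNAL_INTERFACE" -s "$ip_cliente" \
            -m mac --mac-source "$mac_cliente" -p tcp --dport 3128 -j ACCEPT
        # Transparent proxy: HTTP from this client is redirected to Squid.
        # "-i" pins the rule to the LAN interface.
        iptables -t nat -A PREROUTING -i "$INTERNAL_INTERFACE" -p tcp \
            -s "$ip_cliente" -m mac --mac-source "$mac_cliente" \
            --dport 80 -j REDIRECT --to-port 3128
    done
fi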
# fim do loop
# =================================================================
# Source NAT (POSTROUTING) e FORWARD
#
# Tratamento de casos específicos, onde máquinas precisam de portas
# liberadas ou acesso direto à internet.
# =================================================================
# ACESSO AOS APS PARA CONFIGURACAO NETFUTURE : 8089
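# Remote administration of the access points: their web interfaces are
# published on the external address as 8029 -> 192.168.1.29:80 and
# 8030 -> 192.168.1.30:80 (the original comments said 8089/8088, which
# did not match the rules).
# NOTE(review): this exposes the APs' plain-HTTP management pages to
# the entire Internet.  Restrict "-s" in the PREROUTING rule to the
# administrator's address(es) if they are known, or manage the APs
# through SSH on the gateway instead.
for ap in 8029:192.168.1.29 8030:192.168.1.30; do
    ext_port=${ap%%:*}
    ap_ip=${ap#*:}
    iptables -A PREROUTING -t nat -p tcp -d "$EXTERNAL_IP" \
        --dport "$ext_port" -j DNAT --to "$ap_ip:80"
    # The AP itself may reach the Internet.
    iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" \
        -s "$ap_ip" -j MASQUERADE
    iptables -A FORWARD -i "$INTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" \
        -s "$ap_ip" -j ACCEPT
    # Inbound: only the forwarded web port plus replies to the AP's own
    # connections.  The old rule accepted every packet addressed to it.
    iptables -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" \
        -d "$ap_ip" -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$INTERNAL_INTERFACE" \
        -d "$ap_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
done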
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# =================================================================
# Source NAT (POSTROUTING) e FORWARD
#
# Tratamento de casos específicos, onde máquinas precisam de portas
# liberadas ou acesso direto à internet.
# =================================================================
# iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
# --dport 5900 -j DNAT --to 192.168.1.1:5900
# iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
# -s 192.168.1.1 -j MASQUERADE
# iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
# -s 192.168.1.1 -j ACCEPT
# iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
# -d 192.168.1.1 -j ACCEPT
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# -----------------------------------------------------------------
# LOG
# -----------------------------------------------------------------
# Logging, every rule rate-limited to 5 entries per minute.
# HTTP leaving through the external interface without having been
# redirected to Squid.  The nat POSTROUTING chain sees the first packet
# of every new connection, including ones the gateway itself opens
# (presumably Squid's own upstream fetches), so expect those here too.
iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -p tcp --dport 80 \
    -m limit --limit 5/minute \
    -j LOG --log-prefix "WEB-SEM-PROXY:" --log-level info
# Whatever reaches the end of a filter chain is about to hit the DROP
# policy; record it.
for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" -m limit --limit 5/minute \
        -j LOG --log-prefix "BAD $chain:" --log-level info
done
#>>>Controle de acesso ao servico baixo
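# Audit logging for the exposed services.  These rules sit after every
# ACCEPT rule, so they only record packets that were *not* accepted
# (e.g. attempts on these ports from the wrong interface).  They are
# rate-limited now: the old rules had no limit, so a port scan could
# fill the log.
for spec in "2121 Acesso ao Proftpd" "3420 Acesso ao SSH" "443 WEB segura"; do
    port=${spec%% *}
    prefix=${spec#* }
    iptables -A INPUT -p tcp --dport "$port" \
        -m limit --limit 5/minute -j LOG --log-prefix "$prefix"
done
# Backdoor probe logging.  31337 is the Back Orifice port; the old rule
# logged 33435 (a traceroute port) under that label.  The DROP rules
# for 31337 and 12345/12346 earlier in the chain are terminal, so those
# three entries only fire if the DROP rules are removed.
for spec in "5042 Wincrash" "12345 Netbus" "12346 NetBus" "31337 BackOrifice"; do
    port=${spec%% *}
    prefix=${spec#* }
    iptables -A INPUT -p tcp --dport "$port" \
        -m limit --limit 5/minute -j LOG --log-prefix "$prefix"
done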
##################### LOG PACOTES EXTERN MARCADOS ##########################
# iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -j LOG --log-prefix "marcado FORWARD"
# iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j LOG --log-prefix "Marcado do squid "
# iptables -t mangle -A POSTROUTING -s $ip_cliente -j LOG --log-prefix "Marcado POSTROUTING"
;;
stop)
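echo "Shutting Firewalling Services: "
# A plain file: -f is enough, -r was needless.
rm -f /var/lock/subsys/firewall
# Flush rules and user chains from all three tables.  The old stop
# left the nat table untouched, so DNAT/REDIRECT/MASQUERADE kept
# working under accept-all policies - "stop" turned the box into an
# open NAT router.
for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
done
# Reset the filter policies to ACCEPT (this script's notion of "off").
for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
done
# Forwarding was switched on by "start"; switch it off again so no
# traffic is routed between the interfaces while the firewall is down.
# "restart" re-enables it in the start branch.
echo 0 > /proc/sys/net/ipv4/ip_forward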
;;
status)
    # status() comes from /etc/rc.d/init.d/functions.
    status firewall
    ;;
restart|reload)
    # Re-run this script for each step; $0 is quoted in case the path
    # contains blanks.
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
esac
exit 0