Firewall

Published by Fabio Tezzei 23/02/2006

I made another firewall for people to test.
On Debian, put the script in /bin
and create a symbolic link to it in rc2.d.
On Red Hat and its derivatives, put it in /bin, with a call from rc.local.

  




#!/bin/bash
echo
echo " Ativando o Firewall"
# Fill in before running: every rule that uses an empty variable fails with a bad-argument error.
IP_SERVER=            # public IP of this host
IP_SERVER_interno=    # IP of this host on the internal network
ANY="0/0"
LOOPBACK="127.0.0.1"
INTERFACE_EXTERNA="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_ORI="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

echo "Carregando Modulos"

modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp


# Block everything by default: INPUT/OUTPUT policy = DROP
## FORWARD is ACCEPT so the box can share its Internet connection; set it to DROP if it does not route for a LAN
iptables -F
iptables -Z
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

echo "Protecao contra ataques de spoof ativada "
## Protection against SPOOFING with invalid source addresses
# Drop packets to/from a private Class A range (the original comment said "and log"; there is no LOG rule).
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_A -j DROP
iptables -A INPUT  -i $INTERFACE_EXTERNA -d $CLASS_A -j DROP

# Drop packets to/from a private Class B range.
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_B -j DROP
iptables -A INPUT  -i $INTERFACE_EXTERNA -d $CLASS_B -j DROP
#iptables -A OUTPUT -s $CLASS_B -j DROP
#iptables -A OUTPUT -d $CLASS_B -j DROP

# Drop packets to/from a private Class C range (left disabled in the original).
#iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_C -j DROP
#iptables -A OUTPUT -s $CLASS_C -j DROP
#iptables -A OUTPUT -d $CLASS_C -j DROP

# Drop packets claiming to come from the loopback address.
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $LOOPBACK -j DROP
#iptables -A OUTPUT -s $LOOPBACK -j DROP

# Drop the broadcast address used as SOURCE (and 0.0.0.0 used as destination)
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $BROADCAST_DEST -j DROP
iptables -A INPUT  -i $INTERFACE_EXTERNA -d $BROADCAST_ORI -j DROP

# Drop Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_D_MULTICAST -j DROP

# Drop Class E reserved addresses
iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_E_RESERVED_NET -j DROP


# Addresses reserved by IANA
# drop addresses defined as reserved by IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
# NOTE: this list comes from an old template and does not exactly match the rules below; most of
# these /8 blocks have since been allocated and carry ordinary Internet traffic, so the rules
# will drop legitimate connections. Check the current IANA IPv4 address space registry first.
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 1.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 2.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 5.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 7.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 23.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 27.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 31.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 37.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 39.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 41.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 42.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 58.0.0.0/7 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 70.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 71.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 72.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 73.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 74.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 75.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 76.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 77.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 78.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 79.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 80.0.0.0/4 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 96.0.0.0/4 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 112.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 113.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 114.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 115.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 116.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 117.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 118.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 119.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 120.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 121.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 122.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 123.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 124.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 125.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 126.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 217.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 218.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 219.0.0.0/8 -j DROP 
iptables -A INPUT  -i $INTERFACE_EXTERNA -s 220.0.0.0/6 -j DROP

# Close backdoor ports that trojans may open
#BackOrifice (the original said "logged"; there is no LOG rule, only DROP)
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 31337 -j DROP
iptables -A INPUT -p udp -s $ANY -d $ANY --dport 31337 -j DROP

#NetBus
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 12345:12346 -j DROP
iptables -A INPUT -p udp -s $ANY -d $ANY --dport 12345:12346 -j DROP

#NetBus LOG test
#iptables -A INPUT -s $ANY -m limit --limit 1/s -j LOG
#iptables -A FORWARD -p tcp --dport 12345:12346 -s $ANY -d $ANY -j LOG --log-prefix 'NetBus Lammer Attack'

#TrinOO
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 1542 -j DROP
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 27665 -j DROP
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 27444 -j DROP
iptables -A INPUT -p tcp -s $ANY -d $ANY --dport 31335 -j DROP

#Allow by MAC address

#iptables -A INPUT -p icmp -m mac --mac-source 00:00:21:FA:B3:02 -j ACCEPT
#iptables -A OUTPUT -p icmp -d $ANY -j ACCEPT

#echo "Liberado FTP"
# Allow FTP / IP (SERVER)
# Ports 20/21 -
#iptables -A INPUT -p tcp -s $ANY --sport 1024:65535 -d $IP_SERVER --dport 21 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 21 -d $ANY --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY --sport 1024:65535 -d $IP_SERVER --dport 20 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 20 -d $ANY --dport 1024:65535 -j ACCEPT


#Allow SSH client (22)
# NOTE: stateless rule; it accepts ANY inbound TCP packet whose source port is 22, not only
# replies to connections this host opened. -m state --state ESTABLISHED,RELATED is the tighter form.
iptables -A INPUT -p tcp -s $ANY --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d $ANY --dport 22 -j ACCEPT

#Allow SSH server (22)
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 22 -d $ANY -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 22 -d $ANY -j ACCEPT

#Allow Telnet client (23)
#iptables -A INPUT -p tcp -s $ANY --sport 23 -j ACCEPT
#iptables -A OUTPUT -p tcp -d $ANY --dport 23 -j ACCEPT

#Allow Telnet server (23)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 23 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 23 -d $ANY -j ACCEPT

#Allow port 25 (SMTP)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 25 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 25 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY -d 127.0.0.1 --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s 127.0.0.1 --sport 25 -d $ANY -j ACCEPT

#Allow port 80 (SERVER)
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 80 -d $ANY -j ACCEPT

#iptables -A INPUT -p tcp -s $ANY -d 200.150.245.51 --dport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp -s 200.150.245.51 --sport 80 -d $ANY -j ACCEPT

#Allow port 110 (POP3)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 110 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 110 -d $ANY -j ACCEPT

#Identd (delay problems with NAT + DROP on identd; see the LinuxSecurity firewall forum)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 113 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 113 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -d $IP_SERVER --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A FORWARD -p tcp -d $IP_SERVER --dport 113 -j REJECT --reject-with tcp-reset

#DNS client
# NOTE: stateless, like the SSH client rule: any inbound packet with source port 53 is accepted.
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

#DNS server
iptables -A INPUT -p udp -s $ANY -d $IP_SERVER_interno --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s $IP_SERVER_interno --sport 53 -d $ANY -j ACCEPT
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 53 -d $ANY -j ACCEPT

#Allow IMAP server (143)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 143 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 143 -d $ANY -j ACCEPT

#Block external MySQL
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 3306 -j DROP
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 3306 -d $ANY -j DROP
# Drop external access to 3128 (Squid); it must stay ahead of the unprivileged-port ACCEPT further down
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 3128 -j DROP


#Allow access to the FILE SERVER
#echo "Liberado acesso as portas 135,137,139"
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 135:139 -j ACCEPT
#iptables -A OUTPUT -p tcp -d $ANY -s $IP_SERVER --sport 135:139 -j ACCEPT
#iptables -A INPUT -p udp -s $ANY -d $IP_SERVER --dport 135:139 -j ACCEPT
#iptables -A OUTPUT -p udp -s $IP_SERVER --sport 135:139 -d $ANY -j ACCEPT

echo "Liberado portas nao privilegiadas"
#Allow unprivileged ports (1024 -> 65535) (HTTP/MAIL clients etc.)
#Always leave open
# NOTE: this accepts NEW inbound connections to every TCP port above 1023 on $IP_SERVER, so any
# service listening there (MySQL on 3306, for one, unless dropped above) is reachable from the
# Internet. A -m state --state ESTABLISHED,RELATED rule covers the client case without that exposure.
iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 1024:65535 -d $ANY -j ACCEPT


#General protections

##Syn-flood DoS protection
# NOTE: the limit rules below only ACCEPT up to 1/s; nothing drops the excess and the FORWARD
# policy is ACCEPT, so as written they have no effect. Each would need a matching DROP rule after it.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

##Stealth scan protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

##Furtive port scanner protection (identical to the rule above; kept as in the original)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

##Ping of Death protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#Block fragmented packets (-f matches the second and later fragments)
iptables -A FORWARD -f -j DROP
iptables -A INPUT -f -j DROP


#Protect against scans: only allow the port for a specified IP
#iptables -A INPUT -p tcp -s $ANY --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset



                 ############
                 #PING RULES#
                 ############

#Enable ICMP packets
#Echo Reply - the OUTPUT rule lets this host answer pings; the INPUT rule lets it receive replies to its own pings
iptables -A OUTPUT -p icmp -s $ANY --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s $ANY --icmp-type 0 -j ACCEPT
#Destination Unreachable
iptables -A OUTPUT -p icmp -s $ANY --icmp-type 3 -j ACCEPT
#Redirect
iptables -A OUTPUT -p icmp -s $ANY --icmp-type 5 -j ACCEPT
#Echo Request - receive PING
iptables -A OUTPUT -p icmp -s $ANY --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s $ANY --icmp-type 8 -j ACCEPT
#Time Exceeded
iptables -A OUTPUT -p icmp -s $ANY --icmp-type 11 -j ACCEPT


                 ########################################
                 #NAT RULES: what each client may access#
                 ########################################


#If you want a NAT client not to use telnet, for example
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 23 -j DROP
#Block some ports for the internal machines using the shared connection
#SSH
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 22 -j DROP
#HTTP
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
#SMTP (external)
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 25 -j DROP
#POP3 (external)
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 110 -j DROP
#ICQ
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 4000 -j DROP
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 4001 -j DROP








                         #########################
                         #NAT RULES and REDIRECTS#
                         #########################

#### Connection sharing, like ipchains masquerading
#Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Masquerade out of ppp0 / ethX
iptables -t nat -A POSTROUTING -o $INTERFACE_EXTERNA -j MASQUERADE
###

#FTP - Software Tech For Win
# NOTE: each "--state NEW -i $INTERFACE_EXTERNA -j ACCEPT" line below has no port match, so it
# accepts ANY new TCP connection arriving on the external interface for forwarding, not just FTP.
# With the FORWARD policy already ACCEPT they add nothing; if that policy is ever set to DROP
# they would reopen everything, so restrict them to the intended ports.

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 20 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 21 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT



#Allow external POP/SMTP
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT


##### Open for everything - servers

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -d 192.168.0.1 -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT


iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s 192.168.0.2 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -s 192.168.0.2 -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -p icmp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT


iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s 192.168.0.253 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -d 192.168.0.253 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s 192.168.0.254 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -d 192.168.0.254 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT


#####################################


#iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 53 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT



#Redirect packets to the Exchange server
iptables -A PREROUTING -t nat -p tcp -d $IP_SERVER --dport 25 -j DNAT --to 192.168.0.2:25

#POP redirect
iptables -A PREROUTING -t nat -p tcp -d $IP_SERVER --dport 110 -j DNAT --to 192.168.0.2:110

#HTTP redirect
iptables -A PREROUTING -t nat -p tcp -d $IP_SERVER --dport 80 -j DNAT --to 192.168.0.2:80

#Terminal Service
iptables -A PREROUTING -t nat -p tcp -d 200.150.245.51 --dport 3389 -j DNAT --to 192.168.0.1:3389
iptables -A PREROUTING -t nat -p tcp -d 200.150.245.52 --dport 3389 -j DNAT --to 192.168.0.2:3389


#Receita Federal
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 3456 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 3456 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

#Internal IP leaving through the external one (put here the IP of the card that is on the internal network)
#iptables -t nat -A POSTROUTING -s 192.168.0.2/255.255.255.0 -j SNAT --to $IP_SERVER

#Transparent proxy (as written this matches the external interface; a transparent proxy for the LAN would use the internal one)
#iptables -t nat -A PREROUTING -i $INTERFACE_EXTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128

#Allow localhost
iptables -A INPUT -i lo -s $ANY -j ACCEPT
iptables -A OUTPUT -o lo -d $ANY -j ACCEPT

#Allow the LAN
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.0.0/24 -j ACCEPT

#SMTP to the Exchange server

iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
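To make the risk in the script's stateless client rules concrete (any inbound TCP with source port 22, any UDP with source port 53, and any TCP to a port above 1023 is accepted whether or not this host started the connection), here is a first-match simulation of the relevant INPUT rules beside an assumed conntrack-based replacement. This is added example code, not part of Fabio Tezzei's script; the packets are constructed and the state field stands in for what ip_conntrack would assign.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    state: str   # what ip_conntrack would assign: "NEW", "ESTABLISHED" or "RELATED"

# Rule = (proto, sport range, dport range, state set, target); None means "any".
# Evaluation is first-match, like an iptables chain, falling through to the policy.
def evaluate(rules, pkt, policy="DROP"):
    for proto, sports, dports, states, target in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if sports is not None and not (sports[0] <= pkt.sport <= sports[1]):
            continue
        if dports is not None and not (dports[0] <= pkt.dport <= dports[1]):
            continue
        if states is not None and pkt.state not in states:
            continue
        return target
    return policy

# The script's INPUT rules that matter for the server itself, in script order (policy DROP).
# The -d $IP_SERVER match is omitted because every packet below is addressed to the server.
PAGE_RULES = [
    ("tcp", (22, 22), None, None, "ACCEPT"),       # -p tcp --sport 22 -j ACCEPT (SSH client)
    ("tcp", None, (22, 22), None, "ACCEPT"),       # -p tcp --dport 22 -j ACCEPT (SSH server)
    ("udp", (53, 53), None, None, "ACCEPT"),       # -p udp --sport 53 -j ACCEPT (DNS client)
    ("tcp", None, (3128, 3128), None, "DROP"),     # -p tcp --dport 3128 -j DROP
    ("tcp", None, (1024, 65535), None, "ACCEPT"),  # -p tcp --dport 1024:65535 -j ACCEPT
]

# Assumed stateful replacement (not from the script): replies to connections this host
# opened are accepted by conntrack state, and only the SSH service is exposed.
STATEFUL_RULES = [
    (None, None, None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),  # -m state --state ESTABLISHED,RELATED -j ACCEPT
    ("tcp", None, (22, 22), {"NEW"}, "ACCEPT"),                # -p tcp --dport 22 -m state --state NEW -j ACCEPT
]

def verdicts(pkt):
    """Return (script verdict, stateful verdict) for one packet."""
    return evaluate(PAGE_RULES, pkt), evaluate(STATEFUL_RULES, pkt)

PACKETS = {
    "ssh reply":       Pkt("tcp", 22, 51000, "ESTABLISHED"),  # reply from a host we ssh'd to
    "dns reply":       Pkt("udp", 53, 40000, "ESTABLISHED"),  # reply to our own DNS query
    "new ssh":         Pkt("tcp", 50000, 22, "NEW"),          # someone connecting to our sshd
    "sport-22 probe":  Pkt("tcp", 22, 3306, "NEW"),           # probe to MySQL, source port set to 22
    "sport-53 probe":  Pkt("udp", 53, 8080, "NEW"),           # UDP probe, source port set to 53
    "high-port probe": Pkt("tcp", 45000, 3306, "NEW"),        # plain probe to a port above 1023
    "squid probe":     Pkt("tcp", 45000, 3128, "NEW"),        # hits the explicit 3128 DROP first
}

if __name__ == "__main__":
    for name, p in PACKETS.items():
        s, t = verdicts(p)
        print(f"{name:16} script={s:7} stateful={t}")
```

The legitimate packets get the same verdict under both rule sets; the three probes pass the script's rules and are dropped by the stateful ones, and the squid probe shows why the 3128 DROP has to precede the high-port ACCEPT.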

  

Comments
[1] Comment sent by LUIS_FERNANDO on 23/02/2006 - 16:46h

I'd like some help if anyone can: I have to write an article about the Coyote operating system, but I need to emphasize the FIREWALL more than LINUX. Any help will be welcome.

[2] Comment sent by _cabelo_ on 30/07/2007 - 21:35h

Man, you nailed it with this script

Sure, I'm not going to put that on my firewall, but it's a great reference to study when it's time to implement one; no doubt it's going in my bookmarks

Congratulations

