Bloquear acesso externo para IP INTERNO Squid/Iptables
1. Bloquear acesso externo para IP INTERNO Squid/Iptables
rafakas
(usa Debian)
Enviado em 07/01/2009 - 11:42h
Bom dia, gostaria de saber como eu posso bloquear 1 IP interno de ser acessado Externamente, pois eu uso o Debian + Squid Autenticado + Iptables e tem 1 usuario que usa 1 programa (showmypc) para se conectar da casa dele no computador da empresa sendo que eu gostaria de apenas bloquear o IP da maquina que ele usa aqui na empresa 192.168.0.xx de receber qualquer conexão de entrada externa, mas tipo ele acessas os sites normalmente mas nao conseguir acessar de casa (ip dinamico) o computador do escritorio.Lembrando que esse programa foi baseado no VNC mas usa as portas normais tipo a 80, e a do proxy 3128 pois já bloquei as portas 5800 e 5900 de acesso Externo para toda a rede interna.
o meu rc.firewall no momento está assim:
#!/bin/sh
#
#
# Variaveis de Ambiente onde :
#
# ETH_WEB = eth com ip fixo da internet;
# ETH_INT = eth da rede interna;
# IP_WEB = IP visivel a Internet
# IP_INT = IP do firewal na rede Interna, Gateway da Rede
# REDE_LOCAL = Faixa de IP da Rede Interna e Mascara
ETH_WEB="eth0"
ETH_INT="eth1"
IP_WEB="xxx.no-ip.org"
IP_INT="192.168.0.100"
REDE_LOCAL="192.168.0.0/255.255.255.0"
#Modulos
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Limpando as tabelas
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
#iptables -A FORWARD -j LOG
# Politica de Acesso
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Ativando o roteamento
echo "1" >/proc/sys/net/ipv4/ip_forward
# liberando o loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# liberando o que vier da rede local
iptables -A INPUT -s $REDE_LOCAL -i $ETH_INT -j ACCEPT
# Liberacao de PING (ICMP) na Interface Externa com certa limitacao
iptables -A INPUT -i $ETH_WEB -p icmp -m limit --limit 2/s -j ACCEPT
# Liberacao de Portas de Servico com destino a porta web vindo da endereço web
#iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 21 -j ACCEPT #liberando ftp
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 22 -j ACCEPT #liberando ssh
#iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 23 -j ACCEPT #liberando telnet
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 2323 -j ACCEPT #liberando Programa Sergio Franco
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 3389 -j ACCEPT #liberando terminal service
#iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 23123 -j ACCEPT #liberando Torrent
#iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 5800 -j ACCEPT #liberando vnc
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $ETH_WEB -s 0/0 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i $RTH_WEB -s 0/0 -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $ETH_WEB -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $ETH_INT -j ACCEPT
iptables -A INPUT -p tcp --dport 5017 -i $ETH_WEB -j ACCEPT
#Liberando MSN para toda rede
iptables -t filter -A FORWARD -p tcp --dport 6891:6901 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 1863 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 5190 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 5190 -j ACCEPT
#liberando torrent
#iptables -t filter -A FORWARD -p tcp --dport 23123 -j ACCEPT
#iptables -t filter -A FORWARD -p udp --dport 23123 -j ACCEPT
#Liberando Sergio Franco PROGRAMA
iptables -t filter -A FORWARD -p tcp --dport 2323 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 2323 -j ACCEPT
#Ponto
#iptables -t filter -A FORWARD -p tcp --dport 5800 -j ACCEPT
#iptables -t filter -A FORWARD -p udp --dport 5800 -j ACCEPT
# CAT
iptables -t filter -A FORWARD -p tcp --dport 5017 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 5017 -j ACCEPT
# TED
iptables -t filter -A FORWARD -p tcp --dport 8017 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 8017 -j ACCEPT
#SERVER CAM
iptables -t filter -A FORWARD -p tcp --dport 2000 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 2000 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 39614 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 39614 -j ACCEPT
#CONECTIVIDADE SOCIAL
iptables -t filter -A FORWARD -p tcp --dport 2631 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 2631 -j ACCEPT
# RECEITANET
iptables -t filter -A FORWARD -p tcp --dport 3456 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 3456 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5190 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 56903 -j ACCEPT
#iptables -A FORWARD -s 192.168.1.1 -p tcp --dport 5190 -j ACCEPT
#Liberando o Conectividade Social
#iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 200.201.174.207 --dport 80 -j ACCEPT
iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 200.201.174.204 --dport 80 -j ACCEPT
iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 200.201.174.204 --dport 2631 -j ACCEPT
#CAIXA=200.201.174.0/24 # IP da CAIXA a ser liberado para toda a rede.
iptables -t nat -A PREROUTING -i $ETH_INT -d 200.201.174.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i $ETH_INT -d 200.201.174.0/24 -j ACCEPT
#NODLOGIN a ser liberado para toda a rede.
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 90.183.101.16 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 89.202.149.41 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 89.202.149.40 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 89.202.149.47 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 89.202.149.44 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 90.183.101.14 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 89.202.149.46 --dport 80 -j ACCEPT
#iptables -A FORWARD -s $REDE_LOCAL -p tcp -d 66.7.208.222 --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -i $ETH_INT -d 200.201.174.0/24 -j ACCEPT
#iptables -t filter -A FORWARD -i $ETH_INT -d 200.201.174.0/24 -j ACCEPT
#Liberando o Skype
##### Criando Regra para Passagem (SKYPE)
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/24 -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#OUTLOOK
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 5017 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/25 -d 0/0 --dport 8017 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 4122 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 0/0 --dport 53 -j ACCEPT
# Liberando IP
iptables -A FORWARD -s 192.168.0.201 -j ACCEPT
iptables -A FORWARD -s 192.168.0.108 -j ACCEPT
iptables -A FORWARD -s 192.168.0.16 -j ACCEPT
iptables -A FORWARD -s 192.168.0.104 -j ACCEPT
iptables -A FORWARD -s 192.168.0.8 -j ACCEPT
iptables -A FORWARD -s 192.168.0.180 -j ACCEPT
iptables -A FORWARD -s 192.168.0.202 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.51 -j ACCEPT
iptables -A FORWARD -s 192.168.0.204 -j ACCEPT
iptables -A FORWARD -s 192.168.0.205 -j ACCEPT
iptables -A FORWARD -s 192.168.0.206 -j ACCEPT
iptables -A FORWARD -s 192.168.0.200 -j ACCEPT
iptables -A INPUT -i $ETH_WEB -j ACCEPT
# Redirecionando da porta 80 para o squid , fazendo proxy transparente
#iptables -t nat -A PREROUTING -p tcp -i $ETH_INT --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -p udp -i $ETH_INT --dport 80 -j REDIRECT --to-port 3128
# redirecionamento de portas para um host interno
#iptables -t nat -A PREROUTING -p tcp -i $ETH_WEB --dport 3389 -j DNAT --to 192.168.0.200:3398
iptables -t nat -A PREROUTING -p tcp -i $ETH_WEB --dport 4122 -j DNAT --to 192.168.1.104:4122
iptables -t nat -A PREROUTING -p tcp -d $ETH_WEB --dport 4122 -j DNAT --to 192.168.1.104
iptables -t nat -A PREROUTING -p tcp -s 0/0 --dport 4122 -i $ETH_WEB -j DNAT --to 192.168.1.104:4122
#Liberando o acesso do proxy
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.100 -p tcp --dport 3128 -j ACCEPT
#iptables -A OUTPUT -s 192.168.0.3 -d 0/0 -j ACCEPT
#Bloqueando o restante
iptables -A FORWARD -s $REDE_LOCAL -j REJECT
# fazendo o ip masquerade
iptables -t nat -A POSTROUTING -o $ETH_WEB -j MASQUERADE
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
