Route definition

1. Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 21/11/2016 - 08:36h

Good morning!

I have a Squid and a firewall with iptables rules.

On this network there is a central VPN with the range 172.16.0.1 - 172.16.1.254, where the rules are OK.
However, this VPN connects to another one with the range 172.16.7.1, where Outlook and file receiving do not work.
How could I set up this route?? Can anyone help???



2. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 21/11/2016 - 16:29h

Good afternoon
Is there connectivity between the 2 networks?


3. Re: Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 21/11/2016 - 16:32h

valdinei.campos wrote:

Good afternoon
Is there connectivity between the 2 networks?


Good afternoon Valdinei
Yes there is, I can ping between these networks, and browsing works too.



4. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 21/11/2016 - 16:39h

Are you using Squid / iptables?


5. Re: Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 21/11/2016 - 16:43h

valdinei.campos wrote:

Are you using Squid / iptables?


Yes I am





6. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 21/11/2016 - 16:52h

If you are not using SSO in your Squid, the release has to be done in your IPTABLES, allowing traffic on ports 25 and 110. Can you describe your topology in more detail?




7. Re: Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 21/11/2016 - 16:55h

valdinei.campos wrote:

If you are not using SSO in your Squid, the release has to be done in your IPTABLES, allowing traffic on ports 25 and 110. Can you describe your topology in more detail?



Well, those ports are open, because on the 172.16.0.1 - 172.16.1.254 network I can use Outlook, but when it goes through that VPN whose IP range is 172.16.7.xx
I can't.




8. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 21/11/2016 - 17:01h

Can you send me your iptables rules?




9. Re: Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 21/11/2016 - 17:12h

valdinei.campos wrote:

Can you send me your iptables rules?

Yes, here are the rules

### Flushing the rules ###
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

### Delete all rules
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Delete custom chains
iptables -X

### Zero the chain counters
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z

echo "Limpando as regras .................[ OK ]"


### Loading the iptables modules ###
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE

echo "Carregando modulos do IPTABLES .....[ OK ]"

####### New protection rules 2016

echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Enable SYN cookies (very useful against SYN flood attacks)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Do not accept ICMP redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # protection against bogus error-message responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Avoids the Smurf attack plague and some other LAN attacks


# Drops repeat/persistent packets from the SUSPEITO list (5 entries -> DROP for 1 h / 10 entries -> DROP for 24 h)
# note: --update only refreshes addresses already on a list; nothing in this script adds
# addresses to SUSPEITO or SYN-DROP with --set, so these four rules never match anything

iptables -A INPUT -m recent --update --hitcount 10 --name SUSPEITO --seconds 86400 -j DROP
iptables -A INPUT -m recent --update --hitcount 5 --name SUSPEITO --seconds 3600 -j DROP

iptables -A INPUT -m recent --update --hitcount 10 --name SYN-DROP --seconds 86400 -j DROP
iptables -A INPUT -m recent --update --hitcount 5 --name SYN-DROP --seconds 3600 -j DROP



iptables -t nat -A PREROUTING -i eth1 -p tcp -d 187.45.12.86 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 187.45.12.86 --dport 5222:5233 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 40000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.168 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.177 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.177 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 216.52.233.197 --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.208 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.114 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.114 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.71 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.218.113.75 --dport 80 -j ACCEPT


iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.142.86.196 --dport 443 -j ACCEPT #TJSP
iptables -A FORWARD -s 172.16.0.0/24 -d 200.142.86.196/24 -p tcp --dport 443 -j ACCEPT #TJSP

iptables -A FORWARD -s 172.16.0.0/24 -d 189.28.143.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/24 -d 189.28.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.114 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.181 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.168 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 50002 -j ACCEPT
iptables -A FORWARD -p tcp --sport 50002 -d 172.16.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 65000 -j ACCEPT
iptables -A FORWARD -p tcp --sport 50002 -d 172.16.0.0/24 -j ACCEPT


# note: -s 172.16.0.0/0 has a /0 mask, so it matches ANY source address, not only 172.16.x.x
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 110 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 587 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 993 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 443 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 443 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 143 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 995 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 5222 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 5223 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 3395 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 3392 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 8080 -j MASQUERADE

#### Allow the Caixa FGTS program

iptables -t nat -A PREROUTING -p tcp -d 200.201.173.68 --dport 80 -j DNAT --to 200.201.173.68:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.173.68/32 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.166.200 --dport 80 -j DNAT --to 200.201.166.200:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.166.200/32 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.174.207 --dport 80 -j DNAT --to 200.201.174.207:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.174.207/32 --dport 80 -j ACCEPT
iptables -I FORWARD -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT



##### Allow Telefonica file transfer

iptables -t nat -A PREROUTING -p tcp -d 200.205.125.220 --dport 80 -j DNAT --to 200.205.125.220:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.220 --dport 0:65000 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 200.205.125.220 -j ACCEPT
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.220 --dport 80 -j ACCEPT
iptables -I FORWARD -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d ocsp.digicert.com -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d www.telefonica.net.br -j ACCEPT



iptables -t nat -A PREROUTING -p tcp -d 200.205.125.100 --dport 80 -j DNAT --to 200.205.125.100:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.100 --dport 0:65000 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 200.205.125.100 -j ACCEPT
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.100 --dport 80 -j ACCEPT
iptables -I FORWARD -p all -s 200.205.125.100 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.205.125.100 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.205.125.100 -d 0/0 -j ACCEPT




##### Allow FINNET for the traffic department

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 179.124.44.131 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d client.finnet.com.br -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.196.233.158 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d fastclient.finnet.com.br -j ACCEPT

iptables -I FORWARD -p tcp -s 0/0 -d 200.196.233.158 --dport 0:65000 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 200.196.233.158 -j ACCEPT
iptables -I FORWARD -p tcp -s 0/0 -d 200.196.233.158 --dport 443 -j ACCEPT
iptables -I FORWARD -p all -s 200.196.233.158 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.196.233.158 -d 0/0 -j ACCEPT

######## Ocomom
iptables -t nat -A PREROUTING -p tcp -d 189.44.247.162 --dport 8080 -j DNAT --to-destination 172.16.0.6:8080
iptables -A FORWARD -p tcp --dport 8080 -j ACCEPT


####### Block by IP when necessary

iptables -A INPUT -s 172.16.0.128 -j DROP
iptables -A FORWARD -s 172.16.0.128 -p tcp -m tcp --dport 80 -j DROP



####### Traffic department redirect
# note: these ranges only cover 172.16.7.1-172.16.7.20, not the whole 172.16.7.x VPN range

iptables -I FORWARD -m iprange --src-range 172.16.7.1-172.16.7.20 -j ACCEPT
iptables -I FORWARD -m iprange --dst-range 172.16.7.1-172.16.7.20 -j ACCEPT
iptables -t nat -I POSTROUTING -m iprange --src-range 172.16.7.1-172.16.7.20 -j MASQUERADE




### sharing the internet connection ###

echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE #used for transparent proxy
iptables -t nat -A POSTROUTING -s 172.16.0.0/255.255.0.0 -o eth1 -j MASQUERADE

#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-dest 172.16.0.2:3128


iptables -t nat -A PREROUTING -s 172.16.0.0/255.255.0.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 172.16.0.0/255.255.0.0 -p tcp --dport 443 -j REDIRECT --to-port 3130



#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128



iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT




##### Redirects

iptables -t nat -A POSTROUTING -j MASQUERADE

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-dest 172.16.0.21:8080
iptables -A FORWARD -p tcp -i eth1 --dport 80 -d 172.16.0.21 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-dest 172.16.0.20:8080
iptables -A FORWARD -p tcp -i eth1 --dport 80 -d 172.16.0.20 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3395 -j DNAT --to-dest 172.16.0.13:3395
iptables -A FORWARD -p tcp -i eth1 --dport 3395 -d 172.16.0.13 -j ACCEPT


#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3392 -j DNAT --to-dest 172.16.0.16:3392
#iptables -A FORWARD -p tcp -i eth1 --dport 3392 -d 172.16.0.16 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-dest 172.16.0.6:8080
iptables -A FORWARD -p tcp -i eth1 --dport 8080 -d 172.16.0.6 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-dest 172.16.0.4:8080
iptables -A FORWARD -p tcp -i eth1 --dport 8080 -d 172.16.0.4 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 10443 -j DNAT --to-dest 172.16.0.8:10443
iptables -A FORWARD -p tcp -i eth1 --dport 10443 -d 172.16.0.8 -j ACCEPT



iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-dest 172.16.0.29:30021
iptables -A FORWARD -p tcp -i eth1 --dport 80 -d 172.16.0.29 -j ACCEPT



######## Instagram block
iptables -I FORWARD -p tcp --dport 443 -m string --algo bm --string "instagram.com" -j DROP



######################################################
# RULES : ALLOW ACCESS TO SPARK #
# Interface: External #
######################################################

iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
#iptables -A FORWARD -i $IFEXT -s 0/0 -p tcp --dport 5222 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.19.34.78 --dport 5222 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.19.34.78 --dport 5222 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/24 -d 0/0 --dport 5222 -j RETURN


#allow Banco do Brasil

iptables -A FORWARD -p tcp -s 0/0 -d 170.66.11.10 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d bb.com.br -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d bancobrasil.com.br -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 --dport 443 -j ACCEPT

#block http and https access outside the proxy (note: both rules below ACCEPT, they do not block)
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -I FORWARD -m multiport -s 172.16.0.0/24 -p tcp --dport 25,110,993,465,443,587,443,143,995,3306 -j ACCEPT


iptables -A FORWARD -p udp -s 172.16.0.0/24 -d 200.175.182.139 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.175.182.139 --sport 53 -d 172.16.0.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 172.16.0.0/24 -d 200.175.5.139 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.175.5.139 --sport 53 -d 172.16.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 25 -j ACCEPT # SMTP
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 993 -j ACCEPT # IMAPS
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 110 -j ACCEPT # POP3
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 465 -j ACCEPT # SMTPS
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 143 -j ACCEPT # IMAP
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 3306 -j ACCEPT # mysql


# Allow requests from one IP (Receita)
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 200.152.32.174 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.32.174 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.32.174 --dport 21 -j ACCEPT

# Siosbra and Sisobranet systems
iptables -t nat -A PREROUTING -p tcp -d 200.152.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.152.0.0/16 -j ACCEPT

# Opens a port for Receita (including from the internet)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20 -j ACCEPT

# Opens a port for Receita (including from the internet)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

# Opens a port for Receita (including from the internet)
iptables -A INPUT -p tcp --dport 24 -j ACCEPT
### allow Conectividade Social IPs ###
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.47.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.201.160.0/20 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.201.173.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d cmt.caixa.gov.br -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 131.253.14.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 84.39.153.33 -j ACCEPT

#### Allow the Caixa FGTS program (duplicate of the block above)

iptables -t nat -A PREROUTING -p tcp -d 200.201.173.68 --dport 80 -j DNAT --to 200.201.173.68:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.173.68/32 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.166.200 --dport 80 -j DNAT --to 200.201.166.200:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.166.200/32 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.174.207 --dport 80 -j DNAT --to 200.201.174.207:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.201.174.207/32 --dport 80 -j ACCEPT
iptables -I FORWARD -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d webres2.t.ctmail.com -j ACCEPT

##### Allow FINNET for the traffic department (duplicate of the block above)

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 179.124.44.131 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d client.finnet.com.br -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.196.233.158 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d fastclient.finnet.com.br -j ACCEPT

iptables -I FORWARD -p tcp -s 0/0 -d 200.196.233.158 --dport 0:65000 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 200.196.233.158 -j ACCEPT
iptables -I FORWARD -p tcp -s 0/0 -d 200.196.233.158 --dport 443 -j ACCEPT
iptables -I FORWARD -p all -s 200.196.233.158 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.196.233.158 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.196.233.158 -d 0/0 -j ACCEPT




##### Allow Telefonica file transfer (duplicate of the block above)

iptables -t nat -A PREROUTING -p tcp -d 200.205.125.220 --dport 80 -j DNAT --to 200.205.125.220:80
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.220 --dport 0:65000 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 200.205.125.220 -j ACCEPT
iptables -I FORWARD -p tcp -s 0/0 -d 200.205.125.220 --dport 80 -j ACCEPT
iptables -I FORWARD -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -I OUTPUT -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -I INPUT -p all -s 200.205.125.220 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d ocsp.digicert.com -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d www.telefonica.net.br -j ACCEPT
### allow Conectividade Social IPs ###

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.47.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.201.160.0/20 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d cmt.caixa.gov.br -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.208 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.71 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.98 -j ACCEPT ##CADSUS and DATASUS
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.168 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.114 -j ACCEPT ##CADSUS and DATASUS
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 -j ACCEPT ##CADSUS and DATASUS
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.189.113.75 -j ACCEPT ##CADSUS and DATASUS



### Health department programs

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 187.45.12.86 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 187.45.12.86 --dport 5222:5233 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 40000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.181 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.168 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.177 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.177 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 216.52.233.197 --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.208 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.114 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 189.28.143.114 --dport 65000 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.252.60.71 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 200.218.113.75 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 172.16.0.0/0 --dport 3306 -j ACCEPT # note: /0 matches any destination

# DATASUS

iptables -A FORWARD -s 172.16.0.0/24 -d 189.28.143.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/24 -d 189.28.0.0/16 -p tcp --dport 80 -j ACCEPT


iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.114 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.181 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 -d 189.28.143.168 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 50002 -j ACCEPT

#Allow IMAP - POP - SMTP ports - Official
# note: as above, -s 172.16.0.0/0 matches any source address

iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 25 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 110 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 587 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 993 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 443 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 143 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 995 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 5222 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 5223 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 3395 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 8080 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 3306 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 2631 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 172.16.0.0/0 -p tcp --dport 8098 -j MASQUERADE

############################# Avoiding "source port = destination port" scans ###

########## Protection against port scanners

# standard form of this rule (the posted line had a malformed --tcp-flags argument: "SYN,ACK, FIN,")
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# the SCANNER chain has to be created before rules are appended to it; note that nothing in this script jumps to it
iptables -N SCANNER
iptables -A SCANNER -j DROP
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP


/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
# SYN+RST is only logged here; unlike the patterns above, no DROP follows
/sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "

##########################################################################################################




## Messaging programs ###

# blocking icq
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT




### P2P programs ###



# blocking bittorrent
iptables -A FORWARD -p tcp --dport 6881:6889 -j REJECT
# blocking imesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

# blocking bearshare
iptables -A FORWARD -p tcp --dport 6346 -j REJECT

# blocking toadnode
iptables -A FORWARD -p tcp --dport 6346 -j REJECT

# blocking winmx
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

# blocking napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

# blocking morpheus
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT

# blocking kazaa
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT

# blocking limewire
iptables -A FORWARD -p tcp --dport 6346 -j REJECT

# blocking audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT

# blocking emule
iptables -A FORWARD -p tcp --dport 4662 -j REJECT
iptables -A FORWARD -p udp --dport 4672 -j REJECT



### Protecting against malformed packets (used in DoS attacks) ###
# note: the "unclean" match was removed from the kernel long ago; on current kernels this line fails to load
iptables -A FORWARD -m unclean -j DROP

### blocked ip
iptables -A FORWARD -d 208.69.32.132/24 -j REJECT






10. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 21/11/2016 - 17:43h

Indeed, there is already a MASQUERADE allowing access for the whole 172.16.x.x network. As for the gateway of the 2 networks, is it on the same machine? Is it the same one where iptables is running?
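To see why the MASQUERADE with a /16 mask covers 172.16.7.x while FORWARD rules scoped to 172.16.0.0/24 do not, here is an added example in Python (not code from the thread): a small simulator for the subset of iptables syntax the posted script uses, run over constructed sample rules shaped like the posted ones. It models only -s/-d, --src-range/--dst-range, -p, --dport(s), -m state and the -A/-I ordering; every other match is ignored, and the chain policy is a parameter because the posted script never sets one.

```python
import ipaddress
import shlex

# Constructed sample in the shape of the thread's FORWARD rules: mail rules scoped to
# 172.16.0.0/24 and the iprange rule that only covers 172.16.7.1-20.
SAMPLE_RULES = """
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 25 -j ACCEPT   # SMTP
iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 110 -j ACCEPT  # POP3
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -I FORWARD -m iprange --src-range 172.16.7.1-172.16.7.20 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.0.0/255.255.0.0 -o eth1 -j MASQUERADE
"""

def _addr(spec):
    """-s/-d/--src-range argument -> None (any), ip_network, or (low, high) tuple."""
    if spec in ("0/0", "0.0.0.0/0"):
        return None
    if "-" in spec:
        low, high = spec.split("-")
        return (ipaddress.ip_address(low), ipaddress.ip_address(high))
    return ipaddress.ip_network(spec, strict=False)   # hostnames are not supported

def _ports(spec):
    """'25', '0:65000' or '25,110,993' -> list of (low, high) spans."""
    spans = []
    for part in spec.split(","):
        low, _, high = part.partition(":")
        spans.append((int(low), int(high or low)))
    return spans

def parse_rules(script):
    """Filter-table rules -> {chain: [rule dict, ...]}, honouring -A (append) and -I (head)."""
    chains = {}
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith(("iptables", "/sbin/iptables")):
            continue
        argv = shlex.split(line)[1:]
        if "-t" in argv and argv[argv.index("-t") + 1] != "filter":
            continue                          # nat/mangle rules are not filter verdicts
        rule = {"text": line, "chain": "", "target": "", "proto": "", "src": None,
                "dst": None, "dports": [], "states": set()}
        insert, i = False, 0
        while i < len(argv):
            opt = argv[i]
            val = argv[i + 1] if i + 1 < len(argv) and not argv[i + 1].startswith("-") else None
            if opt in ("-A", "-I"):
                rule["chain"], insert = val, opt == "-I"
            elif opt == "-p" and val != "all":
                rule["proto"] = val.lower()
            elif opt in ("-s", "--src-range"):
                rule["src"] = _addr(val)
            elif opt in ("-d", "--dst-range"):
                rule["dst"] = _addr(val)
            elif opt in ("--dport", "--dports"):
                rule["dports"] = _ports(val)
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            i += 2 if val is not None else 1   # -i/-o, --tcp-flags, -m limit etc. are skipped
        lst = chains.setdefault(rule["chain"], [])
        lst.insert(0, rule) if insert else lst.append(rule)
    return chains

def _in(spec, ip):
    if spec is None:
        return True
    return spec[0] <= ip <= spec[1] if isinstance(spec, tuple) else ip in spec

def matches(rule, pkt):
    """pkt: dict with src, dst, proto, dport and optional conntrack state (default NEW)."""
    return ((not rule["proto"] or rule["proto"] == pkt["proto"])
            and _in(rule["src"], ipaddress.ip_address(pkt["src"]))
            and _in(rule["dst"], ipaddress.ip_address(pkt["dst"]))
            and (not rule["dports"] or any(lo <= pkt["dport"] <= hi for lo, hi in rule["dports"]))
            and (not rule["states"] or pkt.get("state", "NEW") in rule["states"]))

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """(target, rule text) of the first matching rule, or (policy, None) on fall-through."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            return rule["target"], rule["text"]
    return policy, None

if __name__ == "__main__":
    chains = parse_rules(SAMPLE_RULES)
    for src in ("172.16.0.50", "172.16.7.10", "172.16.7.50"):
        pkt = {"src": src, "dst": "203.0.113.25", "proto": "tcp", "dport": 110}
        print(src, verdict(chains, "FORWARD", pkt), "/ policy DROP:", verdict(chains, "FORWARD", pkt, "DROP")[0])
```

A new POP3 connection from 172.16.7.50 hits no explicit rule, so only the chain policy decides it; the same host inside 172.16.7.1-20 is accepted by the inserted iprange rule.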


11. Re: Route definition

Alexandre Faria Pierini
pierini

(uses Conectiva)

Posted on 22/11/2016 - 09:00h

valdinei.campos wrote:

Indeed, there is already a MASQUERADE allowing access for the whole 172.16.x.x network. As for the gateway of the 2 networks, is it on the same machine? Is it the same one where iptables is running?

The machine's gateway points to 172.16.7.1, which is the VPN of the 172.16.7.xxx range; inside it there is a route pointing to 172.16.0.2, which is the squid/firewall server



12. Re: Route definition

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 22/11/2016 - 09:04h

Good morning

please send me the output of this command, run from the 172.16.7.0/24 network:

tracert -d 8.8.8.8




