leandronti
(usa Debian)
Enviado em 24/03/2010 - 16:54h
Prezados, estou assumindo a administração dos servidores e tenho levado uma surra no Linux; sou um usuário básico, porém venho me empenhando bastante para adquirir novas experiências e conhecimentos.
Ando tendo problemas e perdendo horas buscando uma maneira de liberar o IP do diretor; já consegui uma ACL para abrir passagem pelo Squid, porém agora ele quer ter acesso irrestrito.
Já tentei algumas alternativas postadas no site e na internet, porém não sei se falhei por não saber onde adicionar os comandos.
Abaixo deixo uma cópia do meu arquivo firewall para que possam me ajudar....
#####################################
# V A R I A V E I S / A L I A S E S #
#####################################
# ********
# comandos
# ********
# BASICOS
# ---------------------------------------------------------------------
# Commands. Each alias expands to an iptables call that appends (-A) to
# one chain, so a rule line reads "$ALIAS <match> -j <target>".
# Absolute path, so the binary does not depend on PATH.
# ---------------------------------------------------------------------
IPTABLES="/sbin/iptables"
# nat table
PSR="${IPTABLES} -t nat -A POSTROUTING"
PRR="${IPTABLES} -t nat -A PREROUTING"
# built-in chains (filter, plus the mangle INPUT hook)
INPUT="${IPTABLES} -t filter -A INPUT"
MINPUT="${IPTABLES} -t mangle -A INPUT"
OUTPUT="${IPTABLES} -t filter -A OUTPUT"
FORWARD="${IPTABLES} -t filter -A FORWARD"
# traffic to/from the firewall host itself (dispatched from INPUT/OUTPUT)
FNI="${IPTABLES} -t filter -A FIREWALL_N_INTERNET"
MFNI="${IPTABLES} -t mangle -A MANGLE_FIREWALL_N_INTERNET"
FND="${IPTABLES} -t filter -A FIREWALL_N_DMZ"
FNA="${IPTABLES} -t filter -A FIREWALL_N_INTRANET"
FNV="${IPTABLES} -t filter -A FIREWALL_N_VPN"
FNG="${IPTABLES} -t filter -A FIREWALL_N_GERAL"
# routed traffic (dispatched from FORWARD)
INI="${IPTABLES} -t filter -A INTRANET_N_INTERNET"
IND="${IPTABLES} -t filter -A INTRANET_N_DMZ"
DNI="${IPTABLES} -t filter -A DMZ_N_INTERNET"
VNA="${IPTABLES} -t filter -A VPN_N_INTRANET"
VND="${IPTABLES} -t filter -A VPN_N_DMZ"
# NetBIOS / SMB
SMB="${IPTABLES} -t filter -A NETBIOS"
# security chains
DROPNL="${IPTABLES} -A DROPNOTLOG"
TROJCHK="${IPTABLES} -A TROJANS_CHECK"
TROJEND="${IPTABLES} -A TROJANS_END"
#BL="${IPTABLES} -A BLACKLIST"
#LWBL="${IPTABLES} -A LW_BLACKLIST"
#LW="${IPTABLES} -A LOGWATCH"
PSCAN="${IPTABLES} -A PORTSCAN"
# NOTE(review): FNV, FNG, IND, DNI and VND are defined but no rule in this
# file as posted appends through them; the chains they name stay empty.
# ---------------------------------------------------------------------
# Interfaces
# ---------------------------------------------------------------------
IF_LOC="lo"    # loopback
IF_EXT="eth1"  # external link (router)
IF_VLX="eth2"  # Virtua link
IF_DMZ="eth3"  # DMZ
IF_INT="eth0"  # internal LAN
IF_VPN="ppp+"  # all PPP (VPN) interfaces
# ---------------------------------------------------------------------
# Networks
# ---------------------------------------------------------------------
NET_ANY="0.0.0.0/0"            # any address
NET_LOC="127.0.0.0/24"         # loopback as written (the loopback block is 127.0.0.0/8); unused by the rules below
NET_INT="192.168.10.0/24"      # network behind IF_INT
NET_DMZ="201.45.151.64/26"     # network behind IF_DMZ
NET_EXT="200.214.226.128/26"   # network on IF_EXT
NET_VPN="192.168.10.192/28"    # VPN pool (.193-.206); lies inside NET_INT
NET_VLX="10.0.0.0/8"           # Velox network
NET_RECEITA="161.148.185.130"  # Receita Federal
IP_LANDESIGNERS="201.33.25.131"
NET_CAIXA="200.201.160.0/20"
# ---------------------------------------------------------------------
# Broadcast addresses
# ---------------------------------------------------------------------
BRO_INT="192.168.10.255"   # internal LAN
BRO_DMZ="201.45.151.127"   # DMZ
BRO_ALL="255.255.255.255"  # limited broadcast
BRO_EXT="200.214.226.255"  # external network
BRO_VLX="10.255.255.255"   # Virtua network
#BRO_VPN="10.0.0.255"      # VPN (disabled)
# ---------------------------------------------------------------------
# Hosts: DMZ
# ---------------------------------------------------------------------
SRV_PR="201.45.151.67"
# ---------------------------------------------------------------------
# Hosts: internal (rules elsewhere refer to this as the Exchange server)
# ---------------------------------------------------------------------
SRV_MAIL="192.168.10.2"
# ---------------------------------------------------------------------
# Users. Some entries hold several space-separated addresses; none of
# these variables is referenced by the rules in this file as posted.
# ---------------------------------------------------------------------
USR_HERICK="192.168.10.101"
USR_LETICIA="192.168.10.104 192.168.10.105 192.168.10.106"
USR_RICARDO="192.168.10.103"
USR_PIMENTEL="192.168.10.102"
USR_ADOLF="192.168.10.107"
USR_GUILHERME="192.168.10.108 192.168.10.109"
USR_LACERDA="192.168.10.111"
# ---------------------------------------------------------------------
# VPN users: (none defined)
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# The firewall's own addresses
# ---------------------------------------------------------------------
IP_INT="192.168.10.1"     # address on IF_INT
IP_DMZ="201.45.151.66"    # address on IF_DMZ
IP_EXT="200.214.226.130"  # address on IF_EXT
IP_VLX="10.1.1.5"         # Velox address
# NAT: general outbound address
IP_NAT_LOCAL="${IP_EXT}"
# ---------------------------------------------------------------------
# Internet hosts
# ---------------------------------------------------------------------
SRV_LANDESIGNERS1="200.173.219.49"
SRV_LANDESIGNERS2="200.173.219.53"
SRV_METAFRAME="193.162.34.219"
SRV_BIGPAINEL="200.155.15.10"
SRV_VLX="201.17.0.12"
#SRV_BIGHOST="200.155.11.82"  # previous address
SRV_BIGHOST="200.219.210.5"
SRV_AISLIVE="62.189.172.12"
IP_META_EXT="201.45.151.6"
IP_MEGA="200.250.218.43/32"
IP_CAIXA="200.201.174.204/32"
IP_CAIXA2="200.201.174.207/32"
IP_ROUTER="200.214.226.131"   # router
IP_ROUTER2="201.45.151.65"    # router
DNS_EMB1="200.255.242.4"      # DNS (EMB: presumably Embratel, see the router note in local_policy)
DNS_EMB2="200.255.242.5"
MODPROBE="modprobe"
# ---------------------------------------------------------------------
# Port-knocking sequence (see MANGLE_FIREWALL_N_INTERNET in local_policy)
# ---------------------------------------------------------------------
PORTA1="2010"
PORTA2="1809"
##################################
# S C R I P T S
##################################
unload_filter() {
  # Tear down the filter side: open the built-in policies (so the host is
  # reachable while no rules exist), then flush and delete the mangle
  # port-knocking chain and every filter chain built by load_filter.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    ${IPTABLES} -P "${chain}" ACCEPT
  done
  ${IPTABLES} -t mangle -F INPUT
  ${IPTABLES} -t mangle -F MANGLE_FIREWALL_N_INTERNET
  ${IPTABLES} -t mangle -X MANGLE_FIREWALL_N_INTERNET
  ${IPTABLES} -F
  ${IPTABLES} -X
}
unload_nat() {
  # Flush every nat rule, then delete the (user-defined) nat chains.
  local table="-t nat"
  ${IPTABLES} ${table} -F
  ${IPTABLES} ${table} -X
}
unload_all() {
  # Filter first, then nat; each step runs regardless of the previous one.
  local step
  for step in unload_filter unload_nat; do
    "${step}"
  done
}
chains_load() {
  # Create every user-defined chain the rule functions append to.
  # All chains live in the filter table except the port-knocking chain,
  # which is created in mangle. Order: the stateful accept helpers, then
  # the per-interface chains for the firewall host, the routed-traffic
  # chains, NetBIOS, and the security chains.
  # LOGWATCH and PORTSCAN are created even though logwatch() is commented
  # out and portscan is not called from filter_rules_load; NETBIOS is
  # created but nothing in this file jumps to it.
  local chain
  for chain in SERVER_ACCEPT CLIENT_ACCEPT RELATED_ACCEPT; do
    ${IPTABLES} -N "${chain}"
  done
  ${IPTABLES} -t mangle -N MANGLE_FIREWALL_N_INTERNET
  for chain in \
      FIREWALL_N_INTERNET FIREWALL_N_DMZ FIREWALL_N_INTRANET FIREWALL_N_VPN FIREWALL_N_GERAL \
      INTRANET_N_INTERNET INTRANET_N_DMZ DMZ_N_INTERNET VPN_N_INTRANET VPN_N_DMZ \
      NETBIOS DROPNOTLOG TROJANS_CHECK TROJANS_END LOGWATCH PORTSCAN; do
    ${IPTABLES} -N "${chain}"
  done
  # disabled blacklist chains
  #${IPTABLES} -N BLACKLIST
  #${IPTABLES} -N LW_BLACKLIST
}
#nat_chains_load() {
#}
filter_rules_load() {
  # Populate the chains in dependency order: the stateful accept helpers
  # first (every policy chain jumps to them), then the built-in chain
  # dispatchers, the helper chains, and finally the per-direction policies.
  # Disabled steps are listed as comments so the intended order stays visible.
  local step
  for step in \
      state_n_flag \
      input output forward \
      netbios \
      drop_not_log trojans \
      local_policy rpolicy_firewall_vpn \
      rpolicy_intranet_n_internet rpolicy_intranet_n_dmz rpolicy_dmz_n_internet \
      rpolicy_vpn_int rpolicy_vpn_dmz; do
    "${step}"
  done
  #logwatch      # disabled: LOGWATCH chain stays empty
  #lw_blacklist  # disabled
  #blacklist     # disabled
  #portscan      # disabled (PORTSCAN chain is still created by chains_load)
}
nat_rules_load() {
  # DNAT (PREROUTING) rules first, then SNAT/MASQUERADE (POSTROUTING).
  local step
  for step in prerouting postrouting; do
    "${step}"
  done
}
pdefault_load() {
  # Default policies: deny inbound and transit, allow the host's own output.
  # Applied last by load_filter, after the rules are in place.
  local chain policy
  while read -r chain policy; do
    ${IPTABLES} -P "${chain}" "${policy}"
  done <<'EOF'
INPUT DROP
OUTPUT ACCEPT
FORWARD DROP
EOF
}
load_filter() {
  # Chains, then rules, then the restrictive default policies.
  local step
  for step in chains_load filter_rules_load pdefault_load; do
    "${step}"
  done
}
load_nat() {
  # No user-defined nat chains are created (nat_chains_load is disabled);
  # only the rules are loaded.
  # nat_chains_load
  nat_rules_load
}
load_all() {
  # Filter side first, nat second.
  local step
  for step in load_filter load_nat; do
    "${step}"
  done
}
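modules_load() {
  # Best-effort removal of any stale netfilter modules, then load the ones
  # the rules need. The original ran these two halves in the opposite order
  # and so unloaded every module it had just loaded. The removal list
  # (ftp helper, nat, conntrack, filter, LOG, ip_tables) is in the order
  # needed to unload dependents first, and the load list in the order
  # needed to load dependencies first, so this is the order they are run in.
  # Removing a module that is absent or busy prints an error but does not
  # abort the script (no `set -e`).
  # NOTE(review): ip_conntrack_ftp is removed here and never loaded, yet
  # rpolicy_intranet_n_internet relies on RELATED state for FTP data
  # connections - confirm the helper is loaded some other way.
  local mod
  for mod in ip_conntrack_ftp iptable_nat ip_conntrack iptable_filter ipt_LOG ip_tables; do
    ${MODPROBE} -r "${mod}"
  done
  for mod in ip_tables ipt_LOG iptable_filter ip_conntrack iptable_nat; do
    ${MODPROBE} "${mod}"
  done
}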
state_n_flag() {
  # Stateful accept helpers used as jump targets by the policy chains.
  #   SERVER_ACCEPT  - request side: NEW or ESTABLISHED
  #   CLIENT_ACCEPT  - reply side: ESTABLISHED only
  #   RELATED_ACCEPT - RELATED or ESTABLISHED (e.g. FTP data)
  # All three match TCP only; UDP/ICMP packets sent here fall through and
  # return to the calling chain unaccepted.
  local tcp_state="-p tcp -m state --state"
  ${IPTABLES} -A SERVER_ACCEPT ${tcp_state} NEW,ESTABLISHED -j ACCEPT
  ${IPTABLES} -A CLIENT_ACCEPT ${tcp_state} ESTABLISHED -j ACCEPT
  ${IPTABLES} -A RELATED_ACCEPT ${tcp_state} RELATED,ESTABLISHED -j ACCEPT
}
##################################
# R E G R A S NAT
##################################
# *******************
# POSTROUTING ou SNAT
# *******************
# $PSR = /usr/local/sbin/iptables -t nat -A POSTROUTING
postrouting() {
  # Source NAT. The internal LAN is masqueraded when it leaves through the
  # external link. The Virtua link masquerades everything leaving through it
  # (no -s restriction), so any routed source, not only NET_INT, is NATed
  # on that interface.
  ${PSR} -o "${IF_EXT}" -s "${NET_INT}" -j MASQUERADE
  ${PSR} -o "${IF_VLX}" -j MASQUERADE
}
# ******************
# PREROUTING ou DNAT
# ******************
# $PRR = /usr/local/sbin/iptables -t nat -A PREROUTING
prerouting() {
  # Destination NAT: HTTP, HTTPS and PPTP (1723) arriving at the external
  # address are redirected to the mail server, as is GRE (PPTP transport).
  # Only TCP with a source port >= 1024 is redirected. The redirected
  # traffic is still filtered in FORWARD via INTRANET_N_INTERNET.
  local port
  for port in 80 443 1723; do
    ${PRR} -p tcp -s "${NET_ANY}" --sport 1024: -d "${IP_EXT}" --dport "${port}" -j DNAT --to "${SRV_MAIL}"
  done
  ${PRR} -p gre -d "${IP_EXT}" -j DNAT --to "${SRV_MAIL}"
}
##################################
# R E G R A S FILTROS
##################################
# ***********************
# REGRAS BASICAS DE INPUT
# ***********************
# $INPUT = /usr/local/sbin/iptables -t filter -A INPUT
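input() {
  # Built-in INPUT chain (traffic addressed to the firewall host).
  # Order: port-knocking hook (mangle), silent drops, trojan-port check,
  # loopback accept, then one dispatch per interface to its FIREWALL_N_*
  # chain; whatever that chain does not accept is logged and dropped here.
  # A final LOG catches anything from an interface not listed (the INPUT
  # policy DROP set by pdefault_load then discards it).
  #
  # Fix: MANGLE_FIREWALL_N_INTERNET exists only in the mangle table
  # (chains_load creates it with -t mangle), so it must be hooked from
  # mangle INPUT ($MINPUT). The original jumped to it from the filter
  # INPUT chain ($INPUT), which iptables rejects because no such chain
  # exists in the filter table; with that rule missing the mark-3 SSH rule
  # in local_policy could never match.
  ${MINPUT} -i "${IF_EXT}" -j MANGLE_FIREWALL_N_INTERNET
  # Security hooks (blacklist / portscan are disabled)
  #${INPUT} -m recent --rcheck --name blacklist --seconds 5400 -j BLACKLIST
  #${INPUT} -m recent --rcheck --name lw_blacklist --seconds 7200 -j LW_BLACKLIST
  #${INPUT} -j LOGWATCH
  #${INPUT} -m psd -j PORTSCAN
  ${INPUT} -j DROPNOTLOG       # silent drops: INVALID state, broadcasts, ident
  ${INPUT} -j TROJANS_CHECK    # log+drop on well-known trojan ports
  ${INPUT} -i "${IF_LOC}" -j ACCEPT
  _input_dispatch "${IF_EXT}" FIREWALL_N_INTERNET "INPUT ext2fw: "
  _input_dispatch "${IF_VLX}" FIREWALL_N_INTERNET "INPUT vrt2fw: "
  _input_dispatch "${IF_DMZ}" FIREWALL_N_DMZ "INPUT dmz2fw: "
  _input_dispatch "${IF_INT}" FIREWALL_N_INTRANET "INPUT int2fw: "
  _input_dispatch "${IF_VPN}" FIREWALL_N_VPN "INPUT, vpn2fw: "
  # NOTE(review): the LOG rules here carry no -m limit; an unwanted flood on
  # any interface is logged packet for packet.
  ${INPUT} -j LOG --log-prefix "INPUT geral: "
}

# Send INPUT traffic arriving on one interface to its policy chain, then
# log and drop whatever the chain returned without accepting.
# Arguments: $1 - interface, $2 - target chain, $3 - log prefix
_input_dispatch() {
  local iface=$1 chain=$2 prefix=$3
  ${INPUT} -i "${iface}" -j "${chain}"
  ${INPUT} -i "${iface}" -j LOG --log-prefix "${prefix}"
  ${INPUT} -i "${iface}" -j DROP
}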
# ***********************
# REGRAS BASICAS DE OUTPUT
# ***********************
# $OUTPUT = /usr/local/sbin/iptables -t filter -A OUTPUT
output() {
  # Built-in OUTPUT chain (traffic originated by the firewall host).
  # ICMP to the internal LAN and anything on loopback is accepted outright;
  # every other interface is dispatched to its FIREWALL_N_* chain and what
  # that chain does not accept is logged and dropped. The closing LOG only
  # sees packets leaving through an interface not listed here (the OUTPUT
  # policy is ACCEPT, so those still go out).
  local spec iface chain prefix
  ${OUTPUT} -p icmp -d "${NET_INT}" -j ACCEPT
  ${OUTPUT} -o "${IF_LOC}" -j ACCEPT
  for spec in \
      "${IF_EXT}|FIREWALL_N_INTERNET|OUTPUT fw2ext:" \
      "${IF_VLX}|FIREWALL_N_INTERNET|OUTPUT fw2vrt:" \
      "${IF_DMZ}|FIREWALL_N_DMZ|OUTPUT fw2dmz:" \
      "${IF_INT}|FIREWALL_N_INTRANET|OUTPUT fw2int:" \
      "${IF_VPN}|FIREWALL_N_VPN|OUTPUT, fw2vpn:"; do
    IFS='|' read -r iface chain prefix <<<"${spec}"
    ${OUTPUT} -o "${iface}" -j "${chain}"
    ${OUTPUT} -o "${iface}" -j LOG --log-prefix "${prefix} "
    ${OUTPUT} -o "${iface}" -j DROP
  done
  ${OUTPUT} -j LOG --log-prefix "OUTPUT geral: "
}
# *************************
# REGRAS BASICAS DE FORWARD
# *************************
# $FORWARD = /usr/local/sbin/iptables -t filter -A FORWARD
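forward() {
  # Built-in FORWARD chain (routed traffic). Security hooks first, then one
  # dispatch per (in, out) interface pair to its policy chain; whatever the
  # chain does not accept is logged and dropped. Pairs not listed fall to
  # the closing LOG and then the FORWARD policy DROP (pdefault_load).
  #
  # Fix: the 1863/tcp block is issued through ${IPTABLES} like every other
  # rule in this file; the original called a bare `iptables`, so which
  # binary ran depended on PATH. -I puts it at the head of FORWARD no matter
  # what is appended afterwards.
  local spec in_if out_if chain tag
  ${IPTABLES} -I FORWARD -p tcp -m tcp --dport 1863 -j DROP
  # Security hooks (blacklist / portscan are disabled)
  #${FORWARD} -m recent --rcheck --name blacklist --seconds 5400 -j BLACKLIST
  #${FORWARD} -m recent --rcheck --name lw_blacklist --seconds 7200 -j LW_BLACKLIST
  ${FORWARD} -j LOGWATCH        # chain is created but empty: logwatch() is commented out
  #${FORWARD} -m psd -j PORTSCAN
  ${FORWARD} -j DROPNOTLOG      # silent drops: INVALID state, broadcasts, ident
  ${FORWARD} -i "${IF_EXT}" -j TROJANS_CHECK
  for spec in \
      "${IF_INT}|${IF_EXT}|INTRANET_N_INTERNET|int2ext" \
      "${IF_INT}|${IF_VLX}|INTRANET_N_INTERNET|int2vrt" \
      "${IF_INT}|${IF_DMZ}|INTRANET_N_DMZ|int2dmz" \
      "${IF_DMZ}|${IF_INT}|INTRANET_N_DMZ|dmz2int" \
      "${IF_DMZ}|${IF_EXT}|DMZ_N_INTERNET|dmz2ext" \
      "${IF_DMZ}|${IF_VLX}|DMZ_N_INTERNET|dmz2vrt" \
      "${IF_EXT}|${IF_INT}|INTRANET_N_INTERNET|ext2int" \
      "${IF_VLX}|${IF_INT}|INTRANET_N_INTERNET|vrt2int" \
      "${IF_EXT}|${IF_DMZ}|DMZ_N_INTERNET|ext2dmz" \
      "${IF_VLX}|${IF_DMZ}|DMZ_N_INTERNET|vrt2dmz" \
      "${IF_VPN}|${IF_INT}|VPN_N_INTRANET|vpn2int" \
      "${IF_INT}|${IF_VPN}|VPN_N_INTRANET|int2vpn" \
      "${IF_VPN}|${IF_DMZ}|VPN_N_DMZ|vpn2dmz" \
      "${IF_DMZ}|${IF_VPN}|VPN_N_DMZ|dmz2vpn"; do
    IFS='|' read -r in_if out_if chain tag <<<"${spec}"
    ${FORWARD} -i "${in_if}" -o "${out_if}" -j "${chain}"
    ${FORWARD} -i "${in_if}" -o "${out_if}" -j LOG --log-prefix "FORWARD, ${tag}: "
    ${FORWARD} -i "${in_if}" -o "${out_if}" -j DROP
  done
  # Nothing is routed through loopback.
  ${FORWARD} -i "${IF_LOC}" -j DROP
  ${FORWARD} -o "${IF_LOC}" -j DROP
  # NOTE(review): none of the LOG rules here is rate-limited (-m limit).
  ${FORWARD} -j LOG --log-prefix "FORWARD geral: "
}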
# ********************************
# LOGWATCH
# ********************************
# $LW = /usr/local/sbin/iptables -A LOGWATCH
#logwatch() {
#$LW -j LOG --log-prefix "LOGWATCH dropped: "
#}
# ********************************
# BLACKLIST
# ********************************
# $BL = /usr/local/sbin/iptables -A BLACKLIST
#blacklist() {
#$BL -m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix "BLACKLIST: "
#$BL -j DROP
#}
# ********************************
# LW_BLACKLIST
# ********************************
# $LWBL = /usr/local/sbin/iptables -A LW_BLACKLIST
#lw_blacklist() {
#$LWBL -m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix "LW_BLACKLIST: "
#$LWBL -j DROP
#}
# ********************************
# PORTSCAN
# ********************************
# $PSCAN = /usr/local/sbin/iptables -A PORTSCAN
portscan() {
  # PORTSCAN chain: log and drop on the external interface, in both
  # directions. The DMZ/internal LOG lines and the 'recent' blacklist entry
  # are disabled. Not invoked from filter_rules_load as posted, so the chain
  # stays empty unless this function is called elsewhere.
  local ext=${IF_EXT}
  #${PSCAN} -i "${ext}" -m recent --set --rsource --name blacklist
  #${PSCAN} -i ${IF_DMZ} -j LOG --log-prefix "PORTSCAN-dmz: "
  #${PSCAN} -i ${IF_INT} -j LOG --log-prefix "PORTSCAN-int: "
  ${PSCAN} -i "${ext}" -j LOG --log-prefix "PORTSCAN-ext: "
  ${PSCAN} -i "${ext}" -j DROP
  ${PSCAN} -o "${ext}" -j DROP
}
# ********************************
# DROP SEM LOG
# ********************************
# $DROPNL = /usr/local/sbin/iptables -A DROPNOTLOG
drop_not_log() {
  # DROPNOTLOG chain: discard noise without logging it. Called early from
  # both INPUT and FORWARD. Anything not matched here returns to the caller.
  local bcast
  # packets conntrack cannot associate with a known flow
  ${DROPNL} -m state --state INVALID -j DROP
  # directed broadcasts for the internal and external networks, and the
  # limited broadcast (the DMZ one is disabled)
  for bcast in "${BRO_INT}" "${BRO_EXT}" "${BRO_ALL}"; do
    ${DROPNL} -d "${bcast}" -j DROP
  done
  #${DROPNL} -d ${BRO_DMZ} -j DROP
  # ident (113/tcp): answer with RST so remote mail/irc servers do not wait
  # for a timeout
  ${DROPNL} -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  # 1900/tcp outbound on the external link (the original comment calls this
  # "broadcast messenger"; 1900 is the SSDP/UPnP port)
  ${DROPNL} -o "${IF_EXT}" -p tcp --dport 1900 -j DROP
}
# *************************************
# TROJANS CONHECIDOS
# *************************************
# $TROJCHK = /usr/local/sbin/iptables -A TROJANS_CHECK
# $TROJEND = /usr/local/sbin/iptables -A TROJANS_END
trojans() {
  # TROJANS_CHECK sends tcp and udp to a fixed list of destination ports to
  # TROJANS_END, which logs and drops. Port -> name as annotated by the
  # original author:
  #   555 phAse zero          1243 Sub-7/SubSeven     3129 Masters Paradise
  #   6670 DeepThroat         6711 Sub-7/SubSeven     6969 GateCrasher
  #   12345 NetBus            21544 GirlFriend        23456 EvilFtp
  #   27374 Sub-7/SubSeven    30100 NetSphere         31789 Hack'a'Tack
  #   31337 BackOrifice and others                    50505 Sockets de Troie
  # This is a fixed-port heuristic from the era of those tools; it provides
  # no coverage for anything using other ports.
  local port proto
  for port in 555 1243 3129 6670 6711 6969 12345 21544 23456 27374 30100 31789 31337 50505; do
    for proto in tcp udp; do
      ${TROJCHK} -p "${proto}" --dport "${port}" -j TROJANS_END
    done
  done
  ${TROJEND} -j LOG --log-prefix "TROJAN: "
  ${TROJEND} -j DROP
}
##########################
# NETBIOS (SMB) RULES
##########################
# $SMB = /usr/local/sbin/iptables -A NETBIOS
netbios() {
  # NETBIOS chain: accept the Windows domain / AD service ports in both
  # directions (WINS replication 42, RPC endpoint mapper 135, NetBIOS
  # session 139, LDAP 389/636, global catalog 3268-3269, DNS 53, Kerberos
  # 88, SMB 445, plus 1026 and the NetBIOS name/datagram UDP ports 137/138).
  # Every rule is stateless (no -m state). Nothing in this file jumps to the
  # NETBIOS chain as posted, so these rules are not reached.
  local port
  for port in 42 135; do
    ${SMB} -p tcp --dport "${port}" -j ACCEPT
    ${SMB} -p tcp --sport "${port}" -j ACCEPT
  done
  ${SMB} -p tcp --sport 1024: --dport 139 -j ACCEPT
  ${SMB} -p tcp --sport 139 --dport 1024: -j ACCEPT
  for port in 389 636 3268:3269 53 88 445; do
    ${SMB} -p tcp --dport "${port}" -j ACCEPT
    ${SMB} -p tcp --sport "${port}" -j ACCEPT
  done
  ${SMB} -p tcp --sport 1026 -j ACCEPT
  ${SMB} -p tcp --dport 1026 -j ACCEPT
  for port in 137 138; do
    ${SMB} -p udp --sport "${port}" --dport "${port}" -j ACCEPT
  done
  ${SMB} -p udp --dport 389 -j ACCEPT
  ${SMB} -p udp --sport 389 -j ACCEPT
  for port in 53 88; do
    ${SMB} -p udp --sport "${port}" -j ACCEPT
    ${SMB} -p udp --dport "${port}" -j ACCEPT
  done
}
# ##############################
# RULES REAIS PARA TRAFEGO LOCAL
# ##############################
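local_policy() {
  # Rules for traffic to and from the firewall host itself, appended to the
  # FIREWALL_N_* chains that input()/output() dispatch to, plus the
  # port-knocking state machine in the mangle table.
  # Fix: `ports` is now local; the original left it as a global that the
  # later policy functions also wrote to.
  local ports srv
  # ---------------------------------------------------------------
  # FIREWALL_N_INTERNET ($FNI): external and Virtua interfaces
  # ---------------------------------------------------------------
  # SSH from the LAN Designers address.
  ${FNI} -p tcp -s "${IP_LANDESIGNERS}" --sport 1024: --dport 22 -j SERVER_ACCEPT
  ${FNI} -p tcp --sport 22 -d "${IP_LANDESIGNERS}" --dport 1024: -j CLIENT_ACCEPT
  # NOTE(review): the next two rules accept SSH from any source with no
  # mark check, so the source restriction above and the mark-3 rule below
  # never decide anything - SSH is open to every address that reaches this
  # chain. Kept as posted.
  ${FNI} -p tcp --sport 1024: --dport 22 -j SERVER_ACCEPT
  ${FNI} -p tcp --sport 22 --dport 1024: -j CLIENT_ACCEPT
  # SSH gated by the port-knock mark set in MANGLE_FIREWALL_N_INTERNET.
  ${FNI} -p tcp -s "${NET_ANY}" --sport 1024: --dport 22 -m mark --mark 3 -j SERVER_ACCEPT
  ${FNI} -p tcp -d "${NET_ANY}" --dport 1024: --sport 22 -j CLIENT_ACCEPT
  # The proxy on this host reaches ftp/http/https anywhere.
  ports="20,21,80,443"
  ${FNI} -p tcp --sport 1024: -d "${NET_ANY}" -m multiport --dports ${ports} -j SERVER_ACCEPT
  # Active-FTP data: NEW connections from any host are accepted on any
  # local port as long as the remote source port is 20 (a value the remote
  # side chooses).
  ${FNI} -p tcp -s "${NET_ANY}" --sport 20 -j SERVER_ACCEPT
  ${FNI} -p tcp --dport 1024: -s "${NET_ANY}" -m multiport --sports ${ports} -j CLIENT_ACCEPT
  ${FNI} -p tcp --sport 1024: -d "${SRV_BIGPAINEL}" --dport 8080 -j SERVER_ACCEPT
  ${FNI} -p tcp --dport 1024: -s "${SRV_BIGPAINEL}" --sport 8080 -j CLIENT_ACCEPT
  # ICMP to/from the upstream routers (original comment: Embratel and Velox).
  for srv in 200.209.87.205 201.17.0.12; do
    ${FNI} -p icmp -d "${srv}" -j ACCEPT
    ${FNI} -p icmp -s "${srv}" -j ACCEPT
  done
  # DNS lookups by the firewall (stateless, any peer).
  ${FNI} -p udp --dport 53 -j ACCEPT
  ${FNI} -p udp --sport 53 -j ACCEPT
  # ---------------------------------------------------------------
  # MANGLE_FIREWALL_N_INTERNET ($MFNI): two-step port knock.
  # A hit on PORTA1 records the source in FASE1; a hit on PORTA2 within
  # 10 s marks the packet 1, the mark-1 rule moves the source out of FASE1
  # and marks 2, the mark-2 rule records it in FASE2. Any later packet from
  # a FASE2 source within 300 s (the entry is refreshed by --update) is
  # marked 3, which the SSH rule above tests.
  # ---------------------------------------------------------------
  ${MFNI} -p tcp --dport "${PORTA1}" -m recent --name FASE1 --set -j ACCEPT
  ${MFNI} -p tcp --dport "${PORTA2}" -m recent --name FASE1 --rcheck --seconds 10 -j MARK --set-mark 1
  ${MFNI} -m mark --mark 1 -m recent --name FASE1 --remove -j MARK --set-mark 2
  ${MFNI} -m mark --mark 2 -m recent --name FASE2 --set -j ACCEPT
  ${MFNI} -m recent --name FASE2 --update --seconds 300 -j MARK --set-mark 3
  # ---------------------------------------------------------------
  # FIREWALL_N_DMZ ($FND)
  # ---------------------------------------------------------------
  # SSH from the firewall's DMZ address to DMZ hosts.
  ${FND} -p tcp -s "${IP_DMZ}" --sport 1024: -d "${NET_DMZ}" --dport 22 -j SERVER_ACCEPT
  ${FND} -p tcp -s "${NET_DMZ}" --sport 22 -d "${IP_DMZ}" --dport 1024: -j CLIENT_ACCEPT
  # HTTPS from the firewall to SRV_PR.
  ${FND} -p tcp -s "${IP_DMZ}" --sport 1024: -d "${SRV_PR}" --dport 443 -j SERVER_ACCEPT
  ${FND} -p tcp -s "${SRV_PR}" --sport 443 -d "${IP_DMZ}" --dport 1024: -j CLIENT_ACCEPT
  # ---------------------------------------------------------------
  # FIREWALL_N_INTRANET ($FNA)
  # ---------------------------------------------------------------
  # Services on the firewall reachable from the internal LAN.
  ports="22,80,3128,1723,8080,3000,10000"
  ${FNA} -p tcp -s "${NET_INT}" --sport 1024: -d "${IP_INT}" -m multiport --dports ${ports} -j SERVER_ACCEPT
  ${FNA} -p tcp -d "${NET_INT}" --dport 1024: -s "${IP_INT}" -m multiport --sports ${ports} -j CLIENT_ACCEPT
  # The firewall sends mail to the internal mail server.
  ${FNA} -p tcp -d "${SRV_MAIL}" --dport 25 -j SERVER_ACCEPT
  ${FNA} -p tcp -s "${SRV_MAIL}" --sport 25 -j CLIENT_ACCEPT
}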
rpolicy_firewall_vpn() {
  # Labelled as the FIREWALL_N_VPN policy, but the only rule appends to the
  # built-in OUTPUT chain (ICMP out through the internal interface); $FNV is
  # never used, so FIREWALL_N_VPN stays empty and input()/output() log and
  # drop everything between the firewall host and the ppp+ interfaces.
  # The same OUTPUT rule is appended again by rpolicy_vpn_int.
  local out_if=${IF_INT}
  ${OUTPUT} -o "${out_if}" -p icmp -j ACCEPT
}
# ################################
# RULES REAIS PARA TRAFEGO ROTEADO
# ################################
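rpolicy_intranet_n_internet() {
  # INTRANET_N_INTERNET ($INI): routed traffic between the internal LAN and
  # the external/Virtua links, in both directions (forward() sends
  # int->ext, int->vrt, ext->int and vrt->int here).
  # Fixes: the reply rule for webmail on port 80 used SERVER_ACCEPT
  # (NEW,ESTABLISHED), which let the mail server open new connections from
  # source port 80 to any high port; every other request/reply pair in this
  # file uses SERVER_ACCEPT for the request and CLIENT_ACCEPT for the reply,
  # and the 443 reply directly below already did, so 80 now matches.
  # `ports` is local instead of a global.
  local ports
  # temporary allow-all, disabled
  #${INI} -s ${NET_INT} -d ${NET_ANY} -j ACCEPT
  #${INI} -d ${NET_INT} -s ${NET_ANY} -j ACCEPT
  # Webmail (reached through the DNAT in prerouting and from the LAN).
  ${INI} -p tcp --sport 1024: -d "${SRV_MAIL}" --dport 80 -j SERVER_ACCEPT
  ${INI} -p tcp --sport 1024: -d "${SRV_MAIL}" --dport 443 -j SERVER_ACCEPT
  ${INI} -p tcp --dport 1024: -s "${SRV_MAIL}" --sport 80 -j CLIENT_ACCEPT
  ${INI} -p tcp --dport 1024: -s "${SRV_MAIL}" --sport 443 -j CLIENT_ACCEPT
  # AIS.LIVE on 7778/tcp, from any internal source.
  ${INI} -p tcp --sport 1024: -d "${SRV_AISLIVE}" --dport 7778 -j SERVER_ACCEPT
  ${INI} -p tcp --dport 1024: -s "${SRV_AISLIVE}" --sport 7778 -j CLIENT_ACCEPT
  # Mail server sends SMTP to and fetches POP3 from the hosting provider.
  ports="25,110"
  ${INI} -p tcp -s "${SRV_MAIL}" --sport 1024: -d "${SRV_BIGHOST}" -m multiport --dports ${ports} -j SERVER_ACCEPT
  ${INI} -p tcp -d "${SRV_MAIL}" --dport 1024: -s "${SRV_BIGHOST}" -m multiport --sports ${ports} -j CLIENT_ACCEPT
  ${INI} -p icmp -s "${SRV_BIGHOST}" -d "${SRV_MAIL}" -j ACCEPT
  ${INI} -p icmp -d "${SRV_BIGHOST}" -s "${SRV_MAIL}" -j ACCEPT
  # Mail server DNS lookups (stateless).
  ${INI} -p udp -s "${SRV_MAIL}" --sport 1024: --dport 53 -j ACCEPT
  ${INI} -p udp -d "${SRV_MAIL}" --dport 1024: --sport 53 -j ACCEPT
  # Workstations reach cmt.caixa.gov.br over HTTP.
  ${INI} -p tcp -s "${NET_INT}" --sport 1024: -d "${NET_CAIXA}" --dport 80 -j SERVER_ACCEPT
  ${INI} -p tcp -d "${NET_INT}" --dport 1024: -s "${NET_CAIXA}" --sport 80 -j CLIENT_ACCEPT
  # FTP to anywhere: control + passive data, and active data as RELATED
  # (needs the FTP conntrack helper loaded).
  ${INI} -p tcp -s "${NET_INT}" --sport 1024: -d "${NET_ANY}" -m multiport --dports 20,21 -j SERVER_ACCEPT
  ${INI} -p tcp -d "${NET_INT}" --dport 1024: -s "${NET_ANY}" -m multiport --sports 20,21 -j CLIENT_ACCEPT
  ${INI} -p tcp -d "${NET_INT}" --dport 1024: -s "${NET_ANY}" --sport 20 -j RELATED_ACCEPT
  ${INI} -p tcp -s "${NET_INT}" --sport 1024: -d "${NET_ANY}" --dport 20 -j RELATED_ACCEPT
  # MetaFrame over HTTPS.
  ${INI} -p tcp -s "${NET_INT}" -d "${SRV_METAFRAME}" --dport 443 -j SERVER_ACCEPT
  ${INI} -p tcp -d "${NET_INT}" -s "${SRV_METAFRAME}" --sport 443 -j CLIENT_ACCEPT
  # PPTP (1723/tcp + GRE) to the mail server, the DNAT target in prerouting.
  ${INI} -p tcp -d "${SRV_MAIL}" --dport 1723 -j SERVER_ACCEPT
  ${INI} -p tcp -s "${SRV_MAIL}" --sport 1723 -j CLIENT_ACCEPT
  ${INI} -p gre -d "${SRV_MAIL}" -j ACCEPT
  ${INI} -p gre -s "${SRV_MAIL}" -j ACCEPT
}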
rpolicy_intranet_n_dmz() {
  # INTRANET_N_DMZ ($IND): no rules. The chain stays empty, so forward()
  # logs and drops all int<->dmz traffic. Placeholder body keeps the
  # function valid (a bash function may not be empty).
  :
}
rpolicy_dmz_n_internet() {
  # DMZ_N_INTERNET ($DNI): no rules. The chain stays empty, so forward()
  # logs and drops all dmz<->ext/vrt traffic. Placeholder body keeps the
  # function valid.
  :
}
#
rpolicy_vpn_int() {
  # VPN_N_INTRANET ($VNA): routed traffic between the VPN pool and the
  # internal LAN. TCP is accepted with NEW allowed in both directions
  # (SERVER_ACCEPT on each side, so the CLIENT_ACCEPT rules are redundant),
  # and UDP/ICMP are accepted statelessly both ways - effectively an open
  # path between the two networks.
  # The first rule appends to the built-in OUTPUT chain, duplicating the one
  # rpolicy_firewall_vpn already adds.
  local proto
  ${OUTPUT} -o "${IF_INT}" -p icmp -j ACCEPT
  ${VNA} -p tcp -s "${NET_VPN}" -d "${NET_INT}" -j SERVER_ACCEPT
  ${VNA} -p tcp -d "${NET_VPN}" -s "${NET_INT}" -j CLIENT_ACCEPT
  ${VNA} -p tcp -d "${NET_VPN}" -s "${NET_INT}" -j SERVER_ACCEPT
  ${VNA} -p tcp -s "${NET_VPN}" -d "${NET_INT}" -j CLIENT_ACCEPT
  for proto in udp icmp; do
    ${VNA} -p "${proto}" -s "${NET_VPN}" -d "${NET_INT}" -j ACCEPT
    ${VNA} -p "${proto}" -d "${NET_VPN}" -s "${NET_INT}" -j ACCEPT
  done
}
rpolicy_vpn_dmz() {
  # VPN_N_DMZ ($VND): no rules. The chain stays empty, so forward() logs and
  # drops all vpn<->dmz traffic. Placeholder body keeps the function valid.
  :
}
##################################
# INIT - P A R A M E T R O S
##################################
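# Print usage to stderr and exit non-zero.
# Fixes: the original usage text advertised "-lds" although the option the
# script tests for is "-lan", interpolated $0 into the printf format string,
# and returned 0; it also silently did nothing for an unrecognised second
# argument, which now falls through to usage as well.
usage() {
  printf 'usage: %s start|stop|restart [-all|-filter|-nat] | start|stop [-lan|-sap]\n' "$0" >&2
  exit 1
}

# Dispatch on "$1 $2". An empty second argument means -all.
# NOTE(review): sap_load, sap_unload, lds_load and lds_unload are not
# defined anywhere in this file as posted; calling them fails unless they
# are provided elsewhere.
case "$1" in
  start)
    case "$2" in
      -nat)    modules_load; load_nat ;;
      -filter) modules_load; load_filter ;;
      -all|"") modules_load; load_all ;;
      -sap)    sap_load ;;
      -lan)    lds_load ;;
      *)       usage ;;
    esac
    ;;
  stop)
    case "$2" in
      -nat)    unload_nat ;;
      -filter) unload_filter ;;
      -all|"") unload_all ;;
      -lan)    lds_unload ;;
      -sap)    sap_unload ;;
      *)       usage ;;
    esac
    ;;
  restart)
    case "$2" in
      -nat)    unload_nat; load_nat ;;
      -filter) unload_filter; load_filter ;;
      -all|"") unload_all; load_all ;;
      *)       usage ;;
    esac
    ;;
  *)
    usage
    ;;
esac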