Port redirection

13. Re: Port redirection

Danilo
dbcazon

(uses Ubuntu)

Posted on 03/04/2014 - 10:28h

Good morning,

Folks, I'm taking advantage of this thread, and thanks in advance for the help!


I know little about this world, but since I joined the company I've been getting by with IpTables and Squid.

My question is the following:
I have a redirection set up in the firewall rules that works normally, but whenever the server was rebooted because of a power outage or anything else, I had to go back to the terminal and run the command again.

After a bit of research I saw that I should save the rule by running iptables-save.

The problem is that, according to the people who use this redirection, after 19h they can no longer get in, and my knowledge so far doesn't show me any rule that sets that time.
Anyway, the command:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8887 -j DNAT --to-destination 192.168.0.3:8887

Is there another command, or something in this one, that I should add or change so it doesn't have this problem?
Is there any way to set up this redirection so it isn't tied to anything else, so it's FULL and I don't have any more headaches?

Thanks
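To confirm after a reboot that a saved rule was actually reloaded, here is an added example (not from the thread) that parses the format `iptables-save -t nat` prints and looks for the DNAT rule quoted above. The dump below is constructed; on the firewall the text would come from running `iptables-save -t nat` as root.

```python
import shlex

# Constructed excerpt in the format `iptables-save -t nat` prints; it carries
# the DNAT rule from the thread plus two unrelated rules for contrast.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8887 -j DNAT --to-destination 192.168.0.3:8887
-A PREROUTING -i eth0 -p tcp ! -d 50.19.231.222 --dport 80 -j REDIRECT --to-port 25111
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""


def parse_save(dump):
    """Map (table, chain) -> list of rules; each rule is a dict option -> value.

    A negated match such as `! -d 1.2.3.4` is stored under the key '!-d', and
    `-m <module>` pairs are skipped because they only load a match module.
    """
    rules, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                    # table header, e.g. *nat
            table = line[1:].strip()
        elif line.startswith("-A ") and table:       # an appended rule
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):
                key = toks[i]
                if key == "!":                      # negation applies to the next option
                    key, i = "!" + toks[i + 1], i + 1
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    val, i = toks[i + 1], i + 2     # option with an argument
                else:
                    val, i = True, i + 1            # bare flag
                if key != "-m":
                    opts[key] = val
            rules.setdefault((table, toks[1]), []).append(opts)
    return rules


def dnat_present(dump, in_iface, dport, destination):
    """True if nat/PREROUTING has a DNAT rule for dport on in_iface to destination."""
    for r in parse_save(dump).get(("nat", "PREROUTING"), []):
        if (r.get("-i") == in_iface and r.get("--dport") == str(dport)
                and r.get("-j") == "DNAT" and r.get("--to-destination") == destination):
            return True
    return False


if __name__ == "__main__":
    print("DNAT 8887 -> 192.168.0.3:8887 loaded:",
          dnat_present(SAMPLE_DUMP, "eth1", 8887, "192.168.0.3:8887"))
```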


  


14. Re: Port redirection

Profile removed
removed

(uses None)

Posted on 03/04/2014 - 10:43h

Good morning, colleague,


Are you using an HTTP application? Are you using Squid to handle this request? Describe the scenario in more detail!


Regards

Tiago Eduardo Zacarias
LPIC-1


15. Re: Port redirection

Danilo
dbcazon

(uses Ubuntu)

Posted on 03/04/2014 - 11:15h

thiago304 wrote:

Good morning, colleague,


Are you using an HTTP application? Are you using Squid to handle this request? Describe the scenario in more detail!


Regards

Tiago Eduardo Zacarias
LPIC-1



Good morning,

So, it's a site hosted on a WS2008 server on the internal network, for testing.

The person accesses the address with the port (8887) and gets to this site.
There is no rule linking this line to Squid, at least none that I can associate with it.
It's simply a redirection done in the firewall to that specific workstation.
The only thing there is in Squid related to the 19h time in question is a rule that allows internal access to any external site from 19h to 23h59.. apart from that there is nothing else.



16. Re: Port redirection

Perfil removido
removido

(uses None)

Posted on 03/04/2014 - 11:24h

Post your firewall script so we can take a look at it.


Tiago Eduardo Zacarias
LPIC-1


17. Re: Port redirection

Danilo
dbcazon

(uses Ubuntu)

Posted on 03/04/2014 - 11:50h

thiago304 wrote:

Post your firewall script so we can take a look at it.


Tiago Eduardo Zacarias
LPIC-1


#!/bin/bash
##################################################################
#################### Firewall start ##############################
##################################################################
/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string

## Flushing the existing rules #######
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -Z

## Setting the default policy (deny input and allow output)
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

##################################################################
################# LOG of external access to the internal network #
##################################################################

## Log SSH and Proxy
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24778 -j LOG --log-prefix="Acesso RDP server003 " --log-level 4
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24779 -j LOG --log-prefix="Acesso SSH Firewall " --log-level 4
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24777 -j LOG --log-prefix="Acesso SSH Zimbra " --log-level 4
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 25111 -j LOG --log-prefix="Acesso Proxy " --log-level 4

### Ultra-surf
/sbin/iptables -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "
/sbin/iptables -A FORWARD -d 65.49.2.0/24 -j LOG --log-prefix "=UltraSurf= "

## Log HTTP port 8888 (change to 8887)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8888 -j LOG --log-prefix="SERVER004 " --log-level 4

## Local access on port 80
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 -d 192.168.0.1 --dport 80 -j ACCEPT

##################################################################
######################## Protection against assorted attacks #####
##################################################################
###### Protection against synflood
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### Protection against ICMP broadcasting
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

###### Protection against IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Assorted protection against portscanners, ping of death, DoS attacks, damaged packets, etc.
#
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

## Limiting connections on port 80 #######
/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --set
/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP

#TeamViewer
#
/sbin/iptables -I FORWARD -m string --algo bm --string "teamviewer" -j DROP
#/sbin/iptables -I OUTPUT -m string --algo bm --string "teamviewer" -j DROP

##################################################################
######################### End of the anti-attack rules ###########
##################################################################

## Prevent browsing without a proxy set in the browser ##########
#
# Skip the redirection for the Amazon and xgen addresses (Chat and SOL Manager)
#
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s 192.168.0.77 -j RETURN

# Webmail
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 -j RETURN

# Xgen
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 186.202.60.208 -j RETURN

# DB Sol
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 50.19.231.222 --dport 80 -j REDIRECT --to-port 25111

# Watz
#
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 170.20.249.224 --dport 80 -j REDIRECT --to-port 25111

# Xgen Chat
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 187.61.5.194 --dport 80 -j REDIRECT --to-port 25111
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 186.202.60.208 --dport 80 -j REDIRECT --to-port 25111

## Prevent the use of another external proxy on port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 25111
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 25111
/sbin/iptables -A FORWARD -p tcp --dport 8080 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 8080 -j DROP

## Establish a trust relationship between machines on the local network, eth0 (local network)
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allowing external INPUT to the firewall ##
#
# Ports ##
# 80 443 Sarg/webhtb
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 192.168.0.1:80
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8182 -j DNAT --to-destination 192.168.0.1:443

# SSH
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 24779,24777,1177,27777 -j ACCEPT

# Server005 (HTTP)
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 24778 -j ACCEPT

# Server004 (HTTP)
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 443,1313,8887,8889,8075 -j ACCEPT

# Srv004 (HTTP)
#/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 8888 -j ACCEPT

# vpn server
/sbin/iptables -A FORWARD -p tcp -i eth1 --dport 1723 -j ACCEPT
/sbin/iptables -A FORWARD -p 47 -i eth1 -j ACCEPT

# Cups web
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 3305 -j ACCEPT

## Mail Server
/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 25,110,7071,143,993,995,80 -j ACCEPT

# External proxy
/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.249.224 --dport 25111 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.249.227 --dport 25111 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.243.218 --dport 25111 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 50.19.231.222 --dport 25111 -j ACCEPT

## DNS ##
#
/sbin/iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
#/sbin/iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 777 -j DNAT --to-destination 200.221.2.45:80

##################################################################
########## Redirection to machines on the internal network #######
##################################################################
# Server004(HTTP)
# (comment out)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8889 -j DNAT --to-destination 192.168.0.3:80
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1313 -j DNAT --to-destination 192.168.0.3:1313
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.3:443
# (comment out)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8075 -j DNAT --to-destination 192.168.0.3:8075
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8887 -j DNAT --to-destination 192.168.0.3:8887

# Srv004(HTTP)
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.0.106:80

## VPN
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 1723 -j DNAT --to 192.168.0.3:1723
/sbin/iptables -A PREROUTING -t nat -p 47 -i eth1 -j DNAT --to 192.168.0.3

# Cups web
# (comment out)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3305 -j DNAT --to-destination 192.168.0.100:631

# Andre
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 27777 -j DNAT --to-destination 192.168.0.7:22

## SSH Zimbra
# (comment out)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24777 -j DNAT --to-destination 192.168.0.112:22

## RDP
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1177 -j DNAT --to-destination 192.168.0.2:3389

############## Tests #############################################
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1433 -j DNAT --to-destination 192.168.0.4:1433
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to-destination 192.168.0.112:53
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-destination 192.168.0.112:53

## Mail Server
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dport 25,110,7071,80,143,993,995 -j DNAT --to-dest 192.168.0.112

##################################################################
########################### Blocking Messenger and Proxy #########
##################################################################
/sbin/iptables -A FORWARD -d 64.13.161.61 -p tcp --dport 443 -j DROP
/sbin/iptables -A FORWARD -d 213.13.146.15 -p tcp --dport 443 -j DROP
/sbin/iptables -A FORWARD -d 65.98.25.145 -p tcp --dport 443 -j DROP

### Messenger #######

## Karen
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f2:ef -p tcp --dport 1863 -j REDIRECT --to-port 25111
## Everton
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:0f:ea:9f:02:5a -p tcp --dport 1863 -j REDIRECT --to-port 25111
## Caio
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a9:21:21 -p tcp --dport 1863 -j REDIRECT --to-port 25111
## Gabriela
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a5:55:e6 -p tcp --dport 1863 -j REDIRECT --to-port 25111
## Beatriz
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source b8:ac:6f:61:86:f6 -p tcp --dport 1863 -j REDIRECT --to-port 25111
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source F0:7B:CB:35:D0:9C -p tcp --dport 1863 -j REDIRECT --to-port 25111
/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:08:54:69:9B:28 -p tcp --dport 1863 -j REDIRECT --to-port 25111

##################################################################
################################ Inbound blocking ################
##################################################################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j REJECT

## Allow ping ##
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

##################################################################
############################ Internet sharing ####################
##################################################################
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Firewall Basico Ativado"

##################################################################
######################################## End #####################
##################################################################



18. Re: Port redirection

Danilo
dbcazon

(uses Ubuntu)

Posted on 04/04/2014 - 10:26h

thiago304 wrote:

Post your firewall script so we can take a look at it.


Tiago Eduardo Zacarias
LPIC-1


Good morning,

Is there any IpTables log that would let me analyze an event that has occurred? For example, this drop of the port 8887 redirection after 19h.
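As an added example (not from the thread), the kernel LOG lines produced by the script's `-j LOG --log-prefix="SERVER004 " --log-level 4` rule can be bucketed per hour to see whether new connections to the redirected port are still arriving after 19h. The syslog lines below are constructed, assume the log rule was already changed from 8888 to 8887 as the script's comment says, and use documentation-range addresses; on the firewall they would be read from the system log (/var/log/kern.log or /var/log/syslog, depending on the distribution).

```python
import re
from collections import Counter

# Constructed syslog lines in the shape the kernel writes for a nat PREROUTING
# rule with `-j LOG --log-prefix="SERVER004 "` (the prefix used in the script).
# Hosts and addresses are documentation-range placeholders, not from the thread.
SAMPLE_LOG = """\
Apr  3 17:58:41 fw kernel: SERVER004 IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=8887 SYN URGP=0
Apr  3 18:12:03 fw kernel: SERVER004 IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40002 DPT=8887 SYN URGP=0
Apr  3 18:47:55 fw kernel: SERVER004 IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51300 DPT=8887 SYN URGP=0
Apr  3 19:03:10 fw kernel: SERVER004 IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51311 DPT=8887 SYN URGP=0
Apr  3 19:04:22 fw kernel: SERVER004 IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51312 DPT=8887 SYN URGP=0
Apr  3 19:30:00 fw kernel: Acesso Proxy IN=eth1 OUT= SRC=203.0.113.20 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=33000 DPT=25111 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", an optional "[uptime]", then the LOG prefix
# followed by the IN=/OUT=/SRC=/.../DPT= fields netfilter emits.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<hh>\d{2}):\d{2}:\d{2} \S+ kernel: (?:\[[\d. ]+\] )?"
    r"(?P<prefix>.*?)IN=(?P<in>\S*) OUT=\S* .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_hits(text, prefix):
    """Return (hour, in_iface, src, dport) for each LOG line carrying `prefix`."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("prefix").strip() == prefix.strip():
            hits.append((int(m.group("hh")), m.group("in"), m.group("src"), int(m.group("dpt"))))
    return hits


def hits_per_hour(text, prefix, dport):
    """Count new connections per hour to `dport`.

    The nat table only sees the first packet of a connection, so each LOG line
    from a nat PREROUTING rule is one connection attempt, not one packet.
    """
    counts = Counter(h for h, _, _, d in parse_hits(text, prefix) if d == dport)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for hour, n in hits_per_hour(SAMPLE_LOG, "SERVER004", 8887).items():
        print(f"{hour:02d}h: {n} new connection(s) to 8887 seen on eth1")
```

If attempts keep being logged after 19h while users report failures, the packets are reaching eth1 and the fault lies after PREROUTING (forwarding, the proxy, or the server itself); if they stop, nothing is arriving at the firewall in the first place.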


19. NAT problem

Danilo
dbcazon

(uses Ubuntu)

Posted on 08/04/2014 - 16:56h

Good afternoon,

Folks, any idea what this error of mine could be?



  