Iptables Rule

1. Iptables Rule

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Posted on 13/01/2011 - 11:22h

Good morning,

I have 2 firewalls, one at each site, headquarters and branch. I want to access a server at the branch via Terminal Server, but I'm not managing to; I can ping the server I want to reach normally. I've already opened the Terminal port, 3389.

headquarters firewall: 172.12.10.1
branch firewall: 172.12.14.1
server I want to access: 172.16.14.100

note: I can ping the server I want to access normally, but I can't access it via TS.


  


2. Re: Iptables Rule

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 13/01/2011 - 11:27h

How did you open those rules? Post them here.


3. Re: Iptables Rule

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Posted on 13/01/2011 - 12:17h

-A FORWARD -p tcp --dport 3389 -j ACCEPT

I have another firewall and I access it normally; it's only this one where I can't reach the server via TS.
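
As an added example (not part of the thread or the poster's configuration): the rule posted above accepts TCP/3389 from any source to any destination on any interface, so every host that can route through this box, including anything arriving on the Internet-facing side, can reach RDP on anything behind it. A narrower, stateful version in iptables-save form follows; the interface names, the headquarters LAN 172.12.10.0/24 and the placement of the LOG rule are assumptions, not facts from the thread.

```iptables
*filter
:FORWARD DROP [0:0]
# Replies to connections that were already accepted, in either direction.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New RDP sessions only from the headquarters LAN (assumed 172.12.10.0/24),
# only to the one Terminal Server, only entering on the inter-site link
# (assumed eth2) and leaving on the LAN side (assumed eth1).
-A FORWARD -i eth2 -o eth1 -p tcp -s 172.12.10.0/24 -d 172.16.14.100 --dport 3389 -m state --state NEW -j ACCEPT
# Any other RDP attempt is logged (rate-limited) and then falls to the DROP policy.
-A FORWARD -p tcp --dport 3389 -m limit --limit 1/s -j LOG --log-prefix "rdp-denied: "
COMMIT
```

This fragment replaces the whole filter table when loaded with `iptables-restore`, so merge it with the rest of the rule set first. Afterwards, watch `iptables -nvL FORWARD --line-numbers` while a client connects: the packet counter on the accepting rule should increase, and `rdp-denied:` lines in the kernel log show the source and interface of anything that was refused.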


4. Re: Iptables Rule

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 13/01/2011 - 14:17h

Man, you need to post all of your rules here so we can tell. Also list the ones that are already loaded:

# iptables -nL
# iptables -t nat -nL


5. Re: Iptables Rule

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Posted on 13/01/2011 - 15:34h

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpts:25000:30000
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:754

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 200.223.0.0
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
DROP tcp -- 0.0.0.0/0 74.125.45.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 64.233.163.189 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.45.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.67.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.65.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.157.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.159.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.47.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.45.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 209.85.157.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 209.85.229.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 209.85.227.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.93.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.91.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.113.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.115.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.39.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.43.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.95.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.45.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.45.125 tcp dpt:443
DROP tcp -- 0.0.0.0/0 74.125.45.125
DROP tcp -- 0.0.0.0/0 74.125.67.125
DROP tcp -- 0.0.0.0/0 74.125.65.125
DROP tcp -- 0.0.0.0/0 74.125.157.125
DROP tcp -- 0.0.0.0/0 74.125.159.125
DROP tcp -- 0.0.0.0/0 74.125.47.125
DROP tcp -- 0.0.0.0/0 74.125.45.125
DROP tcp -- 0.0.0.0/0 209.85.157.125
DROP tcp -- 0.0.0.0/0 209.85.229.125
DROP tcp -- 0.0.0.0/0 209.85.227.125
DROP tcp -- 0.0.0.0/0 74.125.93.125
DROP tcp -- 0.0.0.0/0 74.125.91.125
DROP tcp -- 0.0.0.0/0 74.125.113.125
DROP tcp -- 0.0.0.0/0 74.125.115.125
DROP tcp -- 0.0.0.0/0 74.125.39.125
DROP tcp -- 0.0.0.0/0 74.125.43.125
DROP tcp -- 0.0.0.0/0 74.125.95.125
DROP tcp -- 0.0.0.0/0 64.233.169.0/24 tcp dpt:443
DROP tcp -- 0.0.0.0/0 209.85.137.0/24 tcp dpt:443
DROP tcp -- 0.0.0.0/0 72.14.253.0/24 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1571
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4000
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2631
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8672
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9670
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:809
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1665
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7799
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8017
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2681
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:945
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
ACCEPT all -- 0.0.0.0/0 10.101.0.0/24
ACCEPT all -- 0.0.0.0/0 10.102.0.0/24
ACCEPT all -- 0.0.0.0/0 10.103.0.0/24
ACCEPT all -- 0.0.0.0/0 10.104.0.0/24
ACCEPT all -- 0.0.0.0/0 10.105.0.0/24
ACCEPT all -- 0.0.0.0/0 10.106.0.0/24
ACCEPT all -- 0.0.0.0/0 10.107.0.0/24
ACCEPT all -- 0.0.0.0/0 192.168.254.0/24
ACCEPT all -- 0.0.0.0/0 172.16.0.0/22
ACCEPT all -- 0.0.0.0/0 172.16.8.0/22
ACCEPT all -- 0.0.0.0/0 172.16.12.0/22
ACCEPT all -- 0.0.0.0/0 172.16.16.0/22
ACCEPT all -- 0.0.0.0/0 172.16.20.0/22
ACCEPT all -- 0.0.0.0/0 172.16.24.0/22
ACCEPT all -- 0.0.0.0/0 172.16.11.100
ACCEPT all -- 0.0.0.0/0 172.16.11.121
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4901
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:754

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 200.223.0.0
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
ACCEPT tcp -- 0.0.0.0/0 192.168.0.107
ACCEPT tcp -- 0.0.0.0/0 192.168.0.138
ACCEPT tcp -- 0.0.0.0/0 172.16.7.107
ACCEPT tcp -- 0.0.0.0/0 172.16.0.228
ACCEPT tcp -- 0.0.0.0/0 172.16.11.121
ACCEPT tcp -- 0.0.0.0/0 172.16.4.181
ACCEPT tcp -- 0.0.0.0/0 192.168.0.137
ACCEPT tcp -- 0.0.0.0/0 192.168.0.139
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863 redir ports 1863
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863 redir ports 1863
REDIRECT tcp -- 0.0.0.0/0 !200.201.174.207 tcp dpt:80 redir ports 3128
RETURN tcp -- 172.16.0.0 200.201.174.207 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 200.201.0.0/16
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



6. Re: Iptables Rule

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 13/01/2011 - 16:14h

Hey, OUTPUT has policy DROP. In that case, you'd have to allow its outbound traffic too...


7. Re: Iptables Rule

Fabio Soares Schmidt
fs.schmidt

(uses CentOS)

Posted on 13/01/2011 - 17:00h

Hi emerson, are you using a VPN? If so, which protocol?


8. Re: Iptables Rule

Profile removed
removed

(uses none)

Posted on 14/01/2011 - 10:43h

Good morning,

Your firewall has a lot of repeated rules, like the ones below, which allow OUTPUT to any IP.

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Go over this firewall of yours, and afterwards check whether TS is really enabled on the server and whether the server's own firewall isn't blocking port 3389.
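
An added example, not from the thread: a packet that is routed through the firewall (a client behind one site reaching a server behind the other) traverses only the FORWARD chain of the filter table after nat PREROUTING, never INPUT or OUTPUT, so FORWARD is where the RDP case has to be reasoned about. The script below walks the FORWARD chain of an iptables-save dump in order and reports which rule fires first and with what verdict, and it also lists the two defects the reply above points at: exact duplicates and rules with no `-j` target at all (those only increment their counters; the packet continues to the next rule). It understands only the matches that occur in the posted rules. The rule text is a constructed sample modelled on the branch dump, and the client address 172.12.10.50 is an assumption.

```python
"""Added example, not from the thread: walk the *filter table of an
iptables-save dump for one packet and report the first rule that decides it.
Only -p, -s, -d, -i, -o, --dport, --syn and -m state --state are modelled;
addresses must be literal, as iptables-save prints them, not hostnames."""
import ipaddress
import shlex
import sys

# Constructed sample modelled on the branch firewall in the thread: DROP
# policy, stateful ACCEPT, a rule with no -j, and a duplicated RDP rule.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8672
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 172.16.12.0/22 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
"""

OPTS = {'-p': 'proto', '-s': 'src', '-d': 'dst', '-i': 'iif', '-o': 'oif',
        '-j': 'target', '--dport': 'dport', '--state': 'state'}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we model."""
    toks = shlex.split(line)
    rule = {'raw': line, 'chain': toks[1], 'target': None}
    i = 2
    while i < len(toks):
        if toks[i] in OPTS and i + 1 < len(toks):
            rule[OPTS[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] == '--syn':
            rule['syn'] = True
            i += 1
        else:                # -m tcp, --icmp-type echo-request, ...: ignored
            i += 1
    return rule


def parse_filter(text):
    """Return (chain policies, rules) from the *filter table of a dump."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):
            in_filter = line == '*filter'
        elif not in_filter or not line or line[0] == '#' or line == 'COMMIT':
            continue
        elif line[0] == ':':
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith('-A '):
            rules.append(parse_rule(line))
    return policies, rules


def matches(rule, pkt):
    """True when every modelled option of the rule agrees with the packet."""
    if 'proto' in rule and rule['proto'] != pkt['proto']:
        return False
    for key in ('src', 'dst'):
        if key in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    for key in ('iif', 'oif'):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if 'dport' in rule:                          # single port or lo:hi range
        lo, _, hi = rule['dport'].partition(':')
        if not int(lo) <= pkt.get('dport', -1) <= int(hi or lo):
            return False
    if 'state' in rule and pkt.get('state') not in rule['state'].split(','):
        return False
    if rule.get('syn') and not pkt.get('syn'):
        return False
    return True


def evaluate(text, chain, pkt):
    """Walk `chain` top to bottom; return (verdict, deciding rule or None)."""
    policies, rules = parse_filter(text)
    for rule in rules:
        if rule['chain'] != chain or not matches(rule, pkt):
            continue
        if rule['target'] in ('ACCEPT', 'DROP', 'REJECT'):
            return rule['target'], rule['raw']
        # matched but no -j (counters only), LOG, or an unmodelled target:
        # the packet continues with the next rule
    return policies.get(chain, 'ACCEPT'), None


def lint(text):
    """Return (rules with no target, exact duplicate rules)."""
    _, rules = parse_filter(text)
    no_target = [r['raw'] for r in rules if r['target'] is None]
    seen, dupes = set(), []
    for r in rules:
        if r['raw'] in seen and r['raw'] not in dupes:
            dupes.append(r['raw'])
        seen.add(r['raw'])
    return no_target, dupes


if __name__ == '__main__':
    # Pass a saved dump as argv[1] to check the real firewall instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    # RDP SYN from an assumed headquarters host to the thread's server.
    rdp = {'proto': 'tcp', 'src': '172.12.10.50', 'dst': '172.16.14.100',
           'dport': 3389, 'state': 'NEW', 'syn': True}
    print('verdict:', evaluate(text, 'FORWARD', rdp))
    print('no target / duplicates:', lint(text))
```

Against the sample, the RDP SYN is accepted by the first `--dport 3389` rule, which means that if the real dump behaves the same way the FORWARD chain is not what stops the session and the search moves to routing, NAT on the inter-site path, or the server itself. Run `iptables-save > dump.txt` on the branch box and pass `dump.txt` to the script to check the real rule set.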


9. Re: Iptables Rule

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Posted on 14/01/2011 - 11:45h

Below are my headquarters iptables rules:


# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*nat
:PREROUTING ACCEPT [247:25323]
:POSTROUTING ACCEPT [7:415]
:OUTPUT ACCEPT [7:415]

# Allowing the System
-A PREROUTING -p tcp -d 192.168.0.107 -j ACCEPT
-A PREROUTING -p tcp -d 192.168.0.138 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.7.107 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.0.228 -j ACCEPT

-A PREROUTING -p tcp -d 172.16.11.121 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.4.181 -j ACCEPT


# Blocking access to the System
-A PREROUTING -p tcp -d 192.168.0.137 -j ACCEPT
-A PREROUTING -p tcp -d 192.168.0.139 -j ACCEPT

# Redirecting to msn-proxy
-A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 1863
-A PREROUTING -i eth2 -p tcp --dport 1863 -j REDIRECT --to-port 1863

# Caixa Conectividade

-A PREROUTING -i eth0 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
-I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
-I PREROUTING -p tcp -d 200.223.0.0 -j ACCEPT
-A PREROUTING -p tcp -s 172.16.0.0 --dport 80 -d 200.201.174.207 -j RETURN
-A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
#-A PREROUTING -i eth2 -p tcp --dport 22 -j REDIRECT --to-port 754


==============================================================

Branch iptables

# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*nat
:PREROUTING ACCEPT [247:25323]
:POSTROUTING ACCEPT [7:415]
:OUTPUT ACCEPT [7:415]

# Allowing the System
-A PREROUTING -p tcp -d 172.16.7.139 -j ACCEPT
-A PREROUTING -p tcp -d 192.168.0.140 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.7.140 -j ACCEPT
-A PREROUTING -p tcp -d 192.168.0.139 -j ACCEPT
-A PREROUTING -p tcp -d 192.168.0.137 -j DROP
-A PREROUTING -p tcp -d 172.16.7.137 -j DROP
-A PREROUTING -p tcp -d 192.168.0.138 -j DROP
-A PREROUTING -p tcp -d 172.16.7.138 -j DROP
-A PREROUTING -p tcp -d 192.168.0.142 -j DROP
-A PREROUTING -p tcp -d 172.16.7.142 -j DROP
-A PREROUTING -p tcp -d 192.168.0.141 -j DROP
-A PREROUTING -p tcp -d 172.16.7.141 -j DROP
-A PREROUTING -p tcp -d 172.16.7.180 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.4.181 -j ACCEPT
-A PREROUTING -p tcp -d 172.16.11.121 -j ACCEPT




# Redirecting everything to Squid
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Redirecting to the MSN-Proxy
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1863 -j REDIRECT --to-ports 1863

# Internet sharing
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE

COMMIT
# Completed on Sat Jul 11 14:45:48 2009
# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*filter

:INPUT DROP [3:287]
:FORWARD DROP [216:10833]
:OUTPUT DROP [14:1170]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Local network
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT

# Internet
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# MSN-Proxy
-A INPUT -p tcp -m tcp --dport 25000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 -j ACCEPT

# Ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Ping
-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

# Allowing Internet and System

# MSN
-A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT

# Internet
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

# System login
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1433 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 9090 -j ACCEPT

# DNS Firewall
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT

# Banks and financial institutions
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5190 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20000 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 809 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1665 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 4445 -j ACCEPT

# Allowing sending and receiving e-mail
# Receiving
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
# Sending
-A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT

# Allowing remote connections (Terminal Server, VNC and PuTTY)
# Remote access and drive mapping
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 137 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 138 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 139 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 9090 -j ACCEPT

# Allowing external networks
-A FORWARD -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -d 172.16.4.0/22 -j ACCEPT

# Notas Espatodeas server
-A FORWARD -d 172.16.4.181 -j ACCEPT

# VNC
-A FORWARD -p tcp -m tcp --dport 4901 -j ACCEPT

# FTP

-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


# Microsiga Rma
-A FORWARD -p tcp -m tcp --dport 2024 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2034 -j ACCEPT

# PuTTY
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -o eth0 -j ACCEPT


# Local network
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT

# Internet
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT


COMMIT
# Completed on Sat Jul 11 14:45:48 2009


# Redirecting everything to Squid
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Internet sharing
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE

COMMIT
# Completed on Sat Jul 11 14:45:48 2009
# Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
*filter

:INPUT DROP [3:287]
:FORWARD DROP [216:10833]
:OUTPUT DROP [14:1170]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Local network
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
#-A INPUT -i ppp0 -j ACCEPT

# Internet
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allowing the msn-proxy
-A INPUT -p tcp --dport 25000:30000 -s 192.168.0.0/24 -j ACCEPT

# Conectividade Social

-I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
-I FORWARD -p tcp -d 200.223.0.0 -j ACCEPT
#-A FORWARD -s tcp -d 200.201.174.204 --dport 2631 -j ACCEPT
#-A FORWARD -s tcp -d 200.201.174.204 --dport 80 -j ACCEPT
#-A FORWARD -s tcp -d 200.201.174.207 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

# Attack blocking

# Ping of death
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Against SYN flood
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT


# Ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Ping
-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

# Allowing MSN
-A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT

#-A FORWARD -d 67.215.65.132 -p tcp --dport 443 -j ACCEPT
#-A FORWARD -i eth0 -d wwwss.bradesco.com.br -p tcp --dport 443 -j

# Allowing Internet and System

# Internet
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

# System login
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 9090 -j ACCEPT

# DNS Firewall
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT


# Google Talk

-A FORWARD -d talk.l.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d chatenabled.mail.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d talk.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d talkx.l.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d talk.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d talk.l.google.com -p tcp --dport 443 -j DROP
-A FORWARD -d talk.l.google.com -p tcp -j DROP
-A FORWARD -d talkx.l.google.com -p tcp -j DROP
-A FORWARD -d 64.233.169.0/24 -p tcp --dport 443 -j DROP
-A FORWARD -d 209.85.137.0/24 -p tcp --dport 443 -j DROP
-A FORWARD -d 72.14.253.0/24 -p tcp --dport 443 -j DROP


# PBX telephony

-A FORWARD -p udp --dport 1571 -j ACCEPT
-A FORWARD -p udp --dport 5060 -j ACCEPT
-A FORWARD -p udp --dport 4000 -j ACCEPT
-A FORWARD -p udp --dport 2631 -j ACCEPT

# Camera server

-A FORWARD -p tcp -m tcp --dport 8672
-A FORWARD -p tcp -m tcp --dport 9670

# Banks and financial institutions

-A FORWARD -p tcp -m tcp --dport 5190 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20000 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 809 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1665 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT

# Allowing the Claro software
-A FORWARD -p tcp -m tcp --dport 7799 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8017 -j ACCEPT

# Caixa Econômica

-A FORWARD -p tcp -m tcp --dport 2681 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2631 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2631 -j ACCEPT

# Allowing sending and receiving e-mail
# Receiving
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
# Sending
-A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 945 -j ACCEPT

# Allowing remote connections (Terminal Server, VNC and PuTTY)
# Remote access and drive mapping
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A FORWARD -p udp --dport 161 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A FORWARD -p udp --dport 139 -j ACCEPT
-A FORWARD -p udp --dport 137 -j ACCEPT
-A FORWARD -p udp --dport 138 -j ACCEPT
-A FORWARD -p tcp --dport 139 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -p udp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 138 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 139 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 389 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT

# Allowing external networks
-A FORWARD -d 10.101.0.0/24 -j ACCEPT
-A FORWARD -d 10.102.0.0/24 -j ACCEPT
-A FORWARD -d 10.103.0.0/24 -j ACCEPT
-A FORWARD -d 10.104.0.0/24 -j ACCEPT
-A FORWARD -d 10.105.0.0/24 -j ACCEPT
-A FORWARD -d 10.106.0.0/24 -j ACCEPT
-A FORWARD -d 10.107.0.0/24 -j ACCEPT
-A FORWARD -d 192.168.254.0/24 -j ACCEPT
-A FORWARD -d 172.16.0.0/22 -j ACCEPT
-A FORWARD -d 172.16.8.0/22 -j ACCEPT
-A FORWARD -d 172.16.12.0/22 -j ACCEPT
-A FORWARD -d 172.16.16.0/22 -j ACCEPT
-A FORWARD -d 172.16.20.0/22 -j ACCEPT
-A FORWARD -d 172.16.27.0/22 -j ACCEPT

# Firewall 210
-A FORWARD -d 172.16.11.100 -j ACCEPT
-A FORWARD -d 172.16.11.121 -j ACCEPT

# FTP
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

-A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# VNC
-A FORWARD -p tcp -m tcp --dport 4901 -j ACCEPT

# PuTTY
#-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 754 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 754 -j ACCEPT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Local network
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
#-A OUTPUT -o ppp0 -j ACCEPT

# Internet
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT


COMMIT
# Completed on Sat Jul 11 14:45:48 2009
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed



10. Re: Iptables Rule

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Posted on 20/01/2011 - 13:56h

Could anyone help?
