Script de Firewall não funciona algumas regras
1. Script de Firewall não funciona algumas regras
felipetitto
(usa Outra)
Enviado em 13/04/2016 - 11:49h
Bom dia a todos,Estou tentando resolver esse problema já faz alguns dias sem sucesso.
Tenho conhecimento bem intermediário sobre iptables e preciso da ajuda de vocês para verificar se meu script do firewall está tudo ok, se eu posso tirar algumas regras que não estão fazendo nada, etc...
Meu problema é que eu preciso bloquear o Spotify na empresa porém tenho algumas máquinas que precisam estar com o programa liberado... A parte de bloquear consegui, porém bloqueia para a rede toda mesmo esses IP's liberados estarem com nat.
O bloqueio é: $IPT -I FORWARD -p tcp -d $spot --dport 1:65535 -j REJECT
A liberação é: x=`cat /Empresa/firewall/ipsliberados` / $IPT -t nat -A PREROUTING -i $REDE -p tcp -s $x -j RETURN
Segue abaixo meu script:
#!/bin/sh
#Configuracao de Variaveis.
IPT=/sbin/iptables
NET=eth0
LIFE=eth1
REDE=eth2
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
fi
#Ativando syn cookies protecao no kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#Setando o kernel para dinamico IP masquerado
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
#Flushing all e criando chains.
$IPT -F
$IPT -F -t nat
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F
$IPT -t nat -F
$IPT -X
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_tables
modprobe sch_htb
modprobe nf_conntrack_pptp
modprobe ip_conntrack_ftp
modprobe nf_conntrack_ftp
modprobe nf_conntrack
modprobe ip_nat_ftp ports=21
modprobe ip_nat_pptp
modprobe pptp
$IPT --flush
$IPT --table nat --flush
$IPT --table mangle --flush
$IPT --table filter --flush
$IPT --delete-chain
$IPT --table nat --delete-chain
$IPT --table mangle --delete-chain
$IPT --table filter --delete-chain
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp -m multiport --dports 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 65500:65535 -j ACCEPT
$IPT -N TRINOO
$IPT -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$IPT -A TRINOO -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 27444 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 27665 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 31335 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 34555 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 35555 -j TRINOO
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPT -N TROJAN
$IPT -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$IPT -A TROJAN -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6000 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6006 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 16660 -j TROJAN
$IPT -A FORWARD -p tcp --dport 1214 -j REJECT
$IPT -A FORWARD -p udp --dport 1214 -j REJECT
$IPT -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPT -A FORWARD -d 206.142.53.0/24 -j REJECT
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
#$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -N SCANNER
#VPN
$IPT -t nat -A POSTROUTING -s 192.168.0.0/24 -o $REDE -j MASQUERADE
$IPT -A FORWARD -p tcp --syn -s 192.168.0.0/24 -j TCPMSS --set-mss 1356
$IPT -A INPUT -i $REDE -s 0/0 -d 0/0 -p tcp --sport 1:65535 --dport 1723 --syn -j ACCEPT
$IPT -A INPUT -i $REDE -s 0/0 -d 0/0 -p 47 -j ACCEPT
# Liberando as PORTAS
pi=`cat /Empresa/firewall/portasinternas`
pe=`cat /Empresa/firewall/portasexternas`
#TELEFONIA
$IPT -A INPUT -p tcp -m multiport --dport 1:65535 -i $NET -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p udp -m multiport --dport 1:65535 -i $NET -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p tcp -m multiport --dport 1:65535 -i $LIFE -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p udp -m multiport --dport 1:65535 -i $LIFE -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p tcp -m multiport --dport 1:65535 -i $REDE -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p udp -m multiport --dport 1:65535 -i $REDE -j ACCEPT -s 191.5.164.122
$IPT -A INPUT -p tcp -m multiport --dport 1:65535 -i $NET -j ACCEPT -s 15.217.0.0/16
$IPT -A INPUT -p udp -m multiport --dport 1:65535 -i $NET -j ACCEPT -s 15.217.0.0/16
$IPT -A INPUT -p tcp -m multiport --dport 1:65535 -i $REDE -j ACCEPT -s 15.217.0.0/16
$IPT -A INPUT -p udp -m multiport --dport 1:65535 -i $REDE -j ACCEPT -s 15.217.0.0/16
#INTERNAS E EXTERNAS
$IPT -A INPUT -p tcp -m multiport --dport $pe -i $NET -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $pe -i $NET -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dport $pe -i $LIFE -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $pe -i $LIFE -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dport $pi -i $REDE -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $pi -i $REDE -j ACCEPT
# Compartilha a Internet
$IPT --table nat --append POSTROUTING --out-interface $NET -j MASQUERADE
$IPT --table nat --append POSTROUTING --out-interface $LIFE -j MASQUERADE
$IPT --table nat --append POSTROUTING --out-interface $REDE -j MASQUERADE
#PROVISÓRIO CLIENTE MILLENNIUM#
#$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 3391 -j DNAT --to-destination 192.168.0.40:3389
#$IPT -t nat -A PREROUTING -p udp -i $NET --dport 3391 -j DNAT --to-destination 192.168.0.40:3389
# desvios quando a internet e imf
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 3393 -j DNAT --to-destination 192.168.0.239:3389
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 3393 -j DNAT --to-destination 192.168.0.239:3389
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 21 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 21 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 20 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 20 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 65500:65535 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 65500:65535 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 80 -j DNAT --to-destination 192.168.0.253
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 80 -j DNAT --to-destination 192.168.0.253
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 81 -j DNAT --to-destination 192.168.0.203
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 81 -j DNAT --to-destination 192.168.0.203
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 99 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 99 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 6036 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 6036 -j DNAT --to-destination 192.168.0.3
#---Webserver NodeJS Beast---#
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 1338 -j DNAT --to-destination 192.168.0.202
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 1338 -j DNAT --to-destination 192.168.0.202
$IPT -t nat -A PREROUTING -p tcp -i $NET --dport 1339 -j DNAT --to-destination 192.168.0.202
$IPT -t nat -A PREROUTING -p udp -i $NET --dport 1339 -j DNAT --to-destination 192.168.0.202
# quando a internet e life
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 3393 -j DNAT --to-destination 192.168.0.239:3389
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 3393 -j DNAT --to-destination 192.168.0.239:3389
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 21 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 21 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 65500:65535 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 65500:65535 -j DNAT --to-destination 192.168.0.237
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 80 -j DNAT --to-destination 192.168.0.253
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 80 -j DNAT --to-destination 192.168.0.253
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 99 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 99 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p tcp -i $LIFE --dport 6036 -j DNAT --to-destination 192.168.0.3
$IPT -t nat -A PREROUTING -p udp -i $LIFE --dport 6036 -j DNAT --to-destination 192.168.0.3
# IPS liberados
#Servidor PDC
x=`cat /Empresa/firewall/ipsliberados`
$IPT -t nat -A PREROUTING -i $REDE -p tcp -s $x -j RETURN
#BLOQUEAR SPOTIFY #$IPT -I FORWARD -p tcp -d 0.0.0.0/0.0.0.0 --dport 4070 -j REJECT
spot=`cat /Empresa/firewall/ipspotify`
#$IPT -A FORWARD -s 192.168.0.161 -p tcp --dport 1:65535 -j RETURN
#$IPT -I FORWARD -p tcp -d $spot --dport 1:65535 -j REJECT
#$IPT -A FORWARD -p tcp -d $spot --dport 4070 -j REJECT
# Exemplo de como fazer com mc
#$IPT -t nat -A PREROUTING -i $REDE -m mac --mac-source 00:18:8b:e7:1c:a2 -j RETURN # servidor kiss
# Bloqueio do Facebook
f=`cat /Empresa/firewall/ipfacebook`
y=`cat /Empresa/firewall/ipyoutube`
iptables -I FORWARD -i $REDE -m string --algo bm --string "facebook.com" -j DROP
iptables -I FORWARD -i $REDE -m string --algo bm --string "connect.facebook.net" -j DROP
iptables -I FORWARD -i $REDE -m string --algo bm --string "twitter.com" -j DROP
# Ips Liberados no Facebook
iptables -I FORWARD -s $f -m string --string 'facebook' --algo bm -j ACCEPT
iptables -I FORWARD -s $f -m string --string 'twitter' --algo bm -j ACCEPT
iptables -I FORWARD -s $x -m string --string 'facebook' --algo bm -j ACCEPT
iptables -I FORWARD -s $x -m string --string 'twitter' --algo bm -j ACCEPT
# Bloqueio Youtube
iptables -I FORWARD -i $REDE -m string --algo bm --string "youtube.com.br" -j DROP
iptables -I FORWARD -i $REDE -m string --algo bm --string "youtube.com" -j DROP
# Ips Liberados no Youtube
iptables -I FORWARD -s $y -m string --string 'youtube' --algo bm -j ACCEPT
iptables -I FORWARD -s $x -m string --string 'youtube' --algo bm -j ACCEPT
#########################################################
#########################################################
####### #######
####### Liberação de Aplicativos de Uso Interno #######
####### #######
#########################################################
#########################################################
#Sicoob
$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 187.72.5.134 --dport 80 -j RETURN
#Tnex IP Gerencial
$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 200.229.5.13 --dport 80 -j RETURN
#Cobian Backup
$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 195.74.38.14 --dport 80 -j RETURN
#Millennium
$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 200.162.48.232 --dport 80 -j RETURN
#########################################################
#NCSI - Não aparecer sem conexão windows
#$IPT -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m string --algo bm --string "decvale" -j RETURN
# Obriga proxy
$IPT -t nat -A PREROUTING -i $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128
# Compartilha a Internet
#$IPT --table nat --append POSTROUTING --out-interface $NET -j MASQUERADE
#$IPT --table nat --append POSTROUTING --out-interface $REDE -j MASQUERADE
echo "============================="
echo "Empresa"
echo "Firewall 2.0"
echo "============================="
Obrigado desde já!
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Atenção a quem posta conteúdo de dicas, scripts e tal (2)
Artigos
Manutenção de sistemas Linux Debian e derivados com apt-get, apt, aptitude e dpkg
Melhorando o tempo de boot do Fedora e outras distribuições
Como instalar as extensões Dash To Dock e Hide Top Bar no Gnome 45/46
Dicas
Como Atualizar Fedora 39 para 40
Instalar Google Chrome no Debian e derivados
Consertando o erro do Sushi e Wayland no Opensuse Leap 15
Instalar a última versão do PostgreSQL no Lunix mantendo atualizado
Flathub na sua distribuição Linux e comandos básicos de gerenciamento
Tópicos
ASRock H310CM-HG4 vs Linux [RESOLVIDO] (18)
Microfone do meu headset não é recinhecido. Meu notebook é um Acer Asp... (12)
Top 10 do mês
-
Xerxes
1° lugar - 76.027 pts -
Fábio Berbert de Paula
2° lugar - 61.075 pts -
Clodoaldo Santos
3° lugar - 47.169 pts -
Buckminster
4° lugar - 26.814 pts -
Sidnei Serra
5° lugar - 26.989 pts -
Daniel Lara Souza
6° lugar - 18.573 pts -
Alberto Federman Neto.
7° lugar - 18.195 pts -
Mauricio Ferrari
8° lugar - 18.022 pts -
Diego Mendes Rodrigues
9° lugar - 16.162 pts -
edps
10° lugar - 15.612 pts
Scripts
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
