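#!/bin/sh
# Firewall / NAT gateway for a host with three interfaces.  Every run rebuilds
# the whole iptables ruleset from scratch:
#   - kernel knobs: rp_filter, tcp_syncookies, ip_dynaddr, ip_forward
#   - DROP policies with stateful ACCEPT; LOG+DROP traps for a few well-known
#     trinoo/trojan ports arriving on the first uplink
#   - PPTP VPN termination (tcp/1723 + GRE) and MSS clamping for the LAN
#   - port forwards (DNAT) from both uplinks into the 192.168.0.0/24 LAN
#   - transparent proxy (tcp/80 -> local 3128) for the LAN, with exemptions
#   - payload string matching that blocks facebook/twitter/youtube for LAN
#     hosts not listed in the exemption files
#
# Configuration files.  Each must hold exactly ONE token, written the way the
# iptables option it feeds expects it; the script aborts before the ruleset is
# touched when a required file is missing, empty or holds several tokens
# (previously such a file left the host with a half-loaded ruleset behind
# DROP policies).
#   /Empresa/firewall/portasexternas  -m multiport list (e.g. 22,443) opened to
#                                     this host on both uplinks
#   /Empresa/firewall/portasinternas  -m multiport list opened on the LAN side
#   /Empresa/firewall/ipsliberados    source address/net exempt from the proxy
#                                     redirect and from the content blocks
#   /Empresa/firewall/ipfacebook      source address/net allowed facebook/twitter
#   /Empresa/firewall/ipyoutube       source address/net allowed youtube
#   /Empresa/firewall/ipspotify       only used by the commented-out spotify rules
# The file contents become rule arguments verbatim, so write access to
# /Empresa/firewall is write access to the firewall policy: keep it root-owned.

#--- Configuration -----------------------------------------------------------
IPT=/sbin/iptables
NET=eth0     # uplink 1 ("imf" in the original notes)
LIFE=eth1    # uplink 2 ("life" in the original notes)
REDE=eth2    # LAN side: proxy redirect and content filters apply to traffic arriving here
CONF=/Empresa/firewall
LAN=192.168.0.0/24

# read_token FILE
# Prints the single token stored in FILE.  Exits non-zero (with a message on
# stderr) when FILE is unreadable, empty or contains whitespace-separated
# pieces, because iptables would reject the rule built from it.
read_token() {
  if [ ! -s "$1" ]; then
    echo "firewall: missing or empty config file: $1" >&2
    exit 1
  fi
  _tok=$(cat "$1")
  case $_tok in
    '' | *[[:space:]]*)
      echo "firewall: expected exactly one token in $1" >&2
      exit 1 ;;
  esac
  printf '%s\n' "$_tok"
}

# All inputs are read and validated up front, before anything is flushed,
# so a bad file leaves the previous (working) ruleset in place.
pe=$(read_token "$CONF/portasexternas") || exit 1
pi=$(read_token "$CONF/portasinternas") || exit 1
x=$(read_token "$CONF/ipsliberados") || exit 1
f=$(read_token "$CONF/ipfacebook") || exit 1
y=$(read_token "$CONF/ipyoutube") || exit 1
# shellcheck disable=SC2034  # referenced only by the commented-out spotify rules below
spot=$(cat "$CONF/ipspotify")

#--- Kernel settings ---------------------------------------------------------
# Source-address validation on every interface.  Several ACCEPT rules below
# trust the source address alone, so spoofed packets must be dropped here.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$knob"
  done
fi
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# Needed when the uplink address changes under masqueraded connections.
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

#--- Modules -----------------------------------------------------------------
# Both the older (ip_*) and the current (nf_*) module names are listed; modprobe
# reports an error for whichever set the running kernel does not have, which
# is expected and does not stop the script.
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_tables
modprobe sch_htb
modprobe nf_conntrack_pptp
modprobe ip_conntrack_ftp
modprobe nf_conntrack_ftp
modprobe nf_conntrack
modprobe ip_nat_ftp ports=21
modprobe ip_nat_pptp
modprobe pptp

#--- Reset the ruleset -------------------------------------------------------
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
# Forwarding is switched on only once the DROP policy is in place, so a first
# boot never forwards traffic through an empty ACCEPT-policy chain.
echo 1 > /proc/sys/net/ipv4/ip_forward

#--- Stateful baseline -------------------------------------------------------
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
"$IPT" -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive-FTP data range for the FTP server forwarded below; inserted at the
# top of INPUT as in the original.
"$IPT" -I INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 65500:65535 -j ACCEPT

#--- FORWARD -----------------------------------------------------------------
# Order matters here: the stateful catch-all ACCEPT must come LAST.  In the
# original the MSS clamp and the REJECT rules were appended after it and
# therefore never matched.
# Clamp MSS on every LAN-originated SYN (value chosen for the PPTP VPN).
"$IPT" -A FORWARD -p tcp --syn -s "$LAN" -j TCPMSS --set-mss 1356
"$IPT" -A FORWARD -p tcp -m multiport --dports 20,21 -j ACCEPT
# New TCP connections must start with SYN.
"$IPT" -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Destinations rejected for the LAN (port 1214 and two networks; the reason
# is not recorded in the original).
"$IPT" -A FORWARD -p tcp --dport 1214 -j REJECT
"$IPT" -A FORWARD -p udp --dport 1214 -j REJECT
"$IPT" -A FORWARD -d 213.248.112.0/24 -j REJECT
"$IPT" -A FORWARD -d 206.142.53.0/24 -j REJECT
# Rate-limited ACCEPTs kept from the original.  Without a DROP rule for the
# same match after them they only accept and never actually limit anything;
# the catch-all below accepts whatever exceeds the limit.
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$IPT" -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
#"$IPT" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Catch-all: anything the connection tracker classifies is forwarded.
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#--- Known-bad ports on uplink 1: log (rate-limited) and drop ----------------
"$IPT" -N TRINOO
"$IPT" -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
"$IPT" -A TRINOO -j DROP
for port in 27444 27665 31335 34555 35555; do
  "$IPT" -A INPUT -p tcp -i "$NET" --dport "$port" -j TRINOO
done
"$IPT" -N TROJAN
"$IPT" -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
"$IPT" -A TROJAN -j DROP
for port in 666 6000 6006 16660; do
  "$IPT" -A INPUT -p tcp -i "$NET" --dport "$port" -j TROJAN
done

#--- PPTP VPN ----------------------------------------------------------------
"$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$REDE" -j MASQUERADE
"$IPT" -A INPUT -i "$REDE" -p tcp --dport 1723 --syn -j ACCEPT
"$IPT" -A INPUT -i "$REDE" -p 47 -j ACCEPT

#--- Telephony provider addresses (from the original notes) ------------------
# "-m multiport --dport 1:65535" is every port: these sources get unrestricted
# access to this host itself, on tcp and udp, trusting the source address
# (hence rp_filter above).  Narrow the port list if the provider documents it.
for ifc in "$NET" "$LIFE" "$REDE"; do
  for proto in tcp udp; do
    "$IPT" -A INPUT -p "$proto" -m multiport --dport 1:65535 -i "$ifc" -s 191.5.164.122 -j ACCEPT
  done
done
for ifc in "$NET" "$REDE"; do
  for proto in tcp udp; do
    "$IPT" -A INPUT -p "$proto" -m multiport --dport 1:65535 -i "$ifc" -s 15.217.0.0/16 -j ACCEPT
  done
done

#--- Ports opened to this host -----------------------------------------------
for proto in tcp udp; do
  "$IPT" -A INPUT -p "$proto" -m multiport --dport "$pe" -i "$NET" -j ACCEPT
  "$IPT" -A INPUT -p "$proto" -m multiport --dport "$pe" -i "$LIFE" -j ACCEPT
done
for proto in tcp udp; do
  "$IPT" -A INPUT -p "$proto" -m multiport --dport "$pi" -i "$REDE" -j ACCEPT
done

#--- Internet sharing --------------------------------------------------------
for ifc in "$NET" "$LIFE" "$REDE"; do
  "$IPT" -t nat -A POSTROUTING -o "$ifc" -j MASQUERADE
done

#--- Port forwards into the LAN ----------------------------------------------
# dnat_port IFACE PORT DEST
# DNAT tcp and udp PORT (a port or a low:high range) arriving on IFACE to DEST;
# DEST may carry ":port" to change the destination port as well.
dnat_port() {
  for proto in tcp udp; do
    "$IPT" -t nat -A PREROUTING -p "$proto" -i "$1" --dport "$2" -j DNAT --to-destination "$3"
  done
}
# Temporary, client Millennium (kept disabled as in the original):
#dnat_port "$NET" 3391 192.168.0.40:3389
# When the uplink in use is "imf":
dnat_port "$NET" 3393        192.168.0.239:3389
dnat_port "$NET" 21          192.168.0.237
dnat_port "$NET" 20          192.168.0.237
dnat_port "$NET" 65500:65535 192.168.0.237
dnat_port "$NET" 80          192.168.0.253
dnat_port "$NET" 81          192.168.0.203
dnat_port "$NET" 99          192.168.0.3
dnat_port "$NET" 6036        192.168.0.3
# NodeJS web server ("Beast"):
dnat_port "$NET" 1338        192.168.0.202
dnat_port "$NET" 1339        192.168.0.202
# When the uplink in use is "life" (note: no 20, 81, 1338, 1339 here, as in
# the original):
dnat_port "$LIFE" 3393        192.168.0.239:3389
dnat_port "$LIFE" 21          192.168.0.237
dnat_port "$LIFE" 65500:65535 192.168.0.237
dnat_port "$LIFE" 80          192.168.0.253
dnat_port "$LIFE" 99          192.168.0.3
dnat_port "$LIFE" 6036        192.168.0.3

#--- Proxy exemptions (nat PREROUTING) ---------------------------------------
# RETURN in the built-in chain ends PREROUTING processing for the packet, so
# these hosts/destinations skip the REDIRECT at the end of this chain.
# Exempt hosts (PDC etc.), from ipsliberados:
"$IPT" -t nat -A PREROUTING -i "$REDE" -p tcp -s "$x" -j RETURN
# Spotify block, kept disabled as in the original:
#"$IPT" -I FORWARD -p tcp -d 0.0.0.0/0.0.0.0 --dport 4070 -j REJECT
#"$IPT" -A FORWARD -s 192.168.0.161 -p tcp --dport 1:65535 -j RETURN
#"$IPT" -I FORWARD -p tcp -d "$spot" --dport 1:65535 -j REJECT
#"$IPT" -A FORWARD -p tcp -d "$spot" --dport 4070 -j REJECT
# Example of exempting by MAC address:
#"$IPT" -t nat -A PREROUTING -i "$REDE" -m mac --mac-source 00:18:8b:e7:1c:a2 -j RETURN # kiss server

#--- Content blocks (payload string matching) --------------------------------
# -I puts each rule at the top of FORWARD, ahead of the stateful catch-all; the
# per-host ACCEPTs are inserted after the DROPs so they end up above them.
# The string match only inspects cleartext payload bytes of forwarded packets.
for pat in "facebook.com" "connect.facebook.net" "twitter.com"; do
  "$IPT" -I FORWARD -i "$REDE" -m string --algo bm --string "$pat" -j DROP
done
# Hosts allowed facebook/twitter (ipfacebook and ipsliberados):
for src in "$f" "$x"; do
  "$IPT" -I FORWARD -s "$src" -m string --string 'facebook' --algo bm -j ACCEPT
  "$IPT" -I FORWARD -s "$src" -m string --string 'twitter' --algo bm -j ACCEPT
done
for pat in "youtube.com.br" "youtube.com"; do
  "$IPT" -I FORWARD -i "$REDE" -m string --algo bm --string "$pat" -j DROP
done
# Hosts allowed youtube (ipyoutube and ipsliberados):
for src in "$y" "$x"; do
  "$IPT" -I FORWARD -s "$src" -m string --string 'youtube' --algo bm -j ACCEPT
done

#--- Internal applications that must bypass the proxy ------------------------
# Sicoob
"$IPT" -t nat -A PREROUTING -s "$LAN" -p tcp -d 187.72.5.134 --dport 80 -j RETURN
# Tnex IP Gerencial
"$IPT" -t nat -A PREROUTING -s "$LAN" -p tcp -d 200.229.5.13 --dport 80 -j RETURN
# Cobian Backup
"$IPT" -t nat -A PREROUTING -s "$LAN" -p tcp -d 195.74.38.14 --dport 80 -j RETURN
# Millennium
"$IPT" -t nat -A PREROUTING -s "$LAN" -p tcp -d 200.162.48.232 --dport 80 -j RETURN
# NCSI - keep Windows from reporting "no connection" (disabled in the original):
#"$IPT" -t nat -A PREROUTING -s "$LAN" -p tcp -m string --algo bm --string "decvale" -j RETURN

#--- Transparent proxy -------------------------------------------------------
# Everything else on tcp/80 from the LAN goes to the local proxy on 3128.
"$IPT" -t nat -A PREROUTING -i "$REDE" -p tcp --dport 80 -j REDIRECT --to-port 3128

echo "============================="
echo "Empresa"
echo "Firewall 2.0"
echo "============================="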