Script de Firewall com redirecionamento de portas em Linux Debian
Redirecionar seu firewall Debian para acessar seu servidor estando fora da sua empresa. Redirecionamento do firewall para Terminal Server, Radmin, VNC e SSH.
Criando o arquivo de Firewall
Logado como root, digite:
# vi firewall.sh
Edite com as seguintes linhas:
# vi firewall.sh
Edite com as seguintes linhas:
#!/bin/bash
# Ativa roteamento de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# Módulos de mascaramento
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
echo ""
# Variáveis
IPTABLES="/sbin/iptables"
EXT_IF="eth1" # placa de rede com conexão com a internet
INT_IF="eth0"# placa de rede da sua rede interna
EXT_IP="200.203.196.100"# seu ip externa distribuído pela sua operadora da Internet.
INT_IP="192.168.1.254" # seu ip do seu firewall na rede interna
INT_NET="192.168.1.0/255.255.255.0"# Defina aqui a máscara e a sua rede interna
EXT_NET="200.203.196.96/255.255.255.224"# Defina aqui a máscara e rede da sua operadora de Internet.
echo "Interface externa ($EXT_IF): $EXT_IP"
echo "Interface interna ($INT_IF): $INT_IP"
echo "Rede externa ($EXT_IF): $EXT_NET"
echo "Rede interna ($INT_IF): $INT_NET"
echo ""
# Limpando todas as regras e removendo todos as chains de usuários
echo -n "Limpando regras..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -Z
$IPTABLES -Z -t nat
echo "ok!"
# Políticas padrão
echo -n "Política padrão..."
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
echo "ok!"
######## PREROUTING #########
echo -n "Spoofing..."
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 10.0.0.0/8 -j DROP
echo "ok!"
echo -n "Destination NAT..."
# REDIRECIONAMENTO DE PORTAS -NAT
#TROQUE O IP DE ACORDO COMO SEU SERVIDOR
# REDIRECIONANDO PARA RADMIN
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 4899 -j DNAT --to 192.168.1.12:4899
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.12 --dport 4899 -j ACCEPT
# REDIRECIONANDO PARA TERMINAL SERVER
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 3389 -j DNAT --to 192.168.1.253:3389
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.253 --dport 3389 -j ACCEPT
# REDIRECIONADO PARA VNC
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 5900 -j DNAT --to 192.168.1.12:5900
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.12 --dport 5900 -j ACCEPT
echo "ok!"
echo -n "Spoofing..."
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 10.0.0.0/8 -j DROP
echo "ok!"
############## POSTROUTING ##############
echo -n "Source NAT..."
# Rede Interna
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $INT_NET -j SNAT --to $EXT_IP
echo "ok!"
############### FORWARD #################
echo -n "Políticas de FORWARD..."
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ok!"
################ INPUT ##################
echo -n "Políticas de INPUT..."
# Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# LIBERANDO ALGUMAS PORTAS
$IPTABLES -A INPUT -p udp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1239 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 5226 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 700 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 700 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 2473 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 2473 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 8017 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 8017 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 2345 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1204 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ok!"
################ OUTPUT #################
# DNS
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
# FTP
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
# Loopback
$IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: output - "
echo "ok!"
echo ""
echo " ---- done ----"
echo ""
# Ativa roteamento de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# Módulos de mascaramento
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
echo ""
# Variáveis
IPTABLES="/sbin/iptables"
EXT_IF="eth1" # placa de rede com conexão com a internet
INT_IF="eth0"# placa de rede da sua rede interna
EXT_IP="200.203.196.100"# seu ip externa distribuído pela sua operadora da Internet.
INT_IP="192.168.1.254" # seu ip do seu firewall na rede interna
INT_NET="192.168.1.0/255.255.255.0"# Defina aqui a máscara e a sua rede interna
EXT_NET="200.203.196.96/255.255.255.224"# Defina aqui a máscara e rede da sua operadora de Internet.
echo "Interface externa ($EXT_IF): $EXT_IP"
echo "Interface interna ($INT_IF): $INT_IP"
echo "Rede externa ($EXT_IF): $EXT_NET"
echo "Rede interna ($INT_IF): $INT_NET"
echo ""
# Limpando todas as regras e removendo todos as chains de usuários
echo -n "Limpando regras..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -Z
$IPTABLES -Z -t nat
echo "ok!"
# Políticas padrão
echo -n "Política padrão..."
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
echo "ok!"
######## PREROUTING #########
echo -n "Spoofing..."
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 10.0.0.0/8 -j DROP
echo "ok!"
echo -n "Destination NAT..."
# REDIRECIONAMENTO DE PORTAS -NAT
#TROQUE O IP DE ACORDO COMO SEU SERVIDOR
# REDIRECIONANDO PARA RADMIN
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 4899 -j DNAT --to 192.168.1.12:4899
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.12 --dport 4899 -j ACCEPT
# REDIRECIONANDO PARA TERMINAL SERVER
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 3389 -j DNAT --to 192.168.1.253:3389
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.253 --dport 3389 -j ACCEPT
# REDIRECIONADO PARA VNC
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXT_IF -d $EXT_IP --dport 5900 -j DNAT --to 192.168.1.12:5900
$IPTABLES -A FORWARD -p tcp -i $EXT_IF -d 192.168.1.12 --dport 5900 -j ACCEPT
echo "ok!"
echo -n "Spoofing..."
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -s 10.0.0.0/8 -j DROP
echo "ok!"
############## POSTROUTING ##############
echo -n "Source NAT..."
# Rede Interna
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $INT_NET -j SNAT --to $EXT_IP
echo "ok!"
############### FORWARD #################
echo -n "Políticas de FORWARD..."
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ok!"
################ INPUT ##################
echo -n "Políticas de INPUT..."
# Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# LIBERANDO ALGUMAS PORTAS
$IPTABLES -A INPUT -p udp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1239 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 5226 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 700 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 700 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 2473 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 2473 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 8017 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 8017 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 2345 -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1204 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ok!"
################ OUTPUT #################
# DNS
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
# FTP
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
# Loopback
$IPTABLES -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: output - "
echo "ok!"
echo ""
echo " ---- done ----"
echo ""
Abraço!