Firewall with access control (firewall)
A complete firewall to deploy on your wireless network or ISP
Category: Init
Software: Firewall with access control
[ Hits: 12.382 ]
By: Rodrigo Rodrigues de Mattos
Well, this is my first .conf contribution, so I decided it should be one that increases the security of your Linux box.
I know there are already many configurations here on VOL, and whenever I searched the countless examples for something that could help me improve the security of my network of 20 computers connected by wireless, I found it.
I hope it is useful to everyone who comes by here.
Note: the netfur.txt file used here has the following format (one entry per line):
, ,
```sh
#!/bin/sh
#
# /etc/rc.d/init.d/firewall
# chkconfig: - 60 95
# description: This script controls start/stop of the iptables-based \
#              firewall service.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]; then
    exit 0
fi

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# Parameters
case "$1" in
start)
    echo "Starting Firewalling Services: "
    touch /var/lock/subsys/firewall

    # -----------------------------------------------------------------
    # Flush all existing rules (filter and nat tables)
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat

    # -----------------------------------------------------------------
    # Variable definitions
    # -----------------------------------------------------------------
    # Current address of ppp0 (ifconfig prints "inet addr:A.B.C.D  P-t-P:...")
    EXTERNAL_IP=$(ifconfig ppp0 | grep inet | cut -d: -f2 | cut -dP -f1)
    EXTERNAL_INTERFACE="ppp0"                    # the ppp device
    EXTERNAL_NET="192.168.0.0/255.255.255.0"
    INTERNAL_IP="192.168.1.1"
    INTERNAL_INTERFACE="eth1"
    INTERNAL_NET="192.168.1.0/255.255.255.224"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:65535"

    # -----------------------------------------------------------------
    # Default policy: DROP
    # -----------------------------------------------------------------
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # -----------------------------------------------------------------
    # Load modules
    # -----------------------------------------------------------------
    modprobe ip_nat_ftp
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_REJECT
    modprobe ipt_LOG
    modprobe ipt_MASQUERADE
    modprobe ipt_state
    modprobe ipt_mac
    modprobe ipt_mark
    modprobe ipt_MARK
    modprobe iptable_nat
    modprobe ipt_multiport
    modprobe ipt_owner
    modprobe ipt_tos
    modprobe iptable_mangle
    # modprobe ipt_unclean

    # Enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "5 4 1 7" > /proc/sys/kernel/printk

    # -----------------------------------------------------------------
    # Allow loopback traffic
    # -----------------------------------------------------------------
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # -----------------------------------------------------------------
    # Anti-spoofing (reverse path filter on every interface)
    # -----------------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$EXTERNAL_INTERFACE/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$INTERNAL_INTERFACE/rp_filter

    # SYN flood protection (SYN cookies); should be enabled on every server
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # -----------------------------------------------------------------
    # Internal network traffic
    # -----------------------------------------------------------------
    # Allow traffic between the 192.168.1.0 networks
    #
    ## Opening IPSEC traffic
    # iptables -A INPUT -p udp --dport 5000 -s 0/0 -d 0/0 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT

    ## Allow access to the subnet
    # iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

    ## Block multicast
    iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
    iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP

    ## Allow traffic between the networks
    # iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
    # iptables -A FORWARD -s 192.168.1.3 -m mac --mac-source 00:0F:B0:3C:A6:6E -d 192.168.1.0/27 \
    #     -j ACCEPT

    # Ports for the Windows network. NOTE: 192.168.1.0/27 is the same as
    # 192.168.1.0/255.255.255.224 (i.e. $INTERNAL_NET).
    for port in 2121 20 9920 1863 137 138 139; do
        iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p tcp --dport $port -j ACCEPT
        iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport $port -j ACCEPT
    done
    # iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p tcp --dport 5900 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport 5900 -j ACCEPT
    # iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/16 -p tcp --dport 47151 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/16 -p tcp --sport 47151 -j ACCEPT

    # Allow proxy, DNS and ICMP for every machine
    iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p icmp -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p icmp -j ACCEPT

    ##############################################################
    # ALLOW THE INTERNAL PROXY ON THE NETWORK
    # (network-wide version; the per-client version is in the netfur.txt loop below)
    ##############################################################
    # iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p tcp --dport 3128 -j ACCEPT
    # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport 3128 -j ACCEPT
    ##############################################################
    iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport 53 -j ACCEPT
    iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 -p udp -j ACCEPT
    iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p udp -j ACCEPT

    #######################################################################
    # Full access to the firewall for some hosts of the LOCAL NETWORK:
    # .1, .2 and .3 are administrative machines, .29 and .30 are the APs
    #######################################################################
    for host in 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.29 192.168.1.30; do
        iptables -A INPUT  -i $INTERNAL_INTERFACE -s $host -j ACCEPT
        iptables -A OUTPUT -o $INTERNAL_INTERFACE -d $host -j ACCEPT
    done

    ########################################################################
    # Allow ping from the firewall to the internet
    # (replies and error messages in, requests out)
    ########################################################################
    for type in 0 3 4 11 12; do
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp -s 0/0 --icmp-type $type -d $EXTERNAL_IP -j ACCEPT
    done
    for type in 4 8 12 11; do
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $EXTERNAL_IP --icmp-type $type -d 0/0 -j ACCEPT
    done

    ########################################################################
    # Allow ping from the firewall to the local network
    ########################################################################
    for type in 0 3 4 11 12; do
        iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp -s 0/0 --icmp-type $type -d $INTERNAL_IP -j ACCEPT
    done
    for type in 4 8 12 11; do
        iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp -s $INTERNAL_IP --icmp-type $type -d 0/0 -j ACCEPT
    done

    # =================================================================
    # The following lines let machines on the internet reach this
    # computer as a server: they open ports toward the outside.
    # =================================================================
    # -----------------------------------------------------------------
    # HTTP server (ports 80 and 8080 for Apache), SSH on 3420, HTTPS on 443
    # -----------------------------------------------------------------
    for port in 80 8080 3420 443; do
        iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport $port -j ACCEPT
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $port -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    done

    #################################################################
    # CLOSE PORT 3128 (squid) TO THE OUTSIDE WORLD
    #################################################################
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 3128 -j DROP
    #################################################################
    # iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 22 -j ACCEPT
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport 22 -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    # iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 5000:5200 -j ACCEPT

    ####################################################################################
    # Rules against DoS, NetBus, ping, port scanners, Back Orifice
    ####################################################################################
    # Back Orifice
    iptables -A INPUT -p tcp --dport 31337 -j DROP
    iptables -A INPUT -p udp --dport 31337 -j DROP
    # NetBus
    iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
    iptables -A INPUT -p udp --dport 12345:12346 -j DROP
    # Block traceroute
    iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL_INTERFACE --dport 33435:33525 -j DROP
    # The three rate limits below are rate-limited ACCEPTs: packets over the
    # limit are not dropped here, they fall through to the FORWARD rules below.
    # SYN flood protection
    # iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    # Ping of death protection
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Stealth port scanner protection
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    #####################################################################################

    # -----------------------------------------------------------------
    # AUTH server (port 113): REJECT instead of DROP so remote ident
    # lookups fail immediately instead of waiting for a timeout
    # -----------------------------------------------------------------
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 113 -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport 113 -d 0/0 --dport $UNPRIVPORTS -j REJECT

    ####################################################################
    # These lines open access to the ProFTPd server:
    # control on 2121, data on 20, passive range 40000:65535
    ####################################################################
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 2121 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport 2121 -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 20 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP --sport 20 -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 20 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport 20 -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport $UNPRIVPORTS -d $EXTERNAL_IP --dport 40000:65535 -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport 40000:65535 -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    # ================================================================
    # iptables -A INPUT -j ACCEPT -p tcp --dport 2121
    # iptables -A OUTPUT -j ACCEPT -p tcp --dport 2121

    # =================================================================
    # The following lines let this machine reach resources on the internet.
    # =================================================================
    # Let this machine reach any server on the internet.
    # Mandatory lines for the firewall to work.
    ###################################################################
    iptables -A INPUT  -m state --state ESTABLISHED,RELATED -i $EXTERNAL_INTERFACE -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $EXTERNAL_INTERFACE -j ACCEPT

    # -----------------------------------------------------------------
    # DNS client (port 53), used for the DNS server.
    # Note: the stateful rules above already match established queries and
    # new outbound ones, so these REJECTs only see unsolicited UDP/53 traffic.
    # -----------------------------------------------------------------
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp -s 0/0 --sport 53 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 53 -j REJECT
    # iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport 53 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 53 -j ACCEPT

    # -----------------------------------------------------------------
    # Finger client (port 79)
    # -----------------------------------------------------------------
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport 79 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 79 -j ACCEPT

    # -----------------------------------------------------------------
    # AUTH client (port 113)
    # -----------------------------------------------------------------
    # iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport 113 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 113 -j ACCEPT

    #>>> Port for the radios
    # iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport 772 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 772 -j ACCEPT

    # -----------------------------------------------------------------
    # WHOIS client (port 43)
    # -----------------------------------------------------------------
    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s 0/0 --sport 43 -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IP --sport $UNPRIVPORTS -d 0/0 --dport 43 -j ACCEPT

    #####################################################################################
    # >>> Free external access for clients of my internal network WITHOUT PROXY <<<
    #####################################################################################
    # netfur.txt holds one client per line, the IP in the first comma-separated
    # field and the MAC in the second.
    for rede in $(cat /etc/netfuture/firewall/netfur.txt); do
        ip_cliente=$(echo $rede | cut -d , -f1)
        mac_cliente=$(echo $rede | cut -d , -f2)
        # Packet mark for this client: the last octet of its IP
        mark_cliente=$(echo $ip_cliente | cut -d. -f4)

        # Masquerade and forward this client; the MAC is checked on the way out
        iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $ip_cliente -j MASQUERADE
        iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -j ACCEPT
        iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d $ip_cliente -j ACCEPT

        ######## Mark the client's forwarded packets (both directions) with its mark ########
        iptables -t mangle -A FORWARD -s $ip_cliente -j MARK --set-mark $mark_cliente
        iptables -t mangle -A FORWARD -s $ip_cliente -j ACCEPT
        iptables -t mangle -A FORWARD -d $ip_cliente -j MARK --set-mark $mark_cliente
        iptables -t mangle -A FORWARD -d $ip_cliente -j ACCEPT
        # iptables -t mangle -A POSTROUTING -j RETURN
        # iptables -t mangle -A PREROUTING -s $ip_cliente -j MARK --set-mark $mark_cliente
        # iptables -t mangle -A PREROUTING -j RETURN
        # iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d $ip_cliente -j MARK --set-mark $mark_cliente

        ###############################################################
        # ALLOW THE INTERNAL PROXY (squid on 3128) FOR THIS CLIENT ONLY
        ###############################################################
        iptables -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j ACCEPT
        # iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j MARK --set-mark $mark_cliente
        iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 -p tcp --sport 3128 -j ACCEPT

        #################################################################
        #>>> Transparent proxy for this client
        #################################################################
        iptables -t nat -A PREROUTING -p tcp -s $ip_cliente -m mac --mac-source $mac_cliente --dport 80 -j REDIRECT --to-port 3128
    done   # end of loop

    # =================================================================
    # Source NAT (POSTROUTING) and FORWARD
    #
    # Special cases where machines need ports opened or direct
    # internet access.
    # =================================================================
    # Access to the APs for NETFUTURE configuration (external port 8029 -> 192.168.1.29:80)
    iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 8029 -j DNAT --to 192.168.1.29:80
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s 192.168.1.29 -j MASQUERADE
    iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s 192.168.1.29 -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d 192.168.1.29 -j ACCEPT
    # =================================================================
    # Access to the APs for NETFUTURE_1 configuration (external port 8030 -> 192.168.1.30:80)
    iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 8030 -j DNAT --to 192.168.1.30:80
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s 192.168.1.30 -j MASQUERADE
    iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s 192.168.1.30 -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d 192.168.1.30 -j ACCEPT
    # =================================================================
    # VNC (5900) to 192.168.1.1, disabled
    # iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 5900 -j DNAT --to 192.168.1.1:5900
    # iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s 192.168.1.1 -j MASQUERADE
    # iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s 192.168.1.1 -j ACCEPT
    # iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d 192.168.1.1 -j ACCEPT

    # -----------------------------------------------------------------
    # LOG
    # -----------------------------------------------------------------
    iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p tcp --dport 80 -j LOG --log-prefix "WEB-SEM-PROXY:" \
        --log-level info -m limit --limit 5/minute
    iptables -A INPUT   -j LOG --log-prefix "BAD INPUT:"   --log-level info -m limit --limit 5/minute
    iptables -A OUTPUT  -j LOG --log-prefix "BAD OUTPUT:"  --log-level info -m limit --limit 5/minute
    iptables -A FORWARD -j LOG --log-prefix "BAD FORWARD:" --log-level info -m limit --limit 5/minute

    #>>> Access logging for the services below. These rules sit after the
    #    ACCEPT/DROP rules above, so they only see packets those did not match.
    iptables -A INPUT -p tcp --dport 2121 -j LOG --log-prefix "Acesso ao Proftpd"
    iptables -A INPUT -p tcp --dport 3420 -j LOG --log-prefix "Acesso ao SSH"
    iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "WEB segura"
    #>>> Backdoor logging
    iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Wincrash"
    iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Netbus"
    iptables -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "NetBus"
    # 33435 is the start of the traceroute range dropped above; Back Orifice itself is 31337
    iptables -A INPUT -p tcp --dport 33435 -j LOG --log-prefix "BackOrifice"

    ##################### LOG MARKED EXTERNAL PACKETS ##########################
    # iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -j LOG --log-prefix "marcado FORWARD"
    # iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j LOG --log-prefix "Marcado do squid "
    # iptables -t mangle -A POSTROUTING -s $ip_cliente -j LOG --log-prefix "Marcado POSTROUTING"
    ;;
stop)
    echo "Shutting Firewalling Services: "
    rm -f /var/lock/subsys/firewall
    # -----------------------------------------------------------------
    # Remove all existing rules belonging to this filter
    # (nat and mangle included, so no DNAT/MASQUERADE survives a stop)
    # -----------------------------------------------------------------
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # -----------------------------------------------------------------
    # Reset the default policy of the filter to accept.
    # -----------------------------------------------------------------
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;
status)
    status firewall
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: firewall {start|stop|status|restart|reload}"
    exit 1
esac
exit 0
```
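As an added example (not part of this contribution), a dry-run generator that validates every netfur.txt entry before emitting the per-client rules the script's loop applies, so a malformed line cannot produce an iptables command with an empty `-s` or `--mac-source`. It assumes the "ip,mac" line format the loop's `cut` commands imply and the script's ppp0/eth1 interface names, and prints rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the contribution's own code: validates netfur.txt
# entries and prints (never applies) the per-client rules of the original
# loop. Assumed format: "ip,mac", one client per line, '#' lines ignored.

EXTERNAL_INTERFACE="ppp0"
INTERNAL_INTERFACE="eth1"

# IPv4 dotted quad with every octet in 0..255.
valid_ip() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Six colon-separated hex pairs, either case (the form iptables -m mac accepts).
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# The per-client rules from the original loop; the packet mark is the last
# octet of the client IP, exactly as the loop derives it with cut -d. -f4.
client_rules() {
  ip=$1; mac=$2; mark=${ip##*.}
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $ip -j MASQUERADE" \
    "iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $ip -m mac --mac-source $mac -j ACCEPT" \
    "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d $ip -j ACCEPT" \
    "iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark" \
    "iptables -t mangle -A FORWARD -d $ip -j MARK --set-mark $mark" \
    "iptables -A INPUT -i $INTERNAL_INTERFACE -s $ip -m mac --mac-source $mac -p tcp --dport 3128 -j ACCEPT" \
    "iptables -t nat -A PREROUTING -p tcp -s $ip -m mac --mac-source $mac --dport 80 -j REDIRECT --to-port 3128"
}

# Read a netfur.txt-style file: skip blank and '#' lines, reject malformed
# entries and duplicate IPs/MACs (two clients sharing a MAC means the MAC
# check no longer tells them apart). Returns the number of rejected entries,
# so a non-zero status means "do not load these rules".
gen_rules() {
  bad=0; seen_ip=" "; seen_mac=" "
  while IFS=, read -r ip mac rest; do
    ip=$(printf '%s' "$ip" | tr -d ' \r')
    mac=$(printf '%s' "$mac" | tr -d ' \r' | tr 'A-Z' 'a-z')
    case "$ip" in ''|'#'*) continue ;; esac
    if ! valid_ip "$ip" || ! valid_mac "$mac"; then
      echo "# rejected (malformed): $ip,$mac" >&2; bad=$((bad + 1)); continue
    fi
    case "$seen_ip" in *" $ip "*)
      echo "# rejected (duplicate ip): $ip" >&2; bad=$((bad + 1)); continue ;;
    esac
    case "$seen_mac" in *" $mac "*)
      echo "# rejected (duplicate mac): $mac" >&2; bad=$((bad + 1)); continue ;;
    esac
    seen_ip="$seen_ip$ip "; seen_mac="$seen_mac$mac "
    client_rules "$ip" "$mac"
  done < "$1"
  return "$bad"
}

# Stand-alone demo on a constructed netfur.txt (sample data, not real clients).
demo() {
  f=$(mktemp)
  printf '%s\n' '# constructed sample' '192.168.1.5,00:11:22:33:44:55' \
    '192.168.1.999,00:11:22:33:44:56' '192.168.1.6,00:11:22:33:44:55' > "$f"
  gen_rules "$f" || echo "# $? entries rejected, rules not loaded" >&2
  rm -f "$f"
}
demo
```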