
Firewall with access control (firewall)

Well, this is my first .conf contribution, so I decided it would be about increasing the security of your Linux.

I know there are already many configurations here on VOL, and whenever I searched the countless examples for something that could help me improve the security of my network of 20 computers connected over wireless, I found it.

I hope it is useful to everyone who passes through here.

Note: the netfur.txt file used here has the following format

,,
Rodrigo Rodrigues de Mattos (demattos)
Hits: 12,834  Category: Init

#!/bin/sh
#
# /etc/rc.d/init.d/firewall
# chkconfig: - 60 95
# description: This script controls start/stop of the iptables-based \
#              firewall service.
#
# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]; then
   exit 0
fi

if [ ! -x /sbin/iptables ]; then
   exit 0
fi

# Parameters
case "$1" in
  start)
     echo "Starting Firewalling Services: "
     touch /var/lock/subsys/firewall
     # -----------------------------------------------------------------
     # Remove all existing rules (filter, nat and mangle) so a restart
     # does not accumulate duplicates
     # -----------------------------------------------------------------
       iptables -F
       iptables -X
       iptables -F -t nat
       iptables -X -t nat
       iptables -F -t mangle
       iptables -X -t mangle

     # -----------------------------------------------------------------
     # Variable definitions
     # -----------------------------------------------------------------
       EXTERNAL_INTERFACE="ppp0"   # PPP device facing the internet
     # Current address of the external interface. Parses the old ifconfig
     # output "inet addr:X.X.X.X  P-t-P:...": cut on ':' and then on 'P'.
       EXTERNAL_IP=`ifconfig $EXTERNAL_INTERFACE | grep inet | cut -d: -f2 | cut -dP -f1`
       if [ -z "$EXTERNAL_IP" ]; then
          # Rules using -d $EXTERNAL_IP will fail to load (fail closed, since
          # the default policy is DROP); warn so the operator knows why.
          echo "firewall: could not determine the address of $EXTERNAL_INTERFACE" >&2
       fi
       EXTERNAL_NET="192.168.0.0/255.255.255.0"
       INTERNAL_IP="192.168.1.1"
       INTERNAL_INTERFACE="eth1"
       INTERNAL_NET="192.168.1.0/255.255.255.224"
       PRIVPORTS="0:1023"
       UNPRIVPORTS="1024:65535"

     # -----------------------------------------------------------------
     # Set the default policy to DROP
     # -----------------------------------------------------------------
       iptables -P INPUT   DROP
       iptables -P OUTPUT  DROP
       iptables -P FORWARD DROP

     # -----------------------------------------------------------------
     # Load modules
     # -----------------------------------------------------------------
       modprobe ip_nat_ftp
       modprobe ip_conntrack
       modprobe ip_conntrack_ftp
       modprobe ipt_REJECT
       modprobe ipt_LOG
       modprobe ipt_MASQUERADE
       modprobe ipt_state
       modprobe ipt_mac
       modprobe ipt_mark
       modprobe ipt_MARK
       modprobe iptable_nat
       modprobe ipt_multiport
       modprobe ipt_owner
       modprobe ipt_tos
       modprobe iptable_mangle
       # modprobe ipt_unclean

     # Enable IP forwarding (only when the firewall is started)
       echo 1 > /proc/sys/net/ipv4/ip_forward
       echo "5 4 1 7" > /proc/sys/kernel/printk

     # -----------------------------------------------------------------
     # Allow loopback traffic
     # -----------------------------------------------------------------
       iptables -A INPUT   -i lo -j ACCEPT
       iptables -A OUTPUT  -o lo -j ACCEPT

     # -----------------------------------------------------------------
     # Anti-spoofing (reverse path filtering)
     # -----------------------------------------------------------------
       echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
       echo 1 > /proc/sys/net/ipv4/conf/$EXTERNAL_INTERFACE/rp_filter
       echo 1 > /proc/sys/net/ipv4/conf/$INTERNAL_INTERFACE/rp_filter

     # Turn on SYN flood protection. Should be done on every server
       echo 1 > /proc/sys/net/ipv4/tcp_syncookies
       echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

     # -----------------------------------------------------------------
     # Allow traffic on the internal network
     # -----------------------------------------------------------------
     # Allow traffic between the 192.168.1.0 networks

      # ## Opening IPSEC traffic
      # iptables -A INPUT -p udp --dport 5000 -s 0/0 -d 0/0 -j ACCEPT
      # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
      # iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT

      ## Allow access to the subnet
      # iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
      # iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

       ## Block multicast
       iptables -A INPUT -s 224.0.0.0/8  -d 0/0 -j DROP
       iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP

     ## Allow traffic between the networks
     #iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

     # iptables -A FORWARD -s 192.168.1.3 -m mac --mac-source 00:0F:B0:3C:A6:6E -d 192.168.1.0/27 \
     #          -j ACCEPT

      # Ports for the Windows network!!!! NOTE: 192.168.1.0/27 is the same as 192.168.1.0/255.255.255.224

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 2121 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 2121 -j ACCEPT

      # iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
      #          -p tcp --dport 5900 -j ACCEPT
      # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
      #          -p tcp --sport 5900 -j ACCEPT

      # iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/16 \
      #          -p tcp --dport 47151 -j ACCEPT
      # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/16 \
      #          -p tcp --sport 47151 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 20 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 20 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 9920 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 9920 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 1863 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 1863 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 137 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 137 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 138 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 138 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 139 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 139 -j ACCEPT

     # Allow proxy, DNS and ICMP access for all machines

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p icmp  -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p icmp  -j ACCEPT

      ##############################################################
      #     ALLOW THE INTERNAL PROXY ON THE NETWORK
      ###############################################################
      # iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
      #          -p tcp --dport 3128 -j ACCEPT
      # iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
      #          -p tcp --sport 3128 -j ACCEPT
      ##############################################################

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p tcp --dport 53 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 53 -j ACCEPT
     # Note: these two rules accept all UDP from/to the internal network,
     # not only DNS (port 53)
       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
                -p udp  -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p udp  -j ACCEPT

     # Full access to the firewall for some hosts (LOCAL NETWORK)

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.1 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.1 -j ACCEPT

      #######################################################################
      # THE RULES BELOW GIVE FULL ACCESS TO THE LISTED IP ADDRESSES
      #######################################################################

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.2 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.2 -j ACCEPT
       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.3 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.3 -j ACCEPT

      ############ Allowed for the APs #####################################

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.29 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.29 -j ACCEPT

       iptables -A INPUT  -i $INTERNAL_INTERFACE -s 192.168.1.30 -j ACCEPT
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.30 -j ACCEPT

     ########################################################################
     # Allow ping from the firewall to the internet
     ########################################################################

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 0 -d $EXTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 3 -d $EXTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 4 -d $EXTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 11 -d $EXTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 12 -d $EXTERNAL_IP -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p icmp \
                           -s $EXTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p icmp \
                           -s $EXTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p icmp \
                           -s $EXTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p icmp \
                           -s $EXTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT

    ###########################################################################
    # Allow ping from the firewall to the local network
    ##########################################################################

       iptables -A INPUT   -i $INTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 0 -d $INTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $INTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 3 -d $INTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $INTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 4 -d $INTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $INTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 11 -d $INTERNAL_IP -j ACCEPT
       iptables -A INPUT   -i $INTERNAL_INTERFACE  -p icmp \
                           -s 0/0 --icmp-type 12 -d $INTERNAL_IP -j ACCEPT
       iptables -A OUTPUT  -o $INTERNAL_INTERFACE  -p icmp \
                           -s $INTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $INTERNAL_INTERFACE  -p icmp \
                           -s $INTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $INTERNAL_INTERFACE  -p icmp \
                           -s $INTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
       iptables -A OUTPUT  -o $INTERNAL_INTERFACE  -p icmp \
                           -s $INTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT

     # =================================================================
     #     The following lines allow machines on the internet to reach
     #   services on this computer; the rules open these ports to the
     #         outside world.
     # =================================================================

     # -----------------------------------------------------------------
     # HTTP Server (ports 80 and 8080 for Apache)
     # -----------------------------------------------------------------

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 80 -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 80                 \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 8080 -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 8080               \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

     ##################################################################
     # Allow SSH (listening on port 3420)
     ##################################################################

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 3420 -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 3420               \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    #################################################################
    # CLOSING PORT 3128 (PROXY) TO THE OUTSIDE WORLD
    #################################################################

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 3128 -j DROP

    #################################################################
    #   iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
    #            -s 0/0 --sport $UNPRIVPORTS                \
    #            -d $EXTERNAL_IP --dport 22 -j ACCEPT
    #
    #   iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
    #            -s $EXTERNAL_IP --sport 22                 \
    #            -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
    #
    #   iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
    #            -s 0/0 --sport $UNPRIVPORTS                \
    #            -d $EXTERNAL_IP --dport 5000:5200 -j ACCEPT

    #################################################################
    # HTTPS :443                               EXTERNAL access       #
    #################################################################

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 443 -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 443                \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

    ####################################################################################
    # Rules against DoS, NetBus, ping, port scanner and Back Orifice traffic
    ####################################################################################
    # >>>>>> Back Orifice

       iptables -A INPUT  -p tcp --dport 31337 -j DROP
       iptables -A INPUT  -p udp --dport 31337 -j DROP

    # >>>>>>>> NetBus

       iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
       iptables -A INPUT -p udp --dport 12345:12346 -j DROP

    # >>>>>>> Blocking traceroute

       iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL_INTERFACE --dport 33435:33525 -j DROP

    #>>>>>>>> Protection against SYN floods

    #iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    #>>>>>>> Protection against ping of death

       iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    #>>>>>>> Protection against stealth port scanners

       iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    #####################################################################################

     # -----------------------------------------------------------------
     # AUTH Server (port 113)
     # -----------------------------------------------------------------

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 113 -j REJECT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 113                \
                -d 0/0 --dport $UNPRIVPORTS -j REJECT

     ####################################################################
     # These lines allow access to the ProFTPD server
     ###################################################################

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 2121 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 2121               \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p udp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 20 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p udp  \
                -s $EXTERNAL_IP --sport 20                 \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 20 -j ACCEPT
       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 20                 \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

     # Passive FTP data ports
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport $UNPRIVPORTS                \
                -d $EXTERNAL_IP --dport 40000:65535 -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport 40000:65535        \
                -d 0/0 --dport $UNPRIVPORTS -j ACCEPT

     # ================================================================
     #  iptables -A INPUT -j ACCEPT -p tcp --dport 2121
     #  iptables -A OUTPUT -j ACCEPT -p tcp --dport 2121
     # =================================================================
     #     The following lines allow this machine to reach resources
     # on the internet.
     # =================================================================
     # Lets this machine access any server on the internet.
     # These lines are required for the firewall to work.
     ###################################################################

       iptables -A INPUT -m state --state ESTABLISHED,RELATED  \
                -i $EXTERNAL_INTERFACE -j ACCEPT
       iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
                -o $EXTERNAL_INTERFACE -j ACCEPT

     # -----------------------------------------------------------------
     # DNS Client (port 53) Used for the DNS server
     # -----------------------------------------------------------------
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p udp  \
                -s 0/0 --sport 53                          \
                -d $EXTERNAL_IP --dport $UNPRIVPORTS -j REJECT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p udp  \
                -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
                -d 0/0 --dport 53 -j REJECT

      # iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
      #          -s 0/0 --sport 53                          \
      #          -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT

      # iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
      #          -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
      #          -d 0/0 --dport 53 -j ACCEPT

     # -----------------------------------------------------------------
     # Finger Client (port 79)
     # -----------------------------------------------------------------
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport 79                          \
                -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
                -d 0/0 --dport 79 -j ACCEPT

     # -----------------------------------------------------------------
     # AUTH Client (port 113)
     # -----------------------------------------------------------------
     #  iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
     #           -s 0/0 --sport 113                         \
     #           -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
     #
     #  iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
     #           -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
     #           -d 0/0 --dport 113 -j ACCEPT

    #>>> port for the radios
    #
    #     iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
    #              -s 0/0 --sport 772                         \
    #              -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
    #
    #     iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
    #              -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
    #              -d 0/0 --dport 772 -j ACCEPT

     # -----------------------------------------------------------------
     # WHOIS Client (port 43)
     # -----------------------------------------------------------------
       iptables -A INPUT   -i $EXTERNAL_INTERFACE  -p tcp  \
                -s 0/0 --sport 43                          \
                -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT

       iptables -A OUTPUT  -o $EXTERNAL_INTERFACE  -p tcp  \
                -s $EXTERNAL_IP --sport $UNPRIVPORTS       \
                -d 0/0 --dport 43 -j ACCEPT

     #####################################################################################
     #    >>> Free external access for selected hosts on my internal network WITHOUT PROXY <<<
     #####################################################################################
     # Each line of netfur.txt is "client ip,client mac,client name".
     # Blank lines and lines starting with '#' are skipped.
       while IFS=, read -r ip_cliente mac_cliente nome_cliente; do
           case "$ip_cliente" in ''|\#*) continue ;; esac
           # The fwmark for this client is the last octet of its address
           mark_cliente=`echo $ip_cliente | cut -d. -f4`

           #>>> iptables rules for this client
           iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
                    -s $ip_cliente -j MASQUERADE

           iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
                    -s $ip_cliente -m mac --mac-source $mac_cliente -j ACCEPT
           iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
                    -d $ip_cliente -j ACCEPT

           ######## Mark this client's forwarded packets with its fwmark ########

           iptables -t mangle -A FORWARD -s $ip_cliente -j MARK --set-mark $mark_cliente
           iptables -t mangle -A FORWARD -s $ip_cliente -j ACCEPT
           iptables -t mangle -A FORWARD -d $ip_cliente -j MARK --set-mark $mark_cliente
           iptables -t mangle -A FORWARD -d $ip_cliente -j ACCEPT

          # iptables -t mangle -A POSTROUTING -j RETURN
          # iptables -t mangle -A PREROUTING -s $ip_cliente -j MARK --set-mark $mark_cliente
          # iptables -t mangle -A PREROUTING -j RETURN

           ################################# Marks on packets ##############################
           # iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
           #          -d $ip_cliente -j MARK --set-mark $mark_cliente

           ###############################################################
           #     ALLOW THE INTERNAL PROXY FOR THIS CLIENT
           ###############################################################

           iptables -A INPUT  -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j ACCEPT

           # iptables -t mangle -A INPUT  -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j MARK --set-mark $mark_cliente

           #################################################################
           #>>>  Transparent proxy for the network
           #################################################################

           iptables -t nat -A PREROUTING  -p tcp -s $ip_cliente -m mac --mac-source $mac_cliente --dport 80 -j REDIRECT --to-port 3128

       done < /etc/netfuture/firewall/netfur.txt
     # end of loop

     # Replies from the proxy back to the internal network (added once,
     # outside the loop)
       iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
                -p tcp --sport 3128 -j ACCEPT

     # =================================================================
     # Source NAT (POSTROUTING) and FORWARD
     #
     # Handling of specific cases where machines need ports opened or
     # direct internet access.
     # =================================================================
     # ACCESS TO THE APs FOR NETFUTURE CONFIGURATION: external port 8029 -> 192.168.1.29:80
       iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
                --dport 8029 -j DNAT --to 192.168.1.29:80
       iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
                -s 192.168.1.29 -j MASQUERADE
       iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
                -s 192.168.1.29 -j ACCEPT
       iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
                -d 192.168.1.29 -j ACCEPT
     #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

     # =================================================================
     # ACCESS TO THE APs FOR NETFUTURE_1 CONFIGURATION: external port 8030 -> 192.168.1.30:80
       iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
                --dport 8030 -j DNAT --to 192.168.1.30:80
       iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
                -s 192.168.1.30 -j MASQUERADE
       iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
                -s 192.168.1.30 -j ACCEPT
       iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
                -d 192.168.1.30 -j ACCEPT
     #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

     # =================================================================
     # Source NAT (POSTROUTING) and FORWARD
     #
     # Handling of specific cases where machines need ports opened or
     # direct internet access.
     # =================================================================
     # iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
     #       --dport 5900 -j DNAT --to 192.168.1.1:5900
     # iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
     #          -s 192.168.1.1 -j MASQUERADE
     # iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
     #          -s 192.168.1.1 -j ACCEPT
     # iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
     #          -d 192.168.1.1 -j ACCEPT
     #>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

     # -----------------------------------------------------------------
     # LOG (rate-limited; packets reaching these rules will be dropped
     # by the default policy)
     # -----------------------------------------------------------------
       iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p tcp \
                --dport 80 -m limit --limit 5/minute \
                -j LOG --log-prefix "WEB-SEM-PROXY:" --log-level info
       iptables -A INPUT   -m limit --limit 5/minute \
                -j LOG --log-prefix "BAD INPUT:" --log-level info
       iptables -A OUTPUT  -m limit --limit 5/minute \
                -j LOG --log-prefix "BAD OUTPUT:" --log-level info
       iptables -A FORWARD -m limit --limit 5/minute \
                -j LOG --log-prefix "BAD FORWARD:" --log-level info

       #>>> Access logging for the services below

       iptables -A INPUT -p tcp --dport 2121 -j LOG --log-prefix "Acesso ao Proftpd"
       iptables -A INPUT -p tcp --dport 3420 -j LOG --log-prefix "Acesso ao SSH"
       iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "WEB segura"

       #>>>>>> Log backdoor probes

       iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Wincrash"
       iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Netbus"
       iptables -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "NetBus"
       # Back Orifice uses 31337 (the port dropped above), not 33435
       iptables -A INPUT -p tcp --dport 31337 -j LOG --log-prefix "BackOrifice"

##################### LOG MARKED EXTERNAL PACKETS ##########################
# iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -j LOG --log-prefix "marcado FORWARD"
# iptables -t mangle -A INPUT  -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j LOG --log-prefix "Marcado do squid "
# iptables -t mangle -A POSTROUTING -s $ip_cliente -j LOG --log-prefix "Marcado POSTROUTING"

     ;;
  stop)
     echo "Shutting Firewalling Services: "
     rm -f /var/lock/subsys/firewall

     # -----------------------------------------------------------------
     # Remove all existing rules belonging to this filter
     # (nat included, so the REDIRECT to the proxy does not survive a stop)
     # -----------------------------------------------------------------
       iptables -F
       iptables -X
       iptables -t nat -F
       iptables -t nat -X
       iptables -t mangle -F
       iptables -t mangle -X
     # -----------------------------------------------------------------
     # Reset the default policy of the filter to accept.
     # -----------------------------------------------------------------
       iptables -P INPUT   ACCEPT
       iptables -P OUTPUT  ACCEPT
       iptables -P FORWARD ACCEPT

     ;;
  status)
       status firewall
     ;;
  restart|reload)
       $0 stop
       $0 start
     ;;
  *)
       echo "Usage: firewall {start|stop|status|restart|reload}"
       exit 1
esac

exit 0
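The LOG rules near the end of the script tag traffic that fell through to the default DROP with the prefixes "BAD INPUT:", "BAD OUTPUT:" and "BAD FORWARD:", and tag direct web traffic that bypassed the proxy with "WEB-SEM-PROXY:". Those prefixes are only useful if someone reads them, so the following is an added example (not part of the original script or of Viva o Linux) that summarizes netfilter LOG lines from the kernel log by prefix, source address and destination port, and lists the internal hosts that reached port 80 without going through the proxy. The log lines it ships with are constructed to match the format the LOG target emits; the addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example: summarize what the firewall script's LOG rules record.
# Not part of the original script. Sample log lines below are constructed.

# Constructed kernel log lines in the format netfilter's LOG target emits
# (syslog header, then "<prefix>IN=... OUT=... SRC=... DST=... PROTO=...").
sample_log() {
    cat <<'EOF'
Feb 16 10:16:01 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:16:01 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:16:02 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:16:02 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=44322 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:16:03 fw kernel: BAD FORWARD:IN=eth1 OUT=ppp0 SRC=192.168.1.40 DST=198.51.100.9 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=5 PROTO=UDP SPT=5353 DPT=53 LEN=53
Feb 16 10:16:04 fw kernel: BAD INPUT:IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Feb 16 10:16:05 fw kernel: WEB-SEM-PROXY:IN= OUT=ppp0 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 10:16:06 fw sshd[412]: Accepted publickey for admin from 192.168.1.2 port 50122 ssh2
EOF
}

# Read log lines on stdin; print "<count> <prefix> <SRC> <PROTO>/<DPT>" for
# each distinct combination, most frequent first. Lines that are not
# netfilter LOG output (no "IN=...SRC=") are ignored; a dmesg-style
# "[timestamp]" before the prefix is tolerated.
summarize_log() {
    awk '
        /IN=.*SRC=/ {
            prefix = $0
            sub(/.*kernel: /, "", prefix)       # drop the syslog header
            sub(/^\[[0-9. ]*\] /, "", prefix)   # drop an optional dmesg timestamp
            sub(/IN=.*/, "", prefix)            # keep only the --log-prefix text
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "PROTO") proto = val
                else if (key == "DPT") dpt = val
            }
            if (src != "") count[prefix " " src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Internal hosts that reached port 80 directly, i.e. were logged by the
# script's "WEB-SEM-PROXY:" POSTROUTING rule; one address per line.
proxy_bypass_hosts() {
    awk '/WEB-SEM-PROXY:IN=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
         }' | sort -u
}

# Usage: sh fwlog_summary.sh /var/log/messages
#        dmesg | sh fwlog_summary.sh -
# With no argument the constructed sample is summarized.
if [ $# -eq 0 ]; then
    sample_log | summarize_log
elif [ "$1" = - ]; then
    summarize_log
else
    summarize_log < "$1"
fi
```

Because the "BAD ..." rules sit after every ACCEPT, anything they log is traffic the policy rejected, so a source that appears many times against several ports is worth a look; the "WEB-SEM-PROXY:" lines show which internal addresses are not covered by the transparent-proxy REDIRECT (either missing from netfur.txt or using a port other than 80).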

#1 Comment posted by demattos on 16/02/2008 - 10:16h
Good morning, the format of the file used, netfur.txt, did not show up, but I am passing it along so that the complete script is easy to understand

list=`cat /etc/netfuture/firewall/netfur.txt`

the netfur.txt file would look like this

client ip,client mac,client name

See you
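The note at the top and the first comment describe netfur.txt as one "client ip,client mac,client name" entry per line, and the script splices the first two fields straight into iptables arguments. What follows is an added example (not the author's code and not part of the original script) that validates each entry before use and prints the per-client rules the script would build, so a typo in the list is caught instead of producing a rule with an empty or malformed address. The interface names and list path are those used on the page; the sample entries are constructed. The MAC check only confirms the field's shape: `-m mac --mac-source` identifies a host on the directly attached segment and is not an authentication mechanism.

```shell
#!/bin/sh
# Added example: validate netfur.txt entries and print (not load) the
# per-client iptables rules the original script builds. Not part of the
# original script; sample entries below are constructed.

EXTERNAL_INTERFACE=ppp0   # values used by the script on the page
INTERNAL_INTERFACE=eth1

# True if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if $1 is a MAC address of six colon-separated hex byte pairs.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Read a netfur.txt ($1); for each well-formed entry print "ip mac mark",
# where mark is the last octet (the fwmark the script's loop derives).
# Blank lines and '#' comments are skipped; malformed entries are reported
# on stderr and skipped rather than handed to iptables.
parse_netfur() {
    while IFS=, read -r ip mac name; do
        case "$ip" in ''|\#*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "netfur: bad ip '$ip' (client '$name')" >&2
            continue
        fi
        if ! valid_mac "$mac"; then
            echo "netfur: bad mac '$mac' (client '$name')" >&2
            continue
        fi
        printf '%s %s %s\n' "$ip" "$mac" "${ip##*.}"
    done < "$1"
}

# Print the rules the script adds per client, one command per line, so the
# generated ruleset can be reviewed (or piped to sh) instead of run blindly.
emit_rules() {
    parse_netfur "$1" | while read -r ip mac mark; do
        echo "iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $ip -j MASQUERADE"
        echo "iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -d $ip -j ACCEPT"
        echo "iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark"
        echo "iptables -t nat -A PREROUTING -i $INTERNAL_INTERFACE -p tcp -s $ip -m mac --mac-source $mac --dport 80 -j REDIRECT --to-port 3128"
    done
}

# Write a constructed sample list to a temporary file and print its path.
sample_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample of /etc/netfuture/firewall/netfur.txt
192.168.1.5,00:11:22:33:44:55,pc-sala
192.168.1.17,00:1a:2b:3c:4d:5e,notebook joao
192.168.1.300,00:11:22:33:44:56,bad-ip
192.168.1.9,00-11-22-33-44-57,bad-mac
EOF
    echo "$f"
}

# Usage: sh netfur_check.sh [/etc/netfuture/firewall/netfur.txt]
# Without an argument the constructed sample is used.
if [ $# -eq 0 ]; then
    tmp=$(sample_file)
    emit_rules "$tmp"
    rm -f "$tmp"
else
    emit_rules "$1"
fi
```

Run against the real list before loading the firewall; the two bad sample entries are reported on stderr and produce no rules, while the two good ones yield the five commands each that the script's loop issues.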


#2 Comment posted by rambo on 18/04/2012 - 17:05h
Excellent!... thanks a lot!... I was racking my brains trying to fix a problem in mine here!... this tip of yours came at just the right time!... thanks a lot!!!!!!!!!!
