Firewall

Publicado por Fabio Tezzei 23/02/2006






Fiz mais um firewall, para a galera testar.
No caso do Debian, coloque o script no /bin
e crie um link simbólico para o rc2.d.
No caso do Red Hat e seus derivados, coloque no /bin, com uma chamada no rc.local.

  




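#!/bin/bash
# Firewall / NAT gateway for a Linux box with one Internet-facing interface
# and one LAN interface. Policies are DROP for INPUT and OUTPUT and ACCEPT for
# FORWARD; the rest of the script opens services on the host itself, shares
# the Internet connection (MASQUERADE) and forwards a few ports to LAN hosts.
echo
echo " Ativando o Firewall"

# Addresses of this host. Both must be filled in before the script is run:
# with an empty value the unquoted "$IP_SERVER" in the rules below expands to
# nothing, the following flag is taken as the address and iptables rejects
# (or misreads) every such rule, leaving the host half-configured. Stop here,
# before any rule is touched, instead.
IP_SERVER=
IP_SERVER_interno=
: "${IP_SERVER:?preencha IP_SERVER (endereco externo do servidor)}"
: "${IP_SERVER_interno:?preencha IP_SERVER_interno (endereco interno do servidor)}"

ANY="0/0"
LOOPBACK="127.0.0.1"
INTERFACE_EXTERNA="eth0"
# RFC 1918 private ranges
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
# Class E (reserved) is 240.0.0.0/4, i.e. 240-255; the original's /5 only
# covered 240-247.
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_ORI="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

echo "Carregando Modulos"
# Filter and NAT tables plus connection tracking; the two ftp modules are the
# helpers that let RELATED follow FTP data connections.
for mod in iptable_filter iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp; do
  modprobe "$mod"
done

# Start from clean tables and block by default. FORWARD stays ACCEPT because
# this host also shares its Internet connection (MASQUERADE further down);
# on a host that does not forward, DROP is the safer policy.
iptables -F
iptables -Z
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT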

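echo "Protecao contra ataques de spoof ativada "
# --- Anti-spoofing on the external interface ---------------------------------
# Drop packets arriving from the Internet that carry a source (or destination)
# address that cannot legitimately appear there. The original comments say
# these are logged; there is no LOG target, the packets are simply dropped.

# Private ranges (RFC 1918), as source and as destination. Class C
# (192.168.0.0/16) is left out on purpose: the LAN used later in this script
# is 192.168.0.0/24, so the original kept those rules disabled.
for private_net in "$CLASS_A" "$CLASS_B"; do
  iptables -A INPUT -i "$INTERFACE_EXTERNA" -s "$private_net" -j DROP
  iptables -A INPUT -i "$INTERFACE_EXTERNA" -d "$private_net" -j DROP
done
#iptables -A OUTPUT -s $CLASS_B -j DROP
#iptables -A OUTPUT -d $CLASS_B -j DROP
#iptables -A INPUT  -i $INTERFACE_EXTERNA -s $CLASS_C -j DROP
#iptables -A OUTPUT -s $CLASS_C -j DROP
#iptables -A OUTPUT -d $CLASS_C -j DROP

# Source addresses that are never valid on the wire: loopback, the limited
# broadcast address, multicast (class D; multicast is only ever a destination)
# and the reserved class E range.
for bad_src in "$LOOPBACK" "$BROADCAST_DEST" "$CLASS_D_MULTICAST" "$CLASS_E_RESERVED_NET"; do
  iptables -A INPUT -i "$INTERFACE_EXTERNA" -s "$bad_src" -j DROP
done
#iptables -A OUTPUT -s $LOOPBACK -j DROP
# 0.0.0.0 as a destination (only meaningful as a source during bootstrap)
iptables -A INPUT -i "$INTERFACE_EXTERNA" -d "$BROADCAST_ORI" -j DROP

# The original then dropped a long list of /8 networks that IANA had not yet
# allocated in 2006 (1/8, 2/8, 5/8, 7/8, 23/8, ..., 80.0.0.0/4, 96.0.0.0/4,
# 112-126/8, 217-219/8, 220.0.0.0/6). Every one of those blocks has since
# been assigned to a registry - the IANA IPv4 free pool ran out in 2011 - so
# the list would now drop legitimate hosts; it has been removed rather than
# left to rot. If bogon filtering is wanted, feed it from a maintained list
# instead of hard-coding prefixes here.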

# --- Known trojan / backdoor control ports -----------------------------------
# Dropped explicitly so that the rule further down that opens the unprivileged
# range on the server address cannot let them through.
# BackOrifice
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" --dport 31337 -j DROP
done
# NetBus
for proto in tcp udp; do
  iptables -A INPUT -p "$proto" --dport 12345:12346 -j DROP
done
#teste LOG NetBus
#iptables -A INPUT -s $ANY -m limit --limit 1/s -j LOG
#iptables -A FORWARD -p tcp --dport 12345:12346 -s $ANY -d $ANY -j LOG --log-prefix 'NetBus Lammer Attack'
# TrinOO
for port in 1542 27665 27444 31335; do
  iptables -A INPUT -p tcp --dport "$port" -j DROP
done

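# --- Services on the host itself (INPUT/OUTPUT chains) -----------------------
# Both policies are DROP, so every client and server use must be opened
# explicitly. Rules the original kept disabled are left disabled.

# Allow by MAC address (disabled)
#iptables -A INPUT -p icmp -m mac --mac-source 00:00:21:FA:B3:02 -j ACCEPT
#iptables -A OUTPUT -p icmp -d $ANY -j ACCEPT

# FTP server, ports 20/21 (disabled)
#echo "Liberado FTP"
#iptables -A INPUT -p tcp -s $ANY --sport 1024:65535 -d $IP_SERVER --dport 21 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 21 -d $ANY --dport 1024:65535 -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY --sport 1024:65535 -d $IP_SERVER --dport 20 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 20 -d $ANY --dport 1024:65535 -j ACCEPT

# SSH client (22). The original accepted any inbound TCP packet whose source
# port was 22, which lets a remote peer reach every local port just by
# sending from port 22. Connection tracking is loaded at the top of the
# script, so only replies to a connection this host opened are accepted.
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# SSH server (22) on both addresses of this host
iptables -A INPUT -p tcp -d "$IP_SERVER_interno" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$IP_SERVER_interno" --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -d "$IP_SERVER" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$IP_SERVER" --sport 22 -j ACCEPT

# Telnet client (23), disabled
#iptables -A INPUT -p tcp -s $ANY --sport 23 -j ACCEPT
#iptables -A OUTPUT -p tcp -d $ANY --dport 23 -j ACCEPT

# Telnet server (23), disabled
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 23 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 23 -d $ANY -j ACCEPT

# SMTP server (25) on the host, disabled (see the Exchange port forward and
# the rules at the end of the script)
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 25 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 25 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY -d 127.0.0.1 --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s 127.0.0.1 --sport 25 -d $ANY -j ACCEPT

# HTTP server (80) on the external address
iptables -A INPUT -p tcp -d "$IP_SERVER" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$IP_SERVER" --sport 80 -j ACCEPT
#iptables -A INPUT -p tcp -s $ANY -d 200.150.245.51 --dport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp -s 200.150.245.51 --sport 80 -d $ANY -j ACCEPT

# POP3 server (110), disabled
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER_interno --dport 110 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER_interno --sport 110 -d $ANY -j ACCEPT

# identd (113), disabled. The original notes that silently dropping identd
# behind NAT causes connection delays; its disabled REJECT/tcp-reset lines
# are the usual answer to that.
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 113 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 113 -d $ANY -j ACCEPT
#iptables -A INPUT -p tcp -d $IP_SERVER --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A FORWARD -p tcp -d $IP_SERVER --dport 113 -j REJECT --reject-with tcp-reset

# DNS client: same source-port problem as the SSH client above, same fix.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# DNS server on the LAN address
iptables -A INPUT -p udp -d "$IP_SERVER_interno" --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -s "$IP_SERVER_interno" --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -d "$IP_SERVER_interno" --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$IP_SERVER_interno" --sport 53 -j ACCEPT

# IMAP server (143), disabled
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 143 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 143 -d $ANY -j ACCEPT

# Keep MySQL (3306) and the proxy port (3128) closed on the external address.
# The MySQL lines were disabled in the original and also misspelled
# ("ptables"); the spelling is fixed here so they work if re-enabled.
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 3306 -j DROP
#iptables -A OUTPUT -p tcp -s $IP_SERVER --sport 3306 -d $ANY -j DROP
iptables -A INPUT -p tcp -d "$IP_SERVER" --dport 3128 -j DROP

# Windows file sharing, ports 135-139 (disabled)
#echo "Liberado acesso as portas 135,137,139" 
#iptables -A INPUT -p tcp -s $ANY -d $IP_SERVER --dport 135:139 -j ACCEPT
#iptables -A OUTPUT -p tcp -d $ANY -s $IP_SERVER --sport 135:139 -j ACCEPT
#iptables -A INPUT -p udp -s $ANY -d $IP_SERVER --dport 135:139 -j ACCEPT
#iptables -A OUTPUT -p udp -s $IP_SERVER --sport 135:139 -d $ANY -j ACCEPT

echo "Liberado portas nao privilegiadas"
# Unprivileged ports (1024-65535) on the external address carry the replies
# to connections this host opens as a client (HTTP, mail, ...). The original
# accepted *any* inbound packet to that range, which exposed every service
# listening on a high port; tying the rule to tracked connections keeps the
# client replies (and FTP data connections, via RELATED) working while the
# listeners stay closed. The 3128 DROP above is now redundant but harmless.
iptables -A INPUT -p tcp -d "$IP_SERVER" --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$IP_SERVER" --sport 1024:65535 -j ACCEPT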


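# --- General protections ------------------------------------------------------
# Rate limits on forwarded traffic. NOTE: each rule ACCEPTs matching packets
# up to the limit and nothing DROPs the excess; with the FORWARD policy set
# to ACCEPT at the top of the script, packets over the limit are forwarded
# all the same, so these rules currently change nothing. They are kept as in
# the original. To make them effective, add a DROP with the same match right
# after each one - and raise the limit first: one SYN per second would
# throttle the whole LAN.
# SYN flood
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Stealth / furtive port scans (bare RST). The original listed this exact
# rule twice, under two headings; once is enough.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death (echo-request floods)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Drop second and later fragments: only the first fragment carries the
# transport header that the port-based rules inspect.
iptables -A FORWARD -f -j DROP
iptables -A INPUT -f -j DROP

# Allow SSH from one address only and reset everyone else (disabled)
#iptables -A INPUT -p tcp -s $ANY --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset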



                 ################
                 #REGRAS DE PING#
                 ################

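# ICMP on the host itself.
# Outbound: echo reply (0), destination unreachable (3), redirect (5),
# echo request (8), time exceeded (11) - as in the original.
for icmp_type in 0 3 5 8 11; do
  iptables -A OUTPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
# Inbound: echo reply and echo request (the host answers ping) as before.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# The original dropped inbound destination-unreachable and time-exceeded.
# That black-holes path-MTU discovery (type 3, fragmentation needed) and
# traceroute replies for connections this host opens. Accept them only when
# conntrack ties them to an existing connection (RELATED).
for icmp_type in 3 11; do
  iptables -A INPUT -p icmp --icmp-type "$icmp_type" -m state --state RELATED -j ACCEPT
done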


                 ##############################################
                 #REGRAS DE NAT que cliente pode acessar o que#
                 ##############################################


#Caso queiro que um client nat nao use telnet, por exemplo
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 23 -j DROP
#Bloquear Algumas Portas PAra maquinas Internas no Compartilhamento
#SSH
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 22 -j DROP
#HTTP
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
#SMTP (Externo)
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 25 -j DROP
#POP3 (Externo)
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 110 -j DROP
#ICQ
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 4000 -j DROP
#iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 4001 -j DROP








                         ###################################
                         #REGRAS DE NAT e REDIRECIONAMENTOS#
                         ###################################

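# --- Internet sharing (NAT) and forwarded traffic ----------------------------
# Enable routing between interfaces, then masquerade everything that leaves
# through the external interface (what ipchains called masquerading).
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o "$INTERFACE_EXTERNA" -j MASQUERADE

# Forwarded traffic, stateful. The original repeated - for FTP (20/21), SMTP,
# POP3 and four LAN hosts - a four-line template whose
# "--state NEW -i $INTERFACE_EXTERNA -j ACCEPT" line accepts every new
# connection arriving from the Internet, contradicting the per-service
# comments next to it. Because the FORWARD policy is ACCEPT, neither that
# template nor the two rules below change what is forwarded today; they
# matter the moment the policy is switched to DROP.
# Replies and related flows (FTP data, ICMP errors) of tracked connections:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections started on any interface other than the external one,
# i.e. from the LAN:
iptables -A FORWARD -m state --state NEW ! -i "$INTERFACE_EXTERNA" -j ACCEPT
# New connections from the Internet to the port-forwarded services (25, 80,
# 110 and 3389, DNAT rules further down) are not accepted here; add one
# explicit rule per destination host/port before changing the FORWARD
# policy to DROP.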


#####################################


#iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 53 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT



# --- Port forwards (DNAT) to hosts on the LAN ---------------------------------
# The rewritten connection then traverses the FORWARD chain, which has to
# accept it.

#######################################
# Forward one TCP port to a LAN host.
# Arguments: $1 - public destination address
#            $2 - public TCP port
#            $3 - internal host:port
#######################################
dnat_tcp() {
  iptables -t nat -A PREROUTING -p tcp -d "$1" --dport "$2" -j DNAT --to-destination "$3"
}

# Exchange: SMTP, POP3 and HTTP on the external address
dnat_tcp "$IP_SERVER" 25 192.168.0.2:25
dnat_tcp "$IP_SERVER" 110 192.168.0.2:110
dnat_tcp "$IP_SERVER" 80 192.168.0.2:80
# Terminal Services, one public address per internal host
dnat_tcp 200.150.245.51 3389 192.168.0.1:3389
dnat_tcp 200.150.245.52 3389 192.168.0.2:3389


#Receita Federal
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --sport 3456 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED --dport 3456 -j ACCEPT
#iptables -A FORWARD -p tcp -m state --state NEW -i $INTERFACE_EXTERNA -j ACCEPT

#IP Interno saindo pelo Externo (Colocar aqui o ip da placa que esta na rede interna)
#iptables -t nat -A POSTROUTING -s 192.168.0.2/255.255.255.0 -j SNAT --to $IP_SERVER

#Proxy Transparente
#iptables -t nat -A PREROUTING -i $INTERFACE_EXTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128

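# Loopback: everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# LAN. The inner interface and network were hard-coded in the original
# ("eth1", "192.168.0.0/24") while the external interface is a variable;
# they are named here, next to their only use.
INTERFACE_INTERNA="eth1"
LAN="192.168.0.0/24"
iptables -A INPUT -i "$INTERFACE_INTERNA" -s "$LAN" -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE_INTERNA" -d "$LAN" -j ACCEPT

# SMTP on the host itself. Mail DNAT'ed to the Exchange server never reaches
# INPUT; these two rules open port 25 on this box and let it submit mail.
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT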



  

Comentários
[1] Comentário enviado por LUIS_FERNANDO em 23/02/2006 - 16:46h

Gostaria se puderem me ajudar tenho q fazer um artigo sobre o sistema operacional coyote,mas preciso enfatizar mais o FIREWALL do q o LINUX.Qualquer ajuda sera bem vinda.

[2] Comentário enviado por _cabelo_ em 30/07/2007 - 21:35h

Cara se arrebentou com esse script

tá certo que não vou colocar isso aí no firewall, mas é uma baita referência pra estudo na hora da implementação; não tenha dúvida que vai pro favoritos

Parabéns

