Firewall com proxy transparente completo
Publicado por Leonardo Berbert Gomes 21/11/2006
[ Hits: 13.652 ]
Homepage: https://www.linkedin.com/in/leoberbert
Bem pessoal, este foi o script de firewall mais eficaz que já fiz até hoje. Basta adaptá-lo com as suas placas de rede e ser feliz. Recomendo a todos.
#!/bin/bash # ######################################################################### # # # Função do Script: FIREWALL # # Versão: 1.0 # # # # By Leonardo B.G. - 2006 - leoberbert@gmail.com.br # # Copyright (C) 2006 G.B., Leonardo # # # ######################################################################### # EXTERNAL=eth0 INTERNAL=eth1 IP=10.11.110.0/24 WIN=10.11.110.18 #TS=IP_DO_SERVIDOR_TS #--- Set TOS 16 TOS_SERV="80 443" flush_rules() { iptables -F iptables -t nat -F iptables -t mangle -F iptables -X iptables -Z } add_rules() { ######################Habilitando o roteamento e bloqueando alguns de pacotes echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all ######################CARREGANDO MODULOS /sbin/modprobe iptable_nat /sbin/modprobe ip_tables /sbin/modprobe ipt_state /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ipt_multiport /sbin/modprobe ip_nat_ftp /sbin/modprobe iptable_mangle /sbin/modprobe ipt_tos /sbin/modprobe ipt_limit ######################Liberacao do Loopback iptables -A INPUT -i lo -j ACCEPT ######################Priorizar o trafego http/https da rede: for PORT in $TOS_SERV do iptables -t mangle -A OUTPUT -o $EXTERNAL -p tcp --dport $PORT -j TOS --set-tos 16 done ######################REDIRECIONANDO PROXY TRANSPARENTE iptables -t nat -I PREROUTING -i $INTERNAL -p tcp -d ! 200.201.174.0/24 \ --dport 80 -j REDIRECT --to-port 3128 ######################Mascaramento #iptables -t nat -A POSTROUTING -s $IP -d 0/0 -j MASQUERADE #iptables -t nat -A POSTROUTING -s $IP -o $EXTERNAL -j MASQUERADE ######################LIBERANDO SSH #iptables -A INPUT -s 10.11.110.18 -p tcp --dport 22 -j ACCEPT #iptables -A INPUT -s 200.195.1.114 -p tcp --dport 22 -j ACCEPT #iptables -A INPUT -p tcp --dport 22 -j DROP ######################OUTLOOK iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 25 -o $EXTERNAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 110 -o $EXTERNAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p udp --dport 53 -o $EXTERNAL ######################Fecha fecha conexao squid por interface de rede iptables -A INPUT -i $EXTERNAL -p tcp --dport 3128 -j DROP ######################PORTAS LIBERADAS #FTP iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 21 -o $EXTERNAL # #HTTPS iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 443 -o $EXTERNAL # #SIG/PROAF iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 6969 -o $EXTERNAL # #DCTF CMPF iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 8017 -o $EXTERNAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 3456 -o $EXTERNAL # #SSH iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 22 -o $EXTERNAL # #BANCO CENTRAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 5024 -o $EXTERNAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 1024 -o $EXTERNAL # #VNC iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 5900 -o $EXTERNAL # #PcAnyWhere iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 5631 -o $EXTERNAL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p udp --dport 5632 -o $EXTERNAL # #Intranets porta 8080 iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 8080 -o $EXTERNAL # #Download Direto Suporte iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 8527 -o $EXTERNAL # #Painel IDMG iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 19638 -o $EXTERNAL # #Terminal Server iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 3389 -o $EXTERNAL # #CONECTIVIDADE CAIXA ECONOMICA iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp -d 200.201.174.207 --dport 80 -o $EXTERNAL # #CPANEL iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 2082 -o $EXTERNAL ######################REDIRECIONAMENTOS #VNC iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to $WIN # #PcAnyWhere iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5631 -j DNAT --to $WIN iptables -t nat -A PREROUTING -i $EXTERNAL -p udp --dport 5632 -j DNAT --to $WIN # #TS #iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 3389 -j DNAT --to $TS ######################Log a portas proibidas e alguns backdoors #Porta FTP iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Servico: FTP" # #Porta Wincrash iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash" # #Portas BackOrifice iptables -A INPUT -p tcp --dport 31337 -j LOG --log-prefix "Servico: BackOrifice" iptables -A INPUT -p tcp --dport 31338 -j LOG --log-prefix "Servico: BackOrifice" # #Bloqueando tracertroute iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL --dport 33435:33525 -j DROP # #Precaucao contra BUG's na traducao de enderecos de rede (NAT) iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP # #Bloqueia Pings vindo de fora iptables -A INPUT -i $EXTERNAL -m state --state NEW -p icmp -j ACCEPT ######################Protege contra pacotes danificados #Portscanners, Ping of Death, ataques DoS, Syb-flood e Etc iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP iptables -A FORWARD -m unclean -j DROP # #Allow all connections OUT and only related ones IN iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT } case $1 in start) echo -n Starting Firewall... add_rules echo "Done" ;; stop) echo -n Stoping Firewall... flush_rules echo "Done" ;; restart) echo -n Restarting Firewall... flush_rules add_rules echo "Done" ;; status) echo "============================ Firewall rules:" iptables -L -n echo "============================ Masquerade tables:" iptables -t nat -L -n echo "============================ Mangle table:" iptables -t mangle -L -n ;; *) echo Usar: "$0 { status | start | stop | restart }" ;; esac
Troca de link em caso de queda de Internet (FAILOVER)
Script que identifica na rede a existência de duplicidades de IPs e MACs que utilizam mais de um IP
Nenhum comentário foi encontrado.
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Tem como instalar o gerenciador AMD Adrenalin no Ubuntu 24.04? (6)