michelrbc
(usa Red Hat)
Enviado em 18/08/2011 - 09:50h
Seguem meus arquivos.
Outra coisa que pude perceber é que alguns sites (bancos, principalmente) só funcionam por https se o proxy estiver configurado no IE.
##########Firewall#############
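#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# rc.local for the 192.168.0.0/24 gateway: sets the clock, then resets
# iptables so the rules that follow start from a clean slate on every boot
# (and on a manual re-run of this script).
touch /var/lock/subsys/local
# Sync the server clock against the public pool. If DNS/network is not up
# yet this just prints an error and we carry on: the script does not use
# 'set -e', so no command here is fatal.
ntpdate -u pool.ntp.org
# Reset the filter and nat tables. Flush (-F) BEFORE delete (-X): -X refuses
# to remove a user-defined chain that still holds rules or is still referenced
# from another chain, so the original -X-then-F order left the FACEBOOK chain
# behind and made the later 'iptables -N FACEBOOK' fail on a re-run.
iptables -F
iptables -t nat -F
iptables -X
# NOTE(review): no default policy (-P) is set anywhere in this script, so
# INPUT, FORWARD and OUTPUT stay at ACCEPT and only the explicit DROP/REJECT
# rules below restrict traffic; everything else (including services on the
# firewall itself) is reachable.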
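#==========================PROTECTIONS=============================
# Drop malformed/suspicious packets.
# NOTE(review): the 'unclean' match was removed from 2.6-series kernels; on
# such a kernel this line only prints an error and adds no rule. Harmless,
# but effectively dead.
iptables -A FORWARD -m unclean -j DROP
# No ping through the firewall: every forwarded echo-request is dropped.
# (The original follow-up rule accepting 1 echo-request/s was unreachable,
# because this DROP already matched every such packet; it has been removed.)
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
# Against SMURF: refuse echo-requests aimed at the firewall itself.
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
# Against port scanners and SYN abuse: drop TCP packets with flag
# combinations that never occur in a real connection (NULL and SYN/FIN
# scans) and "new" connections that do not start with a SYN. '-m state'
# autoloads the conntrack module.
# The original "SYN-FLOOD" and "scanner" rules were rate-limited ACCEPTs with
# no DROP behind them: with FORWARD policy ACCEPT they limited nothing, and
# because they sat in front of the DROP rules further down they let the
# first few TCP packets per second reach otherwise blocked destinations
# (Orkut, Yahoo, Ultrasurf nets). They are replaced by the DROPs below.
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP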
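# NAT / connection tracking modules.
# NOTE(review): these are the 2.6.18-era (RHEL5) module names; on 2.6.20+
# kernels they are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp (normally
# autoloaded by iptables anyway), so a modprobe error here is not fatal.
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack
# eth0 is the external interface: masquerade everything leaving through it.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow "Conectividade Social" (Caixa) in both directions.
# NOTE: hostname destinations are resolved once, when this script runs at
# boot. If DNS is not up yet the rule is skipped with an error, if the name
# resolves to several addresses one rule per address is added, and if the
# name later moves the rule keeps the stale address.
for host in obsupgdp.caixa.gov.br cmt.caixa.gov.br; do
  iptables -A FORWARD -s 192.168.0.0/24 -d "$host" -j ACCEPT
  iptables -A FORWARD -s "$host" -d 192.168.0.0/24 -j ACCEPT
done
# Whole Caixa block. Written as a full dotted quad: the original
# '200.201.160/20' is not a four-octet address, so iptables rejects it and
# that rule was never loaded. Confirm this is the intended range.
iptables -A FORWARD -p tcp -d 200.201.160.0/20 -j ACCEPT
# ACCEPT in nat/PREROUTING means "apply no NAT to this packet": Caixa traffic
# bypasses the Squid REDIRECT below and goes direct.
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT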
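# Transparent proxy: send LAN web traffic (TCP/80) to Squid on 3128.
# A packet arriving on eth0 with a forged 192.168.0.x source would also be
# redirected, but it then lands in INPUT as '-i eth0 --dport 3128' and is
# dropped by the rule below, so no extra interface match is needed here.
# (The original also REDIRECTed UDP/80; Squid only speaks TCP, so that rule
# just sent UDP into a port nothing listens on. It has been removed.)
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Squid must not be reachable from the Internet.
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP
###### Port forwards for remote desktop to LAN machines
# NOTE(review): these publish RDP (3389) on the Internet with no source
# restriction, and FORWARD policy is ACCEPT so nothing else gates them. If
# the remote users have fixed addresses, add '-s <allowed-address>' to each
# rule; otherwise a VPN is the usual answer.
# Braz's PC
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8000 -j DNAT --to-destination 192.168.0.53:3389
# Alberto's PC
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.29:3389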
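# BLOCK ORKUT OVER HTTPS
# One DROP per chain: INPUT/OUTPUT cover the firewall host itself, FORWARD
# covers the LAN (only FORWARD matters for the clients).
# NOTE: the two literal addresses are Google front-ends, so this also drops
# other Google services served from them; hostnames are resolved once, when
# the script runs.
# Two defects of the original are fixed here: the three www.orkut.com
# commands were split across two lines (the shell then ran 'www.orkut.com'
# as a command), and the orkut.com INPUT rule used port 433 instead of 443.
for host in 216.239.51.85 216.239.37.85 images.orkut.com www.orkut.com orkut.com; do
  for chain in INPUT OUTPUT FORWARD; do
    iptables -t filter -A "$chain" -d "$host" -p tcp --dport 443 -j DROP
  done
done
# BLOCK YAHOO LOGIN OVER HTTPS
for chain in INPUT OUTPUT FORWARD; do
  iptables -t filter -A "$chain" -d login.yahoo.com -p tcp --dport 443 -j DROP
done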
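# BLOCK FACEBOOK OVER HTTPS (and HTTP), except for the hosts listed below.
# Space-separated list of LAN addresses allowed through (word-split on
# purpose in the loop further down).
FACEBOOK_ALLOW="192.168.0.1"
# Create the chain, or empty it if it survived a previous run, so the script
# can be re-run without 'iptables -N' failing and rules piling up.
iptables -N FACEBOOK 2>/dev/null || iptables -F FACEBOOK
# NOTE(review): these ranges are a 2011 snapshot of Facebook's allocations
# and will not stay complete.
# '-I' puts each rule at the head of FORWARD, ahead of everything appended
# above it; the jump order among these six does not matter.
for port in 443 80; do
  for range in 66.220.144.0-66.220.159.255 69.63.176.0-69.63.191.255 204.15.20.0-204.15.23.255; do
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$range" --dport "$port" -j FACEBOOK
  done
done
## FACEBOOK ALLOW
for face in $FACEBOOK_ALLOW; do
  iptables -A FACEBOOK -s "$face" -j ACCEPT
done
iptables -A FACEBOOK -j REJECT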
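##########################################
# ULTRASURF BLOCKED UP TO VERSION 10.10  #
##########################################
# All of these are DROPs inserted at the head of FORWARD, so their relative
# order is irrelevant.
# Ports Ultrasurf was seen using (the original listed 19769 twice; once is
# enough).
for port in 19769 55433 33190 23620 3103 3162 2000:3000; do
  iptables -I FORWARD -p tcp --dport "$port" -j DROP
done
# Ultrasurf relay networks, both directions.
for net in 65.49.2.0/24 65.49.14.0/24 208.43.202.0/24; do
  iptables -I FORWARD -p tcp -d "$net" -j DROP
  iptables -I FORWARD -p tcp -s "$net" -j DROP
done
# NOTE(review): the following blocks HTTPS to and from entire /8s (mostly
# APNIC space) — a very wide net with collateral damage to every ordinary
# site hosted there. Kept as the author had it; consider narrowing it.
for net in 114.0.0.0/8 112.0.0.0/8 59.0.0.0/8 118.0.0.0/8 61.0.0.0/8 1.0.0.0/8 122.0.0.0/8 124.0.0.0/8 111.0.0.0/8; do
  iptables -I FORWARD -d "$net" -p tcp --destination-port 443 -j DROP
  iptables -I FORWARD -s "$net" -p tcp --destination-port 443 -j DROP
done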
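# MSN
# Per-host ACCEPTs for MSN (port 1863 and the Passport login host). They only
# have an effect if a REJECT for the rest of the LAN comes after them — and
# every such REJECT below is commented out, so right now these are no-ops
# (FORWARD policy is ACCEPT anyway).
# Both hosts were labelled "Tmax Michel" in the original.
for host in 192.168.0.3/32 192.168.0.10/32; do
  iptables -A FORWARD -s "$host" -p tcp --dport 1863 -j ACCEPT
  iptables -A FORWARD -s "$host" -d loginnet.passport.com -j ACCEPT
done
# The rules below would block every other LAN host from MSN. Left disabled,
# as in the original. NOTE(review) before enabling any of them: '-A Filter'
# and '-A filter' name a chain that does not exist ('-t filter -A FORWARD'
# was presumably meant) and 'OUPUT' is a typo for OUTPUT; those lines would
# fail to load.
#iptables -t filter -A FORWARD -d col110.mail.live.com -p tcp --dport 443 -j DROP
#iptables -A Filter -d gateway.messenger.hotmail.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d config.messenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d 200.46.110.0/24 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d 64.4.13.0/24 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.ca -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d webmessenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d c.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d tkfiles.storage.msn.com -j REJECT
#iptables -A filter -d gateway.messenger.hotmail.com -j REJECT
#iptables -A filter -d gw.msnmessenger.akadns.net -j REJECT
#iptables -t filter -A INPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A OUPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A FORWARD -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A INPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
#iptables -t filter -A OUPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
#iptables -t filter -A FORWARD -d urs.microsoft.com -p tcp --dport 443 -j DROP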
############Squid 3.1.4#################
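# Intercepting proxy for the 192.168.0.0/24 LAN; the firewall REDIRECTs
# TCP/80 here. 'transparent' is the older spelling of 'intercept' in 3.1.
http_port 3128 transparent
visible_hostname proxyserver
dns_nameservers 8.8.8.8
# Cache configuration
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
# Location of the Squid access log
# NOTE(review): 'cache_access_log' is the Squid 2.x directive name; 3.x calls
# it 'access_log'. Confirm 3.1.4 still accepts this spelling.
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# The LAN. Defined up here because an ACL must be declared before the first
# http_access line that uses it (the lunch rule below).
acl rede_local src 192.168.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Unfiltered access during lunch.
# Restricted to the LAN: the original 'http_access allow almoco' carried no
# source ACL, so between 11:45 and 12:45 Squid accepted requests from any
# client that could reach port 3128 — an open proxy, held back only by the
# iptables DROP on eth0.
acl almoco time 11:45-12:45
http_access allow almoco rede_local
# Filters by word, domain, MSN and download
acl sites_bloqueados dstdom_regex "/etc/squid/sites_proibidos.txt"
acl bloqueia_msn dstdom_regex "/etc/squid/bloqueia_msn.txt"
acl palavras_bloqueadas url_regex -i "/etc/squid/palavras_block.txt"
# Download extensions. The dots are escaped: an unescaped '.' matches any
# character, so '.exe$' also matched URLs merely ending in 'exe'. Note that
# '$' anchors on the full URL, so 'file.exe?x=1' is not caught.
acl bloqueia_downloads url_regex -i \.exe$ \.iso$ \.mp3$ \.msi$ \.mjpg$ \.mpeg$ \.mp4$ \.rom$
# Hosts exempt from the site and MSN filters
# NOTE(review): neither ACL is referenced by an active http_access line while
# the four 'deny' rules below stay commented out.
acl ips_liberados src "/etc/squid/ips_liberados.txt"
acl ips_msn_liberado src "/etc/squid/ips_msn_liberado.txt"
# Hosts with restricted access and their additional restrictions
acl ips_restritos src "/etc/squid/ips_restritos.txt"
acl restricoes_adicionais dstdom_regex "/etc/squid/restricoes_adicionais.txt"
#http_access deny sites_bloqueados !ips_liberados
#http_access deny bloqueia_msn !ips_liberados !ips_msn_liberado
#http_access deny palavras_bloqueadas !ips_liberados
#http_access deny bloqueia_downloads !ips_liberados
http_access allow localhost
# With the deny rules above disabled, LAN hosts that are not in
# ips_restritos get no filtering at all; only the restricted hosts are
# subject to the site, word and download lists.
http_access allow rede_local !ips_restritos
http_access allow ips_restritos !restricoes_adicionais !sites_bloqueados !palavras_bloqueadas !bloqueia_downloads
# Deny everything else (external clients included)
http_access deny all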