Bom dia.
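#!/bin/bash
########################### FIREWALL #####################
##############################################################
# Gateway firewall: loads the netfilter modules, resets the rule set, enables
# NAT/forwarding, publishes a handful of internal services (DNAT) and applies
# a time-based block of Facebook address ranges.
#
# Usage: run as root (iptables, modprobe and the /proc/sys write need it).
#
# NOTE(review): the shebang must be the very first line of the file for the
# kernel to honour it; in the original two comment lines preceded it.
#
# NOTE(review): INPUT, FORWARD and OUTPUT are all left at policy ACCEPT, so
# the "-j ACCEPT" rules below only document intent -- nothing that is not
# listed here is blocked. Moving INPUT/FORWARD to DROP is a separate change
# that needs a tested allow-list (at least the SSH port and
# ESTABLISHED,RELATED traffic) first.
#
# NOTE(review): interface roles are not stated. The MASQUERADE on eth1
# suggests eth1 is the uplink, yet most "external access" rules match eth0 --
# confirm which side is which before relying on the -i filters.
#
# Deliberately no "set -e": a module name the running kernel no longer has
# (several of the names below are from older kernels) would otherwise abort
# the script half-way and leave a partially applied rule set.

#######################################
# Load the netfilter modules used below, in the original order.
# modprobe errors are left visible on stderr.
#######################################
load_modules() {
  echo Modulos do firewall
  local mod
  for mod in ipt_string ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
      iptable_nat ip_nat_ftp ipt_LOG ipt_state ipt_MASQUERADE; do
    modprobe "$mod"
  done
}

#######################################
# Flush INPUT/OUTPUT/FORWARD and the whole nat and mangle tables, then set
# the default policies. User-defined chains in the filter table (FACEBOOK)
# are NOT flushed here -- facebook_policy takes care of its own chain.
#######################################
reset_rules() {
  echo Regras default
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -t nat -F
  iptables -t mangle -F
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

#######################################
# Masquerade traffic leaving through eth1 and turn on IPv4 forwarding.
# Rules that were disabled in the original, kept for reference only:
#   iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,58215,110,465,587,995 -j MASQUERADE
#   # skype incoming connections
#   iptables -A INPUT -p udp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 39856 -j ACCEPT
#   iptables -I FORWARD -m string --algo bm --string "skype.com" -j ACCEPT
#######################################
setup_nat() {
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  echo "1" > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Open the gateway's own service ports and publish internal hosts via DNAT.
# Rule order, interfaces and addresses are kept exactly as in the original;
# the NOTE(review) comments mark the spots that look like mistakes.
#
# Reminder for when the FORWARD policy is ever tightened: FORWARD sees the
# packet AFTER PREROUTING DNAT, so a FORWARD rule must match the internal
# port (e.g. 1433, 8080), not the external one.
#######################################
allow_services() {
  # SSH on a non-standard port, from any interface and any source.
  echo Liberando acesso SSH
  iptables -A INPUT -p tcp --dport 7351 -j ACCEPT

  # Squid. NOTE(review): no -i/-s restriction, so the proxy port is reachable
  # from the uplink as well, although the original comment says "from the
  # internal network". Add -s 192.168.10.0/24 (the LAN used in the squid
  # ACLs) or the internal -i if that is the intent.
  iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

  # Cameras: TCP and UDP 37777 on both interfaces, published from outside.
  # NOTE(review): the TCP FORWARD rule accepts traffic to .219 while the TCP
  # DNAT targets .90; UDP uses .219 in both. One of the two addresses is
  # probably a typo -- confirm which host runs the camera service. (With
  # FORWARD at policy ACCEPT the mismatch has no visible effect today.)
  echo "acesso as cameras"
  iptables -A INPUT -i eth0 -p tcp --dport 37777 -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 37777 -j ACCEPT
  iptables -A INPUT -i eth0 -p udp --dport 37777 -j ACCEPT
  iptables -A INPUT -i eth1 -p udp --dport 37777 -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.219 --dport 37777 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 37777 -j DNAT --to-destination 192.168.10.90:37777
  iptables -A FORWARD -p udp -d 192.168.10.219 --dport 37777 -j ACCEPT
  iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777

  # "Siga" application on 192.168.10.90: same port inside and outside.
  echo Acesso externo Siga
  local port
  for port in 1257 1299 1256; do
    iptables -A INPUT -i eth0 -p tcp --dport "$port" -j ACCEPT
    iptables -A FORWARD -p tcp -d 192.168.10.90 --dport "$port" -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "192.168.10.90:$port"
  done

  # SQL Server: external TCP 9723 -> 192.168.10.91:1433.
  # NOTE(review): the UDP 9723 rule only opens that port on the gateway
  # itself (no FORWARD/DNAT counterpart), and the FORWARD rule matches
  # --dport 9723 although the packet has already been rewritten to 1433.
  # A database reachable from the uplink on any port is still exposed; if
  # remote access is needed, an SSH/VPN tunnel is the safer route.
  echo Acesso ao Sql Server
  iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT
  iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 9723 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433

  # Terminal Services (RDP): 3390 -> .90:3389 and 3391 -> .91:3389.
  echo Liberando acesso via TS
  iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 3389 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389
  iptables -A INPUT -i eth0 -p tcp --dport 3391 -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 3389 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389

  # BI: external 7980 (TCP and UDP) -> 192.168.10.91:8080.
  # NOTE(review): the last PREROUTING rule (tcp 7980 -> .91:7980) comes after
  # the tcp 7980 -> .91:8080 rule; the nat table stops at the first match, so
  # it never fires. Kept as in the original -- drop it, or move it first,
  # once the intended target port is known. The FORWARD rules here match
  # --dport 7980 and so never see the post-DNAT packets (dport 8080).
  echo Liberando Acesso ao BI
  iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT
  iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT
  iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT
  iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 7980 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
  iptables -A FORWARD -p udp -d 192.168.10.91 --dport 7980 -j ACCEPT
  iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
  iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 7980 -j DNAT --to 192.168.10.91:7980
}

#######################################
# Returns 0 when the current local time is inside working hours
# (08:00-12:28 or 13:30-23:58), i.e. the window in which Facebook is blocked.
# Same boundaries as the original comparison; 12:29, 13:29 and 23:59 fall
# outside the window exactly as before.
#######################################
in_working_hours() {
  local hora
  hora=$(/bin/date +%H%M)
  # 10# forces base 10: "0800" would otherwise be parsed as octal in (( )).
  hora=$((10#$hora))
  (( (hora > 759 && hora < 1229) || (hora > 1329 && hora < 2359) ))
}

#######################################
# Build the FACEBOOK chain: every TCP 80/443 flow to the listed ranges is
# sent to it; hosts in the allow-list file are accepted, everybody else is
# REJECTed during working hours and ACCEPTed outside them.
# Globals:   none
# Reads:     /etc/squid3/regras/ips_fb  (allow-list, one entry per
#            whitespace-separated token; '#' lines and blank lines ignored)
#
# NOTE(review): the address ranges are a static snapshot and such lists go
# stale (new prefixes, CDN edges); refresh them periodically from the
# operator's published ranges or the block will silently erode.
#######################################
facebook_policy() {
  echo "Acesso Facebook"
  local -r allow_list=/etc/squid3/regras/ips_fb
  local -r fb_ranges="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"

  # Create the chain on the first run; on later runs flush it instead.
  # Without this every re-run appended another REJECT/ACCEPT and duplicated
  # the allow rules (reset_rules only flushes the built-in chains), so an
  # earlier ACCEPT could shadow the REJECT added during working hours.
  iptables -N FACEBOOK 2>/dev/null || iptables -F FACEBOOK

  local face
  for face in $fb_ranges; do   # deliberate word-splitting of the range list
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 443 -j FACEBOOK
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 80 -j FACEBOOK
  done

  # Allow-listed sources bypass the block. Tokens are whitespace-split, as in
  # the original, so several entries per line are accepted.
  local permitido
  for permitido in $(grep -Ev '(^#|^$)' "$allow_list"); do
    iptables -I FACEBOOK -s "$permitido" -j ACCEPT
  done

  if in_working_hours; then
    echo "Bloqueando"
    iptables -A FACEBOOK -j REJECT
  else
    echo "Liberando"
    iptables -A FACEBOOK -j ACCEPT
  fi
}

main() {
  load_modules
  reset_rules
  setup_nat
  allow_services
  facebook_policy
}

main "$@"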
# Squid 3 proxy configuration (the paths below point at /etc/squid3/).
# Sections: safe/SSL ports, cache sizing, media blocking, per-department
# allow-lists, then the http_access evaluation order (first match wins).
#
# NOTE(review): the line `http_access allow connect SSL_Ports` below uses
# names that differ in case from the ACLs defined here (CONNECT, SSL_ports).
# If the installed Squid treats ACL names as case-sensitive the file fails to
# load; if it treats them as case-insensitive, that line allows any CONNECT
# to port 443 from ANY client before any src ACL is evaluated -- an open
# CONNECT proxy on 3128, which the firewall leaves reachable on every
# interface. Either remove it or move it after `redelocal` is defined and
# write it as `http_access allow redelocal CONNECT SSL_ports`.
# Standard ports
acl SSL_ports port 443
acl Safe_ports port 443
#acl Safe_ports port 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https (duplicate of the entry above; harmless)
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# See the NOTE(review) at the top: undefined/miscased names, no src restriction.
http_access allow connect SSL_Ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
# Internal LAN. Defined here but only referenced in commented-out rules below.
acl redelocal src 192.168.10.0/24
#http_access allow redelocal
#http_access deny all
# Proxy cache tuning
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
maximum_object_size 4096 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid3 2048 16 256
# NOTE(review): cache_access_log is the pre-Squid-3 name of this directive;
# current releases call it access_log -- check the startup log for a
# deprecation/unrecognised-directive warning on this line.
cache_access_log /var/log/squid3/access.log
# Log rotation
logfile_rotate 10
ftp_user Squid@
# Freshness rules (minutes): min age, percent of object age, max age
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
######Block Video and Audio Streaming##############
# "media" matches on the reply MIME type, "mediapr" on the URL path.
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$
#********************************* GERAL (general) *****************************************
# Per-department lists live in files; src lists hold client IPs, url_regex
# lists hold case-insensitive URL patterns.
acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"
acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"
acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"
acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"
#************************************************************************************
#********************************* COMERCIAL (sales) *****************************************
acl comercial src "/etc/squid3/regras/comercial/ips_comercial"
acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"
#********************************* COMPRAS (purchasing) *****************************************
acl compras src "/etc/squid3/regras/compras/ips_compras"
acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"
#********************************* CTP *****************************************
acl ctp src "/etc/squid3/regras/ctp/ips_ctp"
acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"
#********************************* FINANCEIRO (finance) *****************************************
acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"
#********************************* INSPECAO (inspection) *****************************************
acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"
acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"
#********************************* PRODUCAO (production) *****************************************
acl producao src "/etc/squid3/regras/producao/ips_producao"
acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"
#********************************* PCP *****************************************
acl pcp src "/etc/squid3/regras/pcp/ips_pcp"
acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"
#********************************* RH (HR) *****************************************
acl rh src "/etc/squid3/regras/rh/ips_rh"
acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"
#********************************* TI (IT) *****************************************
acl TI src "/etc/squid3/regras/TI/ips_TI"
acl ips_gestores src "/etc/squid3/regras/geral/ips_gestores"
# Lunch break, Monday-Friday. Unrestricted browsing during this window.
acl almoco time MTWHF 12:30-13:30
# ACL evaluation order: first matching http_access line wins.
# TI, ips_geral and the lunch window are allowed before any deny, so those
# clients bypass sites_bloqueados_geral and mediapr entirely.
http_access allow TI
http_access allow ips_geral
# NOTE(review): no src ACL here, so between 12:30 and 13:30 every client that
# can reach port 3128 is allowed, not only the LAN. Consider
# `http_access allow redelocal almoco`.
http_access allow almoco
http_access allow rh
http_access deny sites_bloqueados_geral
http_access deny mediapr
# Replies with a media MIME type are dropped unless the client is in TI.
http_reply_access deny media !TI
http_access allow financeiro
http_access allow compras
http_access allow ctp
http_access allow sites_liberados_geral
http_access allow ips_gestores
# Two ACLs on one line are ANDed: client in the department AND URL on its list.
http_access allow comercial sites_comercial
http_access allow inspecao sites_inspecao
http_access allow producao sites_producao
http_access allow pcp sites_pcp
#http_access allow redelocal
# sites_rh, sites_compras, sites_ctp, sites_financeiro and palavras_bloqueadas
# are defined above but never referenced; presumably leftovers -- verify.
http_access deny all
log_mime_hdrs on
# NOTE(review): no address given, so Squid listens on every interface; binding
# to the LAN address only (http_port <lan-ip>:3128) limits exposure, since the
# firewall accepts tcp/3128 from any interface.
http_port 3128
#coredump_dir /var/spool/squid3
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320