Enviado em 09/06/2015 - 13:46h
Bom dia.
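#!/bin/bash
########################### FIREWALL #####################
##############################################################
# Firewall/NAT script (iptables). Runs as root from the gateway.
# The shebang must be the very first line of the saved file: in the original
# it came after a comment line, so the kernel ignored it and the script ran
# under whatever shell happened to invoke it.
# Carrega os modulos
echo "Modulos do firewall"
# These are the legacy module names (ip_conntrack, ip_nat_ftp, ipt_state...).
# On kernels that only ship the nf_* replacements some of these modprobe calls
# fail; the script does not stop on that, and iptables typically autoloads the
# match/target modules it needs.
modprobe ipt_string
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE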
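#zerando as regras;
echo "Regras default"
# Flush every chain of the filter table, not only the three built-in ones:
# the user-defined FACEBOOK chain created further down otherwise keeps the
# rules of the previous run (its terminal ACCEPT/REJECT would stay ahead of
# the one appended by the new run). "-X" then deletes the now-empty custom
# chains so that "iptables -N" can recreate them cleanly. Note that -X removes
# every user-defined chain of the table, including ones created by other tools.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Alterando a politica das Chains
# NOTE(review): with all three policies set to ACCEPT the host and the
# forwarded traffic are open by default, so every "-A INPUT ... -j ACCEPT"
# rule further down restricts nothing. A default-deny posture would be
# "-P INPUT DROP" / "-P FORWARD DROP" plus an ESTABLISHED,RELATED rule;
# left unchanged here because it changes what the script permits.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT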
# Disabled experiments kept for reference (per-port masquerade, Skype).
#iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,58215,110,465,587,995 -j MASQUERADE
#skype incoming connections
#iptables -A INPUT -p udp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 39856 -j ACCEPT
#iptables -I FORWARD -m string --algo bm --string "skype.com" -j ACCEPT
#Nat da rede
# Masquerade everything that leaves through eth1 (presumably the uplink);
# there is no "-s" match, so any forwarded source gets NAT'd, not just the LAN.
iptables --table nat --append POSTROUTING --out-interface eth1 --jump MASQUERADE
#liberando encaminhamento de pacotes;
# Enable IPv4 forwarding for this boot (not persisted in sysctl.conf).
printf '1\n' > /proc/sys/net/ipv4/ip_forward
# Libera o acesso SSH de qualquer origem
echo "Liberando acesso SSH"
# sshd on 7351 with no -i/-s match: reachable from every interface. Only
# meaningful if the INPUT policy is ever changed away from ACCEPT.
iptables --append INPUT --protocol tcp --destination-port 7351 --jump ACCEPT
# Libera o squid a partir da rede interna
#echo Liberando rede interna
# NOTE(review): the comment says "rede interna", but the rule has neither an
# "-i" nor an "-s" match, so the proxy port is accepted from any interface;
# whether that matters depends on Squid's own http_access rules.
iptables --append INPUT --protocol tcp --destination-port 3128 --jump ACCEPT
#Acesso externo Cameras
echo "acesso as cameras"
# Port 37777 accepted on the firewall itself, both interfaces, tcp and udp
# (the same four INPUT rules as before, generated instead of spelled out).
for proto in tcp udp; do
  for iface in eth0 eth1; do
    iptables -A INPUT -i "$iface" -p "$proto" --dport 37777 -j ACCEPT
  done
done
# Forward + DNAT for the camera host.
# NOTE(review): the tcp FORWARD rule names 192.168.10.219 while the tcp DNAT
# sends the traffic to 192.168.10.90; udp uses .219 in both. One of the two
# tcp addresses looks like a typo — kept as written because it cannot be told
# which one. Not noticeable today because the FORWARD policy is ACCEPT.
iptables -A FORWARD -p tcp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 37777 -j DNAT --to-destination 192.168.10.90:37777
iptables -A FORWARD -p udp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777
#liberar acesso externo siga
echo "Acesso externo Siga"
# Same three port forwards as before (1257, 1299, 1256 -> 192.168.10.90),
# emitted as one INPUT/FORWARD/DNAT triple per port. The INPUT rule does not
# affect the forwarded traffic (DNAT'd packets go through FORWARD, not INPUT).
siga_host=192.168.10.90
for porta in 1257 1299 1256; do
  iptables -A INPUT -i eth0 -p tcp --dport "$porta" -j ACCEPT
  iptables -A FORWARD -p tcp -d "$siga_host" --dport "$porta" -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport "$porta" -j DNAT --to-destination "$siga_host:$porta"
done
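echo "Acesso ao Sql Server"
# External port 9723 is DNAT'd to 192.168.10.91:1433 (MS SQL Server).
# Exposing the database port to the internet on an unusual port is not an
# access control; if this must stay, restrict the sources with "-s" on the
# DNAT/FORWARD rules, or reach the server over a VPN instead.
iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT
# NOTE(review): udp on eth1 only here, while the forwarded service below is
# tcp-only — looks like a leftover; kept as written.
iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT
# FORWARD sees the packet after the PREROUTING DNAT, so the destination port
# is already 1433 here (the original matched 9723 and could never fire) —
# the same convention the TS rules further down use (3390 -> 3389).
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 1433 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433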
#acesso aos servidores via TS
echo "Liberando acesso via TS"
# External port -> internal host, both ending on RDP 3389 (same six rules as
# before). RDP reachable from the internet on "hidden" ports is still RDP
# reachable from the internet; a source restriction or VPN is the usual
# mitigation.
for ts in 3390:192.168.10.90 3391:192.168.10.91; do
  porta_ext=${ts%%:*}
  host=${ts#*:}
  iptables -A INPUT -i eth0 -p tcp --dport "$porta_ext" -j ACCEPT
  iptables -A FORWARD -p tcp -d "$host" --dport 3389 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport "$porta_ext" -j DNAT --to-destination "$host:3389"
done
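#acesso ao BI
echo "Liberando Acesso ao BI"
# Port 7980 accepted on the firewall itself, both interfaces, tcp and udp.
iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT
# FORWARD runs after the PREROUTING DNAT, so the destination port to match is
# 8080 (the original matched 7980 and never fired; harmless only while the
# FORWARD policy is ACCEPT).
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
iptables -A FORWARD -p udp -d 192.168.10.91 --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
# Dead rule, kept for reference: it matches the same traffic as the tcp DNAT
# above, which is evaluated first, so this second DNAT (to :7980) was never
# reached. Decide whether the BI service listens on 8080 or 7980 and keep one.
#iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 7980 -j DNAT --to 192.168.10.91:7980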
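#*************************** BLOQUEIO DO FACEBOOK ***********************************************************
echo "Acesso Facebook"
#BLOQUEIOS FACEBOOK:
# Returns 0 (true) when the HHMM value in $1 falls inside the blocking hours:
# 08:00-12:28 or 13:30-23:58 — exactly the boundaries the original test used
# (12:29-13:29 is the lunch window; 23:59 stays open). "10#" forces base 10
# so that e.g. 0830 is not read as an octal literal.
fb_horario_bloqueio() {
  local hhmm=$1
  (( 10#$hhmm > 759 && 10#$hhmm < 1229 )) ||
    (( 10#$hhmm > 1329 && 10#$hhmm < 2359 ))
}
hora=$(/bin/date +%H%M)
# op=1 -> block, op=2 -> allow. The original wrapped the tests in backticks;
# that only worked because bash falls back to the exit status of the command
# substitution when the command word expands to nothing.
if fb_horario_bloqueio "$hora"; then
  op=1
else
  op=2
fi
# Source addresses exempt from the block, one per line; '#' comments and blank
# lines are skipped. The file is root-owned configuration, and its entries end
# up as "-s" arguments, so keep exactly one address or CIDR per line.
permitidos=$(grep -Ev '(^#|^$)' /etc/squid3/regras/ips_fb)
##BLOQUEIO DO FACEBOOK
# Static list of Facebook ranges as of the original post; such lists go stale
# and need to be re-checked periodically.
FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"
# (Re)create the chain empty on every run. The "-F INPUT/OUTPUT/FORWARD" at
# the top only flush the built-in chains, so the previous run's terminal
# ACCEPT/REJECT would otherwise remain in FACEBOOK ahead of the one appended
# below (an ACCEPT left by a lunch-time run would then beat the new REJECT).
iptables -N FACEBOOK 2>/dev/null || iptables -F FACEBOOK
## FACEBOOK DENY
# Word-splitting on the space-separated list is intended here.
for face in $FACEBOOK_IP_RANGE; do
  iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 443 -j FACEBOOK
  iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 80 -j FACEBOOK
done
FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO #Aqui libera os permitidos.
# Word-splitting on the newline-separated list is intended here.
for MSR_LIBERADO in $FACEBOOK_ALLOW; do
  iptables -I FACEBOOK -s "$MSR_LIBERADO" -j ACCEPT
done
if [ "$op" -eq 1 ]; then
  echo "Bloqueando"
  iptables -A FACEBOOK -j REJECT
else
  # Outside working hours: allowed.
  echo "Liberando"
  iptables -A FACEBOOK -j ACCEPT
fi
#****************************************************************************************************************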
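# Portas padrao
# Port ACLs used by the two generic deny rules below (standard squid.conf set).
acl SSL_ports port 443
acl Safe_ports port 443
#acl Safe_ports port 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Dropped as an active rule: "http_access allow connect SSL_Ports".
# Squid ACL names are case-sensitive, so neither "connect" nor "SSL_Ports"
# matches an acl defined above and Squid reports "ACL not found" for the line
# (fatal at startup on the 3.x series, as far as I know). Spelled correctly it
# would allow ANY client to CONNECT to port 443 before a single source ACL is
# checked, i.e. an unrestricted HTTPS relay; the stock configuration only has
# the deny rule below, and that is what is kept.
#http_access allow CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
# Local network; defined here so later http_access lines can use it.
acl redelocal src 192.168.10.0/24
#http_access allow redelocal
#http_access deny all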
#controle de cache do proxy
# Memory/disk cache sizing.
# NOTE(review): maximum_object_size is 4096 MB while the cache_dir below is
# only 2048 MB, so objects near that maximum can never be stored; the two
# values should be reconciled.
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
maximum_object_size 4096 MB
# Eviction watermarks (percent of cache_dir).
cache_swap_low 85
cache_swap_high 90
# ufs store: 2048 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid3 2048 16 256
# NOTE(review): "cache_access_log" is the old name of this directive; newer
# Squid releases use "access_log <path> [format]" and may warn about or reject
# the old one — check the output of "squid3 -k parse".
cache_access_log /var/log/squid3/access.log
#Controle do arquivo de Log
logfile_rotate 10
# Identity sent as password for anonymous FTP logins.
ftp_user Squid@
#protocolos
# refresh_pattern <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
######Block Video and Audio Streaming##############
# "media" matches on the response Content-Type (rep_mime_type) and is used by
# the http_reply_access line further down; "mediapr" matches on the request
# URL path (urlpath_regex) and is used by http_access.
# NOTE(review): the first rep_mime_type line has no -i, so it is
# case-sensitive, and the "^video/" and "^video\/" lines are the same pattern
# twice (harmless).
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
# URL-path based block of common video file extensions (with optional query
# string); the second and third lines overlap, which is harmless.
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$
#********************************* GERAL *****************************************
# Per-department ACLs. "src" lists hold client addresses, "url_regex" lists
# hold regular expressions matched against the whole URL (case-insensitive,
# -i). Because they are regexes, an unanchored entry such as a bare domain
# matches anywhere in the URL, so entries in the allow lists should be
# anchored/escaped to match only what is intended.
acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"
acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"
# NOTE(review): palavras_bloqueadas is defined but no http_access line in the
# rule section below references it — probably a missing deny.
acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"
acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"
#************************************************************************************
#********************************* COMERCIAL *****************************************
acl comercial src "/etc/squid3/regras/comercial/ips_comercial"
acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"
#********************************* COMPRAS *****************************************
acl compras src "/etc/squid3/regras/compras/ips_compras"
acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"
#********************************* CTP *****************************************
acl ctp src "/etc/squid3/regras/ctp/ips_ctp"
acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"
#********************************* FINANCEIRO *****************************************
acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"
#********************************* INSPECAO *****************************************
acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"
acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"
#********************************* PRODUCAO *****************************************
acl producao src "/etc/squid3/regras/producao/ips_producao"
acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"
#********************************* PCP *****************************************
acl pcp src "/etc/squid3/regras/pcp/ips_pcp"
acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"
#********************************* RH *****************************************
acl rh src "/etc/squid3/regras/rh/ips_rh"
acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"
#********************************* TI *****************************************
acl TI src "/etc/squid3/regras/TI/ips_TI"
acl ips_gestores src "/etc/squid3/regras/geral/ips_gestores"
# Lunch window, Mon-Fri 12:30-13:30 — matches the 12:29-13:29 gap the
# firewall script uses for the Facebook block.
acl almoco time MTWHF 12:30-13:30
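#CONFIGURACAO DAS ACLS
# Evaluated top-down, first match wins; a line with several ACLs requires all
# of them. Sources allowed before the deny lines (TI, ips_geral, rh, and every
# local client during "almoco") bypass sites_bloqueados_geral and mediapr
# entirely — keep that in mind when reordering.
http_access allow TI
http_access allow ips_geral
# Lunch-time free access was "allow almoco" with no source ACL, i.e. any client
# able to reach http_port — and the firewall script accepts port 3128 on every
# interface. Restricted to the LAN (redelocal = 192.168.10.0/24, defined above).
http_access allow redelocal almoco
http_access allow rh
http_access deny sites_bloqueados_geral
http_access deny mediapr
http_reply_access deny media !TI
http_access allow financeiro
http_access allow compras
http_access allow ctp
# Same fix as for "almoco": an unrestricted url_regex allow let any source use
# the proxy to reach the listed sites.
http_access allow redelocal sites_liberados_geral
http_access allow ips_gestores
http_access allow comercial sites_comercial
http_access allow inspecao sites_inspecao
http_access allow producao sites_producao
http_access allow pcp sites_pcp
#http_access allow redelocal
http_access deny all
# Logs the full request/reply headers into access.log, which can include
# Cookie/Authorization values; keep the log's permissions tight or turn it off
# once debugging is done.
log_mime_hdrs on
# Listens on every address. Binding to the LAN address only
# ("http_port <LAN-IP>:3128") would be a second line of defence in addition
# to the source ACLs above.
http_port 3128
#coredump_dir /var/spool/squid3
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320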