souzacarlos
(usa Outra)
Enviado em 21/02/2017 - 16:35h
renatodamasio escreveu:
souzacarlos escreveu:
Bom dia
Como assim quando seta na placa?
O squid e teu Firewall são a mesma máquina?
Network Analyst - Consultor para empresas
contact skype: carlossouzainfo
21 99180-8165 (WhattsApp)
Amigo resumindo configurei tudo e o firewall só funciona se eu dar um:
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
meu firewall esta assim
#!/bin/bash -x
#
# /etc/rc.d/rc.firewall
#
# Start/stop/restart Firewall
#
# To make Firewall start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.firewall
#
################
## Variáris ##
################
# Rede externa eth1 off-board
LanExt=187.49.235.140
# Rede interna eth0 on-board
LanInt=192.168.0.240
Rede=192.168.0.0/24
#############
## Modulos ##
#############
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
####################
### Funç START ###
####################
firewall_start() {
echo "Iniciando o Firewall"
#####################
## Limpa as regras ##
#####################
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
######################
## Politicas padrao ##
######################
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
## Manter conexoes jah estabelecidas para nao parar ##
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Aceita todo o trafego vindo do loopback e indo pro loopback ##
iptables -t filter -A INPUT -i lo -j ACCEPT
###############################
# Proteçs #
###############################
# Configurando a Protecao anti-spoofing
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
# Impedimos que um atacante possa maliciosamente alterar alguma rota
echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) ate seu destino. Junto com spoof, isso se torna muito perigoso.
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Protecao contra responses bogus
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Protecao contra ataques de syn flood (inicio da conexao TCP). Tenta conter ataques de DoS.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Habilita o forward
echo 1 > /proc/sys/net/ipv4/ip_forward
# Protege contra os "Ping of Death"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
# Protege contra port scanners avanços (Ex.: nmap)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 6/m -j ACCEPT
# Bloqueando tracertroute
#iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
# Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j DROP
###############################
# TABELA Input #
###############################
# Liberando dhcpd
#iptables -A INPUT -i eth1 -p udp --sport 67:68 -j LOG --log-level 6 --log-prefix "FIREWALL: DHCPD"
#iptables -A INPUT -s $Rede_lib -p udp --sport 67:68 -j ACCEPT
#######################
### Destino Externo ###
#######################
# Liberando Porta 6622 (SSH)
#iptables -A INPUT -d $LanExt -p tcp --dport 6622 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 6622"
iptables -A INPUT -d $LanExt -p tcp --dport 6622 -j ACCEPT
# Liberando porta 3000 (ntop)
iptables -A INPUT -d $LanExt -p tcp --dport 3000 -j ACCEPT
# Liberando Porta 80 (http)
#iptables -A INPUT -d $LanExt -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP EXT 80"
iptables -A INPUT -d $LanExt -p tcp --dport 80 -j ACCEPT
# Liberando Porta 81 (http Genexis)
#iptables -A INPUT -d $LanExt -p tcp --dport 81 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP EXT 81"
iptables -A INPUT -d $LanExt -p tcp --dport 81 -j ACCEPT
# Liberando porta 53 (DNS)
iptables -A INPUT -d $LanExt -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -d $LanExt -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -d 200.194.238.51 -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -d 200.194.238.51 -p udp --dport 53 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
iptables -A INPUT -d $LanExt -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -d $LanExt -p tcp --dport 20 -j ACCEPT
#######################
### Destino Interno ###
#######################
# Liberando Porta 22 (SSH)
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
iptables -A INPUT -d $LanInt -p tcp --dport 6622 -j ACCEPT
# Liberando Porta 53 (DNS)
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
iptables -A INPUT -d $LanInt -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -d $LanInt -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -d $Rede_lib -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -d $Rede_lib -p udp --dport 53 -j ACCEPT
# Liberando Porta 80 (http)
#iptables -A INPUT -d $LanInt -p tcp --dport 80 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80"
iptables -A INPUT -d $LanInt -p tcp --dport 80 -j ACCEPT
# Liberando Porta 81 (http Genexis)
#iptables -A INPUT -d $LanInt -p tcp --dport 81 -j LOG --log-level 6 --log-prefix "FIREWALL: HTTP INT 80"
iptables -A INPUT -d $LanInt -p tcp --dport 81 -j ACCEPT
# Liberando Porta 21 (ftp)
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
iptables -A INPUT -d $LanInt -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -d $LanInt -p tcp --dport 20 -j ACCEPT
# Libera o proxy 3128 (teste)
iptables -A INPUT -d $LanInt -p tcp --dport 3128 -j ACCEPT
#iptables -A INPUT -s $Rede_lib -j ACCEPT
###############################
# TABELA Forward #
###############################
#iptables -A FORWARD -i eth1 -p tcp --dport 443 -j DROP
###LIBERA CAIXA MAQUINA LOBINHO###2012-06-06
iptables -A FORWARD -s 192.168.0.14 --protocol tcp --dport 2631 -j ACCEPT
###LIBERA CAGED MAQUINA LOBINHO###2012-06-06
iptables -A FORWARD -s 192.168.0.14 --protocol tcp --dport 2500 -j ACCEPT
# Micro do Renato passa direto
iptables -A FORWARD -s 192.168.0.19 -j ACCEPT
# Micro do VMTI passa direto
iptables -A FORWARD -s 192.168.0.244 -j ACCEPT
# Micro do RH passa Direto 17/09/2014
iptables -A FORWARD -s 192.168.0.14 -j ACCEPT
# Liberando Porta 110 (pop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 110 -j ACCEPT
# Liberando Porta 995 (spop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 995 -j ACCEPT
# Liberando Porta 25 (smtp)
iptables -A FORWARD -s $Rede -p tcp --dport 25 -j ACCEPT
# Liberando Porta 81 (Genexis)
iptables -A FORWARD -s $Rede -p tcp --dport 81 -j ACCEPT
# Liberando Porta 465 (smtp-s)
iptables -A FORWARD -s $Rede -p tcp --dport 465 -j ACCEPT
# Liberando Porta 443 (http-s)
#iptables -A FORWARD -s $Rede -p tcp --dport 443 -j ACCEPT
# Liberando porta 53 (DNS)
iptables -A FORWARD -s $Rede -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 53 -j ACCEPT
# Liberando acesso a Rede 192.168.1.0/24 #
#iptables -A FORWARD -s $Rede_lib -j ACCEPT
# Regrat forward para o funcionamento de redirecionamento de portas (NAT)
# Redirecionando porta 5900 (VNC)
iptables -A FORWARD -s 201.14.191.172 -i eth0 -p tcp --dport 5900 -j ACCEPT
# Redirecionamento para o FTP da maquina local servidora dos PALMS
iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
# Redirecionamento WTS
iptables -A FORWARD -i eth1 -p tcp --dport 3352 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3353 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3354 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3356 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3357 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3359 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3340 -j ACCEPT# Redirecionamento lavendereweb - Carrus
iptables -A FORWARD -i eth1 -p tcp --dport 7070 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 6060 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 7070 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 6060 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 8080 -j ACCEPT
# Redirecionamento carrus
#iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
# Redirecionamento cameras
# WEB
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
# Descobrir
iptables -A FORWARD -i eth1 -p tcp --dport 554 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 664 -j ACCEPT
# Celular
iptables -A FORWARD -i eth1 -p tcp --dport 3777 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 3888 -j ACCEPT
###############################
######### TABELA NAT ## #######
###############################
# Acesso ao conexao segura da caixa
iptables -t nat -A PREROUTING -p tcp -d 200.201.174.207 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.174.207 -j ACCEPT
# Redireconamento de portas
# VNC Para algum micro (192.168.0.203 = Renato)
#iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 5900 -j DNAT --to 192.168.0.203:5900
# Proxy transparente #
iptables -t nat -A PREROUTING -s $Rede -d srvwebmet.genexis.com -p tcp --dport 81 -j ACCEPT
#iptables -t nat -A PREROUTING -s $Rede_lib -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s $Rede -d srvwebmet.genexis.com -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -s $Rede -p tcp --dport 80 -j REDIRECT --to-ports 3128
#iptables -t nat -A PREROUTING -s $Rede -p tcp --dport 443 -j REDIRECT --to-port 3128
# Redirecionamento para o FTP da maquina local servidora dos PALMS
#iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 21 -j DNAT --to 192.168.0.101:21
#### Redirecionamento WTS ###
#Direcionamento hv03
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3352 -j DNAT --to 192.168.0.252:3389
#Direcionamento HV01
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3353 -j DNAT --to 192.168.0.242:3389
#Direcionamento SRVTI
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3354 -j DNAT --to 192.168.0.244:3389
#Direcionamento HV02
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3356 -j DNAT --to 192.168.0.241:3389
#Direcionamento SRVDB
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3357 -j DNAT --to 192.168.0.251:3389
#Direcionamento SANDRO
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3359 -j DNAT --to 192.168.0.5:3389
#Direcionamento Maquina programador
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3340 -j DNAT --to 192.168.0.17:3389
#### Redirecionamento WTS ###
### Redirecionamento lavendereweb ###
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 7070 -j DNAT --to 192.168.0.252:7070
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 6060 -j DNAT --to 192.168.0.252:6060
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 8080 -j DNAT --to 192.168.0.252:8080
iptables -t nat -A PREROUTING -d $LanExt -p udp --dport 7070 -j DNAT --to 192.168.0.252:7070
iptables -t nat -A PREROUTING -d $LanExt -p udp --dport 6060 -j DNAT --to 192.168.0.252:6060
iptables -t nat -A PREROUTING -d $LanExt -p udp --dport 8080 -j DNAT --to 192.168.0.252:8080
#Direcionamento intelbras 01
# WEB
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 8081 -j DNAT --to 192.168.0.199:80
# Descobrir
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 554 -j DNAT --to 192.168.0.199:554
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 664 -j DNAT --to 192.168.0.198:664
# Celular
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3777 -j DNAT --to 192.168.0.199:3777
iptables -t nat -A PREROUTING -d $LanExt -p tcp --dport 3888 -j DNAT --to 192.168.0.198:3888
# Mascaramento de rede para acesso externo #
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
### Bloqueia todo o resto ###
#iptables -A INPUT -p tcp -j LOG --log-level 6 --log-prefix "FIREWALL: GERAL "
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
}
###################
### Funcao stop ##
###################
firewall_stop() {
echo "Parando firewall e funcionando apenas com mascaramento"
# Limpa as regras #
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Politicas padrao #
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Manter conexoes jah estabelecidas para nao parar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o trafego vindo do loopback e indo pro loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
###############################
# Proteçs #
###############################
# Protege contra os "Ping of Death"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
# Protege contra os ataques do tipo "Syn-flood, DoS, etc"
iptables -A INPUT -p tcp -m limit --limit 20/m -j ACCEPT
# Logar os pacotes mortos por inatividade ...
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 6 --log-prefix "FIREWALL: Pacotes mortos"
# Protege contra port scanners avanços (Ex.: nmap)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 20/m -j ACCEPT
# Bloqueando tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j REJECT
# Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j DROP
###############################
######### TABELA NAT ## #######
###############################
# Proxy transparente #
#iptables -t nat -A PREROUTING -s $Rede -p tcp --dport 80 -j REDIRECT --to 3128
# Mascaramento de rede para acesso externo #
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo "Regras Limpas e Firewall desabilitado"
}
firewall_restart() {
echo "Reiniciando Firewall"
firewall_stop
sleep 3
firewall_start
echo "Firewall Reiniciado"
}
case "$1" in
'start')
firewall_start
echo "Firewall Iniciado"
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "Opçs possÃis:"
echo "firewall.sh start"
echo "firewall.sh stop"
echo "firewall.sh restart"
esac
Boa tarde
Olhei teu firewall superficialmente, vi bastante coisas desnecessária ou errada então nem continuei vendo, mas vamos lá"
Essa regra < # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE > vc sabe pra que é né?
Porque pra mim ela faz todo sentido, não entendo onde está o problema
Explane por favor teu problema
Network Analyst - Consultor para empresas
contact skype: carlossouzainfo
21 99180-8165 (WhattsApp)