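#!/bin/bash
# Gateway firewall: masquerades a LAN on eth1 (192.168.1.0/24) out through
# eth0, forces LAN HTTP through a local Squid on port 3128 and blacklists a
# set of IM / P2P services in the FORWARD chain.
#
# Changes in this revision compared with the original rule set:
#   * Chain policies are now set explicitly. The original never set one, so
#     with the kernel default (ACCEPT) every rule ending in ACCEPT was a no-op
#     and the gateway itself accepted any inbound connection arriving on eth0.
#     Policies are reset to ACCEPT before the flush and only tightened to
#     DROP at the very end, so a rule that fails to load half-way through
#     cannot lock the administrator out.
#   * `-m unclean` was replaced. That match was a 2.4-era experimental module
#     that no longer exists, so the rule simply failed to load; dropping
#     conntrack INVALID packets is the supported equivalent.
#   * Exact duplicate rules were collapsed (same Gnutella/FastTrack ports were
#     listed two or three times). No other rule was removed.
#   * The two DATASUS port rules that had no source address are now limited
#     to the LAN, matching the three rules right above them.
#
# Limits worth knowing before relying on this script:
#   * No IPv6 rules at all. If eth0 has IPv6 connectivity none of this
#     filtering applies to it (ip6tables is a separate rule set).
#   * Port- and hostname-based blocks (1863, 5190, 6346, ...) are advisory:
#     a client using another port, HTTPS or a VPN walks straight past them.
#   * Hostnames in rules are resolved ONCE, when the rule is inserted. If DNS
#     is unavailable at boot that rule fails to insert, and the rule never
#     follows later address changes.
#   * ip_forward is switched on via /proc and does not survive a reboot.
set -u

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
SQUID_PORT=3128

### Reset. Policies are made permissive *before* flushing so that re-running
### the script never cuts the host off while the rules are being reloaded.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# Drop user-defined chains in every table, not only filter.
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Zero the packet/byte counters.
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
echo "Limpando as regras .................[ OK ]"

### Kernel modules. iptables autoloads most of these on demand; the ones that
### really need an explicit load are the FTP conntrack/NAT helpers, without
### which active/passive FTP through the masquerade breaks. Module names have
### changed between kernel generations, so each candidate list is tried in
### order and only a complete miss is reported.
### NOTE(review): on kernels >= 4.7 automatic helper assignment is disabled by
### default (net.netfilter.nf_conntrack_helper=0); loading the ftp modules
### alone is then not enough — confirm on the target kernel.
load_module() {
  local name
  for name in "$@"; do
    modprobe "$name" 2>/dev/null && return 0
  done
  echo "aviso: nenhum destes modulos pode ser carregado: $*" >&2
  return 1
}
load_module nf_conntrack ip_conntrack
load_module nf_conntrack_ftp ip_conntrack_ftp
load_module nf_nat_ftp ip_nat_ftp
load_module ip_tables
load_module xt_MASQUERADE ipt_MASQUERADE
load_module xt_state ipt_state
load_module iptable_nat
load_module xt_LOG ipt_LOG
load_module xt_REJECT ipt_REJECT
load_module iptable_filter
load_module iptable_mangle
echo "Carregando modulos do IPTABLES .....[ OK ]"

### NAT: masquerade everything that leaves through the WAN interface.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

### FTP (ports 20/21)
# FTP clients running on the gateway itself.
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP service on the gateway, reachable from the LAN only.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT
# Forwarded FTP to the external server 174.120.158.107 (the original
# `-s 0.0.0.0/0.0.0.0` matched every source and was dropped as a no-op).
iptables -A FORWARD -p tcp -d 174.120.158.107 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -d 174.120.158.107 --dport 21 -j ACCEPT

### Conectividade Social (Caixa). ACCEPT in nat/PREROUTING ends nat processing
### for these destinations, so they are deliberately NOT redirected to Squid
### by the REDIRECT rule further down.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d 200.214.44.204 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d 200.252.47.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d 200.201.160.0/20 -j ACCEPT
# Hostname: resolved once at load time (see header).
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d cmt.caixa.gov.br -j ACCEPT
#iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d 200.152.32.148 --dport 5017 -j ACCEPT
# -I puts this rule at the head of PREROUTING: host .94 bypasses the proxy for
# all of its port-80 traffic, whatever is appended afterwards.
iptables -t nat -I PREROUTING -s 192.168.1.94 -p tcp --dport 80 -j ACCEPT

### DATASUS / CADSUS
iptables -A FORWARD -p tcp -s "$LAN_NET" -d 189.28.143.114 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s "$LAN_NET" -d 189.28.143.181 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s "$LAN_NET" -d 189.28.143.168 --dport 80 -j ACCEPT
# Originally without -s, i.e. open from any direction; limited to the LAN like
# the rules above. The replies (--sport 50002 / 65000) are covered by the
# ESTABLISHED rule at the end of the FORWARD chain. The original also carried
# a second, identical --sport 50002 rule here — most likely meant as
# --sport 65000 — which is redundant for the same reason.
iptables -A FORWARD -p tcp -s "$LAN_NET" --dport 50002 -j ACCEPT
iptables -A FORWARD -p tcp --sport 50002 -d "$LAN_NET" -j ACCEPT
iptables -A FORWARD -p tcp -s "$LAN_NET" --dport 65000 -j ACCEPT

### MSN: host .125 is denied. These two rules come before the subnet-wide
### ACCEPT further down, so they win for that host.
#iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j DROP
iptables -A FORWARD -s 192.168.1.125 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.1.125 -d loginnet.passport.com -j REJECT

### Transparent proxy: LAN HTTP -> Squid on the gateway. Only port 80 is
### intercepted; HTTPS (443) goes straight out through the masquerade, so the
### proxy's access controls do not apply to it.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

### "Source port == destination port" scan rule, left disabled as in the
### original (it referenced an undefined $i and was never wired to a loop).
#iptables -A INPUT -p tcp --sport $i --dport $i -j DROP

### Instant messaging
# ICQ
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
# Yahoo Messenger
#iptables -A FORWARD -d cs.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
# MSN for the whole LAN (the per-host REJECTs for .125 above take precedence).
#iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -d loginnet.passport.com -j ACCEPT

### P2P
# eMule allowed for one host; rejected for everyone else at the end of this
# section (first match wins).
iptables -A FORWARD -s 192.168.1.93 -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -s 192.168.1.93 -p udp --dport 4672 -j ACCEPT
# BitTorrent
iptables -A FORWARD -p tcp --dport 6881:6889 -j REJECT
# iMesh
iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
# Gnutella port shared by BearShare, ToadNode and LimeWire (one rule where the
# original had three identical ones).
iptables -A FORWARD -p tcp --dport 6346 -j REJECT
# WinMX
iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
# Napigator
iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
# Morpheus and KaZaA: their networks plus the FastTrack port 1214 (listed once
# where the original had it twice).
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 1214 -j REJECT
# Audiogalaxy
iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
# eMule for everyone except .93 (accepted above)
iptables -A FORWARD -p tcp --dport 4662 -j REJECT
iptables -A FORWARD -p udp --dport 4672 -j REJECT

### Packets conntrack cannot classify (malformed, out-of-window, spoofed
### replies). This replaces the original `-m unclean` rule, whose match module
### no longer exists and which therefore never loaded.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A INPUT -m state --state INVALID -j DROP

### Blocked destination. iptables masks the host bits, so the original
### 208.69.32.132/24 silently meant the whole /24; that is written out here.
### NOTE(review): if only the single host 208.69.32.132 was intended, use /32.
iptables -A FORWARD -d 208.69.32.0/24 -j REJECT

### Default policy. Everything above is a blacklist; these catch-all ACCEPTs
### are appended LAST on purpose — placed any earlier in FORWARD they would
### shadow every REJECT above them.
# Loopback, and the return half of connections the gateway itself opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN side may reach services on the gateway: Squid on $SQUID_PORT (the
# REDIRECT above needs this), and whatever else it runs (DNS, SSH, ...).
# Narrow this to explicit ports if the gateway hosts anything the LAN should
# not see.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
# NOTE(review): anything that must be reachable from the internet on $WAN_IF
# (e.g. SSH for remote administration) needs its own ACCEPT here. The original
# had none, and none is assumed.
# LAN -> anywhere not rejected above, plus replies. Nothing unsolicited from
# $WAN_IF is forwarded (there is no DNAT, so nothing behind the masquerade is
# addressable from outside anyway).
iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Routing between the LAN and WAN interfaces is switched on only now that
### the FORWARD chain is complete. This setting is not persistent: also set
### net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
echo 1 > /proc/sys/net/ipv4/ip_forward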