rage against
(usa CentOS)
Enviado em 17/12/2009 - 08:32h
Prezados, bom dia,
Andei vasculhando no "pai" Google e não encontrei a solução para o meu caso.
Possuo algumas máquinas da produção que não gostaria que tivessem acesso à navegação na internet, mas continuassem com acesso a e-mails e ao Spark (MSN interno).
Utilizo o CentOS e abaixo segue meu arquivo iptables. Não fui eu quem montou esse servidor, pois não tenho conhecimento para tal. Já comentei as linhas onde, teoricamente, se libera a internet para as estações, mas até agora nada. Já utilizei outros comandos como:
iptables -A INPUT -p tcp -i eth1 -s 192.168.0.45 --dport 3128 -j DROP
E também nada...
se puderem me ajudar eu agradeço, abraços...
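#!/bin/sh
# description: iptables
# chkconfig: 2345 80 30
# processname: iptables
# pidfile: /var/run/iptables.pid
#
# SysV init script that loads the site firewall (filter and nat tables).
# Must run as root. Usage: iptables {start|stop|status}
. /etc/init.d/functions
. /etc/sysconfig/network
# Quoted: with NETWORKING unset the bare form expands to "[ = no ]", which is
# a test syntax error ("unary operator expected") rather than a comparison.
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi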
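case "$1" in
  start)
    gprintf "Iniciando o Serviço de %s: " "iptables"
    echo
    # Routing between the LAN side (eth0, see the proxy REDIRECT below) and the
    # WAN side (eth1) is enabled here and disabled again in "stop".
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_limit
    modprobe ipt_LOG
    modprobe ipt_REJECT
    modprobe ip_nat_ftp
    ## Default policies. INPUT/OUTPUT stay ACCEPT, so the firewall host itself
    ## is protected only by the handful of explicit INPUT DROPs further down;
    ## only forwarded traffic is default-deny.
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -P FORWARD DROP
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    ## Flush existing rules
    iptables -t filter -F
    iptables -t nat -F
    ## Hosts that must not browse the web (space-separated, e.g. "192.168.0.45").
    ## Empty by default, so the rule set is unchanged until it is filled in.
    ## Port 80 from the LAN is REDIRECTed to the local squid (3128) in
    ## PREROUTING and therefore never crosses FORWARD: it has to be stopped on
    ## INPUT, on the LAN interface eth0 (eth1 is the WAN side here, which is why
    ## an INPUT rule with "-i eth1" for a LAN source never matches). HTTPS is
    ## not proxied and does cross FORWARD, so it is blocked there, ahead of the
    ## blanket ACCEPT that follows. Mail and the internal Spark/Openfire server
    ## are not affected by these ports.
    NO_WEB_HOSTS=""
    for host in $NO_WEB_HOSTS; do  # intentional word-splitting of the list
      iptables -A INPUT -i eth0 -s "$host" -p tcp --dport 3128 -j REJECT
      iptables -A FORWARD -s "$host" -p tcp -m multiport --dports 80,443 -j REJECT
    done
    ## Internet access for the LAN range.
    ## NOTE: iptables is first-match. This ACCEPT is appended before every later
    ## "-A FORWARD ... DROP/REJECT" for LAN sources, so those rules are never
    ## reached; only the "-I FORWARD" rules (MSN/passport) actually take effect.
    ## Moving it to the end would also make the /8-wide REJECTs below bite a
    ## large part of the Internet, so the order is kept as the author had it.
    iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -j ACCEPT
    iptables -A FORWARD -s 0/0 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 -j MASQUERADE # finance
    iptables -t nat -A POSTROUTING -s 192.168.0.2 -d 0/0 -j MASQUERADE # management
    iptables -t nat -A POSTROUTING -s 192.168.0.3 -d 0/0 -j MASQUERADE # security
    iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 0/0 -j MASQUERADE # production
    iptables -t nat -A POSTROUTING -s 192.168.0.5 -d 0/0 -j MASQUERADE # production
    iptables -t nat -A POSTROUTING -s 192.168.0.6 -d 0/0 -j MASQUERADE # production
    iptables -t nat -A POSTROUTING -s 192.168.0.7 -d 0/0 -j MASQUERADE # production
    iptables -t nat -A POSTROUTING -s 192.168.0.8 -d 0/0 -j MASQUERADE # production
    iptables -t nat -A POSTROUTING -s 192.168.0.9 -d 0/0 -j MASQUERADE # finance
    iptables -t nat -A POSTROUTING -s 192.168.0.10 -d 0/0 -j MASQUERADE # management
    # Transparent proxy redirect. The first rule already catches all port-80
    # traffic arriving on eth0, so the two "! -d" rules only see port-80/3128
    # traffic from the LAN range that arrives on another interface.
    # ("! -d" is the negation syntax accepted by both old and new iptables.)
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -A PREROUTING -t nat -s 192.168.0.0/24 ! -d 65.54.183.202 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -A PREROUTING -t nat -s 192.168.0.0/24 ! -d 65.54.183.202 -p tcp --dport 3128 -j REDIRECT --to-ports 3128
    # Antivirus AVG. Host names are resolved once, when the rule is loaded: if
    # DNS is not reachable at boot the rule is not installed, and a name with
    # several A records installs one rule per address.
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d akamai.grisoft.cz -j MASQUERADE
    ## Anti-spoofing: LAN addresses must never arrive on the WAN interface.
    iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
    # Keep squid off the WAN side ("189.X.X.X" is the public address, redacted
    # in the post; it must be replaced with the real one or the rule fails).
    iptables -A INPUT -p TCP -i eth1 -d 189.X.X.X --dport 3128 -j DROP
    # Invalid TCP flag combinations (port-scan fingerprints) from the WAN side
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    # DoS mitigation. The "unclean" match is not available on every kernel; on
    # one without it this line prints an error and is skipped (no set -e here).
    iptables -A FORWARD -m unclean -j DROP
    # UDP 7777-7779 from the WAN is forwarded to 192.168.0.254
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 7777:7779 -j DNAT --to-dest 192.168.0.254
    iptables -A FORWARD -p udp -i eth1 --dport 7777:7779 -d 192.168.0.254 -j ACCEPT
    # Drop inbound UDP on the WAN side up to port 30000
    iptables -A INPUT -i eth1 -p udp --dport 0:30000 -j DROP
    # SSH block (disabled)
    #iptables -A INPUT -p tcp --destination-port 22 -j DROP
    # AIM
    iptables -A FORWARD -d login.oscar.aol.com -j REJECT
    # ICQ
    iptables -A FORWARD -p tcp --dport 5190 -j REJECT
    iptables -A FORWARD -d login.icq.com -j REJECT
    # MSN
    iptables -A FORWARD -p tcp --dport 1863 -j REJECT
    iptables -A FORWARD -p udp --dport 1863 -j REJECT
    iptables -A FORWARD -p tcp --dport 7000 -j REJECT
    iptables -A FORWARD -p tcp --dport 7001 -j REJECT
    iptables -A FORWARD -p udp --dport 7000 -j REJECT
    iptables -A FORWARD -p udp --dport 7001 -j REJECT
    iptables -A FORWARD -d 64.4.9.0/24 -j REJECT
    iptables -A FORWARD -d 65.54.239.0/24 -j REJECT
    iptables -A FORWARD -d 64.4.35.0/24 -j REJECT
    iptables -A FORWARD -d 65.55.197.0/24 -j REJECT
    # The five /8 rules below cover tens of millions of addresses each; they
    # are currently unreachable (see the FORWARD ACCEPT above).
    iptables -A FORWARD -d 207.0.0.0/8 -j REJECT
    iptables -A FORWARD -d 204.0.0.0/8 -j REJECT
    iptables -A FORWARD -d 216.151.187.0/24 -j REJECT
    iptables -A FORWARD -d 63.0.0.0/8 -j REJECT
    iptables -A FORWARD -d 64.0.0.0/8 -j REJECT
    iptables -A FORWARD -d 65.0.0.0/8 -j REJECT
    # P2P ports
    iptables -A FORWARD -p tcp --dport 1214:1215 -j DROP
    iptables -A FORWARD -p udp --dport 1214:1215 -j DROP
    iptables -A FORWARD -p tcp --dport 1981 -j DROP
    iptables -A FORWARD -p udp --dport 1981 -j DROP
    iptables -A FORWARD -p tcp --dport 2037 -j DROP
    iptables -A FORWARD -p udp --dport 2037 -j DROP
    iptables -A FORWARD -p tcp --dport 3501 -j DROP
    iptables -A FORWARD -p udp --dport 3501 -j DROP
    iptables -A FORWARD -p tcp --dport 3531 -j DROP
    iptables -A FORWARD -p udp --dport 3531 -j DROP
    iptables -A FORWARD -p tcp --dport 3587 -j DROP
    iptables -A FORWARD -p udp --dport 3587 -j DROP
    iptables -A FORWARD -p tcp --dport 3955 -j DROP
    iptables -A FORWARD -p udp --dport 3955 -j DROP
    iptables -A FORWARD -p tcp --dport 4242 -j DROP
    iptables -A FORWARD -p udp --dport 4242 -j DROP
    iptables -A FORWARD -p tcp --dport 4661:4672 -j DROP
    iptables -A FORWARD -p udp --dport 4661:4672 -j DROP
    iptables -A FORWARD -p tcp --dport 4688 -j DROP
    iptables -A FORWARD -p udp --dport 4688 -j DROP
    iptables -A FORWARD -p tcp --dport 5121 -j DROP
    iptables -A FORWARD -p udp --dport 5121 -j DROP
    iptables -A FORWARD -p tcp --dport 5662 -j DROP
    iptables -A FORWARD -p udp --dport 5662 -j DROP
    iptables -A FORWARD -p tcp --dport 6085:6086 -j DROP
    iptables -A FORWARD -p udp --dport 6085:6086 -j DROP
    iptables -A FORWARD -p tcp --dport 6346:6347 -j DROP
    iptables -A FORWARD -p udp --dport 6346:6347 -j DROP
    iptables -A FORWARD -p tcp --dport 6699 -j DROP
    iptables -A FORWARD -p udp --dport 6699 -j DROP
    iptables -A FORWARD -p udp --dport 6881:6889 -j DROP
    iptables -A FORWARD -p tcp --dport 6881:6889 -j DROP
    iptables -A FORWARD -p tcp --dport 8473 -j DROP
    iptables -A FORWARD -p udp --dport 8473 -j DROP
    # Inserted at the head of FORWARD, so these two are the only LAN-source
    # blocks evaluated before the blanket ACCEPT.
    iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
    iptables -I FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
    #iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j REJECT
    #iptables -I FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
    # DROP in the nat table only sees the first packet of each connection;
    # the matching FORWARD rules below are the ones meant to do the filtering.
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.28.93/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.28.94/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.113.0/24 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.216.0/24 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.26.253/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.26.254/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.107.0/24 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.106.0/24 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.216.62/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.27.0/24 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.108.69/32 -j DROP
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -d 207.46.109.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.28.93/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.28.94/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.113.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.216.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.26.253/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.26.254/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.107.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.106.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.216.62/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.27.0/24 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.108.69/32 -j DROP
    iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 207.46.109.0/24 -j DROP
    # Yahoo Messenger
    iptables -A FORWARD -d scsa.yahoo.com -j REJECT
    # eMule
    iptables -A FORWARD -p tcp -m multiport --dport 4661,4711,4662,4665,4672 -j DROP
    iptables -A FORWARD -p udp -m multiport --dport 4662,4672,4665 -j DROP
    # BitTorrent
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.0.2
    iptables -A FORWARD -p tcp -i eth1 --dport 6881:6889 -d 192.168.0.2 -j REJECT
    # iMesh
    iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
    # BearShare
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT
    # ToadNode
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT
    # WinMX
    iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
    iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
    # Napigator
    iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
    # Morpheus
    iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
    iptables -A FORWARD -p TCP --dport 1214 -j REJECT
    # KaZaA
    iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
    iptables -A FORWARD -p TCP --dport 1214 -j REJECT
    # Limewire
    iptables -A FORWARD -p TCP --dport 6346 -j REJECT
    # Audiogalaxy
    iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
    # ICMP (ping) masquerade
    iptables -t nat -A POSTROUTING -p ICMP -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
    # Extra ports (disabled)
    #iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 5190 -j MASQUERADE
    #iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 4000 -j MASQUERADE
    #iptables -t nat -A POSTROUTING -s 211.1.188.0/24 -d icq.com -j MASQUERADE
    # Norton LiveUpdate
    #iptables -t nat -A POSTROUTING -s 211.1.188.0/24 -d akamai.grisoft.cz -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d liveupdate.symantecliveupdate.com -j MASQUERADE
    ########################
    # Banking applications #
    ########################
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 443 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 444 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 447 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 0/0 --dport 7443 -j MASQUERADE
    ########################
    # Conectividade Social #
    ########################
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.252.47.234 --dport 2631 -j MASQUERADE
    # (disabled; note "-p -tcp" is not valid iptables syntax, so they would
    # fail if re-enabled as-is)
    # iptables -t nat -A PREROUTING -i eth1 -p -tcp ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
    # iptables -t nat -A PREROUTING -i eth1 -p -tcp ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 3128
    #############
    # CAGED-net #
    #############
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.244.113.8 --dport 2500 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.220.45.39 --dport 2500 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.173.68 -j MASQUERADE
    ############
    # RAIS-net #
    ############
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 161.148.185.0/24 --dport 3007 -j MASQUERADE
    ###############
    # Receita-net #
    ###############
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 161.148.185.0/24 --dport 3456 -j MASQUERADE
    ############################
    # Sintegra (Valida Paraná) #
    ############################
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.201.114.3 --dport 1049 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.201.114.3 --dport 80 -j MASQUERADE
    iptables -t nat -A POSTROUTING -p TCP -s 192.168.0.0/24 -d 200.189.113.86 --dport 8017 -j MASQUERADE
    ############################################################
    # Netbus / Back Orifice / Trinoo ports, outbound from the  #
    # firewall host itself (OUTPUT, not FORWARD)               #
    ############################################################
    iptables -t filter -A OUTPUT -p UDP --dport 31337 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 1234 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 12345 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 12346 -j DROP
    iptables -t filter -A OUTPUT -p UDP --dport 2049 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 20034 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 54321 -j DROP
    iptables -t filter -A OUTPUT -p TCP --dport 27665 -j DROP
    iptables -t filter -A OUTPUT -p UDP --dport 27444 -j DROP
    iptables -t filter -A OUTPUT -p UDP --dport 31335 -j DROP
    # Terminal Server (RDP) port forward. RDP is exposed to the whole Internet
    # here (no -s restriction); the FORWARD ACCEPT is also unrestricted by
    # source or destination.
    IP_INTERNO=192.168.0.75
    iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -d 189.X.X.X --dport 3389 -j DNAT --to "$IP_INTERNO"
    iptables -t nat -A POSTROUTING -p tcp -s "$IP_INTERNO" --dport 3389 -j SNAT --to 189.X.X.X
    # Openfire / Spark messaging server port forward (disabled)
    #IP_INTERNO=192.168.0.1
    #iptables -A FORWARD -p tcp --dport 5222 -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -d 192.168.1.61 --dport 5222 -j DNAT --to 192.168.0.1
    #iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.1 --dport 5222 -j SNAT --to 192.168.1.61
    # VoIP from the external network (disabled)
    #IP_INTERNO=192.168.0.2
    #iptables -A FORWARD -p tcp --dport 5060 -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -d 192.168.1.61 --dport 5060 -j DNAT --to 192.168.0.2
    #iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --dport 5060 -j SNAT --to 192.168.1.61
    #iptables -A FORWARD -p tcp --dport 5004 -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -d 192.168.1.61 --dport 5004 -j DNAT --to 192.168.0.2
    #iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.2 --dport 5004 -j SNAT --to 192.168.1.61
    # pcAnywhere (disabled)
    #iptables -A FORWARD -p tcp --dport 5631 -j ACCEPT
    #iptables -A FORWARD -p udp --dport 5632 -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -d 200.163.237.74 --dport 5631 -j DNAT --to 211.1.188.20
    #iptables -t nat -A POSTROUTING -p tcp -s 211.1.188.20 --dport 5631 -j SNAT --to 200.163.237.74
    #iptables -t nat -A PREROUTING -p udp -d 200.163.237.74 --dport 5632 -j DNAT --to 211.1.188.20
    #iptables -t nat -A POSTROUTING -p udp -s 211.1.188.20 --dport 5632 -j SNAT --to 200.163.237.74
    # RealVNC (disabled)
    #iptables -A FORWARD -p tcp --dport 5900 -j ACCEPT
    #iptables -A FORWARD -p udp --dport 5800 -j ACCEPT
    #iptables -t nat -A PREROUTING -p tcp -d 192.168.1.61 --dport 5900 -j DNAT --to 192.168.0.1
    #iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.1 --dport 5900 -j SNAT --to 192.168.1.61
    #iptables -t nat -A PREROUTING -p udp -d 192.168.1.61 --dport 5800 -j DNAT --to 192.168.0.1
    #iptables -t nat -A POSTROUTING -p udp -s 192.168.0.1 --dport 5800 -j SNAT --to 192.168.1.61
    # Show the resulting rule sets
    iptables -t filter -L -n
    iptables -t nat -L -n
    ;;
  stop)
    gprintf "Finalizando o Serviço de %s: " "iptables"
    echo
    # Routing off, forwarding default-deny, everything flushed. INPUT/OUTPUT
    # keep their ACCEPT policy, so after "stop" the host itself is fully open.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    iptables -t filter -P FORWARD DROP
    iptables -t nat -P PREROUTING DROP
    iptables -t nat -P OUTPUT DROP
    iptables -t nat -P POSTROUTING DROP
    iptables -t filter -F
    iptables -t nat -F
    iptables -t filter -L -n
    iptables -t nat -L -n
    rmmod ipt_state ipt_MASQUERADE iptable_nat ip_conntrack iptable_filter ip_tables
    ;;
  status)
    gprintf "Status do Serviço de %s: " "iptables"
    echo
    iptables -t filter -L -n
    iptables -t nat -L -n
    ;;
  *)
    gprintf "Uso: iptables (start|stop|status)"
    echo
    exit 0
    ;;
esac
exit 0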