IPTABLES Error

1. IPTABLES Error

Fernando
VioixxElite

(uses CentOS)

Sent on 22/04/2014 - 15:10h

Folks, for a while now, whenever I restart the firewall it gives the error below.

MAN
PRE3
PRE
Bad argument `http'
Try `iptables -h' or 'iptables --help' for more information.
PRE2
POS
IN
OUT
FW
Bad argument `22'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `8787'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `5432'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `9191'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `9192'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `9193'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `9194'
Try `iptables -h' or 'iptables --help' for more information.


Below is the whole firewall configuration.


# Other definitions for spoofing control
#
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
TRACERT_S_PORTS="32769:65535"
TRACERT_D_PORTS="33434:33523"
WINDOWS_PORTS="135:139"
XWINDOWS_PORTS="6000:6063"
NFS_PORT="2049"
SOCKS_PORT="1080"
#
# Set the default log level to KERN_DEBUG
#
loglevel="7"

# remove unwanted modules
#
# Need to initially load modules
#
/sbin/depmod -a

#
# Load all required IPTables modules
#
/sbin/modprobe ip_tables
# Adds some iptables targets like LOG, REJECT and MASQUERADE
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_unclean

#
# Support for connection tracking of FTP and IRC
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc

# CRITICAL: Enable IP forwarding since it is disabled by default.
#
# RedHat Users: you may try changing the options in /etc/sysconfig/network
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Reverse-path filtering is written as 0 (disabled) here; set it to 1 to
# enable the kernel's IP spoofing protection
#
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done

# Disable ICMP redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Martian logging (spoofed, source-routed and redirect packets) is written
# as 0 (disabled) here; set it to 1 to log them
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done

# disable ECN support
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Flush all chains
iptables -F
iptables -F -t nat
iptables -F -t mangle

# Remove any existing user-defined chains
iptables -X

# Define default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Create user defined chains

# LOG and DROP chain
#
iptables -N log_drop
iptables -A log_drop -j LOG --log-level $loglevel --log-prefix "DROPPED::"
iptables -A log_drop -j DROP

# LOG and REJECT chain
#
iptables -N log_reject
iptables -A log_reject -j LOG --log-level $loglevel --log-prefix "REJECTED::"
iptables -A log_reject -j REJECT

# LOG and DROP spoofed packets
#
iptables -N log_spoofed
iptables -A log_spoofed -j LOG --log-level $loglevel --log-prefix "SPOOFED::"
iptables -A log_spoofed -j DROP

# LOG and DROP invalid packets
#
iptables -N log_invalid
iptables -A log_invalid -j LOG --log-level $loglevel --log-prefix "END.INVALIDO::"
iptables -A log_invalid -j DROP

# LOG and DROP trojan packets
#
iptables -N log_trojan
iptables -A log_trojan -j LOG --log-level $loglevel --log-prefix "TROJAN ALERT::"
iptables -A log_trojan -j DROP

#
# ICMP incoming rules
#
# 0: echo-reply
# 3: destination-unreachable,port-unreachable,fragmentation-needed, etc
# 4: source-quench
# 5: redirect
# 8: echo-request
# 11: time-exceeded
# 12:parameter-problem
iptables -N icmp_packets

# Ping of death protection
iptables -A icmp_packets -p ICMP --icmp-type 0 -m limit --limit 3/s -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 3 -m limit --limit 3/s -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 8 -m limit --limit 3/s -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 11 -m limit --limit 3/s -j ACCEPT

#
# TCP incoming rules
#
iptables -N tcp_packets
iptables -A tcp_packets -p TCP --dport ftp-data -j ACCEPT
iptables -A tcp_packets -p TCP --dport ftp -j ACCEPT
iptables -A tcp_packets -p TCP --dport ssh -j ACCEPT
iptables -A tcp_packets -p TCP --sport ftp --dport 1024: -j ACCEPT
# Allow e-mail traffic
iptables -A tcp_packets -p TCP --sport smtp -j ACCEPT
iptables -A tcp_packets -p TCP --dport smtp -j ACCEPT
iptables -A tcp_packets -p TCP --dport pop3 -j ACCEPT
iptables -A tcp_packets -p TCP --dport 995 -j ACCEPT
iptables -A tcp_packets -p TCP --dport 587 -j ACCEPT
iptables -A tcp_packets -p TCP --sport 587 -j ACCEPT
# Web traffic addressed to the firewall itself is dropped
iptables -A tcp_packets -p TCP --dport http -j DROP
iptables -A tcp_packets -p TCP --dport https -j DROP
# Allow auth traffic
iptables -A tcp_packets -p TCP --sport auth -j ACCEPT
iptables -A tcp_packets -p TCP --dport auth -j ACCEPT
# All other packets are logged and dropped
iptables -A tcp_packets -j log_drop

#
# UDP incoming rules
#
iptables -N udp_packets
iptables -A udp_packets -p UDP --dport smtp -j ACCEPT
iptables -A udp_packets -p UDP --sport domain -j ACCEPT
iptables -A udp_packets -p UDP --dport domain -j ACCEPT
iptables -A udp_packets -p UDP --dport pop3 -j ACCEPT
iptables -A udp_packets -p UDP --dport 995 -j ACCEPT
iptables -A udp_packets -p UDP --dport 587 -j ACCEPT
iptables -A udp_packets -p UDP --dport auth -j ACCEPT
iptables -A udp_packets -p UDP --sport ntp -j ACCEPT
# All other packets are logged and dropped
iptables -A udp_packets -j log_drop

### TROJANS
# Some trojans, the most common ones
# Checking for trojans is not necessary if you adopt the "everything closed,
# open only exceptions" policy. But you may want to check anyway, so that
# you can record a more specific log entry (our case).
iptables -N TROJAN_CHECK
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 555 # phAse zero
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 555 # phAse zero
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 1243 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 1243 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 6670 # DeepThroat
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 6670 # DeepThroat
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 6711 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 6711 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 6969 # GateCrasher
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 6969 # GateCrasher
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 12345 # NetBus
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 12345 # NetBus
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 21544 # GirlFriend
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 21544 # GirlFriend
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 23456 # EvilFtp
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 23456 # EvilFtp
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 27374 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 27374 # Sub-7, SubSeven
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 30100 # NetSphere
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 30100 # NetSphere
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 31789 # Hack'a'Tack
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 31789 # Hack'a'Tack
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 31337 # BackOrifice, and many others
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 31337 # BackOrifice, and many others
iptables -A TROJAN_CHECK -j log_trojan -p tcp --dport 50505 # Sockets de Troie
iptables -A TROJAN_CHECK -j log_trojan -p udp --dport 50505 # Sockets de Troie

#
# PREROUTING mangle CHAIN
#
echo "MAN"
# Don't let smtp leave with priority, so it doesn't kill the link
iptables -t mangle -A PREROUTING -p tcp --dport smtp -j TOS --set-tos Normal-Service
# Improve throughput of outgoing http
iptables -t mangle -A PREROUTING -p tcp --dport http -j TOS --set-tos Maximize-Throughput
# Improve throughput of outgoing ssh
iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Maximize-Throughput
# mark incoming external connections so that they leave via the correct link
iptables -t mangle -A PREROUTING -i $spdint -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $vrtint -j CONNMARK --set-mark 0x2
# mark outgoing connections so that they use the same link that received them
iptables -t mangle -A PREROUTING -i $intint -m connmark --mark 0x1 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i $intint -m connmark --mark 0x2 -j MARK --set-mark 0x2

iptables -t mangle -A PREROUTING -p tcp --dport 3495 -j MARK --set-mark 0x12
iptables -t mangle -A OUTPUT -p tcp --dport 3495 -j MARK --set-mark 0x12
#
# PREROUTING nat CHAIN
#
# enable communication with Camicado
iptables -t nat -A PREROUTING -i $intint -d $camicado -p tcp --dport ftp -j ACCEPT
iptables -t nat -A PREROUTING -i $intint -d $camicado -p tcp --dport ftp-data -j ACCEPT
iptables -t nat -A PREROUTING -i $intint -d $camicado -p tcp --dport http -j ACCEPT
iptables -t nat -A POSTROUTING -d $camicado -j SNAT --to 172.21.24.2
iptables -A FORWARD -d $camicado -j ACCEPT
#
# Forward Jaime's external access to the AEM System server
iptables -t nat -A PREROUTING -i ! $intint -s $jaime -p tcp --dport ssh -j DNAT --to $servidor
iptables -t nat -A PREROUTING -i $intint -d $libermac -p tcp --dport http -j DNAT --to $servidor
iptables -t nat -A POSTROUTING -o $intint -s $intnet -d $servidor -p tcp --dport http -j SNAT --to $intip
iptables -t nat -A PREROUTING -i $intint -d $libermac -p tcp --dport https -j DNAT --to $servidor
iptables -t nat -A POSTROUTING -o $intint -s $intnet -d $servidor -p tcp --dport https -j SNAT --to $intip

# ALLOW LOGMEIN IPs
iptables -t nat -A PREROUTING -s 74.201.74.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 216.52.233.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 69.25.20.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 64.94.18.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 77.242.192.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 212.118.234.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 64.74.103.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 64.94.46.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 69.25.20.0/24 -p ALL -j ACCEPT
iptables -t nat -A PREROUTING -s 108.162.232.0/24 -p ALL -j ACCEPT

# Redirect web traffic to the server
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport http -j DNAT --to $servidor
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport https -j DNAT --to $servidor
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7750 -j DNAT --to $sophyxweb:80
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 8083 -j DNAT --to $sophyxcrm:8083
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 8200 -j DNAT --to $suportecli:9393
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 3390 -j DNAT --to $tsfernando:3389
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 9090 -j DNAT --to $sdti:8080

iptables -t nat -A POSTROUTING -p tcp -d $sophyxweb --dport http -j SNAT --to $intip
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7765 -j DNAT --to $beastcall:22
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7761 -j DNAT --to $beastcall:9191
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7762 -j DNAT --to $beastcall:9192
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7763 -j DNAT --to $beastcall:9193
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7764 -j DNAT --to $beastcall:9194
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 5432 -j DNAT --to $beastcall:5432
echo "PRE3"
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7755 -j DNAT --to $sophyxcont:90
iptables -t nat -A POSTROUTING -p tcp -d $sophyxcont --dport http -j SNAT --to $intip
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7756 -j DNAT --to $oasis:80
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7757 -j DNAT --to $oasis:3306
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7758 -j DNAT --to $oasis:3389
echo "PRE"
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7770 -j DNAT --to $oasis:3389
iptables -t nat -A POSTROUTING -p tcp -d $oasis --dport http -j SNAT --to $intip
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 7760 -j DNAT --to $beastcall:8787
iptables -t nat -A POSTROUTING -p tcp -d $beastcall --dport http -j SNAT --to $intip
iptables -t nat -A POSTROUTING -p tcp -d $km --dport http -j SNAT --to $intip
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 8100 -j DNAT --to $km:9292
# Redirect ftp traffic to the windows server
echo "PRE2"
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport ftp -j DNAT --to $srvdc
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport ftp-data -j DNAT --to $srvdc

iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 3389 -j DNAT --to $ts
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 3389 -j DNAT --to $tsfernando

iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 1020 -j DNAT --to $cameras
iptables -t nat -A PREROUTING -i ! $intint -p tcp --dport 6036 -j DNAT --to $cameras

iptables -t nat -A PREROUTING -i $intint -s $gw1 -p tcp --dport http -j ACCEPT
iptables -t nat -A PREROUTING -i $intint -s $gw2 -p tcp --dport http -j ACCEPT
# Allow access to Caixa Economica Federal
iptables -t nat -A PREROUTING -i $intint -d 200.201.174.0/24 -p tcp --dport http -j ACCEPT


#
# POSTROUTING CHAIN (OUTBOUND NAT)
#
echo "POS"
# Start IP MASQUERADE for packets coming from the internal interface
iptables -t nat -A POSTROUTING -s $intnet -d 10.100.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s $intnet -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o $vrtint -j MASQUERADE
iptables -t nat -A POSTROUTING -o $spdint -j MASQUERADE


# INPUT chain
#
echo "IN"
# packets coming from local interfaces are allowed
iptables -A INPUT -i $LOOPBACK -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -i $intint -s $intnet -j ACCEPT
iptables -A INPUT -i $vrtint -s $vrtnet -j ACCEPT
iptables -A INPUT -i $spdint -s $spdnet -j ACCEPT
iptables -A INPUT -s $maxihelp -j ACCEPT
iptables -A INPUT -s $maxihelp2 -j ACCEPT

# Reject invalid packets
iptables -A INPUT -m state --state INVALID -j log_invalid

# packets of already-established connections are allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# spoofing protection
#
# Ignore dhcpc requests
iptables -A INPUT -i eth0 -p UDP -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
iptables -A INPUT -p UDP -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j DROP

# Reject packets coming from strange or invalid addresses
iptables -A INPUT -s $CLASS_A -j log_spoofed
iptables -A INPUT -s $CLASS_B -j log_spoofed
iptables -A INPUT -s $CLASS_C -j log_spoofed
iptables -A INPUT -s $BROADCAST_DEST -j log_spoofed
iptables -A INPUT -s $CLASS_D_MULTICAST -j log_spoofed
iptables -A INPUT -s 0.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 1.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 2.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 5.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 7.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 23.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 27.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 31.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 36.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 37.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 39.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 41.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 42.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 49.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 50.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 58.0.0.0/7 -j log_spoofed
iptables -A INPUT -s 60.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 67.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 68.0.0.0/6 -j log_spoofed
iptables -A INPUT -s 72.0.0.0/5 -j log_spoofed
iptables -A INPUT -s 80.0.0.0/4 -j log_spoofed
iptables -A INPUT -s 96.0.0.0/3 -j log_spoofed
iptables -A INPUT -s 169.254.0.0/16 -j log_spoofed
iptables -A INPUT -s 192.0.2.0/24 -j log_spoofed
iptables -A INPUT -s 197.0.0.0/8 -j log_spoofed
iptables -A INPUT -s 218.0.0.0/7 -j log_spoofed
iptables -A INPUT -s 220.0.0.0/6 -j log_spoofed
iptables -A INPUT -s 224.0.0.0/3 -j log_spoofed

# Reject Microsoft network broadcast packets
iptables -A INPUT -p TCP --dport $WINDOWS_PORTS -j DROP
iptables -A INPUT -p TCP --dport 445 -j DROP
iptables -A INPUT -p UDP --dport $WINDOWS_PORTS -j DROP
iptables -A INPUT -p UDP --dport 445 -j DROP

# ICMP packets
iptables -A INPUT -p ICMP -j icmp_packets

# allow VPN
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A INPUT -p TCP --dport 500 -j ACCEPT
iptables -A INPUT -p UDP --dport 500 -j ACCEPT

# TROJAN_CHECK
iptables -A INPUT -m state --state NEW -j TROJAN_CHECK

# TCP packets
# Syn-flood protection
iptables -A INPUT -p TCP --syn -m limit --limit 3/s -j tcp_packets
iptables -A INPUT -p TCP ! --syn -j tcp_packets

# UDP packets
iptables -A INPUT -p UDP -j udp_packets

# All other input is logged
iptables -A INPUT -j LOG --log-level $loglevel --log-prefix "INPUT UNKNOW::"

#
# OUTPUT CHAIN
#
echo "OUT"
# Packets to local interfaces are OK
iptables -A OUTPUT -o $LOOPBACK -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o $intint -d $intnet -j ACCEPT
iptables -A OUTPUT -o $intint -j ACCEPT
iptables -A OUTPUT -o $vrtint -d $vrtnet -j ACCEPT
iptables -A OUTPUT -o $spdint -d $spdnet -j ACCEPT

# Packets going to Maxi Help are accepted
iptables -A OUTPUT -d $maxihelp -j ACCEPT
iptables -A OUTPUT -d $maxihelp2 -j ACCEPT

# packets going to strange or invalid IP addresses are logged and rejected
iptables -A OUTPUT -d $CLASS_A -j log_reject
iptables -A OUTPUT -d $CLASS_B -j log_reject
iptables -A OUTPUT -d $CLASS_C -j log_reject
iptables -A OUTPUT -d $BROADCAST_SRC -j log_reject
iptables -A OUTPUT -d $CLASS_D_MULTICAST -j log_reject
iptables -A OUTPUT -d $CLASS_E_RESERVED_NET -j log_reject

# packets destined for dangerous ports are rejected
# <NFS>
iptables -A OUTPUT -o ! $intint -p TCP --syn --dport $NFS_PORT -j log_reject
iptables -A OUTPUT -o ! $intint -p UDP --dport $NFS_PORT -j log_reject

# <socks>
iptables -A OUTPUT -o ! $intint -p TCP --syn --dport $SOCKS_PORT -j log_reject
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# log the remaining packets (rate-limited)
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level $loglevel --log-prefix "OUTPUT PACKET DIED::"

iptables -A OUTPUT -j LOG --log-level $loglevel --log-prefix "OUTPUT ???::"
#
# FORWARD CHAIN
#
echo "FW"
# packets from the internal network to the internal network are accepted
iptables -A FORWARD -i $intint -s $intnet -o $intint -j ACCEPT
# packets between the internal network and the vpn are accepted
iptables -A FORWARD -i $intint -s $intnet -o tun+ -j ACCEPT
iptables -A FORWARD -o $intint -d $intnet -i tun+ -j ACCEPT

# allow traffic from servers
if [ -f /etc/squid/servidores ]; then
    # one IP per line; lines beginning with # are comments
    while read -r E; do
        IP=$(echo "$E" | grep -v '^#')
        if [ -n "$IP" ]; then
            iptables -A FORWARD -i $intint -s $IP -j ACCEPT
        fi
    done < /etc/squid/servidores
fi

# allow full internet access for some ips
if [ -f /etc/squid/Grupo_Diretoria/ips_diretoria ]; then
    # one IP per line; lines beginning with # are comments
    while read -r E; do
        IP=$(echo "$E" | grep -v '^#')
        if [ -n "$IP" ]; then
            iptables -A FORWARD -i $intint -s $IP -j ACCEPT
        fi
    done < /etc/squid/Grupo_Diretoria/ips_diretoria
fi

# packets of already-established connections are allowed
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# packets to and from AEM Sistemas and Maxi Help are accepted
iptables -A FORWARD -d $jaime -j ACCEPT
iptables -A FORWARD -s $jaime -j ACCEPT
iptables -A FORWARD -d $maxihelp -j ACCEPT
iptables -A FORWARD -s $maxihelp -j ACCEPT
iptables -A FORWARD -d $maxihelp2 -j ACCEPT
iptables -A FORWARD -s $maxihelp2 -j ACCEPT

iptables -A FORWARD -d $srvdc -p tcp --dport ftp -j ACCEPT
iptables -A FORWARD -d $srvdc -p tcp --dport ftp-data -j ACCEPT
iptables -A FORWARD -d $srvdc -p udp --dport ftp -j ACCEPT
iptables -A FORWARD -d $srvdc -p udp --dport ftp-data -j ACCEPT

# check for trojans
iptables -A FORWARD -j TROJAN_CHECK

# allow internet access on some ports
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport ftp-data -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 2100 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport smtp -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport pop3 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 7750 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 8080 -j ACCEPT


# allow DNS
iptables -A FORWARD -i $intint -s $intnet -p udp --dport domain -j ACCEPT

# enable windows licensing
iptables -A FORWARD -d 65.55.52.62 -p tcp --dport https -j ACCEPT

# allow windows update
iptables -A FORWARD -d watson.microsoft.com -p tcp --dport https -j ACCEPT
iptables -A FORWARD -d download.windowsupdate.com -p tcp --dport http -j ACCEPT
iptables -A FORWARD -d download.microsoft.com -p tcp --dport http -j ACCEPT
iptables -A FORWARD -d crl.microsoft.com -p tcp --dport http -j ACCEPT
iptables -A FORWARD -d mscrl.microsoft.com -p tcp --dport http -j ACCEPT
iptables -A FORWARD -d www.update.microsoft.com -p tcp --dport http -j ACCEPT


# enable the invoice (NF) issuing site
iptables -A FORWARD -d 201.55.62.0/24 -p tcp --dport https -j ACCEPT

# allow msn for some ips
if [ -f /etc/squid/Grupo_Padrao/ips_msn_liberados ]; then
    # one IP per line; lines beginning with # are comments
    while read -r E; do
        IP=$(echo "$E" | grep -v '^#')
        if [ -n "$IP" ]; then
            iptables -A FORWARD -i $intint -s $IP -p tcp --dport 1863 -j ACCEPT
        fi
    done < /etc/squid/Grupo_Padrao/ips_msn_liberados
fi

#
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport https -j LOG --log-level debug --log-prefix "FW HTTPS::"
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport https -j DROP

# packets coming from the server to the outside are accepted
iptables -A FORWARD -d $ts -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -d $tsfernando -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -d $cameras -p tcp --dport 1020 -j ACCEPT
iptables -A FORWARD -d $cameras -p tcp --dport 6036 -j ACCEPT
iptables -A FORWARD -d $sophyxweb -p tcp --dport 7750 -j ACCEPT
iptables -A FORWARD -d $sdti -p tcp --dport 8080 -j ACCEPT


iptables -A FORWARD -m limit --limit 3/s -p tcp -d $sophyxweb --dport 80 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $sophyxcont --dport 90 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $sophyxcrm --dport 8083 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $suportecli --dport 8200 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 22 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 8787 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 5432 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 9191 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 9192 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 9193 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $beastcall --dport 9194 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $suportecli --dport 9393 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $sdti --dport 9090 -j ACCEPT

iptables -A FORWARD -m limit --limit 3/s -p tcp -d $oasis --dport 80 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $oasis --dport 3306 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $oasis --dport 3389 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $km --dport 9292 -j ACCEPT

#
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $servidor --dport 80 -j ACCEPT
iptables -A FORWARD -m limit --limit 3/s -p tcp -d $servidor --dport 443 -j ACCEPT

# enable the conecto exodus connection
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 69 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p udp --dport 69 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 665 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 4511 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 4899 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 5222 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 5900 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 5901 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 8600 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 8601 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 15000 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p udp --dport 15000 -j ACCEPT
iptables -A FORWARD -i $intint -s $intnet -p tcp --dport 1433 -d 201.6.253.107 -j ACCEPT

# enable ping
iptables -A FORWARD -i $intint -s $intnet -p ICMP --icmp-type 8 -m limit --limit 3/s -j ACCEPT

iptables -A FORWARD -j LOG --log-level $loglevel --log-prefix "FW Unknow::"

# RESTRICTED ACCESS TO THE MOBILITY SITE
iptables -A FORWARD -p tcp -s 192.168.10.0/24 --dport 1500 -j ACCEPT

# ALLOW ACCESS TO PORT 443 FOR SOME SITES
iptables -A FORWARD -p tcp --dport 443 -j DROP
for URL in `grep -v "^#" /etc/squid/libera_porta_443`; do
iptables -I FORWARD -d $URL -p tcp --dport 443 -j ACCEPT
done
echo "Liberando Sites Para Porta 443........................[ OK ]"


# Allow TeamViewer
iptables -t filter -A FORWARD -p tcp --dport 5938 -s 192.168.10.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -s 37.252.239.0/24 -p ALL -j ACCEPT


Could someone help me?




2. Re: IPTABLES Error

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 22/04/2014 - 15:41h

Run your script this way and you'll find out why it's giving the errors:


bash -x firewall.sh
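The "Bad argument" lines in the first post are what iptables prints when a variable in a rule expands to nothing: every failing port (22, 8787, 5432, 9191-9194, and the http rule between PRE and PRE2) sits in a rule of the form -d $beastcall --dport N, which reaches iptables as -d --dport N once $beastcall is empty, so the output is consistent with that variable being unset, which the bash -x run above will confirm. Added example, not from either post and not a fix to the posted script: a POSIX sh pre-flight check that names the unset variables before any rule is loaded; the variable list and the sample values are constructed from the names the posted script uses.

```shell
#!/bin/sh
# Added example, not part of either post: a pre-flight check for the
# variables a firewall script expands into iptables arguments. Every name
# below is taken from the posted script; the values are constructed.

# Count the arguments a rule expands to. With beastcall unset,
# "-d $beastcall --dport 22" arrives as three words ("-d" "--dport" "22"):
# iptables takes "--dport" as the host for -d and then reports
# "Bad argument `22'" for the word left over.
count_args() {
  echo "$#"
}

# Print the names among "$@" whose value is unset or empty, space-separated.
missing_vars() {
  name=""; value=""; missing=""
  for name in "$@"; do
    eval "value=\${$name}"          # POSIX indirection: value of the variable named $name
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  echo "${missing# }"                # strip the leading space
}

# Return 0 if the variable named $1 is set, 1 if "set -u" would refuse to
# expand it. Putting "set -u" at the top of the firewall script is the
# cheapest guard: the shell then aborts on the first unset name instead of
# calling iptables with a collapsed argument list.
nounset_check() {
  ( set -u; eval ": \${$1}" ) 2>/dev/null
}

# Hosts and interfaces the posted rules reference (constructed list).
REQUIRED_VARS="LOOPBACK intint intnet vrtint vrtnet spdint spdnet intip
servidor srvdc ts tsfernando cameras sophyxweb sophyxcont sophyxcrm
suportecli beastcall oasis km sdti jaime camicado libermac maxihelp
maxihelp2 gw1 gw2"

# Run this before the first iptables call: returns 1 and names the culprits
# when any required variable is unset or empty, 0 when all are set.
check_firewall_vars() {
  missing=$(missing_vars $REQUIRED_VARS)
  if [ -n "$missing" ]; then
    echo "firewall: refusing to load rules, unset variables: $missing" >&2
    return 1
  fi
  return 0
}
```

Source the file that defines the hosts and interfaces first, then call check_firewall_vars and stop if it returns 1; with an empty variable the rules would otherwise be loaded only up to the first broken one, leaving the firewall half-configured.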






