emerson2703
(usa CentOS)
Enviado em 21/09/2011 - 16:33h
Boa tarde,
Quando coloquei o script para carregar as regras do firewall, a as maquinas clientes não consegui ascessar a internet, mas pinga para um site normalmente utilizo centos 5.4, segue abaixo meu script:
#!/bin/bash
# Autor: Emerson Guimaraes
#
#
echo -n Aplicando Regras de Firewall...
echo
#### Zera regras
# Removendo regras
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Apagando chains
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Zerando contadores
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
# Carregando Modulos
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Política
# Nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Liberacao do Sistema Login
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.107 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.138 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 172.16.7.107 -j ACCEPT
# Direcionando para msn-proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 1863
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 1863 -j REDIRECT --to-port 1863
# Caixa conectividade
iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 1994
iptables -t nat -A PREROUTING -i eth2 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 1994
iptables -t nat -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d 200.223.0.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0 --dport 80 -d 200.201.174.207 -j RETURN
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
# Direcionando tudo para o Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1994
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1994
# Liberando acesso loopback
iptables -A INPUT -i lo -j ACCEPT
# Ativando o redirecionamento de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward
# Compartilhando a Internet
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Filter
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth2 -j ACCEPT
# Internet
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
#Liberacao do msn-proxy
iptables -A INPUT -p tcp --dport 25000:30000 -s 172.16.4.0/22 -j ACCEPT
#Conectividade social
iptables -I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -I FORWARD -p tcp -d 200.223.0.0 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
# Liberacao Paygo
iptables -A FORWARD -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
# Ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Liberando MSN
iptables -A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT
# Sistema Login
iptables -A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 9090 -j ACCEPT
# DNS Firewall
iptables -A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
# Telefonia PABX
iptables -A FORWARD -p udp --dport 1571 -j ACCEPT
iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp --dport 4000 -j ACCEPT
iptables -A FORWARD -p udp --dport 2631 -j ACCEPT
# Servidor de cameras
iptables -A FORWARD -p tcp -m tcp --dport 8672
iptables -A FORWARD -p tcp -m tcp --dport 9670
# Bancos e Financeiras
iptables -A FORWARD -p tcp -m tcp --dport 5190 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 20000 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 5432 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 809 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 1665 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
# Caixa Economica
iptables -A FORWARD -p tcp -m tcp --dport 2681 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 2631 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2631 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2631 -j ACCEPT
# Liberacao de Envio e Recebimento de E-mail
# Recebimento
iptables -A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
# Envio
iptables -A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 945 -j ACCEPT
# Liberacao Conexao Remota (Teminal Server, VNC e Puty)
# Acesso e Mapeamento Remoto
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
iptables -A FORWARD -p udp --sport 3389 -j ACCEPT
iptables -A FORWARD -p udp --dport 3389 -j ACCEPT
iptables -A INPUT -p udp --sport 3389 -j ACCEPT
iptables -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --sport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p udp --sport 3389 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3389 -j ACCEPT
#LSM
iptables -A FORWARD -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -p udp --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -p udp --dport 8000 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8000 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8001 -j ACCEPT
iptables -A FORWARD -p udp --dport 8001 -j ACCEPT
iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
iptables -A INPUT -p udp --dport 8001 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8001 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8001 -j ACCEPT
#Telnet
iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -p udp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p udp --dport 23 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 23 -j ACCEPT
iptables -A OUTPUT -p udp --dport 23 -j ACCEPT
#Mysql
iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
iptables -A FORWARD -p udp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p udp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3306 -j ACCEPT
#vpn auditoria
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -p tcp --dport 4500 -j ACCEPT
iptables -A FORWARD -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -p udp --dport 137 -j ACCEPT
iptables -A FORWARD -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p udp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 445 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 137 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 138 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 445 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 389 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT
#VPN
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p udp --dport 1723 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -p udp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1723 -j ACCEPT
# Liberando Redes Externas
iptables -A FORWARD -d 10.101.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.102.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.103.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.104.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.105.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.106.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.107.0.0/24 -j ACCEPT
iptables -A FORWARD -d 172.16.0.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.8.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.12.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.16.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.20.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.27.0/22 -j ACCEPT
iptables -A FORWARD -d 172.16.39.0/22 -j ACCEPT
#FTp
iptables -A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# VNC
iptables -A FORWARD -p tcp -m tcp --dport 4901 -j ACCEPT
# Puty
iptables -A FORWARD -p tcp -m tcp --dport 754 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 754 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Rede Local
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -o eth2 -j ACCEPT
# Internet
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Proteção contra Ataques
iptables -A INPUT -m state --state INVALID -j DROP
# Proteção contra Port Scanner
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/m -j ACCEPT
# Proteção contra os "Ping of Death"
iptables -A INPUT -i inet -p icmp --icmp-type 8 -m limit --limit 5/m -j DROP
iptables -A INPUT -i inet -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i ilan -p icmp -j ACCEPT
#Contra syp floop
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 9666 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 9666 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9666 -j ACCEPT
# Protecao contra worms
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j DROP
#Salvando arquivo contendo as regras
/sbin/iptables-save > /etc/sysconfig/iptables