Iptables bloqueando gereciador publico do banco do brasil

1. Iptables bloqueando gereciador publico do banco do brasil

removido
(usa Nenhuma)

Enviado em 08/11/2011 - 14:26h

Ola amigos ,

Sou novo no linux :D então estou com varias duvidas kkk por enquanto estou com esse problema aqui na empresa .

Quando acesso o gerenciador de atendimento do banco do brasil para o setor publico e tento enviar um arquivo o mesmo chega a demorar 15 minutos para enviar um arquivo que nao chegar a 2megas.Isso com meu firewall habilitado e com as regras sendo aplicadas direitinho.

Ja com o firewall apenas roteando e sem regras o mesmo arquivo envia em menos de i minuto.

HELP.

0 0

Quote

2. Re: Iptables bloqueando gereciador publico do banco do brasil

diegobnx
(usa Debian)

Enviado em 09/11/2011 - 08:02h

tem como vc posta seu firewall?

fica mais facil te ajudar...

vlw abraxx!!

0 0

Quote

3. Meu Firewall

removido
(usa Nenhuma)

Enviado em 09/11/2011 - 10:19h

Quando entrei na empresa ja encontrei esse firewall e como sou novo no linux e mais ainda com o iptables ainda tive como refazer esse firewall . O maximo que consigo hoje é manter o firewall , colocando e retirando regras . Enfim chega de bla bla bla :D ai vai .

#!/bin/bash

#chkconfig: 2345 90 10

#

######################################################################################

#

# 1.0 Localhost Configuration.

LO_IFACE="lo"

LO_IP="127.0.0.1"

#

#1.1 Rede Local - Interna (eth0)

LAN_IP="172.16.35.1"

LAN_INTERFACE="eth0"

LAN_REDE="172.16.35.0/24"

#

#1.2 Externa - (eth1)

EXT_IP="172.16.254.3"

EXT_INTERFACE="eth1"

EXT_REDE="172.16.254.0/24"

EXT_BROADCAST=""

#

#1.3 Rede Administrativa Predio Novo

ADM_REDE="172.16.33.2/29"

#######################################################################

# CArrega Modulos

#######################################################################

Carega_modulos()

{

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

# /sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state

/sbin/modprobe ipt_MASQUERADE

/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_ftp

}

#####################################################################

#LIMPANDO REGRAS

#####################################################################

Limpa_regras()

{

#NAT

iptables -t nat -F

iptables -t nat -X

#LIMPANDO REGRAS DE FILTER E CHAINS

iptables -F

iptables -X

}

#####################################################################

#Politica de acesso

#####################################################################

Politica_acesso()

{

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

}

###################################################################

#Protecao

###################################################################

#Protecao()

#{

# Ocultando a rota dos pacotes

#for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f

#done

# Evita ataque de spoof

#for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

#echo 1 > $f

#done

#prot contra syn-flood

#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#contra ip spoofing

#echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#Contra Port Scanners:

#iptables -A FORWARD -o tcp -tcp-flags SYN,ACK,FIN,RST RST -m zlimit -limit 1/s -j accept

#Bloquear Back Orifice:

#iptables -A INPUT -p tcp --dport 31337 -j DROP
#iptables -A INPUT -p udp --dport 31337 -j DROP

#Bloquear NetBus:

#iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
#iptables -A INPUT -p udp --dport 12345:12346 -j DROP

#}

########################################################################

# Permissoes de acesso ao firewall --> REGRAS DE INPUT

########################################################################

Acesso_SEMFAZ()

{

iptables -A INPUT -i lo -j ACCEPT #Aceita tudo da interface de loopbak

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Aceita pacotes estabilizados

iptables -I INPUT -i $LAN_INTERFACE -s 172.16.32.0/22 -j ACCEPT # Para permitir roteamento interno (default gateway)

iptables -I INPUT -i $LAN_INTERFACE -s 172.31.0.0/16 -j ACCEPT # Para permitir roteamento interno

# ^----- Estas regras devem ser revistas (habilitar apenas o mtr) U R G E N T E

iptables -A INPUT -m state --state INVALID -j DROP #Dropa pacotes invalidos

iptables -A INPUT -j SPOOF_CHECK #Teste se um Spoof de IP

#LAN

iptables -A INPUT -i $LAN_INTERFACE -s 172.16.32.0/22 -p tcp --dport 40001 -j ACCEPT #Aceita SSH da Rede Interna
iptables -A INPUT -i $LAN_INTERFACE -s 172.31.15.50 -p tcp -m multiport --dport 40001,22 -j ACCEPT #SSH EMERSON

#EXTERNA

iptables -A INPUT -i $EXT_INTERFACE -p icmp -m limit --limit 2/s -j ACCEPT #ICMP

# iptables -A INPUT -i $EXT_INTERFACE -s 172.16.33.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT #SSH De REDE Adm. P.NOVO

## BLOQUEIA ACESSOS INVALIDOS

iptables -A INPUT -j LOG -m limit --limit 25/m --limit-burst 2 --log-prefix "SEMFAZ_INPUT:" #log o resto dos pacotes

}

#######################################################################

# FORWARD

#######################################################################

Regras_forward()

{

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #Estabelecido passa

iptables -A FORWARD -m state --state INVALID -j DROP #Se for invalido, Dropa

iptables -A FORWARD -j SPOOF_CHECK #Teste se um Spoof de IP

iptables -I FORWARD -i $LAN_INTERFACE -o $LAN_INTERFACE -d 172.16.32.0/22 -j ACCEPT # Para permitir roteamento interno (default gateway)

iptables -I FORWARD -i $LAN_INTERFACE -o $LAN_INTERFACE -d 172.31.0.0/16 -j ACCEPT # Idem acima

## ^------- Rever esta muito aberta

#iptables -A FORWARD -j FORWARD_DROP # Envia os pacotes para tabela de DOR - GERAL

#FORWARD

#

##Aplicacao do SIAT - HTTP,HTTPS (80,443) e Web Service Tomcat - 8080,8180 , 8280 (teste)

##Operacao(10.0.0.18/32);Serv. WEB(10.0.0.10/32);Procuradoria(172.25.0.0/24);SEMURH(172.26.0.0/24)

##SMTT(172.22.0.22/32); SEMAM(172.19.254.92/32)

# LOADBALANCE (172.16.32.26) com acesso publico na porta 8099 (extrato IPTU)

#EXT -> LAN ( E N T R A N D O )

# iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180,8782,8783 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.25.0.0/24 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.25.0.0/24 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.26.0.0/24 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.26.0.0/24 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.26.0.0/24 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.22.0.2/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.22.0.2/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.22.0.2/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.19.254.92/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.19.254.92/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.19.254.92/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 0/0 -d 172.16.32.26/32 -p tcp --dport 8099 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.16.32.25 -p icmp -o $LAN_INTERFACE -j ACCEPT

#

##Aplicacao SIAT. Regras especificas para a Guarda Municipal (VPN-SEMIT)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.109/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.109/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.109/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.110/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.110/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.110/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.113/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.113/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.113/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.114/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.114/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.114/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.115/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.115/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.115/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.116/32 -d 172.16.32.26 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.116/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.116/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.117/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.20.0.117/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.23/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.24/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.25/32 -d 172.16.32.25 -p tcp -m multiport --dport 80,443,8080,8180 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.23/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.24/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.25/32 -d 172.16.32.15 -p tcp -m multiport --dport 80 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN ( S A I N D O )

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 0/0 -p tcp -m multiport --sport 80,443,8080,8180 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 0/0 -p tcp -m multiport --sport 80,443,8080,8180,8280,8782,8783 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.15 -d 0/0 -p tcp -m multiport --sport 80 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26/32 -d 0/0 -p tcp --sport 8099 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 10.0.0.10/32 -p icmp -o $EXT_INTERFACE -j ACCEPT

##Servico para a aplicacao acessar o servidor WEB (ANY) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.16.32.25/32 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25/32 -d 10.0.0.10/32 -o $EXT_INTERFACE -j ACCEPT

#

##Servicos do SPF - 111 (RPCBIND); 139,445 (NETBIOS-SSN SAMBA); 7741/1523 (ORACLE)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.18/32 -d 172.16.32.4 -p tcp -m multiport --dport 111,139,445,1523 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.4 -d 0/0 -p tcp -m multiport --sport 111,139,445,1523 -o $EXT_INTERFACE -j ACCEPT

#

## SSH - 53000,54000,55000

#EXT -> LAN

# iptables -A FORWARD -i $EXT_INTERFACE -s $ADM_REDE -d 172.16.32.25 -p tcp --dport 53000 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s $ADM_REDE -d 172.16.32.26 -p tcp --dport 54000 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s $ADM_REDE -d 172.16.32.28 -p tcp --dport 55000 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d $ADM_REDE -p tcp --sport 53000 -o $EXT_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d $ADM_REDE -p tcp --sport 54000 -o $EXT_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d $ADM_REDE -p tcp --sport 55000 -o $EXT_INTERFACE -j ACCEPT

#

## DNS - 53 RESTRINGIR MAIS ******

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.16.32.0/22 -p tcp --dport 53 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.16.32.0/22 -p udp --dport 53 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.31.0.0/16 -p tcp --dport 53 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.31.0.0/16 -p udp --dport 53 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.0/22 -d 10.0.0.0/24 -p tcp --sport 53 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.0/22 -d 10.0.0.0/24 -p udp --sport 53 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.0/24 -p tcp --sport 53 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.0/24 -p udp --sport 53 -o $EXT_INTERFACE -j ACCEPT

## SQLServer - 1433. Procuradoria(172.25.0.0/24);SEMURH(172.26.0.0/24);SETUR(172.22.0.2/32);SEMAM(172.19.254.92/32)

##

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.18/32 -d 172.16.32.2 -p tcp --dport 1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.25.0.0/24 -d 172.16.32.2 -p tcp --dport 1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.26.0.0/24 -d 172.16.32.2 -p tcp --dport 1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.22.0.2/32 -d 172.16.32.2 -p tcp --dport 1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.19.254.92/32 -d 172.16.32.2 -p tcp --dport 1433 -o $LAN_INTERFACE -j ACCEPT

#Acesso SEMURH ao SAC ONLINE
iptables -A FORWARD -i $EXT_INTERFACE -s 172.26.0.0/24 -d 172.16.32.3 -p tcp --dport -m multiport 1433,80 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.2 -d 0/0 -p tcp --sport 1433 -o $EXT_INTERFACE -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.3 -d 0/0 -p tcp -m multiport --sport 1433,80 -o $EXT_INTERFACE -j ACCEPT

#

## AD - QUAIS AS PORTAS - SEM ACESSO.

#EXT -> LAN

# iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.35.5/32 -d 172.16.32.2 -p tcp -m multiport \

# --dport 53,111,135,139,389,445,636,3268,3269 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.35.5/32 -d 172.16.32.2 -p udp -m multiport \

# --dport 53,111,137,138,389,445,500,636,4500 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.15/32 -d 172.16.35.3/32 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.35.3/32 -d 10.0.0.15/32 -o $EXT_INTERFACE -j ACCEPT

#

## ACESSO A INTERNET VIA PROXY 10.0.0.45 PORTA 81

#EXT -> LAN

# iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.45/32 -d 172.16.32.2/32 -p tcp --dport 81 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.45/32 -d 172.16.32.0/22 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.45/32 -d 172.31.0.0/16 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.10/32 -d 172.31.0.0/16 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.2/32 -d 10.0.0.45/32 -p tcp --sport 81 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.0/22 -d 10.0.0.45/32 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.45/32 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.10/32 -o $EXT_INTERFACE -j ACCEPT

##Servicos da HCG (SIG) - 111 (RPCBIND); 139,445 (NETBIOS-SSN SAMBA); 1433 (SQL); 80 (HTTP)

#EXT -> LAN

# iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.33.0/24 -d 172.16.32.3 -p tcp -m multiport --dport 111,139,445,1433,80,3389 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.35.0/24 -d 172.16.32.3 -p tcp -m multiport --dport 111,139,445,80 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.3 -d 0/0 -p tcp -m multiport --sport 111,139,445,1433,80,3389 -o $EXT_INTERFACE -j ACCEPT

##Servicos de terminal para a SEMIT (3389) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.31.15.0/24 -p tcp -m multiport --sport 111,139,445,80,3389,1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.0/24 -d 172.16.35.0/24 -p tcp -m multiport --sport 111,139,445,80,3389,1433 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.15.0/24 -d 10.0.0.0/24 -p tcp -m multiport --dport 111,139,445,80,3389,1433 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.35.0/24 -d 10.0.0.0/24 -p tcp -m multiport --dport 111,139,445,80,3389,1433 -o $EXT_INTERFACE -j ACCEPT

##Servico para acessar o mainframe situado na SEMIT (23) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.7/32 -d 172.16.35.0/24 -p tcp -m multiport --sport 111,139,445,23 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.7/32 -d 172.31.0.0/16 -p tcp -m multiport --sport 111,139,445,23 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.35.0/24 -d 10.0.0.7/32 -p tcp -m multiport --dport 111,139,445,23 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.7/32 -p tcp -m multiport --dport 111,139,445,23 -o $EXT_INTERFACE -j ACCEPT

##Servico para acessar bases remotas SEMAD e SEMUS (1433) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.20.11/32 -d 172.16.32.0/22 -p tcp -m multiport --sport 111,139,445,1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.17.4.3/32 -d 172.16.32.0/22 -p tcp -m multiport --sport 111,139,445,1433 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.16.20.11/32 -d 172.31.15.0/24 -p tcp -m multiport --sport 111,139,445,1433 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.0/22 -d 172.16.20.11/32 -p tcp -m multiport --dport 111,139,445,1433 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.0/22 -d 172.17.4.3/32 -p tcp -m multiport --dport 111,139,445,1433 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.15.0/24 -d 172.16.20.11/32 -p tcp -m multiport --dport 111,139,445,1433 -o $EXT_INTERFACE -j ACCEPT

##Servico para acessar o GIAP situado na SEMIT (80) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.32/32 -d 172.16.35.0/24 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.32/32 -d 172.31.0.0/16 -p tcp -m multiport --sport 80,443 -o $LAN_INTERFACE -j ACCEPT
iptables -A FORWARD -i $EXT_INTERFACE -s 10.0.0.32/32 -d 172.31.2.33/32 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.35.0/24 -d 10.0.0.32/32 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 10.0.0.32/32 -p tcp -m multiport --dport 80,443 -o $EXT_INTERFACE -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.2.33/32 -d 10.0.0.32/32 -o $EXT_INTERFACE -j ACCEPT

##Servico para acessar o EMAIL da SEMIT (80,25,110) -> S A I N D O <- (dport/sport invertido)

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 172.30.0.2/32 -d 172.16.35.0/24 -p tcp -m multiport --sport 80,443,25,110 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 172.30.0.2/32 -d 172.31.0.0/16 -p tcp -m multiport --sport 80,443,25,110 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.35.0/24 -d 172.30.0.2/32 -p tcp -m multiport --dport 80,443,25,110 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.31.0.0/16 -d 172.30.0.2/32 -p tcp -m multiport --dport 80,443,25,110 -o $EXT_INTERFACE -j ACCEPT

###############################################################################################################################

##Servico da VPN SEFAZ - Cadastro sincronizado. IP = 200.217.233.130. Porta 1194 UDP -> S A I N D O <- (dport/sport invertido)#

##Servico da VPN DSF (SP) IP = 201.85.51.66 . Porta 5166 UDP -> S A I N D O <- (dport/sport invertido)#

##Servico da VPN DSF (MS) IP = 189.11.248.218. Porta 5022 UDP -> S A I N D O <- (dport/sport invertido)#

#EXT -> LAN

iptables -A FORWARD -i $EXT_INTERFACE -s 200.217.233.130/32 -d 172.16.32.26/32 -p udp --sport 1194 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.85.51.66/32 -d 172.16.32.26/32 -p udp --sport 5018 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.26/32 -p udp --sport 5022 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26/32 -d 200.217.233.130/32 -p udp --dport 1194 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26/32 -d 201.85.51.66/32 -p udp --dport 5018 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26/32 -d 189.11.248.218/32 -p udp --dport 5022 -o $EXT_INTERFACE -j ACCEPT

#############################################################################################################

##Acesso da DSF aos servidores. IP Sao Paulo: 201.63.4.146 , 189.47.149.48 , 205.185.209.140 , 201.85.51.66 #

## IP Campo Grande: 189.11.248.218 #

## SIATNET (DATACENTER DSF). Rede: 187.103.147.128/28 #

#############################################################################################################

#EXT -> LAN ENTRANDO

#Para o servidor ORACLE PRODUCAO

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.28 -p tcp -m multiport --dport 1521,55000 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.28 -p tcp --dport 1521 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.28 -p tcp --dport 1521 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 201.63.4.146/32 -d 172.16.32.28 -p tcp -m multiport --dport 1521,55000 -o $LAN_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $EXT_INTERFACE -s 189.47.149.48/32 -d 172.16.32.28 -p tcp -m multiport --dport 1521,55000 -o $LAN_INTERFACE -j ACCEPT

#Para o servidor SPF

# iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.4 -p tcp -m multiport --dport 1523,22 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.63.4.146/32 -d 172.16.32.4 -p tcp -m multiport --dport 1523,22 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.47.149.48/32 -d 172.16.32.4 -p tcp -m multiport --dport 1523,22 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.4 -p tcp -m multiport --dport 1523,22 -o $LAN_INTERFACE -j ACCEPT

#Para os servidores de APLICACAO SIAT - 172.16.32.25 e 26- Porta 53000 (SSH), Aplicacao WEB - > portas 80,443,8080,8180,8280

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.15 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/27 -d 172.16.32.25 -p tcp -m multiport \

--dport 50010,50014,50018 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.15 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.63.4.146/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.63.4.146/32 -d 172.16.32.15 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.63.4.146/32 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.47.149.48/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.47.149.48/32 -d 172.16.32.15 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 189.47.149.48/32 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 205.185.209.140/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 205.185.209.140/32 -d 172.16.32.15 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 205.185.209.140/32 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.85.51.66/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 53000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.85.51.66/32 -d 172.16.32.25 -p tcp -m multiport \

--dport 22,80 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 201.85.51.66/32 -d 172.16.32.26 -p tcp -m multiport \

--dport 54000,80,443,8080,8180,8280 -o $LAN_INTERFACE -j ACCEPT

#Para o servidor ORACLE TESTE - 172.16.32.31 - Portas 56000 (SSH) e 1522 (Oracle)

iptables -A FORWARD -i $EXT_INTERFACE -s 189.11.248.218/32 -d 172.16.32.31 -p tcp -m multiport \

--dport 1522,56000 -o $LAN_INTERFACE -j ACCEPT

iptables -A FORWARD -i $EXT_INTERFACE -s 187.103.147.128/28 -d 172.16.32.31 -p tcp --dport 1522 -o $LAN_INTERFACE -j ACCEPT

#EXT <- LAN SAINDO

#Para o servidor ORACLE PRODUCAO

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 189.11.248.218/32 -p tcp -m multiport --sport 1521,55000 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 187.103.147.128/28 -p tcp --sport 1521 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 187.103.147.137/27 -p tcp --sport 50010 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 187.103.147.138/27 -p tcp --sport 50014 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 187.103.147.153/27 -p tcp --sport 50018 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 187.103.147.128/27 -p tcp -m multiport --sport 50018,50014,50010 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 187.103.147.128/27 -p udp -m multiport --sport 50018,50014,50010 -o $EXT_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 201.63.4.146/32 -p tcp -m multiport --sport 1521,55000 -o $EXT_INTERFACE -j ACCEPT

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.28 -d 189.47.149.48/32 -p tcp -m multiport --sport 1521,55000 -o $EXT_INTERFACE -j ACCEPT

#Para o servidor SPF

# iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.4 -d 189.11.248.218/32 -p tcp -m multiport --sport 1523,22 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.4 -d 201.63.4.146/32 -p tcp -m multiport --sport 1523,22 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.4 -d 189.47.149.48/32 -p tcp -m multiport --sport 1523,22 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.4 -d 187.103.147.128/28 -p tcp -m multiport --sport 1523,22 -o $EXT_INTERFACE -j ACCEPT

#Para os servidores de APLICACAO - 172.16.32.25 e 172.16.32.26 - Porta 53000 (SSH), Aplicacao WEB - > portas 80,443,8080,8180,8280

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 189.11.248.218/32 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 189.11.248.218/32 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 187.103.147.128/28 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 187.103.147.128/28 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 201.63.4.146/32 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 201.63.4.146/32 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 189.47.149.48/32 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 189.47.149.48/32 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 205.185.209.140/32 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 205.185.209.140/32 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.25 -d 201.85.51.66/32 -p tcp -m multiport \

--sport 53000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.26 -d 201.85.51.66/32 -p tcp -m multiport \

--sport 54000,80,443,8080,8180,8280 -o $EXT_INTERFACE -j ACCEPT

#Para o servidor ORACLE TESTE - 172.16.32.31 - Portas 56000 (SSH) e 1522 (Oracle)

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.31 -d 189.11.248.218/32 -p tcp -m multiport \

--sport 1522,56000 -o $EXT_INTERFACE -j ACCEPT

iptables -A FORWARD -i $LAN_INTERFACE -s 172.16.32.31 -d 187.103.147.128/28 -p tcp --sport 1522 -o $EXT_INTERFACE -j ACCEPT

#####################################################################################################################################

## REGRAS PARA BLOQUEIO USANDO LAYER 7 - REGRAS DE FORWARD ##

#####################################################################################################################################

##### BLOQUEANDO LOGMEIN

# iptables -A FORWARD -d www.logmein.com -j REJECT

# iptables -A FORWARD -d secure.logmein.com -j REJECT

# iptables -A FORWARD -p tcp --dport 2002 -j REJECT

# iptables -A FORWARD -d 69.209.251.0/24 -j REJECT

# iptables -A FORWARD -s 69.209.251.0/24 -j REJECT

# iptables -A FORWARD -d asterisk.app01.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app02.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app03.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app04.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app05.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app06.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app07.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app08.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app09.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app10.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app11.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app12.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app13.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app14.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app15.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app16.logmein.com -j REJECT

# iptables -A FORWARD -d asterisk.app17.logmein.com -j REJECT

#iptables -A FORWARD -d asterisk.app18.logmein.com -j REJECT

#iptables -A FORWARD -d asterisk.app19.logmein.com -j REJECT

########################### FIM REGRAS LAYER 7 ######################################################################################

#LOG

iptables -A FORWARD -j LOG -m limit --limit 50/m --limit-burst 2 --log-prefix "SEMFAZ_FORWARD: " #log dos pacotes

iptables -A FORWARD -j DROP

}

Regras_forward_drop()

{

iptables -N FORWARD_DROP

#Rede Interna - LAN

#iptables -A FORWARD -i $LAN_INTERFACE -s $LAN_REDE -p TCP --dport 41031:41900 -j REJECT #Audiogalaxy

# iptables -A FORWARD -i $LAN_INTERFACE -s $LAN_REDE -p TCP --dport 1863 -j REJECT #MSN

## BLOQUEIA ROTEAMENTOS INVALIDOS

iptables -A FORWARD -s 0.0.0.0/8 -i ! lo -j DROP

iptables -A FORWARD -s 255.255.255.255 -i ! lo -j DROP

}

###################################################################

#OUTPUT

###################################################################

Regras_output()

{

iptables -A OUTPUT -o lo -j ACCEPT

iptables -I OUTPUT -o $LAN_INTERFACE -d 172.16.32.0/22 -j ACCEPT # Para permitir roteamento interno (default gateway)

iptables -I OUTPUT -o $LAN_INTERFACE -d 172.31.0.0/16 -j ACCEPT # Para permitir roteamento interno (default gateway)

iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -j LOG --log-prefix "SEMFAZ_OUTPUT: " #log dos pacotes

iptables -A OUTPUT -j DROP

}

##################################################################

#Spoofcheck

##################################################################

Spoof_check()

{

iptables -N SPOOF_CHECK

iptables -A SPOOF_CHECK -s $LAN_REDE ! -i $LAN_INTERFACE -j DROP

iptables -A SPOOF_CHECK -s $EXT_REDE ! -i $EXT_INTERFACE -j DROP

}

##################################################################

# Tabela mangle

##################################################################

Regras_mangle()

{

#Define m�nimo de espera para os servi�os ftp, telnet, irc e DNS, isto

# dar� uma melhor sensa��o de conex�o em tempo real e diminuir� o tempo

# de espera para conex�es que requerem resolu��o de nomes.

iptables -t mangle -A OUTPUT -o ppp+ -p tcp --dport 21 -j TOS --set-tos 0x10

iptables -t mangle -A OUTPUT -o ppp+ -p tcp --dport 23 -j TOS --set-tos 0x10

iptables -t mangle -A OUTPUT -o ppp+ -p tcp --dport 6665:6668 -j TOS --set-tos 0x10

iptables -t mangle -A OUTPUT -o ppp+ -p udp --dport 53 -j TOS --set-tos 0x10

#Entrada

iptables -t mangle -A PREROUTING -i 0 -p tcp --sport 23 -j TOS --set-tos 0x10

}

##################################################################

# Inicia as regras

##################################################################

boot_regras()

{

#Carega_modulos

Limpa_regras

Politica_acesso

Spoof_check

Protecao

Acesso_SEMFAZ

Regras_forward

Regras_output

}

#. /etc/init.d/functions

#. /etc/network

#if [ ${NETWORKING} = "no" ]

#then

# exit 0

#fi

case "$1" in

start)

#

#Habilitando forward(roteamento)

echo 1 > /proc/sys/net/ipv4/ip_forward

#

boot_regras

#Mostra todas as regras

printf "\n .:SEMFAZ Firewall:. \n"

echo

iptables -n -L

iptables -t nat -L

;;

stop)

echo 0 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables --flush

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

Limpa_regras

printf ".:SEMFAZ STOP:."

echo

iptables -n -L

;;

status)

clear

printf ".:SEMFAZ Status:."

echo

iptables -n -L -v

;;

router)

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

Limpa_regras

printf ".: ROTEAMENTO HABILITADO SEM FW :."

echo

;;

*)

printf "FIREWALL - SEMFAZ: (start|stop|status|router)"

echo

;;

esac

#exit 0

0 0

Quote

4. Re: Iptables bloqueando gereciador publico do banco do brasil

diegobnx
(usa Debian)

Enviado em 09/11/2011 - 11:03h

bom... vamos ver se consigo te ajudar.

Qual é a faixa de IP do computador que você está tentando enviar esse pacote?

0 0

Quote

5. Faixa de IP

removido
(usa Nenhuma)

Enviado em 09/11/2011 - 11:11h

172.31.0.0/24

0 0

Quote

6. Re: Iptables bloqueando gereciador publico do banco do brasil

diegobnx
(usa Debian)

Enviado em 09/11/2011 - 12:53h

blz...

só mais uma pergunta essa maquina passa por algum proxy?

esse pacote que vc quer passar pelo firewall sai pela porta 443 correto?
se sim... tenta adicionar essa regra com seu firewall rodando:

iptables -I FORWARD -s IP_DO_PC_QUE_PRECISA_LIBERAR -p tcp --dport 443 -j ACCEPT

é so adicionar o ip por ex.:

iptables -I FORWARD -s 172.31.0.123 -p tcp --dport 443 -j ACCEPT

digite direto no terminal ok? não precisa adicionar no script,
o iptables -I adiciona a regra em primeiro acima das outras na chain FORWARD, caso seja outra porta que ele utilize é só substituir.
caso precise remover essa regra é só vc rodar seu firewall novamente.. ou:

iptables -D FORWARD -s IP_DO_PC_QUE_PRECISA_LIBERAR -p tcp --dport 443 -j ACCEPT

o -D REMOVE a regra.

se eu estiver errado me corrijam... pq eu tb não sou nenhum expert hehehe,
a intenção é ajudar ;)

[]'s

0 0

Quote

7. AUTO ATENDIMENTO AO SETOR PUBLICO

removido
(usa Nenhuma)

Enviado em 09/11/2011 - 15:34h

Funciona assim, na verdade temos outra secretaria que fornece internet para nos e tem um proxy que vem de la. Entendeu :D e vou tentar essa regra para porta 443 . Desde ja agradeço pela ajuda amigo.

0 0

Quote