Boa tarde pessoal,
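# Allow LAN -> Internet TCP to 200.216.216.47 on any destination port.
# A second rule restricted to --dport 8773 used to follow this one; it was
# removed because this rule already accepts every TCP port to that host, so
# the narrower rule could never match anything. If only port 8773 should be
# reachable, keep the "--dport 8773" rule and delete this unrestricted one
# instead — with two ACCEPTs in a row the broader one always wins.
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.216.216.47 -p tcp -j ACCEPT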
# ---- tools this script drives (absolute paths, no PATH lookup) ----
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"

# ---- interfaces and addresses ----
# Loopback device. With INPUT/OUTPUT policies at DROP, local services that
# talk over 127.0.0.1 only work if the chains explicitly accept this device.
IF_LOOPBACK="lo"
# LAN side of the firewall.
IF_INT="eth1"
IP_INT="10.1.1.250"
# Internet side; the public address was redacted by the poster.
IF_EXT="eth0"
IP_EXT="XXX.XX.XX.XXX"
# No DMZ in use; placeholders kept for a possible third interface.
#IF_DMZ="eth"
#IP_DMZ=""
# LAN prefix used by the -s/-d matches in the chains below.
NET_INT="10.1.1.0/24"
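### Reset: default-deny first, then flush.
### The DROP policies are set *before* the chains are flushed so that there is
### no window in which a previous ACCEPT policy applies with no rules loaded.
#
### IPv4: default-deny. Anything not explicitly accepted further down is dropped.
echo "[+] Disabling IPv4 traffic..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
### IPv6 is not used on this host: everything is dropped and nothing is
### accepted below (this also drops IPv6 on loopback).
echo "[+] Disabling IPv6 traffic..."
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
### Flush existing rules and delete user-defined chains in every table this
### script touches. ip6tables is flushed as well, so a rule left over from an
### earlier run cannot outlive the IPv6 DROP policy set above.
echo "[+] Flushing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IP6TABLES -F
$IP6TABLES -X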
### load netfilter modules
### This list mixes legacy 2.4/early-2.6 module names (ip_conntrack, ipt_*)
### with the newer xtables names (xt_*). On a kernel that only has the new
### names the legacy modprobe calls fail, and since the script does not use
### "set -e" it simply carries on — watch the output. The FTP and PPTP
### conntrack helpers loaded here classify the data/GRE connections they
### track as RELATED, which the state rules below accept; load only the
### helpers that are actually needed.
echo "[+] Loading modules..."
for mod in \
  ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp ip_tables \
  ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_state ipt_multiport iptable_mangle \
  ipt_limit xt_limit ipt_mark ipt_MARK ipt_string ip_gre ip_nat_pptp tun
do
  $MODPROBE "$mod"
done
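###### INPUT chain ######
#########################
#
echo "[+] Setting up INPUT chain..."
### [++] anti-spoofing rules
### These must sit before any ACCEPT rule. Placed at the end of the chain
### (after the ACCEPTs, as they used to be) they only saw packets the DROP
### policy would discard anyway and protected nothing. 192.168.0.0/16 is the
### RFC 1918 block; iptables masks 192.168.1.0/16 to the same network, but it
### reads like a /24 typo.
$IPTABLES -A INPUT -s 10.0.0.0/8 -i $IF_EXT -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -i $IF_EXT -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -i $IF_EXT -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -i $IF_EXT -j DROP
### [++] loopback
### With the INPUT/OUTPUT policies at DROP, local services talking over
### 127.0.0.1 need an explicit accept (OUTPUT needs the matching "-o" rule).
$IPTABLES -A INPUT -i $IF_LOOPBACK -j ACCEPT
### [++] state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### [++] ACCEPT rules
### [+++] ssh
### From the LAN: any host in NET_INT. From the Internet: only the listed
### sources. The former unconditional "-i $IF_EXT --dport 22 -j ACCEPT" rule
### was removed: it exposed sshd to the whole Internet and made every
### per-source rule below unreachable. Re-add it deliberately if
### world-reachable SSH is really wanted.
$IPTABLES -A INPUT -p tcp -i $IF_INT -s $NET_INT --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IF_EXT -s XXX.XX.XX.XXX/27 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IF_EXT -s XXX.XX.XX.XXX --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IF_EXT -s XXX.XX.XX.XXX --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IF_EXT -s XXX.XX.XX.XXX --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IF_EXT -s XXX.XX.XX.XXX --dport 22 -j ACCEPT
### [+++] pptp (TCP/1723 control channel + GRE), reachable from any Internet
### source. Note: PPTP's MS-CHAPv2 authentication is considered broken; treat
### this as a legacy service and plan a replacement.
$IPTABLES -A INPUT -i $IF_EXT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -i $IF_EXT -p 47 -j ACCEPT
### [+++] dns from the LAN only. UDP only: add a TCP/53 rule if clients need
### truncated-response retries or zone transfers.
$IPTABLES -A INPUT -i $IF_INT -s $NET_INT -p udp --dport 53 -j ACCEPT
### [++] squid proxy from the LAN only
$IPTABLES -A INPUT -i $IF_INT -p tcp --dport 3128 -s $NET_INT -j ACCEPT
### [++] icmp from the LAN only (ICMP errors for existing flows arriving from
### the Internet are still accepted as RELATED above)
$IPTABLES -A INPUT -i $IF_INT -p icmp -s $NET_INT -j ACCEPT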
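###### OUTPUT chain ######
### [++] loopback (mirror of the INPUT side; without it a local client cannot
### open a connection to a service on 127.0.0.1 under the DROP policy)
$IPTABLES -A OUTPUT -o $IF_LOOPBACK -j ACCEPT
### [++] state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### [++] ACCEPT rules for connections the firewall host itself opens towards
### the Internet. Nothing here lets the host open *new* connections towards
### the LAN ($IF_INT); replies to LAN clients are covered by ESTABLISHED.
### [+++] pptp
$IPTABLES -A OUTPUT -o $IF_EXT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_EXT -p 47 -j ACCEPT
### [+++] dns, http, ftp control + data
### (the former "udp --dport 20" rule was dropped: FTP data is TCP only, and
### the catch-all below made it irrelevant anyway)
$IPTABLES -A OUTPUT -o $IF_EXT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_EXT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_EXT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -o $IF_EXT -p tcp --dport 20 -j ACCEPT
### [+++] catch-all
### NOTE(review): this accepts *every* outbound packet on the Internet side,
### so the explicit rules above only act as documentation. Delete this line
### if egress filtering is the intent (a proxy forwarding HTTPS would then
### also need TCP/443); keep it if the host is meant to be unrestricted.
$IPTABLES -A OUTPUT -o $IF_EXT -j ACCEPT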
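###### FORWARD chain ######
### [++] state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
##################################################################################
# LAN users' Internet access. The blanket rule stays disabled on purpose: the
# per-destination and per-MAC rules further down decide who gets out.
#$IPTABLES -A FORWARD -i $IF_INT -s $NET_INT -o $IF_EXT -j ACCEPT
# Log LAN -> Internet packets that do not belong to an established flow.
# Rate-limited: an unlimited LOG rule on this path lets any LAN host fill
# syslog (and the disk) with a packet flood. The prefix makes the entries
# easy to grep; tune the limit to the size of the LAN.
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -m limit --limit 30/min --limit-burst 50 -j LOG --log-prefix "FWD_LAN2INET: "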
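# Destinations every LAN host may reach (any TCP port unless stated).
# NOTE(review): none of these rules restrict the source to $NET_INT, so any
# host plugged into $IF_INT is forwarded regardless of its address. These
# are literal addresses: if a site moves, access silently breaks.
# cesan.com.br
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.216.216.18 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.216.216.47 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.216.216.45 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.216.216.43 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 201.77.202.37 -p tcp -j ACCEPT
# www.dataprev.gov.br
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.152.32.178 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.152.40.93 -p tcp -j ACCEPT
# www.previdencia.gov.br
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.152.40.50 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 200.152.32.144 -p tcp -j ACCEPT
# (a second copy of the 200.216.216.47 rule used to sit here; it duplicated
# the cesan entry above and could never match, so it was removed)
# sindec: TCP/444 only
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -d 201.62.35.202 -p tcp --dport 444 -j ACCEPT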
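############################################################################################
# Per-host unrestricted Internet access, keyed on the source MAC address.
# NOTE(review): a MAC match is not authentication — any LAN user can clone one
# of these addresses and inherit its access, and the match only works for
# hosts on the same L2 segment as $IF_INT. One AP entry originally read
# "...XX:XX:XX-j ACCEPT" (missing space before -j), which iptables rejects, so
# that rule was never installed; building the rule in one place avoids that.
#
# allow_mac MAC — forward anything from MAC on $IF_INT out of $IF_EXT.
allow_mac() {
  $IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -m mac --mac-source "$1" -j ACCEPT
}
# workstations
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
# access points
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
# other hosts
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
allow_mac XX:XX:XX:XX:XX:XX
# DNS from any LAN host to any resolver on the Internet (UDP only).
$IPTABLES -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT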
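### [++] MASQUERADE
### Source-NAT LAN traffic leaving on the Internet side. Only $NET_INT is
### translated: the former unconditional "-o $IF_EXT -j MASQUERADE" rule also
### hid packets with any other (misconfigured or spoofed) source address behind
### the public IP. Nothing the FORWARD chain accepts needs it — the chain only
### forwards traffic arriving on $IF_INT — so hosts there with an address
### outside $NET_INT now leave un-NATed and get dropped upstream: fix their
### addressing rather than NAT them blindly.
### If PPTP clients are meant to reach the Internet through this box they need
### their own FORWARD accepts plus a NAT rule for their address pool.
### With a static public address, "SNAT --to-source $IP_EXT" would also be
### preferable to MASQUERADE (conntrack state survives interface flaps).
$IPTABLES -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j MASQUERADE
exit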