adilsonmenechini
(usa openSUSE)
Enviado em 23/06/2015 - 10:28h
Bom galera
Uso essa regra no firewall ja faz algum tempo e quero dar uma turbinada nela! Como posso melhorar?
case "$1" in
start)
echo -n "Iniciando Iptables....................."
echo
echo 1 > /proc/sys/net/ipv4/ip_forward
#LIMPAR AS REGRAS
$ipt -F
$ipt -F -t nat
#Iniciando os modulos
$mdpb ip_tables
$mdpb iptable_filter
$mdpb ip_conntrack
$mdpb ip_conntrack_ftp
$mdpb ip_nat_ftp
$mdpb iptable_nat
$mdpb ipt_limit
$mdpb ipt_REJECT
$mdpb iptable_nat
################## CHAIN INPUT PACOTES COM DESTINO AO FIREWALL#######
#### BEGIN INPUT
$ipt -P INPUT DROP
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $IFLAN -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$ipt -A INPUT -mstate --state ESTABLISHED,RELATED -j ACCEPT
### http squid dhcp
$ipt -A INPUT -i $IFLAN -p tcp -m multiport --dports 80,3128,67,68,3283,1000 -j ACCEPT
$ipt -A INPUT -i $IFLAN -p tcp -m multiport --sports 67,68,3283 -j ACCEPT
$ipt -A INPUT -i $IFLAN -p udp -m multiport --sports 67,68 -j ACCEPT
### DNS e SSH
$ipt -A INPUT -p tcp -m multiport --dports 53,3007,80,8080,9999,3333 -j ACCEPT
$ipt -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
### Barrando DDOS
$ipt -A INPUT -i $IFWAN -s 10.0.0.0/8 -j DROP
$ipt -A INPUT -i $IFWAN -s 172.16.0.0/12 -j DROP
$ipt -A INPUT -i $IFWAN -s 192.168.0.0/16 -j DROP
$ipt -A INPUT -i $IFWAN -s 224.0.0.0/4 -j DROP
$ipt -A INPUT -i $IFWAN -s 240.0.0.0/5 -j DROP
$ipt -A INPUT -i $IFWAN -s 200.0.0.0/5 -j DROP
##################### END INPUT#####################################
########CHAIN OUTPUT - Pacotes originados na maquina firewall######
$ipt -P OUTPUT ACCEPT
########Chain FORWARD - Pacotes que atravessao a maquina firewall##
########################### BEGIN FORWARD #########################
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --dports 443,53,80,3128,25,110,3456,3389,465,995,22,3050,1527 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --sports 443,53,80,3128,25,110,3456,3389,465,995,22,3050,1527 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --dports 5000,18226,21226,21,7778,5017,1310,2095,2080 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --sports 5000,18226,21226,21,7778,5017,1310,2095,2080 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --dports 1299,3007,5900,5800,491,8888,5002,603,18001 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --sports 1299,3007,5900,5800,10000,491,8888,5002,603,18001 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --dports 587,5001,1720,2631,3456,3000,3001,3002,3003 -j ACCEPT
$ipt -A FORWARD -p tcp -m multiport --sports 587,5001,1720,2631,3456,3000,3001,3002,3003 -j ACCEPT
$ipt -A FORWARD -p udp -m multiport --dports 53,953,3004,3005 -j ACCEPT
$ipt -A FORWARD -p udp -m multiport --sports 53,953,3004,3005 -j ACCEPT
$ipt -A FORWARD -s 8.8.8.8 -j ACCEPT
$ipt -A FORWARD -d 8.8.8.8 -j ACCEPT
####### TOS Voip####################
$ipt -t mangle -A OUTPUT -p udp -m multiport udp --sport 5060,5061,6070,6070 -j TOS --set-tos 16
$ipt -t mangle -A OUTPUT -p udp -m multiport udp --dport 10000:10010,17090:17100,20000:22000 -j TOS --set-tos 16
$ipt -A OUTPUT -t mangle -p udp -m multiport udp --dport 10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
$ipt -A OUTPUT -t mangle -p udp -m multiport udp --sport 5060,5061,6070,6070,10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
####### Prerouting #################
$ipt -t mangle -A PREROUTING -p udp -m multiport udp --dport 5060,5061,6070,6070,10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
$ipt -t mangle -A PREROUTING -p udp -m multiport udp --sport 5060,5061,6070,6070,10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
$ipt -t mangle -A PREROUTING -p udp -m multiport udp --dport 10000:10010,17090:17100,20000:22000 -j MARK --set-mark 0x1
$ipt -t mangle -A PREROUTING -p udp -m multiport udp --sport 5060,5061,6070,6070,10000:10010,17090:17100,20000:22000 -j MARK --set-mark 0x1
####### INPUT #####################
$ipt -t mangle -A INPUT -p udp -m multiport udp --sport 5060,5061,5070,5071 -j TOS --set-tos 16
$ipt -t mangle -A INPUT -p udp -m multiport udp --dport 10000:10010,17090:17100,20000:22000 -j TOS --set-tos 16
$ipt -A INPUT -t mangle -p udp -m multiport udp --dport 10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
$ipt -A INPUT -t mangle -p udp -m multiport udp --sport 5060,5061,6070,6070,10000:10010,17090:17100,20000:22000 -j DSCP --set-dscp-class ef
############### (FULL PORTS)#####################
for ips in `cat /etc/squid/acl/server`; do
$ipt -A FORWARD -s $ips -j ACCEPT
$ipt -A FORWARD -d $ips -j ACCEPT
done
################################################
##################### NAT #####################
$ipt -t nat -A PREROUTING -i eth0 -p tcp --dport 10010 -j DNAT --to-destination 192.168.10.10:3128
################################################
$ipt -A FORWARD -j LOG
### Nat e routing
$ipt -t nat -A POSTROUTING -o $IFWAN -j MASQUERADE
$ipt -t nat -A PREROUTING -i $IFLAN -p tcp ! -d 161.148.231.100 --dport 80 -j REDIRECT --to-port 3128
###########################END FORWARD ############################
;;