IPTABLES - Nao consigo liberar DAPI, SPED, CONECTIVIDADE SOCIAL

wellisonwester
(usa openSUSE)

Enviado em 10/08/2016 - 09:05h

######### Segue meu Script de Firewall ##############


#!/bin/sh
#
#

### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $remote_fs $network $syslog
# Required-Stop: $remote_fs $network $syslog
# Should-Start: $local_fs slapd $named
# Should-Stop: $local_fs slapd
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: firewall.sh
# Description: Enable service provided by firewall.sh.
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin


LAN2="10.25.0.0/24"
EXTERNA="ppp+"
INTERNA="eth1"

################
# Função Start
################

firewall_start(){


##### Zera regras
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

##### carregar modulos
# fazer NAT, de forma geral compartilha a interenet com forward /sbin/modprobe iptable_nat
# resolve os problemas de FTP, sempre que tiver problemas com acesso a sites de FTP,
#lentidão, problemas de login ou acesso, tente carregar estes modulos relacionados a FTP.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# utlizado nas opções que geram log.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe tun
#============ ativa nat ========================#
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#==============================================================================================================================
# RESTRIÇÕES BÁSICAS =
# Proibe tudo - Deixa as listadas =
#==============================================================================================================================
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG

#iptables -A INPUT LOG --log-prefix "FIREWALL: DROP-INPUT "
#iptables -A OUTPUT LOG --log-prefix "FIREWALL: DROP-OUTPUT "
#iptables -A FORWARD LOG --log-prefix "FIREWALL: DROP-FORWARD "

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#========================================================LOOPBACK - TUDO LIVRE================================================
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --syn -s $LAN2 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s $LAN2 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s $LAN2 -j ACCEPT
#=================================================================================================+===============================
# INPUT =
#=================================================================================================================================
## LIBERA VPN
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -A INPUT -i ! $EXTERNA -j ACCEPT
iptables -A INPUT -p icmp -i $INTERNA -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN2 -p tcp --dport 1:65535 -j ACCEPT
#iptables -A INPUT LOG --log-prefix "FIREWALL: SSH-aceito "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
### MODELO PARA FECHAR PORTAS
#iptables -A INPUT -p tcp -i $EXTERNA --syn --dport 137 -j DROP
#==================================================================================================================================
# OUTPUT =
#==================================================================================================================================
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
### LIBERA VPN
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
### LIBERA DAPI SEFIP SPEED
iptables -A OUTPUT -p tcp --dport 8017 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8017 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3456 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3007 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
#iptables -A OUTPUT -s $LAN2 -p tcp --dport 1:65535 -j ACCEPT
#===================================================================================================================================
# FORWARD =
#===================================================================================================================================
#LIBERA VPN
iptables -A FORWARD -p udp --dport 1194 -j ACCEPT
### MAQUINA WALDIVINO
#iptables -I FORWARD -s 10.25.0.200 -p tcp -j ACCEPT
iptables -A FORWARD -m mac --mac-source 20:1a:06:5a:6a:3c -p tcp -j ACCEPT
### Libera Receita
iptables -A FORWARD -p tcp --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3050 -j ACCEPT
iptables -A FORWARD -p udp --dport 3050 -j ACCEPT
#iptables -A FORWARD -p udp --dport 3050 -j ACCEPT
iptables -A FORWARD -p udp --dport 8017 -j ACCEPT
###
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -s $LAN2 -p tcp --dport 1:65535 -j ACCEPT
### Proteção contra Syn-floods
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
### Proteção contra port scanners ocultos
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
### Proteção contra ping da morte
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
###
#nkline.itau.com.br:443 - DIRECT/200.196.152.202
iptables -A FORWARD -p tcp -d 200.198.239.22/24 --dport 3443 -j ACCEPT # SPED FISCAL
iptables -A FORWARD -p tcp -d 200.198.239.22/24 --dport 80 -j ACCEPT # SPED FISCAL
iptables -A FORWARD -p tcp -d 200.198.239.21/24 --dport 3443 -j ACCEPT #EFD
iptables -A FORWARD -p tcp -d 200.198.239.21/24 --dport 80 -j ACCEPT #EFD
iptables -A FORWARD -p tcp -d 200.152.32.0/24 --dport 5017 -j ACCEPT # Min. do trabalho
#iptables -A FORWARD -s 10.25.0.54 -j ACCEPT
### DAPI
iptables -A FORWARD -p tcp -d 200.166.92.41 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.166.92.41 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.16.234.41 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.16.234.41 --dport 80 -j ACCEPT
### CONECTIVIDADE SOCIAL
iptables -A FORWARD -p tcp -d 200.244.109.65/32 --dport 2002 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.174.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.173.68/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.174.207/24 --dport 80 -j ACCEPT
### SPED FISCAL
iptables -A FORWARD -p tcp -d 200.198.232.62/24 --dport 3443 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.198.239.21/24 --dport 3443 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.198.239.21/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.198.239.22/24 --dport 80 -j ACCEPT
### DAPI
iptables -A FORWARD -p tcp -d 200.166.92.41/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.166.92.41/24 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.16.234.41/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.16.234.41/24 --dport 443 -j ACCEPT
### SEF SINTEGRA
iptables -A FORWARD -p tcp -d 201.16.234.27/24 --dport 8017 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.166.92.27/24 --dport 8017 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.176.68/24 --dport 80 -j ACCEPT
### CNS
iptables -A FORWARD -p tcp -d 200.201.174.204/24 --dport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.198.232.62/24 --dport 80 -j ACCEPT

#iptables -A FORWARD -p tcp -d 200.189.179.160 --dport 443 -j ACCEPT
#CONNECT www.me.com.br:443 - DIRECT/200.189.179.160 -
#iptables -A FORWARD -p tcp -d 200.196.152.202/32 --dport 443 -j ACCEPT # Itau
#=================================================================================================================================================
# PREROUTING =
#=================================================================================================================================================
#### FORCA PROXY EXCETO IP ABAIXO
iptables -t nat -A PREROUTING -p tcp -m multiport -s 10.25.0.0/24 --dport 80,443 -j REDIRECT --to-ports 3128
#iptables -t nat -A PREROUTING -i $INTERNA -s \! 10.25.0.200/24 -p tcp -m multiport --dport 80,443 -j REDIRECT --to-ports 3128
#### LIBERA IPS FORA DO PROXY
#iptables -t nat -I PREROUTING -s 10.25.0.200 -p tcp -m multiport --dport 80,443 -j ACCEPT
### MAQUINA WALDIVINO
#iptables -t nat -I PREROUTING -m mac --mac-source 20:1A:06:5A:6A:3C -p tcp -m multiport --dport 80,443 -j ACCEPT
### MAQUINA SISTEMA
#iptables -t nat -p tcp -I PREROUTING -s 10.25.0.200 --dport 80 -j ACCEPT
#iptables -t nat -p tcp -I PREROUTING -s 10.25.0.200 --dport 443 -j ACCEPT
iptables -t nat -I PREROUTING -m mac --mac-source F0:4D:A2:DF:2E:2F -p tcp -m multiport --dport 80,443 -j ACCEPT
#### REDIRECIONAMENTO TERMINAL SERVER
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i $EXTERNA -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 10.25.0.200

#===============================================================================================================================================
# POSTROUTING =
#===============================================================================================================================================
### HABILITA MASQUERADE REDE INTERNA
#iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o $EXTERNA -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $LAN2 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN2 -o $EXTERNA -j MASQUERADE
###

#===============================================================================================================================================

}


################
# Função Stop
################
firewall_stop(){

##### Zera regras
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

##### carregar modulos
# fazer NAT, de forma geral compartilha a interenet com forward /sbin/modprobe iptable_nat
# resolve os problemas de FTP, sempre que tiver problemas com acesso a sites de FTP,
#lentidão, problemas de login ou acesso, tente carregar estes modulos relacionados a FTP.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# utlizado nas opções que geram log.
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe tun
### Políticas em ACCEPT ###
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#============ ativa nat ========================#
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#### TERMINAL SERVER
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i $EXTERNA -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 10.25.0.200
## Habilita roteamento ###
#iptables -t nat -A POSTROUTING -o $EXTERNA -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.8.0.0/8 -o $EXTERNA -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN2 -o $EXTERNA -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $LAN2 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
}

################
# Função Help
################
firewall_help(){
echo "Para ativar o Firewall, adicione o parâmetro 'start'."
echo "Para desativar, adicione 'stop'."
echo "Para reiniciar, 'restart'."
echo "Para obter ajuda, novamente, adicione o parâmetro 'help'."
}

firewall_status(){

echo "Checando Regras do Firewall: "
echo "============================\n"
iptables -nL
iptables -nL -t nat
}

case "$1" in
"start")
firewall_start
echo "\nFirewall Ativo.............................\n"
echo "Para ajuda, adicione o parâmetro 'help'\n"
firewall_status
;;

"stop")
firewall_stop
echo "\nFirewall Desativado.............................\n"
echo "Para ajuda, adicione o parâmetro 'help'\n"
firewall_status
;;
"restart")
firewall_stop
firewall_start
echo "\nFirewall Reiniciado.............................\n"
echo "Para ajuda, adicione o parâmetro 'help'\n"
firewall_status
;;
"help")
firewall_help
;;
*)
echo "Parâmetro inválido\nPara ajuda, adicione o parâmetro 'help'"
exit 0
;;
esac