magubuntu
(usa Ubuntu)
Enviado em 20/01/2015 - 15:31h
Segue arquivo do firewall:
#!/bin/bash
# Shell Script - Firewall "Meu_Firewall"
# ===============================
# Site-specific addresses and interfaces used by every rule below.  Values
# written with letters (X.X.X.X, Y.Y.Y.Y/18, ...) are redacted in this listing.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
IPT=/sbin/iptables
# VARIABLES
#++++++++++
# Loopback
LO_IFACE=lo
LO_IP=127.0.0.1
# Local network (LAN side of this gateway)
LAN_IFACE=eth1
LAN_IP=10.1.4.2
LAN_IP_RANGE=10.1.4.0/24
LAN_BCAST_ADDR=10.1.4.255
# External network (Internet side)
INET_IFACE=eth0
INET_IP='X.X.X.X'
# Open networks (CDIR1, CDIR2), the "anexo" site and the VPN address range
CDIR1='Y.Y.Y.Y/18'
CDIR2='Z.Z.Z.Z/19'
IP_ANEXO='A.A.A.A'
VPN_IP_RANGE=10.10.0.0/16
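# MODULES ++++++++
modprobe iptable_nat
modprobe ipt_MASQUERADE
# SECURITY
#++++++++++
# Kernel protections
echo "1" > /proc/sys/net/ipv4/ip_forward          # this host routes between LAN and Internet
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter  # reverse-path filtering on every interface
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp  # NOTE(review): proxy ARP on all interfaces — confirm it is required
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Start from an empty ruleset.  Without this, running the script a second time
# appends a duplicate of every rule and the "-N" chain creations further down
# fail because the chains already exist.  Policies are not touched here; if they
# are already DROP from a previous run the host stays closed while rules load.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Multicast, broadcast - blocked
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m pkttype --pkt-type multicast -j DROP
$IPT -A INPUT -p icmp -m length --length 300: -j DROP   # ICMP of 300 bytes and more
$IPT -A INPUT -d 224.0.0.0/8 -j DROP                    # 224.0.0.0/8 destinations (multicast range)
# Malformed TCP - blocked
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p TCP ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP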
# Create the user-defined chains; each one is populated further down.
for chain in bad_tcp_packets allowed icmp_packets tcp_packets udpincoming_packets; do
  $IPT -N "$chain"
done
# Chain "bad_tcp_packets": TCP sanity checks, used by INPUT, FORWARD and OUTPUT
# further down.  A NEW connection must begin with a bare SYN.
# SYN+ACK with no conntrack entry: answer with a TCP reset
$IPT -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other non-SYN packet that conntrack treats as NEW: log, then drop
$IPT -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPT -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# Chain "allowed" (used by the port-7654 rules below): accept the opening SYN and
# anything conntrack already knows; log and drop the rest.  Every rule is TCP and
# the last one is DROP, so a TCP jump here never returns to the caller.
$IPT -A allowed -p TCP --syn -j ACCEPT
$IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed -p TCP -j LOG
$IPT -A allowed -p TCP -j DROP
# ICMP rules: echo request (8), time exceeded (11) and echo reply (0) are
# accepted; any other type returns to the calling chain.
$IPT -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP --icmp-type 0 -j ACCEPT
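# Chain "udpincoming_packets": UDP that arrived on the Internet interface.
# The chain has no terminal rule; unmatched packets return to INPUT.
# DNS replies: accept them only for a query this host already sent.  A bare
# "--source-port 53 -j ACCEPT" admits any UDP to any local port as long as the
# sender uses source port 53, so the conntrack state is required as well.
$IPT -A udpincoming_packets -p UDP --source-port 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NetBIOS to the LAN broadcast address and DHCP to the limited broadcast
# address, arriving from the Internet: dropped silently
$IPT -A udpincoming_packets -p UDP -i "$INET_IFACE" -d "$LAN_BCAST_ADDR" --destination-port 135:139 -j DROP
$IPT -A udpincoming_packets -p UDP -i "$INET_IFACE" -d 255.255.255.255 --destination-port 67:68 -j DROP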
# Transparent proxy: TCP port 80 arriving on the LAN interface is redirected to
# Squid on local port 3128.  This is the first rule appended to nat PREROUTING,
# so an exemption appended after it with -A never sees port-80 traffic.
$IPT -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
# NOTE(review): no -i or -s restriction, so port 3128 is reachable from any interface — confirm
$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT
# Inbound DNS queries from the LAN (UDP only; TCP 53 is not opened here)
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 53 -j ACCEPT
# LAN -> anywhere: TCP 443 (HTTPS) and TCP 5222 (typically XMPP client) are forwarded directly
$IPT -A FORWARD -s $LAN_IP_RANGE -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -s $LAN_IP_RANGE -p tcp --dport 5222 -j ACCEPT
# INPUT
#++++++
# FTP control port (21) for host A.B.C.D (address redacted), routed and local.
# NOTE(review): the "-d A.B.C.D" INPUT rule only matches if A.B.C.D is one of
# this host's own addresses — confirm it is needed.
$IPT -A FORWARD -p tcp -s A.B.C.D --dport 21 -j ACCEPT
$IPT -A FORWARD -p tcp -d A.B.C.D --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s A.B.C.D --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -d A.B.C.D --dport 21 -j ACCEPT
# Reject malformed TCP (chain bad_tcp_packets).  This sits after the accepts
# already appended to INPUT above (Squid 3128, DNS, FTP), which therefore skip it.
$IPT -A INPUT -p TCP -j bad_tcp_packets
# MRTG access (disabled)
# $IPT -A INPUT -p tcp -i $INET_IFACE -m iprange --src-range 10.1.34.1-10.1.34.29 --dport 80 -j allowed
# $IPT -A INPUT -p tcp -i $LAN_IFACE -m iprange --src-range 10.1.4.1-10.1.4.29 --dport 80 -j allowed
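# Printer access: LAN -> 10.1.0.0/16 on port 80 must bypass the Squid REDIRECT.
# The REDIRECT is appended to nat PREROUTING earlier in this script and is a
# final decision for the packet, so an exemption appended after it (-A) is never
# reached; it has to be inserted ahead of it (-I).  ACCEPT in the nat table
# ends the table walk for that connection, which is what skips the redirect.
$IPT -t nat -I PREROUTING -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d 10.1.0.0/16 --dport 80 -j ACCEPT
# Exemption for CELSO and BRUNA (GGT): host 10.1.4.112 is not redirected to the
# proxy (inserted ahead of the REDIRECT for the same reason) and its HTTP is
# forwarded directly.
$IPT -t nat -I PREROUTING -s 10.1.4.112 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.1.4.112 --dport 80 -j ACCEPT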
# Remote desktop forwarding (disabled): TCP 3389 from anywhere DNAT'd to 10.1.4.15
# iptables -t nat -A PREROUTING -s 0/0 -m tcp -p tcp -i eth0 --dport 3389 -j DNAT --to-destination 10.1.4.15
# iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
# SSH
# Throttle on the LAN interface: every NEW connection to port 22 is recorded in
# the "recent" table (second rule); once a source reaches the hitcount of 10
# within 300 s, its further NEW connections are dropped (first rule).
# NOTE(review): no rule in this file ACCEPTs --dport 22, so port 22 ends at the
# catch-all drop at the bottom; SSH appears to be served on 7654 (below) — confirm.
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -m recent --set
# Port 7654 through chain "allowed" (SYN or known connection accepted, rest
# logged and dropped): 10.1.34.1-29 via the Internet interface, 10.1.4.1-29 via
# the LAN interface, and 10.1.34.234 from any interface (direct ACCEPT)
$IPT -A INPUT -p tcp -i $INET_IFACE -m iprange --src-range 10.1.34.1-10.1.34.29 --dport 7654 -j allowed
$IPT -A INPUT -p tcp -i $LAN_IFACE -m iprange --src-range 10.1.4.1-10.1.4.29 --dport 7654 -j allowed
$IPT -A INPUT -p tcp -s 10.1.34.234 --dport 7654 -j ACCEPT
# SDS CORPORATE (addresses redacted): any protocol from either /24 is accepted
# locally, and LAN -> either /24 is forwarded out the Internet interface.
# NOTE(review): the INPUT rules carry no -i, so these source networks are trusted
# whichever interface they arrive on — confirm.
$IPT -A INPUT -p all -s D.C.B.A/24 -j ACCEPT
$IPT -A FORWARD -p all -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE -d D.C.B.A/24 -j ACCEPT
$IPT -A INPUT -p all -s B.C.D.E/24 -j ACCEPT
$IPT -A FORWARD -p all -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE -d B.C.D.E/24 -j ACCEPT
# Scriptcase VPN: UDP 1195 is DNAT'd to 10.1.4.184 and forwarded.
# NOTE(review): none of these rules restricts the ingress interface or the
# original destination, so UDP 1195 reaching this host on any interface is
# redirected; the INPUT accept only matters for packets the DNAT did not
# rewrite — confirm that is intended.
$IPT -t nat -A PREROUTING -p udp --dport 1195 -j DNAT --to 10.1.4.184
$IPT -A FORWARD -p udp --dport 1195 -j ACCEPT
$IPT -A INPUT -p udp --dport 1195 -j ACCEPT
# Intranet VPN: the same pattern for UDP 1196 -> 10.1.4.8
$IPT -t nat -A PREROUTING -p udp --dport 1196 -j DNAT --to 10.1.4.8
$IPT -A FORWARD -p udp --dport 1196 -j ACCEPT
$IPT -A INPUT -p udp --dport 1196 -j ACCEPT
# VPN access - INPUT
# Anything arriving on a tun* interface (tun0, tun1, ...) is accepted
$IPT -A INPUT -i tun+ -j ACCEPT
# UDP 5000 to/from IP_ANEXO, every src/dst x sport/dport combination.
# NOTE(review): the "-d $IP_ANEXO" variants only match if this host owns
# IP_ANEXO, and the "--sport 5000" variants accept any local destination port —
# confirm both are intended.
$IPT -A INPUT -p udp -d $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A INPUT -p udp -s $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A INPUT -p udp -d $IP_ANEXO --sport 5000 -j ACCEPT
$IPT -A INPUT -p udp -s $IP_ANEXO --sport 5000 -j ACCEPT
# UDP 1194 (OpenVPN's registered port) to/from IP_ANEXO, same pattern
$IPT -A INPUT -p udp -d $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A INPUT -p udp -s $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A INPUT -p udp -d $IP_ANEXO --sport 1194 -j ACCEPT
$IPT -A INPUT -p udp -s $IP_ANEXO --sport 1194 -j ACCEPT
# Already covered by the "-s $IP_ANEXO --dport 1194" rule above; this one only adds -i
$IPT -A INPUT -p udp -i $INET_IFACE -s $IP_ANEXO --dport 1194 -j ACCEPT
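# DHCP: client -> server traffic (sport 68, dport 67) on the LAN interface
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
# APACHE: HTTP is carried over TCP.  The original rule matched UDP 80, which no
# web client sends, so it never admitted anything.  NOTE(review): port 80
# arriving on the LAN interface is also redirected to Squid (3128) by the nat
# rule earlier in this script, so this rule only sees traffic that redirect does
# not rewrite — confirm the rule is still wanted.
$IPT -A INPUT -p TCP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" --dport 80 -j ACCEPT
# SAMBA: UDP 137,138 and TCP 445,139 from the LAN
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE -m multiport --dport 445,139 -j ACCEPT
# NTOP for the LAN (TCP 3000)
$IPT -A INPUT -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE --dport 3000 -j ACCEPT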
# Packets arriving from the Internet, dispatched to the per-protocol chains
# ICMP: from the two open networks on the Internet interface and from the LAN,
# plus ICMP in transit from the Internet.  icmp_packets accepts types 0/8/11
# and returns for anything else.
$IPT -A INPUT -p ICMP -i $INET_IFACE -s $CDIR1 -j icmp_packets
$IPT -A INPUT -p ICMP -i $INET_IFACE -s $CDIR2 -j icmp_packets
$IPT -A INPUT -p ICMP -i $LAN_IFACE -j icmp_packets
$IPT -A FORWARD -p ICMP -i $INET_IFACE -j icmp_packets
# TCP from the Internet goes to tcp_packets.  That chain is created above but
# no rule is ever added to it in this file, so the jump returns at once and the
# packet continues down INPUT (ending in the log+drop at the bottom of the
# script unless a later rule accepts it).
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
# UDP from the Internet: chain udpincoming_packets (also returns when unmatched)
$IPT -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
# Special networks that are not the Internet: loopback, and the host's own LAN
# and Internet addresses when they arrive on lo
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# Replies and related packets for connections this host already has, from any
# interface.  This is what admits the answers to outbound connections.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
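# FORWARD
#++++++++
# SOCIAL-NETWORK ACCESS CONTROL
# Every destination listed in the block file is REJECTed for the LAN, except for
# the devices in SOCIAL_EXEMPT_MACS.  All of these rules are inserted (-I) at
# the top of FORWARD, ahead of every other FORWARD rule in this script.
SOCIAL_BLOCKLIST="/etc/squid3/acls/bloquear_sociais.txt"
# Devices allowed through the social-network block, identified by source MAC.
# NOTE(review): a MAC address is supplied by the client and nothing here
# verifies it, so treat this as a convenience list rather than an access
# control.  Two addresses appear twice (3c:e0:72:96:9f:e4 and
# a0:e4:53:dd:0f:ec); the repeated rules are harmless and the list is kept as
# the original had it.
SOCIAL_EXEMPT_MACS=(
  D0:DF:9A:8D:31:53  # FERNANDO NOTEBOOK
  00:23:5A:76:D6:80  # FERNANDO NOTEBOOK
  C4:43:8F:53:35:61  # FERNANDO CEL
  50:B7:C3:44:7E:F5  # DENISON NOTEBOOK
  C0:65:99:13:AB:8B  # DENISON CELULAR
  78:2B:CB:C1:09:C7  # SECRETARIO FOMENTO DESKTOP
  3c:e0:72:96:9f:e4  # SECRETARIO CELULAR
  c8:6f:1d:0e:3b:c8  # SMARTFONE SECRETARIO
  f0:d1:a9:dc:dd:a5  # IPAD SECRETARIO1
  b8:f6:b1:9d:6a:91  # IPAD SECRETARIO2
  f0:d1:a9:e6:06:dc  # IPAD-SECRETARIO3
  7c:c3:a1:e7:28:19  # ANGELA MOCHELL
  74:86:7a:f5:cc:a8  # NOTEBOOK-SEC-FOMENTO1
  1c:3e:84:51:70:22  # NOTEBOOK-SEC-FOMENTO2
  74:d0:2b:a7:1c:d3  # TABLET WALDOMIRO - FOMENTO
  3c:e0:72:96:9f:e4  # BVT-GAB-CELULAR SECRETARIO
  98:f0:ab:33:ab:c5  # CELULAR MARILIA - GAB
  94:51:03:d7:b5:d8  # CELULAR SILVANA - GAB
  2c:be:08:6e:98:22  # CELULAR Williane - GAB
  94:94:26:02:7a:aa  # MACBOOK-SECRETARIO-SETQ
  00:f4:b9:00:fc:22  # Celular Fernanda - Gabinete
  a0:e4:53:dd:0f:ec  # BVT-OUV-CELULAR FABIO
  78:2b:cb:c1:09:ac  # BVT-ASC-390865
  78:2b:cb:c1:0c:49  # BVT-ASC-390862
  78:2b:cb:bf:8e:76  # BVT-ASC-390861
  a0:e4:53:dd:0f:ec  # BVT-ASC-402659 - hp
  64:51:06:1a:02:53  # BVT-ASC-402660 - hp
  38:ea:a7:19:30:f2  # BVT-OUV-08364
  64:51:06:1a:12:7f  # BVT-COMISSAO
  38:AA:3C:41:EC:DE  # BVT-GGT-CELSO - SMARTPHONE
  f0:db:e2:5d:1b:30  # BVT-SECRETARIO EXECUTIVO ROBERTO SALAMAO - SMARTPHONE
  f0:d1:a9:e1:35:49  # BVT-ANGELA MOCHEL - DISPOSITIVO MOVEL
)
$IPT -N FACEBOOK
$IPT -I FORWARD -s "$LAN_IP_RANGE" -j FACEBOOK
if [[ -r "$SOCIAL_BLOCKLIST" ]]; then
  set -f  # entries are literal hosts/networks; never let the shell glob them
  while IFS= read -r line || [[ -n "$line" ]]; do
    # deliberate word-splitting: the file may hold several entries per line,
    # which is what the original `cat` in a for-loop accepted
    for face in $line; do
      # same binary as every other rule (the original called bare "iptables" here)
      $IPT -A FACEBOOK -d "$face" -j REJECT
      # exemptions go in front of the FACEBOOK jump, so the MAC rules win
      for mac in "${SOCIAL_EXEMPT_MACS[@]}"; do
        $IPT -I FORWARD -m mac --mac-source "$mac" -d "$face" -j ACCEPT
      done
    done
  done < "$SOCIAL_BLOCKLIST"
  set +f
else
  printf 'warning: %s not readable, social-network block not loaded\n' "$SOCIAL_BLOCKLIST" >&2
fi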
# Reject malformed TCP in transit (chain bad_tcp_packets).  This sits after the
# FORWARD accepts already appended above (443, 5222, FTP, 10.1.4.112) and after
# the FACEBOOK rules inserted at the top, all of which skip it.
$IPT -A FORWARD -p TCP -j bad_tcp_packets
# Labelled "printers" by the author: TCP 443 both ways with 200.201.198.178,
# and LAN -> anywhere on TCP 902
$IPT -A FORWARD -p tcp -s $LAN_IP_RANGE -d 200.201.198.178 --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -d $LAN_IP_RANGE -s 200.201.198.178 --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -s $LAN_IP_RANGE --dport 902 -j ACCEPT
# SIMA access (address redacted), TCP 98
$IPT -A FORWARD -p tcp -d C.D.E.F -s $LAN_IP_RANGE --dport 98 -j ACCEPT
# FTP / SSH to the OI corporate system.  NOTE(review): FTP (21) and SSH (22) run
# over TCP; the two UDP rules are unlikely to ever match — confirm they are wanted.
$IPT -A FORWARD -p tcp -d 200.202.193.145 -s $LAN_IP_RANGE --dport 21 -j ACCEPT
$IPT -A FORWARD -p tcp -d 200.202.193.19 -s $LAN_IP_RANGE --dport 22 -j ACCEPT
$IPT -A FORWARD -p udp -d 200.202.193.145 -s $LAN_IP_RANGE --dport 21 -j ACCEPT
$IPT -A FORWARD -p udp -d 200.202.193.19 -s $LAN_IP_RANGE --dport 22 -j ACCEPT
# VPN access - FORWARD: anything arriving on a tun* interface is forwarded
$IPT -A FORWARD -i tun+ -j ACCEPT
# UDP 5000 to/from IP_ANEXO, every src/dst x sport/dport combination (same
# pattern as the INPUT rules above)
$IPT -A FORWARD -p udp -d $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A FORWARD -p udp -s $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A FORWARD -p udp -d $IP_ANEXO --sport 5000 -j ACCEPT
$IPT -A FORWARD -p udp -s $IP_ANEXO --sport 5000 -j ACCEPT
# UDP 1194 to/from IP_ANEXO, same pattern
$IPT -A FORWARD -p udp -d $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A FORWARD -p udp -s $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A FORWARD -p udp -d $IP_ANEXO --sport 1194 -j ACCEPT
$IPT -A FORWARD -p udp -s $IP_ANEXO --sport 1194 -j ACCEPT
# DNS from the LAN, UDP and TCP, to any resolver
$IPT -A FORWARD -p UDP -s $LAN_IP_RANGE --dport 53 -j ACCEPT
$IPT -A FORWARD -p TCP -s $LAN_IP_RANGE --dport 53 -j ACCEPT
# DIRF-IRPF access (addresses redacted), TCP 3456
$IPT -A FORWARD -p tcp -s $LAN_IP_RANGE -d D.E.F.G --dport 3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s $LAN_IP_RANGE -d E.F.G.H --dport 3456 -j ACCEPT
# Kaspersky antivirus updates: clients anywhere in 10.1.0.0/16 (wider than the
# LAN range) reach 10.1.4.1 on TCP 13000/14000/15000.  NOTE(review): the UDP
# rule matches --sport, so any UDP from 10.1.0.0/16 with one of those source
# ports reaches 10.1.4.1 on any port — confirm.
$IPT -A FORWARD -p tcp -s 10.1.0.0/16 -d 10.1.4.1 -m multiport --dport 13000,14000,15000 -j ACCEPT
$IPT -A FORWARD -p udp -s 10.1.0.0/16 -d 10.1.4.1 -m multiport --sport 13000,14000,15000 -j ACCEPT
# Ouvidoria site and OI server by host name (redacted).  iptables resolves the
# name when the rule is loaded: a resolution failure leaves the rule out, and a
# name with several addresses produces one rule per address.
$IPT -A FORWARD -p TCP -s $LAN_IP_RANGE -d OUVIDORIA.COM -j ACCEPT
# OI server
$IPT -A FORWARD -p TCP -s $LAN_IP_RANGE -d OI.COM -j ACCEPT
# KERBEROS (author's label): UDP 88 from the Internet interface to 10.1.4.5
$IPT -A FORWARD -p UDP -i $INET_IFACE -o $LAN_IFACE --dport 88 -d 10.1.4.5/32 -j ACCEPT
# LAN -> VPN address range via the Internet interface
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -d $VPN_IP_RANGE -j ACCEPT
# ATI services: LAN -> the two open networks, plus anything sourced from the
# gateway's own LAN address.  NOTE(review): a routed packet rarely carries the
# gateway's address as its source — confirm the third rule is reachable.
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE -d $CDIR1 -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE -d $CDIR2 -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_IP -o $INET_IFACE -j ACCEPT
# ICMP in transit from any interface (non-terminal chain; unmatched types continue below)
$IPT -A FORWARD -p ICMP -j icmp_packets
# Intranet tunnel: Internet interface -> LAN for the VPN range (as source or
# destination) and for IP_ANEXO
$IPT -A FORWARD -i $INET_IFACE -s $VPN_IP_RANGE -o $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -d $VPN_IP_RANGE -o $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -s $IP_ANEXO -o $LAN_IFACE -j ACCEPT
# Replies and related packets for forwarded connections already accepted in either direction
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT
#+++++++
# Reject malformed TCP generated locally (chain bad_tcp_packets)
$IPT -A OUTPUT -p TCP -j bad_tcp_packets
# Performance: mark outbound DNS and HTTP for minimum delay (0x10 is the
# numeric form of Minimize-Delay)
$IPT -t mangle -A OUTPUT -p TCP -o $INET_IFACE --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A OUTPUT -p TCP -o $INET_IFACE --dport 80 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A OUTPUT -p UDP -o $INET_IFACE --dport 53 -j TOS --set-tos 0x10
# Outbound traffic: everything sourced from loopback, the LAN address or the
# Internet address is accepted.  Only locally generated packets with some other
# source address (a tunnel address, for instance) reach the rules below and,
# eventually, the OUTPUT policy.
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# VPN access - OUTPUT
# UDP 5000 to/from IP_ANEXO, every src/dst x sport/dport combination.
# NOTE(review): the "-s $IP_ANEXO" variants only match if this host owns
# IP_ANEXO — confirm.
$IPT -A OUTPUT -p udp -d $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP_ANEXO --dport 5000 -j ACCEPT
$IPT -A OUTPUT -p udp -d $IP_ANEXO --sport 5000 -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP_ANEXO --sport 5000 -j ACCEPT
# UDP 1194 to/from IP_ANEXO, same pattern
$IPT -A OUTPUT -p udp -d $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP_ANEXO --dport 1194 -j ACCEPT
$IPT -A OUTPUT -p udp -d $IP_ANEXO --sport 1194 -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP_ANEXO --sport 1194 -j ACCEPT
# IPFORWARD + NAT
#++++++++++++++++
# Changed to NAT to the Internet except for the tunnel: 10.1.0.0/16 talking to
# 10.1.0.0/16 via the Internet interface is ACCEPTed here, which ends the nat
# table walk so the SNAT below does not rewrite it.
$IPT -t nat -A POSTROUTING -s 10.1.0.0/16 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# Disabled exemptions for other private ranges
# $IPT -t nat -A POSTROUTING -s 10.130.0.0/16 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# $IPT -t nat -A POSTROUTING -s 10.252.1.0/24 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# $IPT -t nat -A POSTROUTING -s 10.252.61.0/24 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# $IPT -t nat -A POSTROUTING -s 172.20.0.0/16 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# $IPT -t nat -A POSTROUTING -s 172.24.0.0/16 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# $IPT -t nat -A POSTROUTING -s 172.25.0.0/16 -o $INET_IFACE -d 10.1.0.0/16 -j ACCEPT
# Everything else from the LAN leaving the Internet interface gets INET_IP as its source
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j SNAT --to-source $INET_IP
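# Log what is about to be dropped, then drop.  LOG is non-terminating, so a
# packet matched by two LOG rules is written to the log twice; ICMP gets its
# own prefix and is excluded from the generic rule so each packet is logged
# exactly once.  NOTE(review): neither LOG rule is rate-limited (-m limit), so
# a burst of rejected traffic is logged in full — confirm that is acceptable
# for the syslog volume here.
$IPT -A INPUT -p icmp -j LOG --log-level=info --log-prefix " *** DROP ICMP *** "
$IPT -A INPUT ! -p icmp -j LOG --log-level=info --log-prefix " *** DROP INPUT *** "
$IPT -A INPUT -j DROP
# Default policy, set last.  NOTE(review): until this point the built-in
# policies are whatever they were before the script ran (ACCEPT on a fresh
# boot), so the host is briefly open while the rules above are loading —
# confirm whether that window matters.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP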