Bom dia galera, como vão?
#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Inicialização do Firewall
#
# config: /etc/sysconfig/iptables
# Absolute paths of the two binaries every function below drives.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
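#######################################
# Prints the current filter and nat rule sets.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   rule listing on stdout
# Returns:   status of the last iptables call
#######################################
status()
{
  # -n skips the reverse DNS lookup on every address (the rule set contains
  # host names, so a plain -L can stall on lookups); -v adds the counters.
  "$IPTABLES" -L -n -v
  "$IPTABLES" -t nat -L -n -v
}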
#######################################
# Loads the netfilter modules the rule set depends on: NAT plus the FTP
# connection-tracking / NAT helpers.  Nothing checks modprobe's status,
# exactly as before.
# Globals:   MODPROBE (read)
# Arguments: none
# Returns:   status of the last modprobe call
#######################################
carrega_modulos()
{
  local modulo
  # ip_tables, iptable_filter and ip_conntrack are intentionally not loaded
  # here (they were commented out in the original list).
  # NOTE(review): ip_nat_ftp / ip_conntrack_ftp are the old module names;
  # newer kernels ship them as nf_nat_ftp / nf_conntrack_ftp — confirm
  # against the running kernel.
  for modulo in iptable_nat ip_nat_ftp ip_conntrack_ftp; do
    "$MODPROBE" "$modulo"
  done
}
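#######################################
# Removes every rule and user chain from the filter, nat and mangle tables
# and resets the built-in policies to ACCEPT.
# Globals:   IPTABLES (read)
# Arguments: none
# Returns:   status of the last iptables call
#######################################
stop()
{
  local tabela
  # Policies first: start() leaves INPUT at DROP, and flushing the rules while
  # that policy stays in place leaves the host unreachable (ssh included)
  # after "stop".  start() sets its own policies again right after calling us.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  # -F empties every chain of a table and -X removes the (now empty) user
  # chains; the per-chain flushes of the original were all covered by these.
  for tabela in filter nat mangle; do
    "$IPTABLES" -t "$tabela" -F
    "$IPTABLES" -t "$tabela" -X
  done
}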
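#######################################
# Clears the old rule set, loads the kernel modules and installs the firewall.
# Called by "start" and "restart".
# Globals:   IPTABLES (read); the network layout variables below are set as
#            globals (not local), exactly as before.
# Arguments: none
# Outputs:   the configured addresses on stdout
# Returns:   status of the last iptables call
#######################################
start()
{
  stop
  carrega_modulos
  ############################## NETWORK VARIABLES ##############################
  # Every rule below uses these names instead of literal eth0/eth1/eth2, so a
  # NIC rename is a one-line change.
  ETHInternet=eth1
  IPInternet=187.50.138.218
  ETHLocal=eth0
  RedeLocal=192.168.0.0/24
  IPLocal=192.168.0.1
  ETHWireless=eth2
  RedeWireless=192.168.2.0/24
  IPWireless=192.168.2.1
  echo "IP Internet: $IPInternet"
  echo "IP Local: $IPLocal"
  echo "IP Wireless: $IPWireless"
  ############################## EXTERNAL MONITORING ############################
  # NOTE(review): no rule references these two yet; kept as the intended
  # switch for a future monitoring rule.
  MONITORA=SIM
  IP_MONITORA=192.168.0.5
  ############################## DEFAULT POLICIES ###############################
  # INPUT is default-deny: anything not accepted explicitly below is dropped.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  ############################## ENABLE ROUTING #################################
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Reverse-path filtering on every interface.
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
  done
  ############################## INPUT RULES ####################################
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Loopback traffic.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # The wired LAN may reach the firewall but is not forwarded to the wireless LAN.
  "$IPTABLES" -A INPUT -i "$ETHLocal" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$ETHLocal" -o "$ETHWireless" -j DROP
  # Same for the wireless LAN towards the wired one.
  "$IPTABLES" -A INPUT -i "$ETHWireless" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$ETHWireless" -o "$ETHLocal" -j DROP
  ############################## SPECIFIC SERVICES ##############################
  # Reachable from any source, including the Internet side.
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -s 0/0 -j ACCEPT  ## ping
  "$IPTABLES" -A INPUT -p udp --dport domain -j ACCEPT                     ## DNS
  # NOTE(review): 433 is not a usual VPN port and the (disabled) VPN DNAT
  # further down uses 443 — confirm this is not a typo.
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 433 -j ACCEPT   ## VPN
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 1999 -j ACCEPT  ## SSH (non-standard port)
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 3389 -j ACCEPT  ## Terminal Server
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 3390 -j ACCEPT  ## TSWINDOWS2012
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 8080 -j ACCEPT  ## DTS12
  "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport 8888 -j ACCEPT  ## SERVIÇO BRADESCO OBB
  "$IPTABLES" -A INPUT -p udp -s 0/0 --dport 8888 -j ACCEPT  ## SERVIÇO BRADESCO OBB
  # Deliberately no catch-all "-A INPUT -j ACCEPT" here: the original had one
  # at this point, which accepted every remaining packet and made the DROP
  # policy and the LOG rules below dead.  Unlisted inbound ports now fall
  # through to the policy and are dropped, as the section comments intend.
  ############################## LOGGING ########################################
  LOG_FLOOD="2/s"
  LOG_LEVEL="warning"
  # Attempts on the standard ssh/telnet/ftp ports (ssh itself listens on 1999)
  # are logged, rate-limited to LOG_FLOOD so they cannot fill the log, and
  # then dropped by the INPUT policy.
  "$IPTABLES" -A INPUT -p tcp --dport ssh -m limit --limit "$LOG_FLOOD" -j LOG --log-level "$LOG_LEVEL" --log-prefix "Firewall - sshDENIED"
  "$IPTABLES" -A INPUT -p tcp --dport telnet -m limit --limit "$LOG_FLOOD" -j LOG --log-level "$LOG_LEVEL" --log-prefix "Firewall - telnetDENIED"
  "$IPTABLES" -A INPUT -p tcp --dport ftp -m limit --limit "$LOG_FLOOD" -j LOG --log-level "$LOG_LEVEL" --log-prefix "Firewall - ftpDENIED"
  ############################## ALLOW OFFICE13 #################################
  # NOTE(review): a host name in -s/-d is resolved once, when the rule is
  # loaded: the rule only covers the addresses DNS returned at that moment and
  # the whole rule fails to load if DNS is unavailable (e.g. at boot).
  "$IPTABLES" -I FORWARD -p tcp -d microsoft.com --dport 80 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -d microsoft.com --dport 80 -j ACCEPT
  "$IPTABLES" -I FORWARD -p tcp -d microsoft.com --dport 443 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -d microsoft.com --dport 443 -j ACCEPT
  "$IPTABLES" -I FORWARD -p tcp -s microsoft.com --dport 80 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -s microsoft.com --dport 80 -j ACCEPT
  "$IPTABLES" -I FORWARD -p tcp -s microsoft.com --dport 443 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -s microsoft.com --dport 443 -j ACCEPT
  ############################## ALLOW SKYPE ####################################
  # Same host-name caveat as above.
  "$IPTABLES" -I OUTPUT -p tcp -d apps.skype.com --dport 443 -j ACCEPT
  "$IPTABLES" -I FORWARD -p tcp -d apps.skype.com --dport 443 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -d apps.skype.com --dport 443 -j ACCEPT
  "$IPTABLES" -I OUTPUT -p tcp -s apps.skype.com --dport 443 -j ACCEPT
  "$IPTABLES" -I FORWARD -p tcp -s apps.skype.com --dport 443 -j ACCEPT
  "$IPTABLES" -I INPUT -p tcp -s apps.skype.com --dport 443 -j ACCEPT
  ############################## FORWARD RULES ##################################
  "$IPTABLES" -A FORWARD -o "$ETHLocal" -m state --state INVALID -j DROP
  "$IPTABLES" -A FORWARD -o "$ETHLocal" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 443 arriving on the Internet side is left untouched by the nat table.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 443 -j ACCEPT
  # NOTE(review): this sends port-80 traffic arriving on the *Internet*
  # interface to the local proxy on 3128; a transparent proxy for the LAN
  # would normally match -i "$ETHLocal" instead — confirm which was meant.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 80 -j REDIRECT --to-port 3128
  # RDP to the 2003 server on the LAN.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 3389 -j DNAT --to 192.168.0.254:3389
  # RDP to the 2003 server from the wireless side (DNAT to the firewall's own
  # public address, as in the original).
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHWireless" --dport 3389 -j DNAT --to "${IPInternet}:3389"
  # RDP to the 2012 server on the LAN.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 3390 -j DNAT --to 192.168.0.253:3390
  # NOTE(review): shadowed — same interface and port as the rule just above,
  # so it can never match.  If the wireless side was meant (as for 3389),
  # the interface should be "$ETHWireless".
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 3390 -j DNAT --to "${IPInternet}:3390"
  # 2012 server for VPN — disabled.
  #"$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHWireless" --dport 443 -j DNAT --to "${IPInternet}:443"
  # Let the pje.trt15.jus.br site bypass the proxy.
  # NOTE(review): the nat ACCEPT for 443 above already ends nat processing for
  # this traffic, so this RETURN is never reached; harmless, but dead.
  "$IPTABLES" -t nat -A PREROUTING -i "$ETHInternet" -d pje.trt15.jus.br -p tcp --dport 443 -j RETURN
  # Datasul 12 on the LAN: production (DTSPRODUÇÃO) and test (DTSTESTE) instances.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 8080 -j DNAT --to 192.168.0.253:8080
  "$IPTABLES" -t nat -A PREROUTING -p tcp -i "$ETHInternet" --dport 8180 -j DNAT --to 192.168.0.253:8180
  # VPN (PPTP) forwarding to the 2012 server — disabled.
  #"$IPTABLES" -t nat -A PREROUTING -i "$ETHInternet" -p tcp -m multiport --dport 1723,47 -j DNAT --to 192.168.0.253:1723
  #"$IPTABLES" -A FORWARD -p tcp -m multiport --port 1723,47 -j ACCEPT
  #"$IPTABLES" -t nat -A PREROUTING -i "$ETHInternet" -p udp -m multiport --dport 1723,47 -j DNAT --to 192.168.0.253:1723
  #"$IPTABLES" -A FORWARD -p udp -m multiport --port 1723,47 -j ACCEPT
  #"$IPTABLES" -t nat -A PREROUTING -i "$ETHInternet" -p gre -j DNAT --to 192.168.0.253
  #"$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -d "$IPInternet" --dport 1723 -j DNAT --to-destination "${IPInternet}:1723"
  "$IPTABLES" -I FORWARD -p tcp --dport 1723 -j ACCEPT
  ############################## AUXILIARY RULES ################################
  # Lower latency for interactive ssh.  The original passed both -t nat and
  # -t mangle on this line; TOS is a mangle-table target, so only mangle is kept.
  "$IPTABLES" -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
  ############################## HTTP AND NAT ###################################
  # Conectividade Social host → transparent proxy.  The original wrote
  # 192.168.0.43/24, which matches the whole /24 rather than that host; /32
  # restores the single-host match the comment describes.
  "$IPTABLES" -A FORWARD -s 192.168.0.43/32 -d 0/0 -p tcp --dport 80 -j ACCEPT
  # Update server, unrestricted forwarding (same /24 → /32 correction).
  "$IPTABLES" -A FORWARD -s 192.168.0.4/32 -d 0/0 -j ACCEPT
  # Test for César's PC — disabled.
  #"$IPTABLES" -I INPUT -d 192.168.0.216/24 -j ACCEPT
  #"$IPTABLES" -I OUTPUT -d 192.168.0.216/24 -j ACCEPT
  ############################## ALLOW FORWARDING BY SOURCE NETWORK #############
  "$IPTABLES" -A FORWARD -s "$RedeLocal" -j ACCEPT
  # Block port-80 requests from the LAN — disabled.
  #"$IPTABLES" -I FORWARD -s "$RedeLocal" -p tcp --dport 80 -j DROP
  #"$IPTABLES" -I FORWARD -s "$RedeLocal" -p tcp --dport 8080 -j ACCEPT
  #"$IPTABLES" -I OUTPUT -s 192.168.0.3/8 -j DROP
  ############################## SNAT LAN AND WIRELESS TO THE INTERNET ##########
  "$IPTABLES" -t nat -A POSTROUTING -s "$RedeLocal" -j SNAT --to "$IPInternet"
  "$IPTABLES" -t nat -A POSTROUTING -s "$RedeWireless" -j SNAT --to "$IPInternet"
}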
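# Entry point: dispatch on the init-script action.  "status" was defined above
# but never wired in; an unknown or missing action now prints a usage line and
# returns 1 instead of silently doing nothing.
case "$1" in
  start)
    start
    echo "Iniciando Firewall"
    ;;
  stop)
    stop
    echo "Parando Firewall"
    sleep 2
    echo "ok."
    ;;
  restart)
    echo "Reiniciando Firewall"
    # start() flushes the tables itself before reloading, so one call is enough.
    start
    echo "ok."
    ;;
  status)
    status
    ;;
  *)
    echo "Uso: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac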