magubuntu
(usa Ubuntu)
Enviado em 26/03/2014 - 10:45h
Caro souzacarlos, eu coloquei um registro de log de ICMP e consegui pegar um registro de bloqueio chegando da minha máquina da rede do predio2; coloquei para liberar o ping, mas sem sucesso. Segue o conteúdo do arquivo de firewall da rede onde ficam os servidores virtualizados:
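#!/bin/bash
# Shell Script - Firewall
# ===============================
# Builds the iptables ruleset for the gateway between the external network
# (eth0) and the LAN holding the virtualised servers (eth1).
#
# The script now resets the existing tables before loading rules, so it can
# be re-run safely.  Previously each run appended a second copy of every
# rule and the "-N" calls failed because the chains already existed, which
# made the effective ruleset depend on how many times the script had run.
#
# Values such as "ip_internet", "rede_cdir1" and "ip_net_predio2" are
# placeholders from the original post; replace them with real addresses.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
IPT="/sbin/iptables"
# VARIABLES
#++++++++++
# External network
INET_IP="ip_internet"
INET_IFACE="eth0"
# Open networks
CDIR1="rede_cdir1"
CDIR2="rede_cdir2"
IP_ANEXO="rede_cdir3"
VPN_IP_RANGE="10.1.0.0/16"
# Network of building 2 and the VMware host it must reach (these used to be
# written inline in the FORWARD rules; kept as variables like the others)
NET_PREDIO2="ip_net_predio2"
VMWARE_IP="10.1.4.19"
# Local network
LAN_IP="10.1.4.2"
LAN_IP_RANGE="10.1.4.0/24"
LAN_BCAST_ADDR="10.1.4.255"
LAN_IFACE="eth1"
# Localhost
LO_IFACE="lo"
LO_IP="127.0.0.1"

#######################################
# Accept UDP traffic on one port to and from the annex network, in the four
# combinations the original script repeated for every chain
# (dst/dport, src/dport, dst/sport, src/sport), in that order.
# Globals:   IPT, IP_ANEXO (read)
# Arguments: $1 - chain (INPUT, FORWARD or OUTPUT)
#            $2 - UDP port
#######################################
allow_anexo_udp() {
  local chain=$1
  local port=$2
  "$IPT" -A "$chain" -p udp -d "$IP_ANEXO" --dport "$port" -j ACCEPT
  "$IPT" -A "$chain" -p udp -s "$IP_ANEXO" --dport "$port" -j ACCEPT
  "$IPT" -A "$chain" -p udp -d "$IP_ANEXO" --sport "$port" -j ACCEPT
  "$IPT" -A "$chain" -p udp -s "$IP_ANEXO" --sport "$port" -j ACCEPT
}

# MODULES ++++++++
modprobe iptable_nat
modprobe ipt_MASQUERADE
# RESET
#++++++
# Start from an empty ruleset so re-running the script never accumulates
# duplicate rules or fails to create the custom chains.  The default policies
# are set to DROP right here so the gateway is fail-closed while the rest of
# the rules load; the original only set them at the very end, which left the
# tables wide open if the script aborted midway on its first run.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
  "$IPT" -t "$table" -Z
done
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
# SECURITY
#++++++++++
# Kernel protection
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# NOTE(review): proxy_arp on every interface combined with rp_filter can make
# the gateway answer ARP for addresses it then refuses to forward; confirm it
# is really needed on both eth0 and eth1.
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Multicast/Broadcast - blocked
"$IPT" -A INPUT -m pkttype --pkt-type broadcast -j DROP
"$IPT" -A INPUT -m pkttype --pkt-type multicast -j DROP
# ICMP packets of 300 bytes or more are dropped (the "-I INPUT -p icmp"
# debug rule further down is inserted ahead of this and bypasses it)
"$IPT" -A INPUT -p icmp -m length --length 300: -j DROP
# NOTE(review): 224.0.0.0/8 covers only 224.x.x.x; the full multicast range is
# 224.0.0.0/4.  The pkttype rule above already catches link-layer multicast.
"$IPT" -A INPUT -d 224.0.0.0/8 -j DROP
# Malformed TCP packets - blocked
"$IPT" -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
"$IPT" -A OUTPUT -p TCP ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
"$IPT" -A INPUT -m state --state INVALID -j DROP
"$IPT" -A OUTPUT -m state --state INVALID -j DROP
"$IPT" -A FORWARD -m state --state INVALID -j DROP
# Create chains
"$IPT" -N bad_tcp_packets
"$IPT" -N allowed
"$IPT" -N icmp_packets
# NOTE: tcp_packets is created but never given any rules, so inbound TCP
# from the external interface just returns from it and falls through to the
# final LOG/DROP unless an earlier INPUT rule accepted it.
"$IPT" -N tcp_packets
"$IPT" -N udpincoming_packets
# Chain "bad_tcp_packets": reset NEW SYN/ACK, log and drop NEW non-SYN
"$IPT" -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPT" -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
"$IPT" -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# Chain "allowed": accept SYN and established TCP, log and drop the rest
"$IPT" -A allowed -p TCP --syn -j ACCEPT
"$IPT" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A allowed -p TCP -j LOG
"$IPT" -A allowed -p TCP -j DROP
# ICMP rules: echo request (8), time exceeded (11), echo reply (0)
"$IPT" -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
"$IPT" -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
"$IPT" -A icmp_packets -p ICMP --icmp-type 0 -j ACCEPT
# Chain "udpincoming_packets"
"$IPT" -A udpincoming_packets -p UDP --source-port 53 -j ACCEPT
"$IPT" -A udpincoming_packets -p UDP -i "$INET_IFACE" -d "$LAN_BCAST_ADDR" --destination-port 135:139 -j DROP
"$IPT" -A udpincoming_packets -p UDP -i "$INET_IFACE" -d 255.255.255.255 --destination-port 67:68 -j DROP
# INPUT
#++++++
# Deny malformed packets
"$IPT" -A INPUT -p TCP -j bad_tcp_packets
# Allow ICMP between building 2 and the VMware host, both directions.
# These are inserted (-I), not appended, so they sit at the head of FORWARD
# ahead of the INVALID/length checks above.
"$IPT" -I FORWARD -s "$NET_PREDIO2" -d "$VMWARE_IP" -i "$INET_IFACE" -o "$LAN_IFACE" -p icmp -j ACCEPT
"$IPT" -I FORWARD -d "$NET_PREDIO2" -s "$VMWARE_IP" -i "$LAN_IFACE" -o "$INET_IFACE" -p icmp -j ACCEPT
"$IPT" -I FORWARD -s 10.1.34.18 -d "$VMWARE_IP" -i "$INET_IFACE" -o "$LAN_IFACE" -p icmp -j ACCEPT
"$IPT" -I FORWARD -d 10.1.34.18 -s "$VMWARE_IP" -i "$LAN_IFACE" -o "$INET_IFACE" -p icmp -j ACCEPT
# Debug: log every forwarded ICMP packet.  Inserted after the accepts above,
# so it ends up first in FORWARD and fires before them.
"$IPT" -I FORWARD -p icmp -j LOG
# Debug: accept all ICMP to and from the gateway itself.  Inserted at the top
# of INPUT/OUTPUT, this bypasses the 300-byte limit and the icmp_packets
# chain; remove once the ping problem is solved.
"$IPT" -I INPUT -p icmp -j ACCEPT
"$IPT" -I OUTPUT -p icmp -j ACCEPT
# $IPT -I FORWARD -p icmp -d 10.1.4.0/24 -s 10.1.34.0/24 -j ACCEPT
## $IPT -A FORWARD -p all -d 10.1.34.0/24 -s 10.1.4.19 -j ACCEPT
## $IPT -A FORWARD -p all -s 10.1.34.0/24 -d 10.1.4.19 -j ACCEPT
# $IPT -A INPUT -p tcp -s 10.1.34.0/24 --dport 49158 -j ACCEPT
## $IPT -A INPUT -p all -s 10.1.34.0/24 -j ACCEPT
# $IPT -A INPUT -p all -d 10.1.34.234 -j ACCEPT
## $IPT -A OUTPUT -p all -s 10.1.34.0/24 -d 10.1.4.19 -j ACCEPT
## $IPT -A OUTPUT -p all -d 10.1.34.0/24 -s 10.1.4.19 -j ACCEPT
## $IPT -t nat -A PREROUTING -p all -s 10.1.34.0/24 -d 10.1.4.19 -j ACCEPT
# Allow access to MRTG
"$IPT" -A INPUT -p tcp -i "$INET_IFACE" -m iprange --src-range 10.1.34.1-10.1.34.29 --dport 80 -j allowed
"$IPT" -A INPUT -p tcp -i "$LAN_IFACE" -m iprange --src-range 10.1.4.1-10.1.4.29 --dport 80 -j allowed
# Allow access to the printer (ACCEPT in nat/PREROUTING skips the Squid
# redirect below for this destination range)
"$IPT" -t nat -A PREROUTING -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d 10.1.0.0/16 --dport 80 -j ACCEPT
# Access to the "Squid" proxy: transparent redirect of LAN HTTP
"$IPT" -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 -j REDIRECT --to-port 3128
"$IPT" -A INPUT -p tcp --dport 3128 -j ACCEPT
# Allow inbound DNS requests
"$IPT" -A INPUT -p udp -i "$LAN_IFACE" --dport 53 -j ACCEPT
# Allow port 443
"$IPT" -A FORWARD -s "$LAN_IP_RANGE" -p tcp --dport 443 -j ACCEPT
# Allow SSH
# Rate limit: drop a source that opened 10+ new connections to port 22 in
# the last 300 s; the second rule only records the source and continues.
# NOTE(review): no rule in this script accepts port 22 afterwards, so this
# pair has no visible effect unless sshd actually listens on 7654 (below).
"$IPT" -A INPUT -p TCP -i "$LAN_IFACE" --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
"$IPT" -A INPUT -p TCP -i "$LAN_IFACE" --dport 22 -m state --state NEW -m recent --set
"$IPT" -A INPUT -p tcp -i "$INET_IFACE" -m iprange --src-range 10.1.34.1-10.1.34.29 --dport 7654 -j allowed
"$IPT" -A INPUT -p tcp -i "$LAN_IFACE" -m iprange --src-range 10.1.4.1-10.1.4.29 --dport 7654 -j allowed
"$IPT" -A INPUT -p tcp -s 10.1.34.234 --dport 7654 -j ACCEPT
# SDS CORPORATIVO
# NOTE(review): these INPUT rules accept every protocol and port from two
# external /24 networks on any interface, checked by source address only;
# restricting them to -i "$INET_IFACE" and the ports actually used would
# reduce what a spoofed source can reach.
"$IPT" -A INPUT -p all -s 200.238.83.0/24 -j ACCEPT
"$IPT" -A FORWARD -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -o "$INET_IFACE" -d 200.238.83.0/24 -j ACCEPT
"$IPT" -A INPUT -p all -s 200.238.112.0/24 -j ACCEPT
"$IPT" -A FORWARD -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -o "$INET_IFACE" -d 200.238.112.0/24 -j ACCEPT
# Allow VPN access - INPUT
"$IPT" -A INPUT -i tun+ -j ACCEPT
# Port 5000
allow_anexo_udp INPUT 5000
# Port 1194
allow_anexo_udp INPUT 1194
"$IPT" -A INPUT -p udp -i "$INET_IFACE" -s "$IP_ANEXO" --dport 1194 -j ACCEPT
# DHCP
"$IPT" -A INPUT -p UDP -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT
# APACHE
# NOTE(review): this matches UDP port 80; HTTP is TCP, so the rule as written
# probably never matches.  Left unchanged because turning it into TCP would
# open HTTP to the whole LAN, which the MRTG rules above deliberately limit.
"$IPT" -A INPUT -p UDP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" --dport 80 -j ACCEPT
# SAMBA
"$IPT" -A INPUT -p UDP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -m multiport --dport 137,138 -j ACCEPT
"$IPT" -A INPUT -p TCP -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -m multiport --dport 445,139 -j ACCEPT
# Allow NTOP for the LAN
"$IPT" -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_IP_RANGE" --dport 3000 -j ACCEPT
# Allow inbound packets from the Internet
"$IPT" -A INPUT -p ICMP -i "$INET_IFACE" -s "$CDIR1" -j icmp_packets
"$IPT" -A INPUT -p ICMP -i "$INET_IFACE" -s "$CDIR2" -j icmp_packets
"$IPT" -A INPUT -p ICMP -i "$LAN_IFACE" -j icmp_packets
"$IPT" -A FORWARD -p ICMP -i "$INET_IFACE" -j icmp_packets
"$IPT" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPT" -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
# Allow special networks that are not part of the Internet
"$IPT" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPT" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPT" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD
#++++++++
# Deny malformed TCP packets
"$IPT" -A FORWARD -p TCP -j bad_tcp_packets
# Allow access to the printers
"$IPT" -A FORWARD -p tcp -s "$LAN_IP_RANGE" -d 200.201.198.178 --dport 443 -j ACCEPT
"$IPT" -A FORWARD -p tcp -d "$LAN_IP_RANGE" -s 200.201.198.178 --dport 443 -j ACCEPT
"$IPT" -A FORWARD -p tcp -s "$LAN_IP_RANGE" --dport 902 -j ACCEPT
# Allow VPN access - FORWARD
"$IPT" -A FORWARD -i tun+ -j ACCEPT
# Port 5000
allow_anexo_udp FORWARD 5000
# Port 1194
allow_anexo_udp FORWARD 1194
# DNS
"$IPT" -A FORWARD -p UDP -s "$LAN_IP_RANGE" --dport 53 -j ACCEPT
"$IPT" -A FORWARD -p TCP -s "$LAN_IP_RANGE" --dport 53 -j ACCEPT
# Allow access to DIRF-IRPF
"$IPT" -A FORWARD -p tcp -s "$LAN_IP_RANGE" -d 161.148.185.11 --dport 3456 -j ACCEPT
"$IPT" -A FORWARD -p tcp -s "$LAN_IP_RANGE" -d 189.9.71.11 --dport 3456 -j ACCEPT
# Allow updates - Kaspersky antivirus
"$IPT" -A FORWARD -p tcp -s 10.1.0.0/16 -d 10.1.4.1 -m multiport --dport 13000,14000,15000 -j ACCEPT
"$IPT" -A FORWARD -p udp -s 10.1.0.0/16 -d 10.1.4.1 -m multiport --sport 13000,14000,15000 -j ACCEPT
# Allow the Ouvidoria site
"$IPT" -A FORWARD -p TCP -s "$LAN_IP_RANGE" -d 200.238.107.205 -j ACCEPT
# OI server
"$IPT" -A FORWARD -p TCP -s "$LAN_IP_RANGE" -d 200.202.193.19 -j ACCEPT
# Allow KERBEROS
"$IPT" -A FORWARD -p UDP -i "$INET_IFACE" -o "$LAN_IFACE" --dport 88 -d 10.1.4.5/32 -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -d "$VPN_IP_RANGE" -j ACCEPT
# Allow access to the ATI services
"$IPT" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -o "$INET_IFACE" -d "$CDIR1" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -o "$INET_IFACE" -d "$CDIR2" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP" -o "$INET_IFACE" -j ACCEPT
"$IPT" -A FORWARD -p ICMP -j icmp_packets
# Allow FORWARD for the Intranet tunnel
"$IPT" -A FORWARD -i "$INET_IFACE" -s "$VPN_IP_RANGE" -o "$LAN_IFACE" -j ACCEPT
"$IPT" -A FORWARD -i "$INET_IFACE" -d "$VPN_IP_RANGE" -o "$LAN_IFACE" -j ACCEPT
"$IPT" -A FORWARD -i "$INET_IFACE" -s "$IP_ANEXO" -o "$LAN_IFACE" -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT
#+++++++
# Deny malformed TCP
"$IPT" -A OUTPUT -p TCP -j bad_tcp_packets
# Performance - web access with minimum delay
"$IPT" -t mangle -A OUTPUT -p TCP -o "$INET_IFACE" --dport 53 -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A OUTPUT -p TCP -o "$INET_IFACE" --dport 80 -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A OUTPUT -p UDP -o "$INET_IFACE" --dport 53 -j TOS --set-tos 0x10
# Outbound Internet rule
"$IPT" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPT" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPT" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT
# Allow VPN access - OUTPUT
# Port 5000
allow_anexo_udp OUTPUT 5000
# Port 1194
allow_anexo_udp OUTPUT 1194
# IPFORWARD + NAT
#++++++++++++++++
# Changed to NAT towards the Internet, except for tunnel traffic: ACCEPT in
# nat/POSTROUTING keeps these private ranges out of the SNAT rule below.
"$IPT" -t nat -A POSTROUTING -s 10.1.0.0/16 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 10.130.0.0/16 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 10.252.1.0/24 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 10.252.61.0/24 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 172.20.0.0/16 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 172.24.0.0/16 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s 172.25.0.0/16 -o "$INET_IFACE" -d 10.1.0.0/16 -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
# Log denied packets.  The second LOG line repeats the first for ICMP (an ICMP
# packet reaching this point is logged twice); kept because it was added to
# debug the ping problem.
"$IPT" -A INPUT -p ALL -j LOG --log-level=info --log-prefix " *** DROP INPUT *** "
"$IPT" -A INPUT -p icmp -j LOG --log-level=info --log-prefix " *** DROP ICMP *** "
"$IPT" -A INPUT -j DROP
# Default policies (DROP on INPUT, OUTPUT and FORWARD) were already set in the
# RESET section at the top, so nothing is left open if the script stops early.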
Grato.