fernando.pedro
(usa Ubuntu)
Enviado em 28/08/2013 - 03:45h
fernando.pedro escreveu:
Boa noite pessoal
Estou com um problema em um firewall que fiz.
Eu fiz algumas modificações, mas não consegue acessar nada.
O pessoal aí pode me ajudar?
Ainda estou começando no mundo Linux e tenho muito para aprender.
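#################################################
## Opening the whole 6000-6020 range to the system server #
#################################################
# The posted lines were each entered twice (-I pairs), and the multiport list
# "6000,6020" matched only those two ports, not the range; the range rule
# below already covers both, so every rule now appears exactly once.
iptables -I INPUT -p tcp --dport 6000:6020 -j ACCEPT
iptables -I FORWARD -p tcp --dport 6000:6020 -j ACCEPT
# Kept as posted. The main script never sets an OUTPUT policy, so whether this
# rule changes anything depends on the policy the host already has.
iptables -I OUTPUT -p tcp --dport 6000:6020 -j ACCEPT
# Fixed: "--to-destination 192.168.0.70:6000" sent every port of the range to
# port 6000. Without a port, DNAT keeps the original destination port
# (6000->6000 ... 6020->6020), which is how the iniflex redirect in the main
# script is written. Restore ":6000" if every port really must land on 6000.
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 6000:6020 -j DNAT --to-destination 192.168.0.70
# Packets arriving on eth0 already matched the inserted range rule above; this
# rule (no -i) presumably serves clients that reach the public address from
# another interface, e.g. the LAN. Listed once instead of twice.
iptables -t nat -A PREROUTING -d 189.2.147.178 -p tcp --dport 6000 -j DNAT --to 192.168.0.70
# SNAT rewrites the client address to the public IP, so the server sees every
# port-6000 connection as coming from 189.2.147.178 and its logs lose the real
# client. That is only needed when LAN hosts use the public address to reach
# the server; review whether that is the case here. Listed once instead of twice.
iptables -t nat -A POSTROUTING -d 192.168.0.70 -p tcp --dport 6000 -j SNAT --to 189.2.147.178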
este é o meu firewall
Tem como verificar onde está errado, por favor?
#!/bin/bash
#####################################################
# Autor........: Fernando Pedro #
# Criado em....: 25/05/2009 #
# Modificado em: 28/11/2011 #
# Contato......: #
# Cidade.......: Campo Grande-MS #
#####################################################
# --- Clean slate: flush every chain in every table, delete user chains, then
# set the default policies.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t mangle -F
iptables -t nat -F
iptables -X
# Default-deny for traffic to the box and through the box. OUTPUT is never
# given a policy in this script, so it keeps whatever the kernel already had.
iptables -P INPUT DROP
iptables -P FORWARD DROP

### Variables ###
squid=3128            # transparent-proxy (squid) port
Wan=eth0              # Internet-facing interface
Lan=eth1              # internal network interface
REDE=192.168.0.0/24   # internal network
# camera server
CAMERAS=192.168.0.200
# system server
SERVIDOR=192.168.0.70
# flexographic printer
FLEX=192.168.0.250
# List files read by the loops further down (whitespace-separated entries).
MSN="/scripts/msn"
FORWARD="/scripts/forward"
INPUT="/scripts/input"
PORTA80="/scripts/porta80"
PORTA443="/scripts/porta443"
TORRENT="/scripts/torrent"

# NAT and active-FTP connection-tracking helpers. ip_nat_ftp/ip_conntrack_ftp
# are the legacy module names; newer kernels ship nf_nat_ftp/nf_conntrack_ftp.
# NOTE(review): check `modprobe` output on this host if FTP through the NAT
# stops working.
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Hide the LAN behind the WAN address and enable routing between interfaces.
iptables -t nat -A POSTROUTING -o "$Wan" -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
#
# UltraSurf: log forwarded traffic towards that range (the prefix is presumably
# what fail2ban watches for).
iptables -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "

#### STATE #####
#
# Replies to established flows are accepted first; tcp packets the tracker
# cannot classify are dropped; icmp is rate-limited to 5/s.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
# -I puts loopback ahead of everything appended above.
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#
# protection
# "0" keeps the kernel answering pings; the PING-MORTE chain throttles them
# instead. Because the 5/s icmp ACCEPT above sits ahead of this jump, only
# echo-requests beyond that budget ever reach PING-MORTE.
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-MORTE
iptables -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE
iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-MORTE -j DROP

# SSH brute-force throttle, WAN side, tcp/51022 only. Packets of established
# sessions were already accepted above, so this only limits new attempts.
iptables -N SSH-BRUT-FORCE
iptables -A INPUT -i "$Wan" -p tcp --dport 51022 -j SSH-BRUT-FORCE
iptables -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SSH-BRUT-FORCE -j DROP

### Drop ICMP packets the connection tracker cannot classify
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A INPUT -p icmp -m state --state INVALID -j DROP
iptables -A FORWARD -p icmp -m state --state INVALID -j DROP

### Blocking traceroute (disabled)
#iptables -A INPUT -p udp -s 0/0 -i $Wan --dport 33435:33525 -j REJECT
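###### FORWARD allowances #####
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 123 -j ACCEPT
# TCP ports the LAN may reach directly: one rule per whitespace-separated
# entry of $FORWARD (same splitting as the old `for i in $(cat ...)`; a
# missing file just yields an error message and no rules).
while IFS= read -r line || [[ -n "$line" ]]; do
  for port in $line; do
    iptables -A FORWARD -i "$Lan" -s "$REDE" -p tcp --dport "$port" -j ACCEPT
  done
done < "$FORWARD"

#### icmp ####
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

##### INPUT allowances #####
# TCP ports the LAN may open on the firewall itself, from $INPUT.
while IFS= read -r line || [[ -n "$line" ]]; do
  for port in $line; do
    iptables -A INPUT -i "$Lan" -p tcp --dport "$port" -j ACCEPT
  done
done < "$INPUT"
# NOTE(review): none of the rules below carry `-i "$Lan"`, so each of these
# ports is also reachable from $Wan. tcp/22 in particular is accepted here
# without the SSH-BRUT-FORCE throttle, which only guards 51022, and udp/161
# (SNMP), tcp/udp 3389 (RDP) and the 49200-49900 / 50000-60020 ranges are open
# to the Internet. Add `-i "$Lan"` (or `! -i "$Wan"`) to anything that is not
# meant to be published.
iptables -A INPUT -p tcp --dport 49200:49900 -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 51022 -j ACCEPT
#iptables -A INPUT -p udp --dport 23 -j LOG --log-prefix "=UDPPING= "
iptables -A INPUT -p udp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Fixed: `-P tcp` (the policy flag) was a typo for `-p tcp`; iptables rejected
# the line, so tcp/8080 was never opened.
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp --dport 50000:60020 -j ACCEPT
# protocol name lower-cased for consistency with the rest of the script
iptables -A INPUT -p udp --dport 50000:60020 -j ACCEPT
iptables -A INPUT -p udp --dport 6000:6020 -j ACCEPT
iptables -A INPUT -p tcp --dport 6000:6020 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p udp --dport 3389 -j ACCEPT

### Block miscellaneous ports (disabled)
#iptables -A FORWARD -p tcp -s $REDE --dport 1269 -j DROP
#iptables -A FORWARD -p tcp -s $REDE --dport 1291 -j DROP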
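# Conectividade Social (Caixa). An ACCEPT in nat/PREROUTING ends NAT
# processing for these destinations, which keeps them away from the
# transparent-proxy REDIRECT further down — presumably the intent. Note that
# iptables reads 200.201.166.0/16 as 200.201.0.0/16, i.e. the whole /16.
iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp -d 200.201.174.204 --dport 2631 -j ACCEPT

## Direct (non-proxied) port 80 to the destinations listed in $PORTA80 ##
# One rule per whitespace-separated entry (same splitting as the old
# `for i in $(cat ...)`; a missing file yields an error message and no rules).
while IFS= read -r line || [[ -n "$line" ]]; do
  for dst in $line; do
    iptables -A FORWARD -p tcp -d "$dst" --dport 80 -j ACCEPT
  done
done < "$PORTA80"

## Direct port 443 to the destinations listed in $PORTA443 ##
while IFS= read -r line || [[ -n "$line" ]]; do
  for dst in $line; do
    iptables -A FORWARD -p tcp -d "$dst" --dport 443 -j ACCEPT
  done
done < "$PORTA443"

### KM
iptables -A FORWARD -s "$REDE" -p tcp -d 200.241.180.210 --dport 8080 -j ACCEPT

# MSN (tcp/1863) for the source hosts listed in $MSN
while IFS= read -r line || [[ -n "$line" ]]; do
  for src in $line; do
    iptables -A FORWARD -s "$src" -p tcp --dport 1863 -j ACCEPT
  done
done < "$MSN"
#iptables -A FORWARD -p tcp --dport 403 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT

# Hosts taken out of the proxy: a matching source MAC is forwarded anywhere
# (-d 0/0), ahead of every later FORWARD rule. A source MAC is whatever the
# client chooses to send, so this is a convenience, not access control; if the
# list is meant to be enforced, match on IP with static/reserved leases instead.
# Luiz
#iptables -t nat -I PREROUTING -m mac --mac-source BC:AE:C5:9C:73:39 -p tcp -j ACCEPT
iptables -A FORWARD -m mac --mac-source BC:AE:C5:9C:73:39 -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source f0:7b:cb:41:c5:41 -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source b8:ac:6f:c4:6b:fe -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source b8:ac:6f:c4:6c:ac -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:23:5a:60:a3:88 -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 74:86:7a:f8:b9:11 -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:24:e8:df:3c:a8 -d 0/0 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:24:e8:e1:eb:b7 -d 0/0 -j ACCEPT
# (74:86:7A:F8:B9:11 was listed a second time in upper case; MAC addresses are
# parsed as hex, so it was the same rule twice and one copy was dropped.)
iptables -A FORWARD -m mac --mac-source 48:5b:39:bb:2c:1d -d 0/0 -j ACCEPT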
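###############################################
#### remote access to the flexographic printer ####
###############################################
iptables -t nat -A PREROUTING -i "$Wan" -p udp --dport 9600 -j DNAT --to-destination "$FLEX"
# Fixed: the udp/9600 DNAT above had no matching FORWARD rule (the original
# accepted udp/8081 here instead), so unless some other FORWARD rule admitted
# them the redirected packets died on the DROP policy.
iptables -A FORWARD -d "$FLEX" -p udp --dport 9600 -j ACCEPT
# Kept as posted; remove if nothing on $FLEX listens on udp/8081.
iptables -A FORWARD -d "$FLEX" -p udp --dport 8081 -j ACCEPT
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 9600 -j DNAT --to-destination "$FLEX"
iptables -A FORWARD -d "$FLEX" -p tcp --dport 9600 -j ACCEPT
# All WAN tcp/80 is rewritten here before routing, so the firewall's own
# INPUT accept for tcp/80 is never reached from $Wan.
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 80 -j DNAT --to-destination 192.168.0.167
iptables -A FORWARD -d 192.168.0.167 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$Wan" -p udp --dport 8000 -j DNAT --to-destination "$FLEX"
iptables -A FORWARD -d "$FLEX" -p udp --dport 8000 -j ACCEPT
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 8000 -j DNAT --to-destination "$FLEX"
iptables -A FORWARD -d "$FLEX" -p tcp --dport 8000 -j ACCEPT

###############################################
### redirect to the iniflex server (192.168.0.70) ###
###############################################
iptables -t nat -A PREROUTING -i "$Wan" -p udp --dport 6000:6020 -j DNAT --to-destination 192.168.0.70
iptables -A FORWARD -d 192.168.0.70 -p udp --dport 6000:6020 -j ACCEPT
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 6000:6020 -j DNAT --to-destination 192.168.0.70
iptables -A FORWARD -d 192.168.0.70 -p tcp --dport 6000:6020 -j ACCEPT

#################################################
## opening the 50000-60020 range to the server #
#################################################
#iptables -A INPUT -p tcp -s 189.2.147.0/16 -j ACCEPT
#iptables -A INPUT -p udp -s 189.2.147.0/16 -j ACCEPT
#iptables -A OUTPUT -p tcp -s 189.2.147.0/16 -j ACCEPT
#iptables -A OUTPUT -p udp -s 189.2.147.0/16 -j ACCEPT
#iptables -A INPUT -P tcp -d 192.168.0.70 -j ACCEPT
#iptables -A INPUT -P udp -d 192.168.0.70 -j ACCEPT
#iptables -A OUTPUT -P tcp -d 192.168.0.70 -j ACCEPT
#iptables -A OUTPUT -P tcp -d 192.168.0.70 -j ACCEPT
# Fixed: the range was written backwards ("60000:50020"), which iptables
# rejects as an invalid port range, so the line never loaded.
iptables -A INPUT -i "$Wan" -p tcp -m multiport --dports 50000:60020 -j ACCEPT
# Each of the three -I rules below was entered twice; one copy each is kept.
# NOTE(review): with -I and no interface these place a ~10000-port range at
# the head of INPUT/FORWARD for any source, including $Wan; scope them with
# -d 192.168.0.70 / -i "$Lan" if only the server needs them.
iptables -I INPUT -p tcp --dport 50000:60020 -j ACCEPT
iptables -I FORWARD -p tcp --dport 50000:60020 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 50000:60020 -j ACCEPT
iptables -t nat -I PREROUTING -i "$Wan" -p tcp --dport 50000:60020 -j DNAT --to-destination 192.168.0.70
# Disabled: an ACCEPT in nat/PREROUTING for -d 189.2.147.0/16 (which iptables
# reads as 189.2.0.0/16, covering the public address) ends NAT processing for
# every packet sent to the firewall's public IP, so none of the DNAT
# port-forwards appended after it (.69 server, cameras, RDP) could ever fire.
# nat/PREROUTING already defaults to ACCEPT, so nothing is lost by removing it.
#iptables -t nat -A PREROUTING -p tcp -d 189.2.147.0/16 -j ACCEPT
#iptables -t nat -A PREROUTING -d 189.2.147.178 -p tcp --dport 6000 -j DNAT --to 192.168.0.70
#iptables -t nat -A PREROUTING -d 189.2.147.178 -p tcp --dport 6000 -j DNAT --to 192.168.0.70
#iptables -t nat -A POSTROUTING -d 192.168.0.70 -p tcp --dport 6000 -j SNAT --to 189.2.147.178
#iptables -t nat -A POSTROUTING -d 192.168.0.70 -p tcp --dport 6000 -j SNAT --to 189.2.147.178
# NOTE(review): these four rules are unreachable as written — the 6000:6020
# redirects to 192.168.0.70 appended above already match port 6000, and the
# first matching rule wins. Decide which host owns port 6000 and keep one set.
iptables -t nat -A PREROUTING -i "$Wan" -p udp --dport 6000 -j DNAT --to-destination 192.168.0.69
iptables -A FORWARD -d 192.168.0.69 -p udp --dport 6000 -j ACCEPT
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 6000 -j DNAT --to-destination 192.168.0.69
iptables -A FORWARD -d 192.168.0.69 -p tcp --dport 6000 -j ACCEPT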
#################################
##### remote access to the cameras #####
#################################
# One DNAT + FORWARD pair per published port, in the same order as before:
# the nat rule sends the WAN port to $CAMERAS, the FORWARD rule lets it through.
for port in 8081 3550 4550 5550 5551 6550; do
  iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport "$port" -j DNAT --to-destination "$CAMERAS"
  iptables -A FORWARD -d "$CAMERAS" -p tcp --dport "$port" -j ACCEPT
done
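#### Priorities (TOS marking) #####
iptables -t mangle -A OUTPUT -o "$Wan" -p tcp --dport 51022 -j TOS --set-tos 4
iptables -t mangle -A OUTPUT -o "$Wan" -p tcp --dport 110 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -o "$Wan" -p tcp --dport 587 -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -i "$Lan" -p tcp --sport 51022 -j TOS --set-tos 4
iptables -t mangle -A PREROUTING -i "$Lan" -p tcp --sport 110 -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -i "$Lan" -p tcp --sport 587 -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -i "$Lan" -p tcp --sport 80 -j TOS --set-tos 2
iptables -t mangle -A PREROUTING -i "$Lan" -p tcp --sport 53 -j TOS --set-tos 8

printf '%s\n' 'Redirecionamento de Servicos e Log das portas usadas TS'
## TS (tcp/3389) redirect to the system server
iptables -t nat -A PREROUTING -i "$Wan" -p tcp --dport 3389 -j DNAT --to "$SERVIDOR"
iptables -A FORWARD -d "$SERVIDOR" -p tcp --dport 3389 -j ACCEPT
# Fixed: the unquoted `echo ... [ok]` let the shell glob "[ok]" against the
# current directory; a quoted printf prints the text literally.
printf '%s\n' 'Redirecionamento e Logs ..... [ok]'

# Torrent for the source hosts listed in /scripts/torrent ($TORRENT): one
# rule set per whitespace-separated entry (same splitting as the old
# `for i in $(cat ...)`; a missing file yields an error message and no rules).
while IFS= read -r line || [[ -n "$line" ]]; do
  for src in $line; do
    iptables -A FORWARD -s "$src" -p tcp --dport 6881:6969 -j ACCEPT
    # udp/80 kept as posted — unusual; confirm it is really wanted
    iptables -A FORWARD -s "$src" -p udp --dport 80 -j ACCEPT
    # (this udp range rule was listed twice; one copy dropped)
    iptables -A FORWARD -s "$src" -p udp --dport 1024:55635 -j ACCEPT
  done
done < "$TORRENT"

# Camera PC gets unrestricted Internet access
iptables -A FORWARD -s 192.168.0.200 -j ACCEPT
# Temporary allowance for the ink-room PC (tuphauer)
iptables -A FORWARD -s 192.168.0.199 -j ACCEPT

#########################
##### TRANSPARENT PROXY #####
#########################
# Only 192.168.0.16 is redirected to squid; the LAN-wide rule stays disabled.
#iptables -t nat -A PREROUTING -i $Lan -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i "$Lan" -s 192.168.0.16 -p tcp --dport 80 -j REDIRECT --to-port "$squid"
iptables -A FORWARD -s 192.168.0.16 -p tcp --dport 443 -j ACCEPT

# Fixed: the closing banner had been split across two lines, so the second
# half ran as a command named "OMPARTILHAMENTO". Restored as one message
# (the leading "C" of COMPARTILHAMENTO is reconstructed).
printf '%s\n' '==SCRIPT DE FIREWALL E COMPARTILHAMENTO CARREGADO=='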