Ze_Rony
(usa Debian)
Enviado em 01/02/2011 - 16:46h
Bem, é o seguinte.
Tenho um Debian com proxy transparente + iptables em que tenho que bloquear, além de outros sites, os e-mails pessoais, como Hotmail, Gmail, Yahoo etc.
Até aí tudo bem, muito fácil.
Bloqueei no Squid e bloqueei o HTTPS por padrão; liberei para alguns sites, como bancos e outros...
Mas agora vem o problema: o e-mail da empresa (que tem que ser liberado) usa os serviços do Google, assim quando digitamos:
mail.minhaempresa.org.br vamos para
https://www.google.com/a/minhaempresa.org.br/..
Já liberei os IPs do Google que verifiquei na conexão com o iptstate quando me conecto ao e-mail da empresa...
O resto das regras está ok; os sites de bancos e outros estão funcionando.
Aí está o script:
#!/bin/bash
# Transparent-proxy firewall for a small office LAN (iptables + Squid).
# Every function below reads these globals; nothing reassigns them.

# Gateway interfaces and LAN addressing.
IF_EXTERNA='eth1'
IF_INTERNA='eth0'
IP_IF_INTERNA='192.168.0.1'
REDE_IF_INTERNA='192.168.0.0/27'
NETMASK='255.255.255.224'

# Known hosts.  Each one has an _ip, optionally an _mac (only the admin's
# MAC is matched by a rule, for SSH) and an _id label that appears in the
# status messages and LOG prefixes only.
#--------------
# - CPD (IT)
# Administrator:
admin_ip='192.168.0.25'
admin_mac='40:61:86:13:23:A2'
admin_id='ADM-CPD'
# Domain server (not referenced by any rule in this script):
domainserver_ip='192.168.0.32'
# Access point:
ap_ip='192.168.0.2'
ap_id='AP-CPD'
# Brother printer:
brotherprinter_ip='192.168.0.6'
brotherprinter_mac='C4:17:FE:00:96:DE'
brotherprinter_id='BRO-PRT'
#--------------------
# - Press office
# Press director's notebook (MAC and label not yet filled in):
diogonotebook_ip='192.168.0.20'
diogonotebook_mac=''
diogonotebook_id=''
# Press PC:
imprensapc_ip='192.168.0.21'
imprensapc_mac='00:02:2A:E8:E0:95'
imprensapc_id='IMP-PC'
#-------------------
# - Legal
# Legal PC:
juridicopc_ip='192.168.0.22'
juridicopc_mac='00:02:2A:E8:E0:64'
juridicopc_id='JUR-PC'
#------------------
# - Finance
# Finance PC:
financeiropc_ip='192.168.0.23'
financeiropc_mac='00:02:2A:E8:E0:C3'
financeiropc_id='FIN-PC'
# Reception PC (MAC not yet filled in):
recepcaopc_ip='192.168.0.26'
recepcaopc_mac=''
recepcaopc_id='REC-PC'
# President's PC:
presidentepc_ip='192.168.0.24'
presidentepc_mac='00:02:2A:E8:E0:9F'
presidentepc_id='PRE-PC'
ativar_modulos(){
  # Load the netfilter modules the rules depend on: NAT, connection
  # tracking (plus its FTP helper) and the LOG/REJECT/MASQUERADE targets.
  # A failing modprobe only prints to stderr; nothing here aborts.
  # NOTE(review): ip_conntrack/ip_conntrack_ftp/ip_nat_ftp are the legacy
  # module names — newer kernels ship them as nf_conntrack/nf_nat_ftp;
  # confirm on the target host.
  local modulo
  printf '%s\n' "* Ativando Módulos ..."
  for modulo in iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp \
      ipt_LOG ipt_REJECT ipt_MASQUERADE; do
    modprobe "$modulo"
  done
}
limpar_tabelas(){
  # Flush every rule (-F) and delete every user-defined chain (-X) in the
  # filter, nat and mangle tables.  Chain policies are left untouched;
  # do_stop resets those.
  local tabela
  printf '%s\n' "* Limpando Tabelas ..."
  # filter is iptables' default table, so it is addressed without -t.
  iptables -F
  iptables -X
  for tabela in nat mangle; do
    iptables -F -t "$tabela"
    iptables -X -t "$tabela"
  done
}
do_protect(){
# Host hardening: kernel anti-spoofing/anti-flood sysctls, then log-and-drop
# chains for malformed TCP and for ports associated with known DDoS agents
# and backdoors.  Appends to INPUT and to nat PREROUTING, so its effect
# depends on what the caller appended before it (see default()).
echo "* Criando políticas de defesa do sistema... "
# Reverse-path filtering: drop packets whose source address is not routable
# back through the interface they arrived on.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# SYN cookies keep the listen backlog usable under a SYN flood.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not honour ICMP redirects (they would rewrite the routing table).
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Do not answer broadcast pings (used for amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Refuse source-routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Packets from the outside that conntrack cannot tie to any connection.
iptables -A INPUT -i $IF_EXTERNA -m state --state INVALID -j DROP
# A TCP packet that would start a connection without SYN: log it (no rate
# limit on this LOG) and drop it, whatever interface it came in on.
iptables -t nat -A PREROUTING -p tcp ! --syn -m state --state NEW -j LOG --log-level 2 --log-prefix "IPTABLES: NEW sem syn: "
iptables -t nat -A PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
# The gateway itself accepts no new TCP connections from the external side.
# NOTE(review): default() appends an INPUT ACCEPT for state NEW *before*
# calling this function, so this rule — and the TRINOO/TROJAN/SCANNER
# chains below — only ever see packets that rule did not already accept
# (i.e. ones conntrack did not classify as NEW/ESTABLISHED/RELATED).
# Confirm the intended order; as written these are mostly dead rules.
iptables -A INPUT -i $IF_EXTERNA -p tcp --syn -j DROP
# Protection against well-known attacks
#----------------------------------
#TRINOO: control ports of the Trinoo DDoS agent (per the chain name);
# at most 10 log lines per minute, then drop everything.
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 10/m -j LOG --log-level 2 --log-prefix "IPTFW: trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -i $IF_EXTERNA -p tcp -m multiport --dport 2744,27665,31335,34555,35555 -j TRINOO
#TROJAN: ports the author associates with backdoors; same log-then-drop.
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 10/m -j LOG --log-level 2 --log-prefix "IPTFW: trojan: "
iptables -A TROJAN -j DROP
iptables -A INPUT -i $IF_EXTERNA -p tcp -m multiport --dport 666,4000,6000,6006,16660,20000,20001 -j TROJAN
#WORMS: drop MS-RPC (TCP 135) coming from the LAN before it is routed.
iptables -t nat -A PREROUTING -p tcp --dport 135 -i $IF_INTERNA -j DROP
#Ping Of Death: `--length 100:` is "100 bytes or more" (IP total length),
# so larger-but-legitimate pings (e.g. -s 100) are dropped as well.
iptables -A INPUT -p icmp -m length --length 100: -j DROP
iptables -t nat -A PREROUTING -p icmp -m length --length 100: -j DROP
#Syn flood
# NOTE(review): this rule ACCEPTs, it does not drop.  Up to 2 SYN/s — any
# source, any destination port — that no earlier PREROUTING rule matched
# are let through despite the chain's DROP policy, so it works as a
# rate-limited bypass of the per-host grants rather than as a flood
# limiter.  A SYN limiter belongs in the filter table, ahead of the
# ACCEPTs, dropping the excess.
iptables -t nat -A PREROUTING -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Blocking scanners: impossible TCP flag combinations used by port/OS
# fingerprinting go to a rate-limited log-and-drop chain.
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 4 --log-prefix "IPTFW: SCANNER: "
iptables -A SCANNER -j DROP
# TCP/UDP 689 are dropped outright, without logging — reason not documented.
iptables -A INPUT -p tcp --dport 689 -j DROP
iptables -A INPUT -p udp --dport 689 -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCANNER
}
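intranet_access(){
  # Grant (-e) or revoke (-d) a LAN host's access to services running on
  # the gateway itself (INPUT chain, $IF_INTERNA only).
  #   $1  -e (append rules) | -d (delete the very same rules)
  #   $2  service: all | samba | dns | web | icmp
  #   $3  source IP of the host
  #   $4  host label, used only in the status message and the LOG prefix
  # Each service is ONE rule list, applied with -A or -D, so a revoke always
  # names a rule that a grant created.  Previously -e dns opened TCP+UDP 53
  # but -d dns closed only UDP, and -e icmp/-d icmp used different LOG
  # levels so the delete never matched.  `all` = samba + dns(udp) + dhcp +
  # proxy + icmp, exactly what -e all opened before; `web` is granted and
  # revoked on its own (-d all no longer tries to delete it).
  # Returns 1 on an unknown action or service.  iptables exit codes are not
  # checked, as before.
  local acao host="$3" rotulo="$4"
  case "$1" in
    -e) acao=-A ;;
    -d) acao=-D ;;
    *)
      echo "intranet_access: use -e ou -d" >&2
      return 1
      ;;
  esac
  # Common match prefix: chain, inbound interface and source host.
  local -a base=(INPUT -i "$IF_INTERNA" -s "$host")
  case "$2" in
    all)
      if [ "$acao" = -A ]; then
        # (message kept as-is; note that `all` does not open 80/443 — use web)
        echo "* Habilitando samba, DNS, Web, DHCP e icmp para $rotulo "
      fi
      iptables "$acao" "${base[@]}" -p icmp --icmp-type echo-request -m limit --limit 10/m -j LOG --log-level 4 --log-prefix "IPTFW: icmp $rotulo: "
      #SAMBA
      iptables "$acao" "${base[@]}" -p tcp -m multiport --dport 137,138,139,445 -j ACCEPT
      iptables "$acao" "${base[@]}" -p udp -m multiport --dport 137,138,139 -j ACCEPT
      #DNS (UDP only, as the original grant did)
      iptables "$acao" "${base[@]}" -p udp --dport 53 -j ACCEPT
      #DHCP
      iptables "$acao" "${base[@]}" -p tcp --dport 67 -j ACCEPT
      iptables "$acao" "${base[@]}" -p udp --dport 67 -j ACCEPT
      #Proxy (Squid)
      iptables "$acao" "${base[@]}" -p tcp --dport 3128 -j ACCEPT
      #ICMP echo-request, rate limited
      iptables "$acao" "${base[@]}" -p icmp --icmp-type echo-request -m limit --limit 10/m -j ACCEPT
      ;;
    samba)
      iptables "$acao" "${base[@]}" -p tcp -m multiport --dport 137,138,139,445 -j ACCEPT
      iptables "$acao" "${base[@]}" -p udp -m multiport --dport 137,138,139 -j ACCEPT
      ;;
    dns)
      # TCP and UDP, mirroring what -e dns always granted.
      iptables "$acao" "${base[@]}" -p tcp --dport 53 -j ACCEPT
      iptables "$acao" "${base[@]}" -p udp --dport 53 -j ACCEPT
      ;;
    web)
      iptables "$acao" "${base[@]}" -p tcp -m multiport --dport 80,443 -j ACCEPT
      ;;
    icmp)
      # The same two rules `all` uses, so -d icmp also revokes the ping
      # granted by -e all (which is what the old -d icmp tried to delete).
      iptables "$acao" "${base[@]}" -p icmp --icmp-type echo-request -m limit --limit 10/m -j LOG --log-level 4 --log-prefix "IPTFW: icmp $rotulo: "
      iptables "$acao" "${base[@]}" -p icmp --icmp-type echo-request -m limit --limit 10/m -j ACCEPT
      ;;
    *)
      echo "intranet_access: serviço desconhecido '$2' (all|samba|dns|web|icmp)" >&2
      return 1
      ;;
  esac
}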
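internet_access(){
  # Grant (-e) or revoke (-d) a LAN host's access to the Internet through
  # the gateway.  Grants live in nat PREROUTING, whose policy default()
  # sets to DROP, so the first packet of every new flow from the host must
  # be ACCEPTed (or REDIRECTed to Squid) here.
  #   $1  -e (append rules) | -d (delete the same rules)
  #   $2  service: all | ftp | dns | http | https
  #   $3  source IP of the host
  #   $4  host label (unused here; kept for symmetry with intranet_access)
  # Returns 1 on an unknown action or service.  iptables exit codes are not
  # checked, as before.
  local acao host="$3"
  case "$1" in
    -e) acao=-A ;;
    -d) acao=-D ;;
    *)
      echo "internet_access: use -e ou -d" >&2
      return 1
      ;;
  esac
  # Common prefix of every grant rule.
  local -a pre=(-t nat "$acao" PREROUTING -s "$host" -i "$IF_INTERNA")
  # The filter-table rule that really blocks 443 for this host (see https).
  local -a fwd_reject=(FORWARD -s "$host" -i "$IF_INTERNA" -p tcp --dport 443 -j REJECT)
  case "$2" in
    all)
      iptables "${pre[@]}" -p tcp --dport 21 -j ACCEPT
      iptables "${pre[@]}" -p udp --dport 53 -j ACCEPT
      iptables "${pre[@]}" -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables "${pre[@]}" -p tcp --dport 443 -j ACCEPT
      if [ "$acao" = -A ]; then
        # "all" must also lift an earlier -d https block (see below).
        while iptables -D "${fwd_reject[@]}" 2>/dev/null; do :; done
      fi
      ;;
    ftp)
      iptables "${pre[@]}" -p tcp --dport 21 -j ACCEPT
      ;;
    dns)
      # Resolvers query over UDP and fall back to TCP; `all` opened only UDP
      # and the old `dns` only TCP, so neither alone was a working grant.
      iptables "${pre[@]}" -p udp --dport 53 -j ACCEPT
      iptables "${pre[@]}" -p tcp --dport 53 -j ACCEPT
      ;;
    http)
      iptables "${pre[@]}" -p tcp --dport 80 -j REDIRECT --to-port 3128
      ;;
    https)
      # -d https used to delete the PREROUTING ACCEPT and *append* a REJECT
      # in both nat PREROUTING and FORWARD; -e https only re-added the
      # ACCEPT, so the FORWARD REJECT stayed and the host remained blocked,
      # and every further -d stacked another copy.  Now every existing copy
      # of the FORWARD REJECT is removed first and re-added only on -d.
      # The nat-table REJECT is gone: REJECT is only valid in the filter
      # table, and PREROUTING's DROP policy already discards the flow once
      # its ACCEPT is deleted (except for do_protect's 2 SYN/s rule, which
      # is why the FORWARD REJECT is still needed).
      iptables "${pre[@]}" -p tcp --dport 443 -j ACCEPT
      while iptables -D "${fwd_reject[@]}" 2>/dev/null; do :; done
      if [ "$acao" = -D ]; then
        iptables -A "${fwd_reject[@]}"
      fi
      ;;
    *)
      echo "internet_access: serviço desconhecido '$2' (all|ftp|dns|http|https)" >&2
      return 1
      ;;
  esac
}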
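rede_local(){
  # Per-host policy for the LAN: a destination allow-list in FORWARD, then
  # the Internet/intranet grants for each known host and for the visitor
  # range 192.168.0.10-19, then the admin's SSH rule.  Everything appended
  # here precedes what default() appends afterwards, so order matters.
  local cont ip
  echo "* Configurando para rede $IP_IF_INTERNA ..."
  # Destinations any LAN host may reach even after its HTTPS grant is
  # revoked below (the labelled ones: a labour-court application and the
  # company's Google-hosted mail).
  # NOTE(review): once `internet_access -d https` has deleted a host's 443
  # ACCEPT from nat PREROUTING, nothing there accepts its first 443 packet
  # except do_protect's 2 SYN/s rule, and the chain policy is DROP — so
  # these FORWARD entries alone do not get the host to Google mail; the
  # PREROUTING grant has to be restored for these destinations as well.
  # NOTE(review): 64.223.163.x is not inside Google's 64.233.160.0/19 block
  # and looks like a transposition of 64.233.163.x — verify with whois.
  iptables -A FORWARD -d 170.66.2.59 -j ACCEPT
  iptables -A FORWARD -d 170.66.52.28 -j ACCEPT
  iptables -A FORWARD -d 92.242.140.9 -j ACCEPT
  iptables -A FORWARD -d 74.125.47.121 -j ACCEPT
  iptables -A FORWARD -d 189.72.175.85 -j ACCEPT #aplicacao.jt.jus.br
  iptables -A FORWARD -d 64.223.163.83 -p tcp --dport 443 -j ACCEPT #google mail
  iptables -A FORWARD -d 64.223.163.104 -p tcp --dport 443 -j ACCEPT
  # (the original repeated the 64.223.163.83 rule; the duplicate was dropped)
  #iptables -A FORWARD -d 209.85.139.0/24 -j ACCEPT
  #iptables -A FORWARD -d 64.223.161.0/24 -j ACCEPT
  #iptables -A FORWARD -d 66.249.93.0/24 -j ACCEPT
  #iptables -A FORWARD -d 209.85.137.0/24 -j ACCEPT
  #iptables -A FORWARD -d 72.14.235.0/24 -j ACCEPT
  #iptables -A FORWARD -d 64.223.167.0/24 -j ACCEPT
  #iptables -A FORWARD -d 72.14.214.0/24 -j ACCEPT
  #iptables -A FORWARD -d 209.85.243.0/24 -j ACCEPT
  #iptables -A FORWARD -d 72.14.233.0/24 -j ACCEPT
  # Known hosts: full Internet + intranet; only the admin has HTTPS revoked.
  internet_access -e all "$admin_ip" "$admin_id"
  intranet_access -e all "$admin_ip" "$admin_id"
  internet_access -d https "$admin_ip" "$admin_id"
  internet_access -e all "$imprensapc_ip" "$imprensapc_id"
  intranet_access -e all "$imprensapc_ip" "$imprensapc_id"
  #internet_access -d https "$imprensapc_ip" "$imprensapc_id"
  internet_access -e all "$juridicopc_ip" "$juridicopc_id"
  intranet_access -e all "$juridicopc_ip" "$juridicopc_id"
  #internet_access -d https "$juridicopc_ip" "$juridicopc_id"
  internet_access -e all "$financeiropc_ip" "$financeiropc_id"
  intranet_access -e all "$financeiropc_ip" "$financeiropc_id"
  #internet_access -d https "$financeiropc_ip" "$financeiropc_id"
  internet_access -e all "$presidentepc_ip" "$presidentepc_id"
  intranet_access -e all "$presidentepc_ip" "$presidentepc_id"
  #internet_access -d https "$presidentepc_ip" "$presidentepc_id"
  # Visitors (.10-.19): Internet without HTTPS, gateway DNS only.
  for ((cont = 10; cont <= 19; cont++)); do
    ip="192.168.0.$cont"
    internet_access -e all "$ip" "VISITANTE.$cont"
    intranet_access -e dns "$ip" "VISITANTE.$cont"
    internet_access -d https "$ip" "VISITANTE.$cont"
  done
  # Admin SSH, matched on IP and MAC.  The MAC match only works on the
  # directly attached segment and a MAC is easily changed, so it is a
  # hint, not authentication.
  # NOTE(review): the LOG rule watches port 25022 while the ACCEPT is for
  # port 22 — confirm which port sshd listens on; as written one of the
  # two never matches.  Also note default() later appends an INPUT ACCEPT
  # for state NEW with no source restriction, which also reaches port 22.
  iptables -A INPUT -i "$IF_INTERNA" -s "$admin_ip" -m mac --mac-source "$admin_mac" -p tcp --dport 25022 -j LOG --log-level 7 --log-prefix "IPTFW: SSH25022: "
  iptables -A INPUT -i "$IF_INTERNA" -s "$admin_ip" -m mac --mac-source "$admin_mac" -p tcp --dport 22 -j ACCEPT
}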
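do_stop(){
  # Open the firewall completely: loopback accepted and every built-in
  # policy back to ACCEPT.  Meant to run right after limpar_tabelas, which
  # flushes the rules but leaves the policies alone.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  # FORWARD was missing: default() sets it to DROP, so after `stop` the LAN
  # still lost its Internet access although the firewall was "disabled".
  iptables -P FORWARD ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  printf '\e[31;1mDESABILITANDO FIREWALL!\e[m\n'
}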
default(){
# Baseline policy: connection-tracking accept, loopback, DROP policies,
# logging of commonly probed ports, hardening (do_protect), then routing
# and masquerading.  start/restart call it last, so everything it appends
# comes after the per-host rules rede_local already added.
echo -e "* Política padrão \e[31;1mnão\e[m permissiva ..."
# NOTE(review): accepting NEW here (not only ESTABLISHED,RELATED) means the
# DROP policies set below are reached only by INVALID packets.  New
# connections to the gateway from ANY interface — including $IF_EXTERNA,
# since do_protect's external `--syn DROP` is appended later — and new
# forwarded flows are all accepted by these two rules; the chains
# do_protect appends afterwards (TRINOO/TROJAN/SCANNER) only see what
# conntrack did not classify as NEW/ESTABLISHED/RELATED, and the MAC/IP
# restriction on admin SSH in rede_local is not the only path to port 22.
# Confirm whether NEW is intended; the usual baseline is ESTABLISHED,RELATED
# only, with explicit ACCEPTs for the NEW flows that are wanted.
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#iptables -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Default policies
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# This nat PREROUTING policy is what actually gates LAN hosts: internet_access
# ACCEPTs/REDIRECTs each allowed service there and every other new flow
# meets this DROP on its first packet.
# NOTE(review): nat chains see only a connection's first packet, and
# iptables/kernel versions differ on whether a non-ACCEPT policy is even
# permitted on them — verify on the target version.
iptables -t nat -P PREROUTING DROP
# Log probes of commonly targeted ports.
# NOTE(review): these ssh/telnet LOG rules match every packet of every
# connection on those ports, on any interface, with no -m limit — a scan
# or a busy SSH session floods syslog at priority 1; consider `--syn` plus
# `-m limit`.
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level 1 --log-prefix "IPTFW: [ssh] "
iptables -A INPUT -p tcp --dport 23 -j LOG --log-level 1 --log-prefix "IPTFW: [telnet] "
iptables -A INPUT -i $IF_EXTERNA -p tcp --dport 3128 -j LOG --log-level 3 --log-prefix "IPTFW: [squid] "
# Hardening rules (see do_protect for the ordering caveats).
do_protect
# Turn the box into a router and masquerade the LAN behind the external IP.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $REDE_IF_INTERNA -o $IF_EXTERNA -j MASQUERADE
}
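# Entry point: firewall start|stop|restart | -e|-d --internet|--intranet SERVICO IP ROTULO | -h
# Usage errors now exit non-zero so init scripts and callers can notice.
case "$1" in
  start)
    # Flush first: without it a second `start` stacked a duplicate rule set
    # (restart already flushed; start did not).
    ativar_modulos
    limpar_tabelas
    rede_local
    default
    ;;
  stop|"")
    limpar_tabelas
    do_stop
    ;;
  restart)
    ativar_modulos
    limpar_tabelas
    rede_local
    default
    ;;
  -e|-d)
    # $1 action, $2 --internet|--intranet, $3 service, $4 host IP, $5 label.
    acao="$1"
    if [ -z "$4" ]; then
      echo "Informe o serviço e o IP da máquina, ex.: firewall $acao --internet all 192.168.0.10 JUR-PC" >&2
      exit 2
    fi
    case "$2" in
      --internet)
        internet_access "$acao" "$3" "$4" "$5"
        ;;
      --intranet)
        intranet_access "$acao" "$3" "$4" "$5"
        ;;
      *)
        # (the -e branch used to print "Use -d ..." for either action)
        echo "Use $acao com --intranet ou --internet" >&2
        exit 2
        ;;
    esac
    ;;
  --help|-h)
    # Help lists only the services the two functions actually implement:
    # "msn" never existed and "dhcp" is part of --intranet all.
    echo ""
    echo "start - inicia o firewall com as regras padrão"
    echo "stop - para o firewall, torna as regras permissivas"
    echo "restart - reinicia o firewall"
    echo ""
    echo "-e - liberar acesso:"
    echo "-d - bloquear acesso"
    echo ""
    echo " --internet - opções para internet:"
    echo " all - todo o acesso a internet"
    echo " ftp - acesso à ftp"
    echo " http - acesso à páginas http"
    echo " https - acesso à páginas https"
    echo "Ex. firewall -d --internet https 192.168.0.16 ALG-PC"
    echo " --intranet - opções para intranet:"
    echo " all - todo o acesso à intranet (samba, dns, dhcp, proxy e icmp)"
    echo " samba - compartilhamento de arquivos"
    echo " web - acesso à página web da intranet"
    echo " dns - resolvedor de nomes"
    echo " icmp - echo-request para o servidor"
    echo "Ex. firewall -e --intranet samba 192.168.0.10 JUR-PC"
    echo ""
    ;;
  *)
    echo "Parametro incorreto, tente firewall -h ou --help" >&2
    exit 1
    ;;
esac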