help me if you can with port forwarding

1. help me if you can with port forwarding

Lucas Peregrino
Lucas Peregrino

(uses Debian)

Posted on 09/11/2009 - 12:40h

Folks, I'm going to post my firewall here and would appreciate it if someone could help me. I forward the ports on my Velox modem, but on my server I can't get them open. Please help me out: I'm trying to connect over SSH and it won't connect at all. I've already scoured the net, but most of the rules seem to be right the way they are. I hope so; thanks a lot.

## Load modules
# -------------------------------------------------------
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_REDIRECT
modprobe ipt_owner
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

## Flush rules
# -------------------------------------------------------
iptables -F
iptables -Z
iptables -X
iptables -t nat -F

## Set the default policy
# -------------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Enable routing in the kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "0" > /proc/sys/net/ipv4/conf/eth1/accept_redirects

echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

## ICMP
# -------------------------------------------------------
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

## Open the loopback interface.
# -------------------------------------------------------
iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0 -i lo -j ACCEPT
iptables -A INPUT -s 192.168.2.0 -i lo -j ACCEPT

## ACCEPT (allow) return packets from the internet
# -------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

## DNS - allow name resolution
# -------------------------------------------------------
#INPUT
iptables -A INPUT -p udp -s 192.168.2.0/24 --sport 53 -d 200.165.132.147 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.2.0/24 --sport 53 -d 200.165.132.155 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
#FORWARD
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.165.132.147 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.165.132.155 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.165.132.147 -d 192.168.2.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.165.132.155 -d 192.168.2.0/24 --dport 53 -j ACCEPT

## DHCP
# -------------------------------------------------------
iptables -A INPUT -p udp -s 192.168.2.0/24 --sport 79 -d 192.168.2.254 -j ACCEPT

## Allowing some IPs to ping
# -------------------------------------------------------
iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.2.0/24 -d 0/0 -j ACCEPT

## Network masquerading for external access
# -------------------------------------------------------
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

## Redirect port 80 to 3128
# -------------------------------------------------------
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

## Closing localhost:
# -------------------------------------------------------
iptables -A INPUT -m tcp -p tcp -s 127.0.0.1 --dport 3129 -j DROP

## Allow the connection for the internal network
# -------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

## TTL
# -------------------------------------------------------
iptables -t mangle -A OUTPUT -o eth1 -j TTL --ttl-set 128

## Accept connections from the internal network to the web server
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --syn --dport 443 -j ACCEPT

## Create separate chains for ICMP, TCP and UDP to traverse
# -------------------------------------------------------
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

## Open for a range of addresses on the local network
# -------------------------------------------------------
sudo iptables -A INPUT -p tcp --syn -i eth0 -j ACCEPT

## Open a port (including to the Internet)
# -------------------------------------------------------
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # https
iptables -A INPUT -p tcp --dport 3129 -j ACCEPT # Squid
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Dyndns
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Email
iptables -A INPUT -p tcp --dport 110 -j ACCEPT # Email
iptables -A INPUT -p tcp --dport 465 -j ACCEPT # Email
iptables -A INPUT -p tcp --dport 995 -j ACCEPT # Email
iptables -A INPUT -p tcp --dport 332 -j ACCEPT # Webmin
iptables -A INPUT -p tcp --dport 6689 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 1863 -j ACCEPT # Msn
iptables -A INPUT -p tcp --dport 4199 -j ACCEPT # NFe
iptables -A INPUT -p tcp --dport 5959 -j ACCEPT # NFe
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT # TServer
iptables -A INPUT -p tcp --dport 1080 -j ACCEPT # Socks
iptables -A INPUT -p tcp --dport 2006 -j ACCEPT # COBCaixa
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT # Caixa
iptables -A INPUT -p tcp --dport 65535 -j ACCEPT # Caixa
iptables -A INPUT -p tcp --dport 3456 -j ACCEPT # Receitanet
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
iptables -A INPUT -p tcp --dport 5800 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # Mysql
iptables -A INPUT -p tcp --dport 3310 -j ACCEPT # Mysql

## Terminal Server
# -------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth1 -j DNAT --to 192.168.2.253:3389

## Allowing SSH (ports 6689 and 22)
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 6689 -j ACCEPT

## Allowing external SSH
# -------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp --dport 6689 -i eth1 -j DNAT --to 192.168.2.254:6689

## Allowing SSH on the web server
# -------------------------------------------------------
iptables -t nat -A PREROUTING -d 192.168.1.253 -p tcp --dport 80 -j DNAT --to 192.168.2.55
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT

## Allowing Webmin (port 332)
# -------------------------------------------------------
iptables -A INPUT -i eth0 -p tcp --dport 332 -j ACCEPT

## Allowing external Webmin access
# -------------------------------------------------------
iptables -A INPUT -i eth1 -p tcp --dport 332 -j ACCEPT

## Allow MySQL
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 3310 -j ACCEPT

# Allowing access to NFE (Nota Fiscal Eletronica)
# -------------------------------------------------------
iptables -t nat -A PREROUTING -i eth1 -d 200.189.133.249 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --dport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --sport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.189.133.247 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --dport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --sport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --dport 80 -j ACCEPT


## Caixa Economica
# -------------------------------------------------------
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 200.201.174.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.174.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.173.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.166.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.162.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --dport 80 -j ACCEPT

## Allow Conectividade Social for everyone
# allowing access to the whole 200.201 network, which may also allow sites other than Caixa.
# -------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

## Closing the Samba ports in case the box faces the internet directly.
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --syn --dport 139 -j DROP
iptables -A INPUT -p tcp -i eth1 --syn --dport 138 -j DROP

#NetBIOS blocking
# -------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP

## Blocking U89 - proxy-bypass software
# -------------------------------------------------------
iptables -A FORWARD -p tcp --dport 9666 -j DROP

##Multicast blocking
# -------------------------------------------------------
iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP

##Back Orifice blocking
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 12345:12345 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 12345:12345 -j DROP

##Block X server access
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 5999:6003 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 5999:6003 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP

##NetBus blocking
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 31337 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 31337 -j DROP

##Protection against IP spoofing
# -------------------------------------------------------
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i eth1 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j DROP

## Various protections against port scanners, ping of death, DoS attacks, etc.
# -------------------------------------------------------
#INPUT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -p tcp -i eth1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j REJECT
iptables -A INPUT -p icmp -i eth1 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth1 -j ACCEPT
iptables -A OUTPUT -p icmp -o eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp --syn -j DROP

#FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable

#VALID
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

# Protection against port scanners
# -------------------------------------------------------
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth1 -j SCANNER

# Protection against trojans
# -------------------------------------------------------
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
iptables -A TROJAN -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 666 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 666 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 4000 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 6000 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 6006 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 16660 -j TROJAN

# Protection against trinoo
# -------------------------------------------------------
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 1524 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 27444 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 27665 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 31335 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 34555 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 35555 -j TRINOO

##Rejecting ident requests
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 113 -j REJECT
iptables -A INPUT -p udp -i eth1 --dport 113 -j REJECT

## This rule is the heart of the firewall
# -------------------------------------------------------
iptables -A INPUT -p tcp --syn -j DROP


2. Re: help me if you can with port forwarding

Genesco Sousa
gesousa

(uses Ubuntu)

Posted on 09/11/2009 - 12:49h

Dude, it's worth remembering that some ports are blocked by the ISPs. On the modem, instead of forwarding port 22, try 2222 and change the listening port on your SSH server. This also serves as a security measure; it's never good to use default ports when they're accessed from the internet...


3. Re: help me if you can with port forwarding

Lucas Peregrino
Lucas Peregrino

(uses Debian)

Posted on 09/11/2009 - 12:56h

Yes, but the port I'm using is 6689, since 2222 is already heavily targeted.
