Analisem e opinem nesse script iptables

1. Analisem e opinem nesse script iptables

Novo Pinguim
novopinguim

(usa CentOS)

Enviado em 23/07/2014 - 14:51h

Boa tarde, gostaria de opiniões sobre o que pode ser melhorado nesse script; estou aberto a críticas e sugestões, agradeço desde já. :)

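#!/bin/bash
# Firewall / NAT ruleset for a CentOS gateway with two interfaces.
#
# Usage: run as root. The script flushes every table and rebuilds the ruleset
# from scratch, so the ORDER of the commands below is the semantics of the
# firewall: the first matching rule in a chain wins.
#
# NOTE(review): all three default policies are left at ACCEPT and the final
# "deny everything else" rules at the bottom are still commented out. Only the
# explicit "-j DROP" rules block anything today; an "-j ACCEPT" that is not
# followed by a DROP for the same port is a no-op until a default-deny exists.
#
# Changes from the original version (behaviour otherwise identical, same order):
#   - "-s 0.0.0.0" removed from the 1433 FORWARD rules (it matched only a
#     source address of literally 0.0.0.0, not "any");
#   - the catch-all TCP LOG on INPUT is rate-limited so it cannot flood syslog;
#   - unreachable ACCEPT rules (80, 8080, ssh after the matching DROPs), a LOG
#     placed after the ACCEPT that already consumes its packets, three DNAT
#     rules that translated an address to itself, and an empty
#     "iptables -t nat -A PREROUTING" were removed;
#   - repeated per-port ACCEPT/DROP blocks are generated by allow_lans_only.
set -u

# Interface roles inferred from the rules themselves (REDIRECT/DNAT arrive on
# eth0, MASQUERADE and the "rota externa" DNATs use eth1) — TODO confirm.
readonly LAN_IF=eth0
readonly WAN_IF=eth1
# Internal networks allowed to reach restricted services on this host.
readonly LANS=(192.168.138.0/24 192.168.77.0/24 192.168.28.0/24)

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Allow a TCP port from each internal network, then DROP it for everyone else.
# Generates the same rules, in the same order, as the original hand-written
# ACCEPT/ACCEPT/ACCEPT/DROP blocks.
# Globals:   LANS (read)
# Arguments: $1 - TCP destination port
#######################################
allow_lans_only() {
  local port=$1 net
  for net in "${LANS[@]}"; do
    iptables -A INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
  done
  iptables -A INPUT -p tcp --dport "$port" -j DROP
}

(( EUID == 0 )) || die "must be run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

# Enable IPv4 forwarding: this host routes between LAN_IF and WAN_IF.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# Load netfilter modules. Failures are reported by modprobe itself and do not
# abort the script (these are legacy module names; newer kernels alias them).
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Reset: policies to ACCEPT first so the host stays reachable while the
# ruleset is rebuilt, then flush and delete chains in filter, nat and mangle.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Informational: prints the (now empty) filter table.
iptables -L -n

# Transparent proxy: HTTP arriving on LAN_IF is redirected to the local
# proxy on 3128. (A second, commented-out copy of this rule appears further
# down under "REDIRECIONA PARA O PROXY".)
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port 3128

###########################
# Bloqueio e liberacao de portas
# SSH: two external addresses are allowed ahead of the internal networks.
iptables -A INPUT -p tcp --dport 22 -s 201.75.100.65 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 179.222.49.113 -j ACCEPT
allow_lans_only 22

allow_lans_only 80

# POP3: the internal-network ACCEPTs are commented out, so 110 is dropped
# for every source.
#iptables -A INPUT -p tcp --dport 110 -s 192.168.138.0/24 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -s 192.168.77.0/24 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -s 192.168.28.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j DROP

allow_lans_only 443
allow_lans_only 3128
allow_lans_only 8080

# The original "Libera Porta 80" rule (state NEW, dport 80) stood here; it was
# unreachable because every dport-80 packet is already accepted or dropped by
# the block above, so it was removed.

#####Libera a porta 1433
# The original "-s 0.0.0.0" matched only packets whose source address is
# literally 0.0.0.0; no "-s" match means any source, which is what the
# comment intends. With FORWARD policy ACCEPT these rules only become
# meaningful once a default-deny is enabled.
iptables -A FORWARD -p tcp --dport 1433 -j ACCEPT
iptables -A FORWARD -p tcp --sport 1433 -j ACCEPT

#Liberar porta (submission/SMTP)
iptables -A INPUT -p tcp --dport 587 -j ACCEPT

#REDIRECIONAMENTO TS
# Packets DNATed in PREROUTING traverse FORWARD, not INPUT, so the INPUT
# ACCEPTs below only concern connections to this host's own port 3389; the
# second rule (no interface match) already covers the first.
iptables -A INPUT -p tcp -i "$WAN_IF" --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3389 -j ACCEPT
# DNAT for 3389 arriving on LAN_IF; the WAN_IF counterpart is under
# "Rota externa para DVR e TS" below.
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 3389 -j DNAT --to-dest 192.168.138.4
iptables -A FORWARD -p tcp -i "$LAN_IF" --dport 3389 -d 192.168.138.4 -j ACCEPT

#REDIRECIONAMENTO DVR (same pattern as TS, three ports to 192.168.138.147)
iptables -A INPUT -p tcp -i "$WAN_IF" --dport 34599 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 34599 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 34599 -j DNAT --to-dest 192.168.138.147
iptables -A FORWARD -p tcp -i "$LAN_IF" --dport 34599 -d 192.168.138.147 -j ACCEPT

iptables -A INPUT -p tcp -i "$WAN_IF" --dport 34567 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 34567 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 34567 -j DNAT --to-dest 192.168.138.147
iptables -A FORWARD -p tcp -i "$LAN_IF" --dport 34567 -d 192.168.138.147 -j ACCEPT

iptables -A INPUT -p tcp -i "$WAN_IF" --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 8000 -j ACCEPT
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 8000 -j DNAT --to-dest 192.168.138.147
iptables -A FORWARD -p tcp -i "$LAN_IF" --dport 8000 -d 192.168.138.147 -j ACCEPT

#########LIBERAR NOD
# NOTE(review): these rules use the LOG target, so despite the heading they
# only log — they do not MASQUERADE this traffic (only the hosts listed under
# "Libera para toda a rede interna" below are masqueraded). Hostname
# destinations are resolved once, when the script runs, so DNS must be up at
# load time and later address changes are not picked up; the "/29" mask is
# applied to whatever address the name resolves to — TODO confirm intent.
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um10.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um12.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um13.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um14.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um16.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d um18.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d update.eset.com/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 62.67.184.68/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 90.183.101.10/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 89.202.149.36/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 93.184.71.27/29 -j LOG -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 89.202.157.227/29 -j LOG -o "$WAN_IF"

######REDIRECIONA PARA O PROXY (disabled copies of the REDIRECT rule above)
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#DESABILITADO iptables -t nat -A PREROUTING -d 192.168.138.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
###
# Log TCP packets that reached this point on INPUT. The original logged every
# such packet without limit, which lets any remote host fill the log; the
# limit match caps the rate (packets beyond it are simply not logged — the
# rule never drops anything).
iptables -A INPUT -p tcp -m limit --limit 10/min --limit-burst 20 -j LOG

########TED LIBERAR########
iptables -A FORWARD -s 192.168.138.42 -p tcp --dport 8017 -j ACCEPT # Ana Paula
###########FIM TED##########

# HTTPD: the original "-i eth1 --dport 80/8080 ACCEPT" rules stood here; both
# were unreachable (80 and 8080 are fully decided by the blocks above) and
# were removed. Allow external HTTP by adding the source to the 80/8080 block.

# GRRF
iptables -A INPUT -p tcp --dport 407 -j ACCEPT # GRRF
iptables -A INPUT -p tcp --dport 2631 -j ACCEPT # GRRF
iptables -A INPUT -p tcp --dport 3001 -j ACCEPT # GRRF

# Libera para toda a rede interna Ping, FTP e DNS
# NOTE(review): only ICMP is masqueraded for the whole 192.168.138.0/24 here;
# FTP and DNS (and everything else) are masqueraded only for the individual
# hosts listed next, so other LAN hosts have no NAT for those protocols.
iptables -t nat -A POSTROUTING -p icmp -s 192.168.138.0/24 -j MASQUERADE -o "$WAN_IF"

iptables -t nat -A POSTROUTING -s 192.168.138.147/32 -j MASQUERADE -o "$WAN_IF" # DVD Monitoramento
iptables -t nat -A POSTROUTING -s 192.168.138.3/32 -j MASQUERADE -o "$WAN_IF" # Servidor
iptables -t nat -A POSTROUTING -s 192.168.138.5/32 -j MASQUERADE -o "$WAN_IF" # Servidor
iptables -t nat -A POSTROUTING -s 192.168.138.145/32 -j MASQUERADE -o "$WAN_IF" # Proxy
iptables -t nat -A POSTROUTING -s 192.168.138.152/32 -j MASQUERADE -o "$WAN_IF" # Servidor Cameras

# Oracle
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.3/32 -d 189.2.85.114 --dport 63867 -j MASQUERADE -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.5/32 -d 189.2.85.114 --dport 63867 -j MASQUERADE -o "$WAN_IF"

# Sefaz (FTP control/data ports only)
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 200.242.61.0/27 --dport 20 -j MASQUERADE -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 200.242.61.0/27 --dport 21 -j MASQUERADE -o "$WAN_IF"

# IMPACT3
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.41/32 -d 200.250.230.242 --dport 10000 -j MASQUERADE -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.41/32 -d 200.250.230.53 --dport 10000 -j MASQUERADE -o "$WAN_IF"

# DMSnet
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.42/32 -d pmmnt4dns01.pmm.am.gov.br --dport 3026 -j MASQUERADE -o eth1

# Caixa - CS
iptables -t nat -A POSTROUTING -p tcp -s 192.168.138.0/24 -d 200.201.174.200/29 -j MASQUERADE -o "$WAN_IF"
iptables -t nat -A POSTROUTING -p tcp -s 192.168.28.0/24 -d 200.201.174.200/29 -j MASQUERADE -o "$WAN_IF"
# Three PREROUTING DNAT rules that translated 200.201.173.68, 200.201.166.200
# and 200.201.174.207 port 80 to the very same address:port stood here; they
# changed nothing and were removed.
# NOTE(review): "-I" inserts these at the TOP of each chain, ahead of every
# restriction above. In particular the INPUT rule gives the whole public
# 200.201.174.0/24 unrestricted access to this host, bypassing the SSH
# allow-list — confirm that INPUT (not just FORWARD) access is required.
# "-p all -d 0/0" are the defaults and were dropped; the match is unchanged.
iptables -I FORWARD -s 200.201.174.0/24 -j ACCEPT
iptables -I OUTPUT -s 200.201.174.0/24 -j ACCEPT
iptables -I INPUT -s 200.201.174.0/24 -j ACCEPT

# FIM CAIXA - CS

# Rota externa para DVR e TS (WAN_IF side of the DNATs defined earlier)
iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0/0 --to-dest 192.168.138.4:3389 -i "$WAN_IF" --dport 3389
iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0/0 --to-dest 192.168.138.147:34599 -i "$WAN_IF" --dport 34599
iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0/0 --to-dest 192.168.138.147:34567 -i "$WAN_IF" --dport 34567
iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0/0 --to-dest 192.168.138.147:8000 -i "$WAN_IF" --dport 8000

# Fim rota externa

# Loopback and reply traffic. These are conventionally the first rules in
# INPUT; they are left at their original position to preserve rule order.
iptables -t filter -A INPUT -j ACCEPT -i lo
iptables -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# The original LOG for ESTABLISHED,RELATED stood here; the ACCEPT just above
# already consumes every such packet, so the LOG was unreachable and removed.
# The original "state NEW --dport ssh ACCEPT" was likewise unreachable (port
# 22 is fully decided by the SSH block at the top) and removed.
# An empty "iptables -t nat -A PREROUTING" (a rule with no match and no
# target, i.e. a packet counter) also stood here and was removed.

# NEGAR TUDO QUE NAO FACA PARTE DE UMA DAS REGRAS
# NOTE(review): while these stay commented out, the default policies above
# (ACCEPT) decide everything not explicitly dropped. Before enabling them,
# every flow the rules above rely on (LAN->WAN_IF forwarding, UDP services
# such as DNS, ICMP) needs its own explicit ACCEPT or it will be cut off.
#iptables -A INPUT -j DROP
#iptables -A FORWARD -j DROP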



  





