hugovlmota
(usa CentOS)
Enviado em 15/08/2007 - 09:07h
Galerinha, fiz alguns testes e vc's acreditam que ainda nÃo funciona, irei postar o meu iptables, pois acho que deve haver alguma regra redundante, que está travando a este acesso.
#placa interna =eth0
#placa externa =eth1
# IP do Servidor Web 192.168.1.250
# O IP da Rede Interna vai do 192.168.1.1 até 192.168.1.249
# ----------------------------------------------------------
# Zera regras
# ----------------------------------------------------------
iptables -F
iptables -X
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# ----------------------------------------------------------
# Ativa modulos
# ----------------------------------------------------------
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128
# ----------------------------------------------------------
# Mascaramento ( NAT )
# ----------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
#----------------------------------------------------------
# VNC regras de iptables pra repassar pra maquina local
# ----------------------------------------------------------
iptables -A FORWARD -i eth1 -p tcp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 5800:5900 -j DNAT --to 192.168.1.1:5800-5900
iptables -t nat -A PREROUTING -p udp -i eth1 --dport 5800:5900 -j DNAT --to 192.168.1.1:5800-5900
# ----------------------------------------------------------
# Proteções Contra Ataques
# ----------------------------------------------------------
#Bloquear Trin00
iptables -A INPUT -p tcp -i eth1 --dport 1524 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 27665 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 27444 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 31335 -j DROP
# Proteção contra pacotes danificados ou suspeitos.
iptables -A FORWARD -m unclean -j DROP
#Proteção contra Syn-floods
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Protege contra os "Ping of Death"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Protege contra os ataques do tipo "Syn-flood, DoS, etc"
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# Protege contra port scanners avançados (Ex.: nmap)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Protege AS PORTAS PROIBIDAS
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Porta do FTP "
iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Porta do TELNET "
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "Porta do SSH "
iptables -A INPUT -p tcp --dport 137:139 -j LOG --log-prefix "Porta do NETBEUI "
# Protege contra BackDoors Wincrash e BackOrifice
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Porta do Wincrash "
iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Porta do BackOrifice "
# ----------------------------------------------------------
#libera o loopback
# ----------------------------------------------------------
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
# ----------------------------------------------------------
# libera conexões de fora pra dentro
# ----------------------------------------------------------
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 563 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 563 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ----------------------------------------------------------
#Liberar portas para minha Correio
# ----------------------------------------------------------
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 201.7.95.96 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 201.7.95.96 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -s 201.7.95.96 --sport 53 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -s 201.7.95.96 --sport 53 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.1.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.1.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
# ----------------------------------------------------------
#Libera porta para a Conectividade Social
# ----------------------------------------------------------
iptables -A FORWARD -p tcp --dport 2631 -j ACCEPT
iptables -A FORWARD -p udp --dport 2631 -j ACCEPT
#-----------------------------------------------------------
#Libera CAT-5017 / SINTEGRA-8017
#-----------------------------------------------------------
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 5017 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 8017 -j ACCEPT
# ----------------------------------------------------------
#Libera porta HTTPS
# ----------------------------------------------------------
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 563 -j ACCEPT
# ----------------------------------------------------------
# Libera conexoes de dentro pra fora:
# ----------------------------------------------------------
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 86 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5190 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 563 -j ACCEPT
# ----------------------------------------------------------