Rede com um Firewall ligado na porta WAN do router wifi [RESOLVIDO]

1. Rede com um Firewall ligado na porta WAN do router wifi [RESOLVIDO]

bslima
(usa Debian)

Enviado em 21/04/2008 - 19:08h

Pessoal vou explicar a minha situação:

Tenho um computador AMD DURON 900Mhz com 256Mb de memoria aqui na empresa, ele tava encostado sem fazer nada, ai decidi colocar ele como firewall, instalei o ubuntu recompilei o kernel deixei enxuto, ficou bala. Sim, mas vamos seguir ao firewall: Ele tem 2 placas de rede,obvio, uma de cara para internet outra que vai ser ligada na porta WAN de um roteador wireless, a empresa toda wifi :). O que eu quero com o firewall é liberar o acesso aos serviços básicos http,https,ssh,vnc, entre outros, além do que eu tenho um servidor web que vai ficar atras do roteador ao qual eu preciso redirecionar a porta 80 para este servidor, além da porta de vnc para ele. Depois de 2 dias tentando configurar tudo isso aqui no iptables eu acho que cheguei a algo que faz sentido pelo menos pra mim mas que não está funcionando do jeito que eu quero.
Abaixo vai o script do iptables que eu fiz, eu que dei a ideia o chefe adorou e me deu até sexta-feira dia 25, mas como eu me empolguei com a ideia quero acabar logo e botar essa budega pra funcionar. Por favor me ajudem :)

#!/bin/sh
#
# Script iptables para firewall.
# Feito para empresa Intertech - Soluções em Informática
# Autor: Bruno Seabra Nogueira Mendonça Lima - 16-04-2008
#
#
# Libera as portas do SVN (8080), VNC(5800/5900), SSH(22)
# Redireciona as portas da WEB(80) e VNC(5801/5901) para a máquina 192.168.123.1 (SERVIDOR SOL)
# Aceita conexões da rede interna
#
#
#

IPTABLES="/sbin/iptables" ## location to iptables binary file

EXTDEV="eth0" ## external device that connects to modem
INTDEV="eth1" ## internal device that connects to lan
IF_LOC="lo" # Interface Loopback

EXTIP=`ifconfig $EXTDEV | grep "inet " | cut -f2 -d: | cut -f1 -dB` ## external ip address
INTIP=`ifconfig $INTDEV | grep "inet " | cut -f2 -d: | cut -f1 -dB` ## internal ip address

NET_INT="192.168.123.0/24" # Rede da interface IF_INT

case "$1" in
start)

#
## First we want to enable ip forwarding
#
echo -n "Habilitando Compartilhamento ... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Pronto!"

#
## Secondly we want to enable dynamic ips
#
echo -n "Habilitando IP Dinamico ... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Pronto."

#
## Now lets clear all the tables incase they were improperly shutdown
#

echo -n "Descarregando regras e tabelas ... "
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
echo "Pronto."

#
## Its time to start setting up our rules and policies
#

echo -n "Setando o firewall agora ... "

#################################################################
# CHAIN DE PREROUTING
#################################################################

echo -n "Setando as regras de PREROUTING ..."

#Libera o VNC na porta 5900
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTDEV --dport 5800:5900 -j DNAT --to 192.168.123.1:5800-5900
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTDEV --dport 5800:5900 -j DNAT --to 192.168.123.1:5800-5900

#Libera o servidor WEB na porta 80
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTDEV --dport 80 -j DNAT --to 192.168.123.1:80

echo "Pronto!"

#################################################################
# REGRAS DE INPUT E OUTPUT
#################################################################

echo -n "Setando as regras de input e output ..."

#LIbera interface local
echo -n "Liberando interface local ..."
$IPTABLES -A OUTPUT -j ACCEPT -o $IF_LOC
$IPTABLES -A INPUT -j ACCEPT -i $IF_LOC
echo " Pronto!"

## First we want to allow only incoming connections that we establish first
echo -n "Liberando conexões que foram estabelicidas primeiro ... "
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Pronto!"

#Aceita que o firewall acesse a web
echo -n "Liberando acesso a WEB ... "
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport 80
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport 80
echo "Pronto!"

#Liberando que o firewall acesse o msn
echo -n "Liberando acesso a MSN ... "
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport 1863
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport 1863
echo "Pronto!"

#Aceita que o firewall faca ssh pra fora
echo -n "Liberando SSH para a internet ... "
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport ssh
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport ssh
echo "Pronto!"

#Aceita conexao com o no-ip.com
echo -n "Liberando conexão com o no-ip.com (8245) ..."
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport 8245
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport 8245
echo "Pronto!"

#Aceita conexao com o Apache
echo -n "Liberando conexão com Apache (SVN:8080) ..."
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport 8080
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport 8080
echo "Pronto!"

#Aceita conexao com o ssh
echo -n "Liberando conexão com SSH (22) ..."
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --dport 22
$IPTABLES -A INPUT -j ACCEPT -p tcp --sport 22
echo "Pronto!"

# Aceita conexoes da rede interna
echo -n "Liberando conexões da rede interna ..."
$IPTABLES -A OUTPUT -j ACCEPT -d $NET_INT
$IPTABLES -A INPUT -j ACCEPT -s $NET_INT
echo "Pronto!"

echo -n "Pronto!"

#################################################################
# REGRAS DE FORWARD
#################################################################

echo -n "Setando todas as regras de FOWARD ..."
#
## Aceitar a lan interna acessar a internet
#

## Conexões estabelecidas ou relacionadas sejam encaminhadas imediatamente
$IPTABLES -A FORWARD -i $EXTDEV -m state --state RELATED,ESTABLISHED -j ACCEPT

## Encaminha todas as conexões da lan interna para internet
$IPTABLES -A FORWARD -i $INTDEV -o $EXTDEV -j ACCEPT

#Libera o VNC na porta 5900
$IPTABLES -A FORWARD -i $EXTDEV -p tcp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTDEV -p udp --dport 5800:5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Redireciona o WebServer
$IPTABLES -A FORWARD -i $EXTDEV -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Pronto!"

#################################################################
# REGRAS DE POSTROUTING
#################################################################

## Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTDEV -j MASQUERADE

#$IPTABLES -P OUTPUT ACCEPT

echo -n "Firewall has been fully installed"

;;
stop)

echo -n "Flushin all rules ... "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT
echo "done."
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L -n -v
#$IPTABLES -t nat -L -n
;;
*)
echo "usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0

## EOF ##

0 0

Quote