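# iptables gateway/firewall script (flat script, executed top to bottom).
# Interfaces: WAN = eth0, LAN = eth1 (192.168.0.0/24), COPEL = eth2 (second uplink).
# iptables evaluates each chain in order and the first matching rule wins, so
# the position of every rule below is significant.
# NOTE(review): no chain policy (-P) is ever set, so traffic matched by none of
# the rules below is handled by whatever policy the kernel currently has
# (ACCEPT on a default install) -- confirm this is intended.
echo Criando variaveis
REDE=192.168.0.0/24
WAN=eth0
LAN=eth1
COPEL=eth2
# The MYIP_* addresses are defined but not referenced by any rule below.
MYIP_LAN=192.168.0.1
MYIP_WAN=192.168.1.101
MYIP_COPEL=200.200.200.200

echo Ativando o roteamento
echo 1 > /proc/sys/net/ipv4/ip_forward

echo Carregando modulos
# Loaded before the mangle table is touched below.
modprobe iptable_mangle

echo Limpando as regras do firewall
# Flush (and drop user chains in) every table this script appends to: filter,
# nat and mangle. Flushing the whole mangle table matters because a TOS rule
# is appended to mangle PREROUTING further down; flushing only mangle FORWARD
# would leave one extra copy of that rule behind on every run.
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

echo Montando log do firewall
# Unconditional LOG targets: every packet on these three chains is logged
# before any other rule is evaluated, with no rate limit. Expect noisy logs.
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

echo Bloqueando ataques
# Drop outgoing ICMP that connection tracking classifies as INVALID.
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Rate limiters. NOTE(review): each of the three rules below only ACCEPTs
# packets under the limit; there is no DROP rule after them, so packets above
# the limit simply fall through to the later FORWARD rules. As written these
# rules do not block anything.
# New TCP connections (SYN):
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Bare RST packets (port-scan style):
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# ICMP echo-request (ping flood):
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Drop traffic to the host on the Back Orifice (31337) and NetBus (12345-12346) ports.
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p udp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
iptables -A INPUT -p udp --dport 12345:12346 -j DROP

echo Liberando os servicos para rede
# Forwarded services:
#   22   - ssh   (NOTE(review): -s 0/0, i.e. forwarded SSH is accepted from any
#                 source address, not only from the LAN)
#   25   - smtp  (outgoing mail)
#   110  - pop3  (incoming mail)
#   53   - dns (udp)
#   80   - http
#   443  - https
#   3128 - proxy (workstations browsing through the proxy)
# No rule for ftp (21) is present. All but the ssh rule are limited to the LAN.
iptables -A FORWARD -s 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s "$REDE" -p tcp --dport 3128 -j ACCEPT

echo Redirecionando acessos remotos WTS
# Mark RDP (3389) with TOS 16 and DNAT it to the terminal server.
# NOTE(review): neither rule carries -i or -d, so RDP arriving on any
# interface (LAN included) for any destination address is rewritten to
# 192.168.0.253. The disabled lines below show a narrower variant.
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j TOS --set-tos 16
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.0.253
#iptables -t nat -A PREROUTING -d 200.200.200.200 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.253:3389
#iptables -t nat -A POSTROUTING -d 192.168.0.253 -s 0/0 -p tcp --dport 3389 -j SNAT --to 200.195.149.35
# Forward the redirected RDP traffic over COPEL only; reject it over WAN.
iptables -A FORWARD -i "$COPEL" -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -o "$COPEL" -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -o "$WAN" -p tcp --dport 3389 -j REJECT
iptables -A FORWARD -i "$WAN" -p tcp --dport 3389 -j REJECT

echo Liberando DNS
iptables -t filter -A FORWARD -p udp --dport 53 -j ACCEPT

echo Liberando POP e SMTP # terra.com.br
# Provider mail servers (explicit addresses), plus the reply direction.
iptables -A FORWARD -d 208.84.244.140 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A FORWARD -d 200.154.56.99 -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 208.84.244.140 -p tcp -m tcp --sport 25 -j ACCEPT
iptables -A FORWARD -s 200.154.56.99 -p tcp -m tcp --sport 110 -j ACCEPT

echo Libera acesso ao apache local
# Web services on the gateway itself.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8180 -j ACCEPT

echo Liberando conectividade social
# Caixa (bank) networks that must not go through the transparent proxy: an
# ACCEPT in nat PREROUTING placed before the REDIRECT rules below means these
# destinations are forwarded directly.
# CAIXA is a space-separated list; the unquoted expansion in the for loop
# splits it on purpose.
CAIXA="200.252.47.0/24 200.201.0.0/16"
for ip in $CAIXA
do
  iptables -t nat -A PREROUTING -p tcp -d "$ip" -j ACCEPT
  iptables -A FORWARD -p tcp -d "$ip" -j ACCEPT
done
# Each hostname is resolved when its rule is inserted; one rule per line.
# NOTE(review): these rules match -i WAN (eth0), whereas the REDIRECT rules
# below match -i LAN (eth1), so they do not exempt LAN clients from the
# proxy redirect -- confirm which interface was intended.
iptables -t nat -A PREROUTING -i "$WAN" -d internetcaixa.caixa.gov.br -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN" -d www.caixa.gov.br -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN" -d www1.caixa.gov.br -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN" -d cmt.caixa.gov.br -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN" -d obsupgdp.caixa.gov.br -p tcp -j ACCEPT

echo Redirecionando rede para proxy transparente
# Transparent proxy: web ports coming from the LAN are sent to the local
# proxy on 3128. NOTE(review): 443 is redirected to the same port as plain
# HTTP; confirm the proxy actually handles TLS clients on 3128.
iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 8180 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i "$LAN" -p tcp --dport 443 -j REDIRECT --to-port 3128

# Remote SSH access over COPEL (disabled):
#echo Liberacao de acesso SSH para acesso remoto
#iptables -A INPUT -p tcp -i eth2 --dport 22 -j ACCEPT
#iptables -A FORWARD -i eth2 -p tcp --dport 22 -j ACCEPT
#iptables -A FORWARD -o eth2 -p tcp --dport 22 -j ACCEPT

echo Liberando acesso ao Windows Update
iptables -A FORWARD -s "$REDE" -d 207.46.209.122 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s "$REDE" -d 64.4.21.91 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s "$REDE" -d 200.171.222.93 -p tcp --dport 86 -j ACCEPT

echo Liberando o acesso do proxy
# LAN clients may reach the proxy on the gateway; the gateway may send
# anything out through either uplink.
iptables -A INPUT -s "$REDE" -d 0/0 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o "$WAN" -j ACCEPT
iptables -A OUTPUT -o "$COPEL" -j ACCEPT

echo Libera trafego de saida de toda a rede
# Everything else being forwarded: rejected via WAN, accepted via COPEL.
iptables -A FORWARD -o "$WAN" -j REJECT
iptables -A FORWARD -o "$COPEL" -j ACCEPT

echo Habilitando o mascaramento
#iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 3389 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth2 -p udp --dport 3389 -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$COPEL" -j MASQUERADE

echo Bloqueia todo o resto
# Only new TCP connections (SYN) to the host are dropped here; UDP, ICMP and
# non-SYN TCP fall through to the INPUT chain policy, which this script
# never sets.
iptables -A INPUT -p tcp --syn -j DROP
echo Firewall: OK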